Malware Analysis Report

2024-10-18 22:18

Sample ID a91b6fed7eb263b7a1c6e619b0c5cd107ceca1612e6ec59c80ae51706ad9dbf0
Target a91b6fed7eb263b7a1c6e619b0c5cd107ceca1612e6ec59c80ae51706ad9dbf0
SHA256 a91b6fed7eb263b7a1c6e619b0c5cd107ceca1612e6ec59c80ae51706ad9dbf0
Tags qr link upx
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral3, behavioral28, behavioral31, behavioral10, behavioral19, behavioral4, behavioral16, behavioral22, behavioral25, behavioral30, behavioral32, behavioral9, behavioral13, behavioral15, behavioral17, behavioral8, behavioral24, behavioral27, behavioral1, behavioral14, behavioral5, behavioral12, behavioral18, behavioral21, behavioral20, behavioral23, behavioral26, behavioral29, behavioral2, behavioral6, behavioral7, behavioral11 (each: Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score

7/10

SHA256

a91b6fed7eb263b7a1c6e619b0c5cd107ceca1612e6ec59c80ae51706ad9dbf0

Threat Level: Shows suspicious behavior

The file a91b6fed7eb263b7a1c6e619b0c5cd107ceca1612e6ec59c80ae51706ad9dbf0 was found to be: Shows suspicious behavior.

Malicious Activity Summary

qr link upx

UPX packed file

One or more HTTP URLs in qr code identified

Reads runtime system information

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-10 11:13

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

One or more HTTP URLs in qr code identified

qr link

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win10v2004-20240226-en

Max time kernel

90s

Max time network

155s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_ads.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_ads.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
NL 52.142.223.178:80 - tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_01fn4kgo.3yy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2800-0-0x000001E91F0A0000-0x000001E91F0C2000-memory.dmp

memory/2800-10-0x00007FFA6F4B0000-0x00007FFA6FF71000-memory.dmp

memory/2800-11-0x000001E91CF80000-0x000001E91CF90000-memory.dmp

memory/2800-12-0x000001E91CF80000-0x000001E91CF90000-memory.dmp

memory/2800-15-0x00007FFA6F4B0000-0x00007FFA6FF71000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:17

Platform

win7-20240221-en

Max time kernel

120s

Max time network

156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_reslib.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_reslib.js

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win10v2004-20231215-en

Max time kernel

89s

Max time network

154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_reslib2.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_reslib2.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 52.142.223.178:80 - tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win7-20240221-en

Max time kernel

119s

Max time network

130s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_config.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_config.ps1

Network

N/A

Files

memory/2152-8-0x0000000002420000-0x00000000024A0000-memory.dmp

memory/2152-9-0x0000000002420000-0x00000000024A0000-memory.dmp

memory/2152-7-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

memory/2152-6-0x0000000002420000-0x00000000024A0000-memory.dmp

memory/2152-10-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

memory/2152-11-0x0000000002420000-0x00000000024A0000-memory.dmp

memory/2152-4-0x000000001B250000-0x000000001B532000-memory.dmp

memory/2152-5-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

memory/2152-12-0x0000000002420000-0x00000000024A0000-memory.dmp

memory/2152-13-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win10v2004-20240226-en

Max time kernel

91s

Max time network

104s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_link.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_link.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.229.43:443 - tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_frhqxxv4.f4s.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2116-5-0x0000029B50CF0000-0x0000029B50D12000-memory.dmp

memory/2116-10-0x00007FFD246A0000-0x00007FFD25161000-memory.dmp

memory/2116-11-0x0000029B69260000-0x0000029B69270000-memory.dmp

memory/2116-12-0x0000029B69260000-0x0000029B69270000-memory.dmp

memory/2116-15-0x00007FFD246A0000-0x00007FFD25161000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win7-20240221-en

Max time kernel

119s

Max time network

128s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_auto.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_auto.js

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win7-20240221-en

Max time kernel

120s

Max time network

129s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_jqtype.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_jqtype.ps1

Network

N/A

Files

memory/1992-4-0x000000001B290000-0x000000001B572000-memory.dmp

memory/1992-6-0x0000000001E30000-0x0000000001E38000-memory.dmp

memory/1992-7-0x0000000002950000-0x00000000029D0000-memory.dmp

memory/1992-5-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp

memory/1992-8-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp

memory/1992-9-0x0000000002950000-0x00000000029D0000-memory.dmp

memory/1992-10-0x0000000002950000-0x00000000029D0000-memory.dmp

memory/1992-11-0x0000000002950000-0x00000000029D0000-memory.dmp

memory/1992-12-0x0000000002950000-0x00000000029D0000-memory.dmp

memory/1992-13-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win7-20240215-en

Max time kernel

117s

Max time network

122s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_members_group.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_members_group.ps1

Network

N/A

Files

memory/2204-5-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

memory/2204-4-0x000000001B620000-0x000000001B902000-memory.dmp

memory/2204-7-0x00000000027F0000-0x00000000027F8000-memory.dmp

memory/2204-8-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

memory/2204-9-0x0000000002820000-0x00000000028A0000-memory.dmp

memory/2204-6-0x0000000002820000-0x00000000028A0000-memory.dmp

memory/2204-10-0x0000000002820000-0x00000000028A0000-memory.dmp

memory/2204-11-0x0000000002820000-0x00000000028A0000-memory.dmp

memory/2204-12-0x0000000002820000-0x00000000028A0000-memory.dmp

memory/2204-13-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win10v2004-20240319-en

Max time kernel

151s

Max time network

162s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_playerdown.ps1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_playerdown.ps1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4248 --field-trial-handle=2224,i,17688331074622862378,73816879873678745,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
IE 94.245.104.56:443 - tcp
GB 172.166.92.12:443 - tcp
GB 51.140.242.104:443 - tcp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
NL 142.250.179.138:443 - tcp
NL 142.250.179.138:443 - tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
GB 13.105.221.16:443 - tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qx2tstrl.s12.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/776-5-0x00000280750E0000-0x0000028075102000-memory.dmp

memory/776-10-0x00007FF892A60000-0x00007FF893521000-memory.dmp

memory/776-11-0x00000280751D0000-0x00000280751E0000-memory.dmp

memory/776-12-0x00000280751D0000-0x00000280751E0000-memory.dmp

memory/776-15-0x00007FF892A60000-0x00007FF893521000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win7-20240221-en

Max time kernel

117s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_reslib2.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_reslib2.js

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_tempvideo.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_tempvideo.ps1

Network

N/A

Files

memory/2124-4-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

memory/2124-5-0x0000000001E80000-0x0000000001E88000-memory.dmp

memory/2124-6-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

memory/2124-7-0x0000000002BB0000-0x0000000002C30000-memory.dmp

memory/2124-8-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

memory/2124-9-0x0000000002BB0000-0x0000000002C30000-memory.dmp

memory/2124-11-0x0000000002BB0000-0x0000000002C30000-memory.dmp

memory/2124-10-0x0000000002BB0000-0x0000000002C30000-memory.dmp

memory/2124-12-0x0000000002BB0000-0x0000000002C30000-memory.dmp

memory/2124-13-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

175s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_collect_news.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_collect_news.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3752 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 13.107.253.64:443 - tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
GB 172.217.169.74:443 - tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

159s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_datarelate.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_datarelate.js

Network

Country Destination Domain Proto
GB 23.44.234.16:80 - tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:17

Platform

win10v2004-20240226-en

Max time kernel

94s

Max time network

207s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_filecheck.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_filecheck.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 216.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 201.64.52.20.in-addr.arpa udp

Files

memory/1572-2-0x00000207DEAD0000-0x00000207DEAF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uhmymy0w.22d.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1572-10-0x00007FFE7D4F0000-0x00007FFE7DFB1000-memory.dmp

memory/1572-11-0x00000207DC9E0000-0x00000207DC9F0000-memory.dmp

memory/1572-12-0x00000207DC9E0000-0x00000207DC9F0000-memory.dmp

memory/1572-13-0x00000207DC9E0000-0x00000207DC9F0000-memory.dmp

memory/1572-16-0x00007FFE7D4F0000-0x00007FFE7DFB1000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win10v2004-20231215-en

Max time kernel

90s

Max time network

123s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_jqtype.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_jqtype.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/3040-0-0x00000216B62F0000-0x00000216B6312000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_stpuzkjz.xlx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3040-10-0x00007FF9CD030000-0x00007FF9CDAF1000-memory.dmp

memory/3040-11-0x000002169D3E0000-0x000002169D3F0000-memory.dmp

memory/3040-12-0x000002169D3E0000-0x000002169D3F0000-memory.dmp

memory/3040-13-0x000002169D3E0000-0x000002169D3F0000-memory.dmp

memory/3040-16-0x00007FF9CD030000-0x00007FF9CDAF1000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_collect_news.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_collect_news.js

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win7-20240221-en

Max time kernel

120s

Max time network

130s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_playerdown.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_playerdown.ps1

Network

N/A

Files

memory/2076-4-0x000000001B480000-0x000000001B762000-memory.dmp

memory/2076-6-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

memory/2076-7-0x0000000001F00000-0x0000000001F80000-memory.dmp

memory/2076-5-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

memory/2076-8-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

memory/2076-10-0x0000000001F00000-0x0000000001F80000-memory.dmp

memory/2076-9-0x0000000001F00000-0x0000000001F80000-memory.dmp

memory/2076-11-0x0000000001F00000-0x0000000001F80000-memory.dmp

memory/2076-12-0x0000000001F00000-0x0000000001F80000-memory.dmp

memory/2076-13-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

164s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_pseudo.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_pseudo.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 198.111.78.13.in-addr.arpa udp

Files

memory/4368-9-0x000002C219C50000-0x000002C219C72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5s0e1ygc.ifd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4368-10-0x00007FFB33B90000-0x00007FFB34651000-memory.dmp

memory/4368-11-0x000002C232320000-0x000002C232330000-memory.dmp

memory/4368-12-0x000002C232320000-0x000002C232330000-memory.dmp

memory/4368-15-0x000002C232320000-0x000002C232330000-memory.dmp

memory/4368-16-0x00007FFB33B90000-0x00007FFB34651000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

ubuntu1804-amd64-20240226-en

Max time kernel

1s

Max time network

133s

Command Line

[/tmp/var/tmp/proc/mysql]

Signatures

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/self/exe /tmp/var/tmp/proc/mysql N/A
File opened for reading /proc/sys/net/core/somaxconn /tmp/var/tmp/proc/mysql N/A
File opened for reading /proc/stat /tmp/var/tmp/proc/mysql N/A

Processes

/tmp/var/tmp/proc/mysql

[/tmp/var/tmp/proc/mysql]

/usr/bin/getconf

[/usr/bin/getconf CLK_TCK]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp
US 151.101.194.49:443 - tcp
US 1.1.1.1:53 cdn.fwupd.org udp
US 1.1.1.1:53 cdn.fwupd.org udp
US 151.101.2.49:443 cdn.fwupd.org tcp
US 151.101.129.91:443 - tcp
GB 89.187.167.3:443 - tcp
GB 185.125.188.62:443 - tcp
GB 185.125.188.61:443 - tcp
US 151.101.129.91:443 - tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 195.181.164.19:443 1527653184.rsc.cdn77.org tcp

Files

memory/1565-1-0x0000000000400000-0x0000000000e6e0d8-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win7-20240221-en

Max time kernel

119s

Max time network

126s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_filecheck.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_filecheck.ps1

Network

N/A

Files

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

158s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_auto.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_auto.js

Network

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win7-20240319-en

Max time kernel

118s

Max time network

127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_datarelate.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_datarelate.js

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win7-20240220-en

Max time kernel

118s

Max time network

121s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_link.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_link.ps1

Network

N/A

Files

Analysis: behavioral21

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win10v2004-20240226-en

Max time kernel

0s

Max time network

5s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_members.ps1

Signatures

N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_members.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_members.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_members.ps1

Network

N/A

Files

Analysis: behavioral23

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

178s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_members_group.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_members_group.ps1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3912 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p2urymvz.1ww.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral26

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_pseudo.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_pseudo.ps1

Network

N/A

Files

Analysis: behavioral29

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win10v2004-20240226-en

Max time kernel

167s

Max time network

183s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_reslib.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_reslib.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3752 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:8

Network

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win7-20240221-en

Max time kernel

117s

Max time network

127s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_ads.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_ads.ps1

Network

N/A

Files

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win7-20240220-en

Max time kernel

118s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_collect.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_collect.js

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:16

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

131s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_collect.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_collect.js

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-10 11:13

Reported

2024-04-10 11:17

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

183s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_config.ps1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_config.ps1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=3016,i,1323102786462900035,7687994236215859601,262144 --variations-seed-version /prefetch:8

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m0r4gy4u.403.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
