Analysis Overview
SHA256: c042b0ee6d5a92475a8487ea162ddcbafcad98cbd4f460398a908995f59169b1
Threat Level: Known bad
The file c042b0ee6d5a92475a8487ea162ddcbafcad98cbd4f460398a908995f59169b1 was found to be: Known bad.
Malicious Activity Summary
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: PowerShell
One or more HTTP URLs in qr code identified
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-06 18:17
Signatures
One or more HTTP URLs in qr code identified
Analysis: behavioral20
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win10v2004-20241007-en
Max time kernel: 84s
Max time network: 157s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\main.min.js
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 159s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\metabox-options.class.ps1
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wfaixdpz.meh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win7-20241010-en
Max time kernel: 10s
Max time network: 19s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\action\comment.js
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win10v2004-20241007-en
Max time kernel: 138s
Max time network: 161s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\SignatureHelper.js
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win7-20241010-en
Max time kernel: 11s
Max time network: 20s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\gutenberg.js
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win10v2004-20241007-en
Max time kernel: 87s
Max time network: 156s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\main.js
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win10v2004-20241007-en
Max time kernel: 144s
Max time network: 163s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\admin-options.class.ps1
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p4o2pxlo.lcf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral32
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win10v2004-20241007-en
Max time kernel: 91s
Max time network: 162s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\shortcode-options.class.ps1
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0uftryid.ilg.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral4
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win10v2004-20241007-en
Max time kernel: 139s
Max time network: 158s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\action\user.js
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win7-20241023-en
Max time kernel: 119s
Max time network: 129s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\SignatureHelper.js
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 145s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\qrcode.class.js
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win7-20240729-en
Max time kernel: 12s
Max time network: 21s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\sms-class.js
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win10v2004-20241007-en
Max time kernel: 147s
Max time network: 161s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\gutenberg.js
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win10v2004-20241007-en
Max time kernel: 87s
Max time network: 159s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\plugins.js
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win7-20240903-en
Max time kernel: 123s
Max time network: 129s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\plugins.min.js
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win7-20240708-en
Max time kernel: 120s
Max time network: 131s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\customize-options.class.ps1
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:20
Platform: win7-20240903-en
Max time kernel: 117s
Max time network: 129s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\shortcode-options.class.ps1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win10v2004-20241007-en
Max time kernel: 144s
Max time network: 160s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\go.js
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 143s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\file-class.ps1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win7-20241010-en
Max time kernel: 119s
Max time network: 128s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\admin-options.class.ps1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win10v2004-20241007-en
Max time kernel: 146s
Max time network: 174s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\sms-class.js
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:20
Platform: win7-20240903-en
Max time kernel: 117s
Max time network: 125s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\main.min.js
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win10v2004-20241007-en
Max time kernel: 141s
Max time network: 160s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\customize-options.class.ps1
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kcly4v4j.vio.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral29
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:20
Platform: win7-20240903-en
Max time kernel: 118s
Max time network: 128s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\metabox-options.class.ps1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win7-20241010-en
Max time kernel: 120s
Max time network: 134s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\action\user.js
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win10v2004-20241007-en
Max time kernel: 147s
Max time network: 164s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\qrcode.class.js
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win10v2004-20241007-en
Max time kernel: 142s
Max time network: 162s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\plugins.min.js
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win10v2004-20241007-en
Max time kernel: 143s
Max time network: 161s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\action\comment.js
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 129s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\go.js
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win10v2004-20241007-en
Max time kernel: 146s
Max time network: 165s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\file-class.ps1
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zj4sbdfm.zkx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral17
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win7-20240708-en
Max time kernel: 121s
Max time network: 131s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\main.js
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted: 2024-11-06 18:17
Reported: 2024-11-06 18:21
Platform: win7-20240903-en
Max time kernel: 121s
Max time network: 138s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\plugins.js