Malware Analysis Report

2025-01-03 09:56

Sample ID 241106-ww4xnsveph
Target c042b0ee6d5a92475a8487ea162ddcbafcad98cbd4f460398a908995f59169b1
SHA256 c042b0ee6d5a92475a8487ea162ddcbafcad98cbd4f460398a908995f59169b1
Tags
execution qr link
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c042b0ee6d5a92475a8487ea162ddcbafcad98cbd4f460398a908995f59169b1

Threat Level: Known bad

The file c042b0ee6d5a92475a8487ea162ddcbafcad98cbd4f460398a908995f59169b1 was found to be: Known bad.

Malicious Activity Summary

execution qr link

Command and Scripting Interpreter: JavaScript

Command and Scripting Interpreter: PowerShell

One or more HTTP URLs in qr code identified

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 18:17

Signatures

One or more HTTP URLs in qr code identified

qr link

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win10v2004-20241007-en

Max time kernel

84s

Max time network

157s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\main.min.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\main.min.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

159s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\metabox-options.class.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\metabox-options.class.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/3376-0-0x00007FFCBC233000-0x00007FFCBC235000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wfaixdpz.meh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3376-6-0x00000180FF110000-0x00000180FF132000-memory.dmp

memory/3376-11-0x00007FFCBC230000-0x00007FFCBCCF1000-memory.dmp

memory/3376-12-0x00007FFCBC230000-0x00007FFCBCCF1000-memory.dmp

memory/3376-15-0x00007FFCBC230000-0x00007FFCBCCF1000-memory.dmp

memory/3376-16-0x00007FFCBC230000-0x00007FFCBCCF1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win7-20241010-en

Max time kernel

10s

Max time network

19s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\action\comment.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\action\comment.js

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

161s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\SignatureHelper.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\SignatureHelper.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win7-20241010-en

Max time kernel

11s

Max time network

20s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\gutenberg.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\gutenberg.js

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win10v2004-20241007-en

Max time kernel

87s

Max time network

156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\main.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\main.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

163s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\admin-options.class.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\admin-options.class.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/4220-0-0x00007FFA73333000-0x00007FFA73335000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p4o2pxlo.lcf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4220-6-0x000001506F660000-0x000001506F682000-memory.dmp

memory/4220-11-0x00007FFA73330000-0x00007FFA73DF1000-memory.dmp

memory/4220-12-0x00007FFA73330000-0x00007FFA73DF1000-memory.dmp

memory/4220-14-0x00007FFA73330000-0x00007FFA73DF1000-memory.dmp

memory/4220-16-0x00007FFA73330000-0x00007FFA73DF1000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

162s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\shortcode-options.class.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\shortcode-options.class.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/984-0-0x00007FFE54893000-0x00007FFE54895000-memory.dmp

memory/984-1-0x000001829B7A0000-0x000001829B7C2000-memory.dmp

memory/984-2-0x00007FFE54890000-0x00007FFE55351000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0uftryid.ilg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/984-12-0x00007FFE54890000-0x00007FFE55351000-memory.dmp

memory/984-15-0x00007FFE54890000-0x00007FFE55351000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

158s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\action\user.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\action\user.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win7-20241023-en

Max time kernel

119s

Max time network

129s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\SignatureHelper.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\SignatureHelper.js

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win7-20240903-en

Max time kernel

119s

Max time network

145s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\qrcode.class.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\qrcode.class.js

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win7-20240729-en

Max time kernel

12s

Max time network

21s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\sms-class.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\sms-class.js

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

161s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\gutenberg.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\gutenberg.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win10v2004-20241007-en

Max time kernel

87s

Max time network

159s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\plugins.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\plugins.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win7-20240903-en

Max time kernel

123s

Max time network

129s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\plugins.min.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\plugins.min.js

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win7-20240708-en

Max time kernel

120s

Max time network

131s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\customize-options.class.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\customize-options.class.ps1

Network

N/A

Files

memory/824-4-0x000007FEF68EE000-0x000007FEF68EF000-memory.dmp

memory/824-5-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

memory/824-6-0x0000000000660000-0x0000000000668000-memory.dmp

memory/824-7-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

memory/824-8-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

memory/824-9-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

memory/824-11-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

memory/824-10-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

memory/824-12-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:20

Platform

win7-20240903-en

Max time kernel

117s

Max time network

129s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\shortcode-options.class.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\shortcode-options.class.ps1

Network

N/A

Files

memory/3020-4-0x000007FEF59AE000-0x000007FEF59AF000-memory.dmp

memory/3020-5-0x000000001B750000-0x000000001BA32000-memory.dmp

memory/3020-6-0x0000000002290000-0x0000000002298000-memory.dmp

memory/3020-7-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

memory/3020-8-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

memory/3020-9-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

memory/3020-10-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

memory/3020-11-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

memory/3020-12-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

160s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\go.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\go.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win7-20240903-en

Max time kernel

120s

Max time network

143s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\file-class.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\file-class.ps1

Network

N/A

Files

memory/2068-4-0x000007FEF5C2E000-0x000007FEF5C2F000-memory.dmp

memory/2068-5-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

memory/2068-6-0x00000000027E0000-0x00000000027E8000-memory.dmp

memory/2068-7-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

memory/2068-8-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

memory/2068-9-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

memory/2068-10-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

memory/2068-11-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

memory/2068-12-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win7-20241010-en

Max time kernel

119s

Max time network

128s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\admin-options.class.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\admin-options.class.ps1

Network

N/A

Files

memory/2324-4-0x000007FEF611E000-0x000007FEF611F000-memory.dmp

memory/2324-5-0x000000001B870000-0x000000001BB52000-memory.dmp

memory/2324-6-0x0000000001D20000-0x0000000001D28000-memory.dmp

memory/2324-7-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

memory/2324-8-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

memory/2324-9-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

memory/2324-10-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

memory/2324-11-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

memory/2324-12-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

174s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\sms-class.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\sms-class.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:20

Platform

win7-20240903-en

Max time kernel

117s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\main.min.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\main.min.js

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

160s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\customize-options.class.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\customize-options.class.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

memory/1584-0-0x00007FFEAF023000-0x00007FFEAF025000-memory.dmp

memory/1584-6-0x000002573B060000-0x000002573B082000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kcly4v4j.vio.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1584-11-0x00007FFEAF020000-0x00007FFEAFAE1000-memory.dmp

memory/1584-12-0x00007FFEAF020000-0x00007FFEAFAE1000-memory.dmp

memory/1584-15-0x00007FFEAF020000-0x00007FFEAFAE1000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:20

Platform

win7-20240903-en

Max time kernel

118s

Max time network

128s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\metabox-options.class.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\classes\metabox-options.class.ps1

Network

N/A

Files

memory/2200-4-0x000007FEF641E000-0x000007FEF641F000-memory.dmp

memory/2200-5-0x000000001B730000-0x000000001BA12000-memory.dmp

memory/2200-6-0x00000000028A0000-0x00000000028A8000-memory.dmp

memory/2200-7-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

memory/2200-8-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

memory/2200-9-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

memory/2200-10-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

memory/2200-11-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

memory/2200-12-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win7-20241010-en

Max time kernel

120s

Max time network

134s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\action\user.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\action\user.js

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

164s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\qrcode.class.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\qrcode.class.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

162s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\plugins.min.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\plugins.min.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 195.201.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

161s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\action\comment.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\action\comment.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win7-20240903-en

Max time kernel

119s

Max time network

129s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\go.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\go.js

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

165s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\file-class.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\zibll\inc\class\file-class.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/4336-0-0x00007FFB3FE43000-0x00007FFB3FE45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zj4sbdfm.zkx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4336-10-0x0000018CD78D0000-0x0000018CD78F2000-memory.dmp

memory/4336-11-0x00007FFB3FE40000-0x00007FFB40901000-memory.dmp

memory/4336-12-0x00007FFB3FE40000-0x00007FFB40901000-memory.dmp

memory/4336-15-0x00007FFB3FE40000-0x00007FFB40901000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win7-20240708-en

Max time kernel

121s

Max time network

131s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\main.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\main.js

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-06 18:17

Reported

2024-11-06 18:21

Platform

win7-20240903-en

Max time kernel

121s

Max time network

138s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\plugins.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\zibll\inc\codestar-framework\assets\js\plugins.js

Network

N/A

Files

N/A