
Automated Malware Analysis Report for Whynotwin11.Exe


ID: 442089
Sample Name: WhyNotWin11.exe
Cookbook: default.jbs
Time: 22:25:36
Date: 29/06/2021
Version: 32.0.0 Black Diamond

Table of Contents

Windows Analysis Report WhyNotWin11.exe
  Overview
    General Information
    Detection
    Signatures
    Classification
    Process Tree
  Malware Configuration
  Yara Overview
  Sigma Overview
    System Summary
  Signature Overview
    System Summary
    Malware Analysis System Evasion
  Mitre Att&ck Matrix
  Behavior Graph
  Screenshots
    Thumbnails
  Antivirus, Machine Learning and Genetic Malware Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
    URLs
  Domains and IPs
    Contacted Domains
    URLs from Memory and Binaries
    Contacted IPs
  General Information
  Simulations
    Behavior and APIs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    JA3 Fingerprints
    Dropped Files
  Created / dropped Files
  Static File Info
    General
    File Icon
    Static PE Info
      General
      Entrypoint Preview
      Rich Headers
      Data Directories
      Sections
      Resources
      Imports
      Version Infos
      Possible Origin
    Static AutoIT Info
  Network Behavior
  Code Manipulations
  Statistics
  Behavior
    System Behavior
      Analysis Process: WhyNotWin11.exe PID: 4220 Parent PID: 5736 (General; File Activities: File Created, File Deleted, File Read)
      Analysis Process: dxdiag.exe PID: 4856 Parent PID: 4220 (General; File Activities: File Created, File Written; Registry Activities: Key Created, Key Value Created, Key Value Modified)
      Analysis Process: powershell.exe PID: 5968 Parent PID: 4220 (General; File Activities: File Created, File Deleted, File Written, File Read)
      Analysis Process: conhost.exe PID: 5960 Parent PID: 5968 (General)
      Analysis Process: powershell.exe PID: 3260 Parent PID: 4220 (General; File Activities: File Created, File Deleted, File Written, File Read)
      Analysis Process: conhost.exe PID: 620 Parent PID: 3260 (General)
      Analysis Process: MSTEE.sys PID: 4 Parent PID: -1 (General)
      Analysis Process: MSKSSRV.sys PID: 4 Parent PID: -1 (General)
      Analysis Process: powershell.exe PID: 3484 Parent PID: 4220 (General)
      Analysis Process: conhost.exe PID: 4544 Parent PID: 3484 (General)
  Disassembly
    Code Analysis

Copyright Joe Security LLC 2021 Page 2 of 20

Windows Analysis Report WhyNotWin11.exe

Overview

General Information
  Sample Name: WhyNotWin11.exe
  Analysis ID: 442089
  MD5: 8789b72870e493…
  SHA1: 70b2c3cd510a46…
  SHA256: 50f779f942777df…
  Infos:
  Most interesting Screenshot:

Detection
  Score: 48
  Range: 0 - 100
  Whitelisted: false
  Confidence: 100%

Signatures
  Binary is likely a compiled AutoIt script file
  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, …)
  Queries sensitive disk information (via WMI, Win32_DiskDrive, …)
  Queries sensitive service information (via WMI, Win32_LogicalDisk, …)
  Queries sensitive video device information (via WMI, Win32_VideoController, …)
  Query firmware table information (likely to detect VMs)
  Checks for available system drives (…
  Contains long sleeps (>= 3 min)
  Enables debug privileges
  Found a high number of Window / Us…
  Installs a global mouse hook
  May sleep (evasive loops) to hinder …
  PE file contains an invalid checksum
  PE file contains strange resources
  Queries sensitive Operating System …
  Queries sensitive processor information …
  Queries the volume information (nam…
  Spawns drivers

Classification
  Rating scale shown in the chart: malicious, suspicious, clean
  Chart categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware

Process Tree

System is w10x64

WhyNotWin11.exe (PID: 4220, cmdline: 'C:\Users\user\Desktop\WhyNotWin11.exe', MD5: 8789B72870E49315DB948B37710E70FB)
  dxdiag.exe (PID: 4856, cmdline: dxdiag /whql:off /t C:\Users\user\AppData\Local\Temp\dxdiaghlhhclf.tmp, MD5: 27CA7ED67C71BAA5690086BA05448416)
  powershell.exe (PID: 5968, cmdline: powershell -Command $env:firmware_type | Out-File -FilePath C:\Users\user\AppData\Local\Temp\~lyukrmt.tmp, MD5: 95000560239032BC68B4C2FDFCDEF913)
    conhost.exe (PID: 5960, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  powershell.exe (PID: 3260, cmdline: powershell -Command Get-Partition -DriveLetter C | Get-Disk | Select-Object -Property PartitionStyle | Out-File -FilePath C:\Users\user\AppData\Local\Temp\~lyukrmt.tmp, MD5: 95000560239032BC68B4C2FDFCDEF913)
    conhost.exe (PID: 620, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  powershell.exe (PID: 3484, cmdline: powershell -Command Confirm-SecureBootUEFI | Out-File -FilePath C:\Users\user\AppData\Local\Temp\~lyukrmt.tmp, MD5: 95000560239032BC68B4C2FDFCDEF913)
    conhost.exe (PID: 4544, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
MSTEE.sys (PID: 4, cmdline: (none), MD5: 8A11E03B32840C0B73C14D16794F1A8A)
MSKSSRV.sys (PID: 4, cmdline: (none), MD5: 6CF0815F0A75828CE1E0EE87EF0082F9)
cleanup
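The three PowerShell one-liners in the tree are Windows 11 firmware-readiness checks (firmware type, partition style of the system disk, Secure Boot state). Each runs as its own non-interactive powershell.exe and writes its result to the same temp file for the parent to read back; the copy of that file listed under Created / dropped Files holds the last result, the UTF-16 string False, which together with the "(type: UEFI)" line in the dxdiag output means the sandbox VM boots UEFI but has Secure Boot turned off. The following is an added example, not code from the report or from the WhyNotWin11 project: it performs the same three checks in one elevated session and reports why a check could not be made (legacy BIOS, Storage module unavailable, not elevated) instead of failing silently. The function name and the Ready field are inventions for this example.

```powershell
# Added example, not code from the report or from WhyNotWin11. Runs the three
# checks that the sample issued as separate powershell.exe processes in one
# session, and records why a check could not be made instead of failing.

function Get-Win11FirmwareReadiness {
    [CmdletBinding()]
    param(
        # The sample hard-coded C; default to the drive Windows actually booted from.
        [string]$SystemDrive = $env:SystemDrive.TrimEnd(':')
    )

    $result = [ordered]@{
        FirmwareType   = $env:firmware_type   # 'UEFI' or 'Legacy', set by the OS (Windows 8 and later)
        PartitionStyle = $null                # Windows 11 needs GPT; MBR implies legacy/CSM boot
        SecureBoot     = $null                # $true / $false, or 'Unsupported' on legacy firmware
        Notes          = @()
    }

    try {
        # Get-Partition / Get-Disk come from the Storage module and need elevation.
        $disk = Get-Partition -DriveLetter $SystemDrive -ErrorAction Stop | Get-Disk -ErrorAction Stop
        $result.PartitionStyle = [string]$disk.PartitionStyle
    } catch {
        $result.Notes += "Partition style unavailable: $($_.Exception.Message)"
    }

    try {
        # Confirm-SecureBootUEFI throws PlatformNotSupportedException on legacy BIOS and
        # an access-denied error when not elevated. A clean $false means UEFI firmware
        # with Secure Boot turned off, which is what the sandbox VM in the report returned.
        $result.SecureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch [System.PlatformNotSupportedException] {
        $result.SecureBoot = 'Unsupported'
        $result.Notes += 'Legacy BIOS or CSM boot: Secure Boot is not available on this firmware.'
    } catch {
        $result.Notes += "Secure Boot state unavailable: $($_.Exception.Message)"
    }

    # Windows 11 requires UEFI firmware, a GPT system disk and Secure Boot *capable*
    # firmware; a returned $false (supported but disabled) still satisfies the last one.
    $result.Ready = ($result.FirmwareType -eq 'UEFI') -and
                    ($result.PartitionStyle -eq 'GPT') -and
                    ($result.SecureBoot -is [bool])

    [pscustomobject]$result
}

Get-Win11FirmwareReadiness | Format-List
```

Run from an elevated prompt. On the sandbox VM described in this report the function would return FirmwareType UEFI and SecureBoot False; on a non-elevated session both the partition-style and Secure Boot lookups land in Notes rather than in the result fields, which is the distinction the sample's three separate processes cannot make because each only sees its own exit state.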

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Non Interactive PowerShell
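The rule fires because powershell.exe is launched by WhyNotWin11.exe rather than by an interactive shell such as explorer.exe or cmd.exe. The following is an added example, not part of the report or of the Sigma rule's own text: it applies that parent/child logic to process-creation records constructed from this report's process tree and additionally marks the hand-off pattern seen here, where each PowerShell command writes its result to %TEMP% for the parent to read back. The allow-list of interactive parents and the extra control record (PID 7000) are assumptions made for the example, not the rule's exact filter.

```powershell
# Added example, not from the report or the Sigma rule. Flags powershell.exe
# processes whose parent is not an interactive shell (the core of the
# "Non Interactive PowerShell" rule) and marks the write-to-%TEMP% hand-off
# pattern that every powershell.exe in this report's process tree shows.

# Assumed allow-list for this example; the real rule's filter differs in detail.
$InteractiveParents = @('explorer.exe', 'cmd.exe', 'powershell.exe', 'pwsh.exe',
                        'WindowsTerminal.exe', 'CompatTelRunner.exe')

function Test-NonInteractivePowerShell {
    param([Parameter(Mandatory, ValueFromPipeline)] [pscustomobject]$Record)
    process {
        $image  = [IO.Path]::GetFileName($Record.Image)
        $parent = [IO.Path]::GetFileName($Record.ParentImage)
        if (($image -in @('powershell.exe', 'pwsh.exe')) -and ($parent -notin $InteractiveParents)) {
            [pscustomobject]@{
                Pid          = $Record.ProcessId
                Parent       = "$parent (PID $($Record.ParentProcessId))"
                # Output redirected into the user's Temp directory so the parent can read it back.
                WritesToTemp = $Record.CommandLine -match 'Out-File\s+-FilePath\s+\S*\\AppData\\Local\\Temp\\'
                CommandLine  = $Record.CommandLine
            }
        }
    }
}

# Constructed records (Sysmon Event ID 1 style) built from the report's process tree.
$records = @(
    [pscustomobject]@{ ProcessId = 4856; ParentProcessId = 4220; Image = 'C:\Windows\System32\dxdiag.exe'
                       ParentImage = 'C:\Users\user\Desktop\WhyNotWin11.exe'
                       CommandLine = 'dxdiag /whql:off /t C:\Users\user\AppData\Local\Temp\dxdiaghlhhclf.tmp' }
    [pscustomobject]@{ ProcessId = 5968; ParentProcessId = 4220; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Users\user\Desktop\WhyNotWin11.exe'
                       CommandLine = 'powershell -Command $env:firmware_type | Out-File -FilePath C:\Users\user\AppData\Local\Temp\~lyukrmt.tmp' }
    [pscustomobject]@{ ProcessId = 5960; ParentProcessId = 5968; Image = 'C:\Windows\system32\conhost.exe'
                       ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1' }
    [pscustomobject]@{ ProcessId = 3260; ParentProcessId = 4220; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Users\user\Desktop\WhyNotWin11.exe'
                       CommandLine = 'powershell -Command Get-Partition -DriveLetter C | Get-Disk | Select-Object -Property PartitionStyle | Out-File -FilePath C:\Users\user\AppData\Local\Temp\~lyukrmt.tmp' }
    [pscustomobject]@{ ProcessId = 3484; ParentProcessId = 4220; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Users\user\Desktop\WhyNotWin11.exe'
                       CommandLine = 'powershell -Command Confirm-SecureBootUEFI | Out-File -FilePath C:\Users\user\AppData\Local\Temp\~lyukrmt.tmp' }
    # Assumed control record, not from the report: an interactively started shell.
    [pscustomobject]@{ ProcessId = 7000; ParentProcessId = 1234; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'powershell.exe' }
)

$records | Test-NonInteractivePowerShell | Format-Table -AutoSize
```

The filter is intentionally parent-based: the command lines here are benign cmdlets, so a content-based rule would not catch them, while the parent relationship (a desktop executable spawning three non-interactive shells in a row) is what distinguishes this from a user typing the same commands.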

Signature Overview


System Summary:

Binary is likely a compiled AutoIt script file

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)
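These signatures cover exactly the WMI classes a hardware-compatibility checker has to read, and a sandbox cannot infer intent from the query alone. What a VM-aware sample would do with the answers is compare them against hypervisor markers, and the dxdiag output listed under Created / dropped Files shows why that works even against this sandbox: System Manufacturer and System Model are random-looking strings (6Ymfc4xwBg6zMnG, duhanWP1), but the BIOS field still reads VMW71.00V…, a VMware firmware version string. The following is an added example, not code from the report or from the WhyNotWin11 project: it reads the flagged classes plus the raw SMBIOS table through GetSystemFirmwareTable (the "firmware table" query in the signature list) and scores the result against a small, illustrative marker list. The marker list, the function names and the Example.FirmwareNative type are assumptions made for this example.

```powershell
# Added example, not code from the report or from WhyNotWin11. Reads the WMI
# classes the sandbox flagged plus the raw SMBIOS table and scores the result
# against an illustrative (assumed, incomplete) list of hypervisor markers.

$HypervisorMarkers = @('VMware', 'VMW', 'VirtualBox', 'VBOX', 'QEMU', 'Xen', 'KVM',
                       'Hyper-V', 'Virtual Machine', 'innotek')

function Get-SmbiosRawTable {
    # GetSystemFirmwareTable('RSMB') returns the raw SMBIOS tables that Win32_BIOS and
    # Win32_BaseBoard are derived from; this is the "firmware table" query in the report.
    if (-not ('Example.FirmwareNative' -as [type])) {
        Add-Type -Namespace Example -Name FirmwareNative -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, byte[] buffer, uint size);
'@
    }
    $rsmb = 0x52534D42   # 'RSMB' provider signature
    $size = [Example.FirmwareNative]::GetSystemFirmwareTable($rsmb, 0, $null, 0)
    if ($size -eq 0) {
        throw "GetSystemFirmwareTable failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $buffer = New-Object byte[] $size
    [void][Example.FirmwareNative]::GetSystemFirmwareTable($rsmb, 0, $buffer, $size)
    $buffer
}

function Get-PlatformFingerprint {
    $bios   = Get-CimInstance Win32_BIOS
    $board  = Get-CimInstance Win32_BaseBoard
    $system = Get-CimInstance Win32_ComputerSystem
    $cpu    = Get-CimInstance Win32_Processor | Select-Object -First 1
    $disks  = Get-CimInstance Win32_DiskDrive
    $video  = Get-CimInstance Win32_VideoController
    $raw    = Get-SmbiosRawTable

    # Printable strings embedded in the SMBIOS blob; vendor names survive here even
    # when a sandbox rewrites the WMI-visible manufacturer/model fields.
    $smbiosStrings = [Text.Encoding]::GetEncoding('iso-8859-1').GetString($raw) -split '[^\x20-\x7e]+' |
                     Where-Object { $_.Length -ge 4 }

    [pscustomobject]@{
        BiosVendor    = $bios.Manufacturer
        BiosVersion   = $bios.SMBIOSBIOSVersion
        BaseBoard     = "$($board.Manufacturer) $($board.Product)"
        System        = "$($system.Manufacturer) $($system.Model)"
        Processor     = $cpu.Name
        Disks         = @($disks | ForEach-Object Model)
        VideoAdapters = @($video | ForEach-Object Name)
        SmbiosStrings = @($smbiosStrings)
    }
}

function Test-HypervisorMarkers {
    param([Parameter(Mandatory)] [pscustomobject]$Fingerprint)
    # Flatten every field (including array fields) and report which markers appear where.
    $fields = foreach ($p in $Fingerprint.PSObject.Properties) {
        foreach ($value in @($p.Value)) { [pscustomobject]@{ Field = $p.Name; Value = [string]$value } }
    }
    foreach ($f in $fields) {
        foreach ($m in $HypervisorMarkers) {
            if ($f.Value -like "*$m*") { [pscustomobject]@{ Field = $f.Field; Marker = $m; Value = $f.Value } }
        }
    }
}

$fp = Get-PlatformFingerprint
$fp | Format-List
Test-HypervisorMarkers -Fingerprint $fp | Format-Table -AutoSize
```

The point of reading both WMI and the raw table is the one this report illustrates: an analysis environment that only rewrites the WMI-visible manufacturer and model strings still leaks the platform through the BIOS version and through vendor strings embedded in the SMBIOS blob, so a credible sandbox has to patch the firmware tables themselves, not just the WMI layer on top of them.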

Mitre Att&ck Matrix

Techniques with matched signatures (the numbers are the signature counts shown in the rendered matrix; all other cells of the matrix are its unmatched template entries):

Initial Access: Replication Through Removable Media (1)
Execution: Windows Management Instrumentation (4 2 1)
Persistence: LSASS Driver (1)
Privilege Escalation: Process Injection (2)
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (3 4 1); Process Injection (2)
Credential Access: Input Capture (1)
Discovery: Security Software Discovery (4 2 1); Process Discovery (2); Virtualization/Sandbox Evasion (3 4 1); Application Window Discovery (1); Peripheral Device Discovery (1 1); File and Directory Discovery (1); System Information Discovery (2 2 4)
Lateral Movement: Replication Through Removable Media (1)
Collection: Input Capture (1)
Exfiltration, Command and Control, Network Effects, Remote Service Effects: no matched techniques

Behavior Graph

(Rendered graph; the legend, header and node labels recovered from the figure are listed here.)

Header: ID: 442089; Sample: WhyNotWin11.exe; Startdate: 29/06/2021; Architecture: WINDOWS; Score: 48

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Process nodes and "started" edges:
  WhyNotWin11.exe
    started dxdiag.exe
    started powershell.exe, which started conhost.exe
    started powershell.exe, which started conhost.exe
    started powershell.exe, which started conhost.exe
  MSTEE.sys
  MSKSSRV.sys

Signature nodes attached in the graph:
  Binary is likely a compiled AutoIt script file
  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
  Query firmware table information (likely to detect VMs)
  Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Per-node counters (created files / registry values) as rendered: 102, 10, 33, 18; their assignment to individual nodes is not recoverable from the text.

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source           Detection  Scanner        Label  Link
WhyNotWin11.exe  6%         Virustotal            Browse
WhyNotWin11.exe  4%         ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source                                                     Detection  Scanner          Label
https://www.whynotwin11.org/9                              0%         Avira URL Cloud  safe
pesterbdd.com/images/Pester.png (listed 3 times)           0%         URL Reputation   safe
https://fcofix.org/rcmaehl/wiki/I                          0%         Avira URL Cloud  safe
https://go.micro (listed 3 times)                          0%         URL Reputation   safe
www.iis.fhg.de/audioPA (listed 3 times)                    0%         URL Reputation   safe
https://contoso.com/ (listed 3 times)                      0%         URL Reputation   safe
https://contoso.com/License (listed 3 times)               0%         URL Reputation   safe
https://contoso.com/Icon (listed 3 times)                  0%         URL Reputation   safe
https://fcofix.org/WhyNotWin11/releaseso                   0%         Avira URL Cloud  safe
https://discord.gg/uBnBcBx                                 0%         Avira URL Cloud  safe
https://api.fcofix.org/repos/rcmaehl/WhyNotWin11/releases  0%         Avira URL Cloud  safe
https://fcofix.org/WhyNotWin11/releases                    0%         Avira URL Cloud  safe
https://connect.micr                                       0%         Avira URL Cloud  safe

(The Link column of the original table is empty for all rows.)

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 442089
Start date: 29.06.2021
Start time: 22:25:36
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 49s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: WhyNotWin11.exe
Cookbook file name: default.jbs
Analysis system description: 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 29
Number of new started drivers analysed: 2
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.evad.winEXE@12/20@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings:

Simulations

Behavior and APIs

Time      Type             Description
22:26:28  API Interceptor  40x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\D3DSCache\c7781427bc861c82\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
  Process: C:\Windows\System32\dxdiag.exe
  File Type: data
  Category: dropped
  Size (bytes): 196656
  Entropy (8bit): 0.015688265064222315
  Encrypted: false
  SSDEEP: 6:5OH0T9/0T0J0PBY0ipUtmL/q+O9/0T0J0PBY0ipUtmL/q+D:Ck9/sB9iatm2T9/sB9iatm26
  MD5: AAFCFE2318AA02F22E432CBAC77DE1AC
  SHA1: 610D514B5E32057DC63C592FFE109E200FA2B610
  SHA-256: 95644B9F0815B0D1DA81E9BEF66F9581D03ED4D5571F8656CAD4ED45D3AD3C81
  SHA-512: 178E01E979BB82EC2B840EE7305052237E452C7CE2DC40E1353D755B1A78AB7BB6E18785EF98825046412F9DFA3BA29439D48FE67089ED78BB8F2BA63270E349
  Malicious: false
  Reputation: low
  Preview: =...... f......

C:\Users\user\AppData\Local\D3DSCache\c7781427bc861c82\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
  Process: C:\Windows\System32\dxdiag.exe
  File Type: ASCII text, with no line terminators
  Category: dropped
  Size (bytes): 16
  Entropy (8bit): 2.75
  Encrypted: false
  SSDEEP: 3:AlFsT:Ek
  MD5: 831BEEF70A32B30EAC373457E324D1A0
  SHA1: 5BC8D4CD18207422CEDFA2E91E05F91B146E6581
  SHA-256: 9A18CAC27A08201B20F71227310F88AE4733F81867B0DAEBB2B3290DA0CA1C00
  SHA-512: D11C15E5E89FA2C2AFEA24F2E86F72B04584FBE26551788F59C51BC79A3D48C2316B85AA8F7BFD78C674A1BA667C8709E84D1E71CD85B896068AECAC40157CFC
  Malicious: false
  Preview: KCOLEERFKCOLEERF

C:\Users\user\AppData\Local\D3DSCache\c7781427bc861c82\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
  Process: C:\Windows\System32\dxdiag.exe
  File Type: data
  Category: dropped
  Size (bytes): 2960
  Entropy (8bit): 4.9880421123132646
  Encrypted: false
  SSDEEP: 48:Eaaf/LQmP7fSarec62LB3QtZzOTIMZDlyrYbvvKecI2LB3QtZza:Eay/LQ2S2KtZzOsMZ5y07CKtZz
  MD5: 2D5D866A2736F62D4F845B4BA5179BAD
  SHA1: 16FBD40CBFB47C6AF0EC76449F0AF9444DEB0A62
  SHA-256: 10E08C9E517109953EEBE2E5A97828591F7204491213ED84FE9328B6CE2CF1DB
  SHA-512: 1E6757E635FFECE16BE4CB13A0516E5A7371EE0B5B0E9A71C6CDE9DB5C16FCC94271D963CC19D0EB619A2F425D6E2467D12A5669199B778468C5D536607B9E8D
  Malicious: false
  Preview: ...... >...(....x:no.&A.e.u~+..C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.d.x.d.i.a.g...e.x.e...... (...p.DJ!.IL.....Z.F...... 8...(....\@L..Z..w10..{.DXBC.wi#L2.....

C:\Users\user\AppData\Local\\Windows\PowerShell\ModuleAnalysisCache
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: data
  Category: dropped
  Size (bytes): 52926
  Entropy (8bit): 5.057221940661537
  Encrypted: false
  SSDEEP: 1536:8taAxV3CNBQkj25h4iUxuaV7flJnVv6Hf5qdpn9QOdBQNOzktAHk4NKe7MEYoV4A:rAxV3CNBQkj25qiUuaV7flJnVvwf5qdh
  MD5: 6A3A1A8D9AA262648EFC4F9890578051
  SHA1: B703E844836D8D1516FC45CD7B666B60B70E963F
  SHA-256: 08FC05C00AE83991C21513E104DDF9ADBC2E4AA0D8E42F3C9B35AE6AD1852A47
  SHA-512: 1F7AC88BFA654BA0796E313D4EC692ED192E95150AB90AC8456B18CDDAA7681F8FEB46B9B6FBB70076C041869994FA12A7DBBCC26B0EE8411558420A78711403
  Malicious: false
  Preview: PSMODULECACHE.M...... I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1L...... gsmbo...... gsmbm...... Enable-SmbDelegation...... Remove-SmbMultichannelConstraint...... gsmbd...... gsmbb...... gsmbc...... gsmba...... Set-SmbPathAcl...... Grant-SmbShareAccess...... Get-SmbBandWidthLimit...... rsmbm...... New-SmbGlobalMapping...... rsmbb...... Get-SmbGlobalMapping...... Remove-SmbShare...... rksmba...... gsmbmc...... rsmbs...... Get-SmbConnection...... rsmbt...... Remove-SmbBandwidthLimit...... Set-SmbServerConfiguration...... cssmbo...... udsmbmc...... ssmbsc...... ssmbb...... Get-SmbShareAccess...... Get-SmbOpenFile...... dsmbd...... ssmbs...... ssmbp...... nsmbgm...... ulsmba...... Close-SmbOpenFile...... Revoke-SmbShareAccess...... nsmbt...... Disable-SmbDelegation...... nsmbs...... Block-SmbShareAccess...... gsmbcn...... Set-SmbBandwidthLimit...... Get-SmbClientConfiguration...... Get-SmbSession...... Get-Sm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: data
  Category: dropped
  Size (bytes): 64
  Entropy (8bit): 0.34726597513537405
  Encrypted: false
  SSDEEP: 3:Nlll:Nll
  MD5: 446DD1CF97EABA21CF14D03AEBC79F27
  SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
  SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
  SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
  Malicious: false
  Preview: @...e......

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4vpmlwhl.ptv.psm1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jxu35wqb.fi5.psm1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_khcor3be.buv.ps1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oovcqwzv.jro.ps1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rn1a4vmy.4jn.ps1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ubjo20b3.hgq.psm1
  (All six files carry identical metadata. PowerShell writes these one-byte files itself at startup to test whether script execution is blocked by application control; they are not dropped by the sample.)
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: very short file (no magic)
  Category: dropped
  Size (bytes): 1
  Entropy (8bit): 0.0
  Encrypted: false
  SSDEEP: 3:U:U
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
  SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
  SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
  Malicious: false
  Preview: 1

C:\Users\user\AppData\Local\Temp\dxdiaghlhhclf.tmp
  Process: C:\Windows\System32\dxdiag.exe
  File Type: ASCII text, with CRLF, LF line terminators
  Category: dropped
  Size (bytes): 88377
  Entropy (8bit): 5.224114321262324
  Encrypted: false
  SSDEEP: 768:OSErzBfzBqQJk55UtfvbWgYpSmr8sjyuxKjUqklnGpw/KykNEr+aL/FRJ1BKwI0:Op5IwyTIru/71C0
  MD5: 6A499EC2B814E595B882D62CE7EBD816
  SHA1: 42B5B0A3B3F0289747C653E4C6FA810730791D2C
  SHA-256: B7A9197D6B9CDD5B3E18FB496D5D8EF560BA13EA1DB2C2B4373596A226905C04
  SHA-512: 289C8B4C4440BB0899DBCA13D6FDCB69A88A7303E46CD493E92579C6E4C6B37AED0C2AC9F3F38BFC8348F1DBD6C863E5CAF8A02AEE3A05E4B4EC60622B73BD78
  Malicious: false
  Preview:
    ------
    System Information
    ------
    Time of this report: 6/29/2021, 22:26:26
    Machine name: 648351
    Machine Id: {A2AB526A-D38D-4FC9-8BA0-E34B8D6354E8}
    : Windows 10 Pro 64-bit (10.0, Build 17134) (17134.rs4_release.180410-1804)
    Language: English (Regional Setting: English)
    System Manufacturer: 6Ymfc4xwBg6zMnG
    System Model: duhanWP1
    BIOS: VMW71.00V.13989454.B64.1906190538 (type: UEFI)
    Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (4 CPUs), ~2.2GHz
    Memory: 8192MB RAM
    Available OS Memory: 8192MB RAM
    Page File: 1086MB used, 4416MB available
    Windows Dir: C:\Windows
    DirectX Version: DirectX 12
    DX Setup Parameters: Not found
    User DPI Setting: 96 DPI (100 percent)
    System DPI Setting: 96 DPI (100 percent)
    DWM DPI Scaling: Disabl

C:\Users\user\AppData\Local\Temp\~lyukrmt.tmp
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: Little-endian UTF-16 Unicode text, with CR line terminators
  Category: dropped
  Size (bytes): 16
  Entropy (8bit): 2.771782221599798
  Encrypted: false
  SSDEEP: 3:QjelriNn:Q6pk
  MD5: 0E13095E6C36F0AF19D63840FE6F945A
  SHA1: AD053237340BB76E86BCFE81574830CF02C5C8FF
  SHA-256: A7846AED2EBF5A722F58B67F9792C467CB0893D14E01CF0EFB89846A66A67E99
  SHA-512: E899F63C538C2F142EDBC1A268B4CF65FCDACEB1D4FEBFE2B1C72C396B74F5850A825D4295514DACFDD673E6F44C336916ED6997EC3FA4ABF78BF4D0993D283A
  Malicious: false
  Preview: ..F.a.l.s.e.....

C:\Users\user\Documents\20210629\PowerShell_transcript.648351.+v1ZYDdQ.20210629222627.txt
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
  Category: dropped
  Size (bytes): 1039
  Entropy (8bit): 5.186563711183153
  Encrypted: false
  SSDEEP: 24:BxSAhCxvBnFx2DOX9AnWIHjeTKKjX4CIym1ZJXtATnxSAZe:BZQvhFoONAWIqDYB1Z7AzZZe
  MD5: E5E21C2BE8F48B3AAF6EDA61C3582A75
  SHA1: D26526AF24C0046CF14DF6DC81EE9066D92ACD3F
  SHA-256: CD34686B9BF6F4C7F6EE38C04F225772136E7DC3CA777EB0BF2E59AF98AC2694
  SHA-512: 64EC95E38E51106E24896A188FF7D20681CDD9485CD6A11F4DF7CF9690F45989904DB5AD3B94CC3555A1C1B2696B062BA341CEAEAE46A57061EB829A479DC637
  Malicious: false
  Preview:
    **********************
    Windows PowerShell transcript start
    Start time: 20210629222628
    Username: computer\user
    RunAs User: computer\user
    Configuration Name:
    Machine: 648351 ( NT 10.0.17134.0)
    Host Application: powershell -Command $env:firmware_type | Out-File -FilePath C:\Users\user\AppData\Local\Temp\~lyukrmt.tmp
    Process ID: 5968
    PSVersion: 5.1.17134.1
    PSEdition: Desktop
    PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1
    BuildVersion: 10.0.17134.1
    CLRVersion: 4.0.30319.42000
    WSManStackVersion: 3.0
    PSRemotingProtocolVersion: 2.3
    SerializationVersion: 1.1.0.1
    **********************
    **********************
    Command start time: 20210629222628
    **********************
    PS>$env:firmware_type | Out-File -FilePath C:\Users\user\AppData\Local\Temp\~lyukrmt.tmp
    **********************
    Command start time: 20210629222726
    **********************
    PS>$global:?
    True
    **********************
    Windows PowerShell transcript end
    End time: 2

C:\Users\user\Documents\20210629\PowerShell_transcript.648351.BeFXrG7q.20210629222637.txt
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
  Category: dropped
  Size (bytes): 1163
  Entropy (8bit): 5.203866828991217
  Encrypted: false
  SSDEEP: 24:BxSA0xvBnFx2DOXs9yNpCAnW9HjeTKKjX4CIym1ZJXkyNpCAznxSAZ+:BZIvhFoOtCAW9qDYB1ZvCATZZ+
  MD5: 602938A7ED265F61C3E3A63C4B1A834F
  SHA1: 81B87701778966BA145589EFED05122E70EEAF9E
  SHA-256: 1DD307C91E87E5A0033A13253AAC290B57DE54AB7DAF28685B78F3BB2B9D761B
  SHA-512: 0EB04B1EAA6E3B328EC7354AB1CC2E60AC9E45D5E5A1FFD4BCE41FDD08FDE066D6E5DDDAF29692BEF948684EA88DBD78A6CB5BE1F34626F80C0EDB97FA87600E
  Malicious: false
  Preview:
    **********************
    Windows PowerShell transcript start
    Start time: 20210629222637
    Username: computer\user
    RunAs User: computer\user
    Configuration Name:
    Machine: 648351 (Microsoft Windows NT 10.0.17134.0)
    Host Application: powershell -Command Get-Partition -DriveLetter C | Get-Disk | Select-Object -Property PartitionStyle | Out-File -FilePath C:\Users\user\AppData\Local\Temp\~lyukrmt.tmp
    Process ID: 3260
    PSVersion: 5.1.17134.1
    PSEdition: Desktop
    PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1
    BuildVersion: 10.0.17134.1
    CLRVersion: 4.0.30319.42000
    WSManStackVersion: 3.0
    PSRemotingProtocolVersion: 2.3
    SerializationVersion: 1.1.0.1
    **********************
    **********************
    Command start time: 20210629222637
    **********************
    PS>Get-Partition -DriveLetter C | Get-Disk | Select-Object -Property PartitionStyle | Out-File -FilePath C:\Users\user\AppData\Local\Temp\~lyukrmt.tmp
    **********************
    Command start time: 202106

C:\Users\user\Documents\20210629\PowerShell_transcript.648351.zE+c3BTl.20210629222705.txt
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
  Category: dropped
  Size (bytes): 1047
  Entropy (8bit): 5.187698956703415
  Encrypted: false
  SSDEEP: 24:BxSAPxvBnFx2DOXs2AnWJHjeTKKjX4CIym1ZJXP2AYnxSAZ5:BZJvhFoOc2AWJqDYB1Zd2AGZZ5
  MD5: 24A65E473AFEEB33382F1E54375C799A
  SHA1: F30E39617E2D0F6FFD1371F25CAAB62134100C8B
  SHA-256: BADCBE52F25D304015ABFCB30748B81A14DDA789676D267FB1A91793352360D8
  SHA-512: C8A23DD0C7C79C3EE8502C3A12E41D0CA9E5E6FCB7106C6DC94166653891E379577A9906D785B7B955942F6B9B1A3DCFA7C0227046F94E31953B076DFBE183FE
  Malicious: false
  Preview:
    **********************
    Windows PowerShell transcript start
    Start time: 20210629222706
    Username: computer\user
    RunAs User: computer\user
    Configuration Name:
    Machine: 648351 (Microsoft Windows NT 10.0.17134.0)
    Host Application: powershell -Command Confirm-SecureBootUEFI | Out-File -FilePath C:\Users\user\AppData\Local\Temp\~lyukrmt.tmp
    Process ID: 3484
    PSVersion: 5.1.17134.1
    PSEdition: Desktop
    PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1
    BuildVersion: 10.0.17134.1
    CLRVersion: 4.0.30319.42000
    WSManStackVersion: 3.0
    PSRemotingProtocolVersion: 2.3
    SerializationVersion: 1.1.0.1
    **********************
    **********************
    Command start time: 20210629222706
    **********************
    PS>Confirm-SecureBootUEFI | Out-File -FilePath C:\Users\user\AppData\Local\Temp\~lyukrmt.tmp
    **********************
    Command start time: 20210629222813
    **********************
    PS>$global:?
    True
    **********************
    Windows PowerShell transcript end
    End

Static File Info

General
  File type: PE32+ executable (GUI) x86-64, for MS Windows
  Entropy (8bit): 6.3578931197366595
  TrID:
    Win64 Executable GUI (202006/5) 92.65%
    Win64 Executable (generic) (12005/4) 5.51%
    Generic Win/DOS Executable (2004/3) 0.92%
    DOS Executable Generic (2002/1) 0.92%
    Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
  File name: WhyNotWin11.exe
  File size: 1007616
  MD5: 8789b72870e49315db948b37710e70fb
  SHA1: 70b2c3cd510a46a965b79fd1266d089f359fd701
  SHA256: 50f779f942777df9ed5b85d6b449e40a705b3426c88c641594c7de5beecca6ad
  SHA512: 2e9980d54dd8c99bd24eba82fcd97c1cc954883645a0016203c5cc58c5522ad3ba5a9a00bf7e70645880db2116fba52f1f2b0b2e000006a2b83305428f63c207
  SSDEEP: 24576:DRaZROMOm8FN7TjsPnzt2heeRhQbJEOeamhbmy:9kxOm+7TjsPnztyDMmaUbm
  File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... v.bi2..:2. .:2..:.b.:3..:t..:...:t..:+..:t..:...:;..::..:;..:3..:;..:...:2..:...:.\.:b..:.\.: 3..:?..:3..:2..:3..:.\.:3..:Rich2..

File Icon

Icon Hash: 6767676767676767

Static PE Info

General
  Entrypoint: 0x14002fb2c
  Entrypoint Section: .text
  Digitally signed: false
  Imagebase: 0x140000000
  Subsystem: windows gui
  Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
  DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
  Time Stamp: 0x60DA145F [Mon Jun 28 18:26:39 2021 UTC]
  TLS Callbacks:
  CLR (.Net) Version:
  OS Version Major: 5
  OS Version Minor: 2
  File Version Major: 5
  File Version Minor: 2
  Subsystem Version Major: 5
  Subsystem Version Minor: 2
  Import Hash: 161c85364c462057ba28801ac1ad5404

Entrypoint Preview

Rich Headers

Data Directories

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0xa8285       0xa8400   False     0.549565262816   data       6.51159091106  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0xaa000          0x31808       0x31a00   False     0.289377361461   data       5.29127439186  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xdc000          0xb230        0x5e00    False     0.0889710771277  data       1.15891733596  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata  0xe8000          0x699c        0x6a00    False     0.495688384434   data       5.87141014565  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0xef000          0xe2e8        0xe400    False     0.556469298246   data       5.80383920153  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xfe000          0xa7c         0xc00     False     0.4833984375     data       5.15455256996  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Imports

Version Infos

Possible Origin

Language of compilation system: English
Country where language is spoken: Great Britain

Static AutoIT Info

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: WhyNotWin11.exe PID: 4220 Parent PID: 5736

General

Start time: 22:26:24
Start date: 29/06/2021
Path: C:\Users\user\Desktop\WhyNotWin11.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\WhyNotWin11.exe'
Imagebase: 0x7ff72cad0000
File size: 1007616 bytes
MD5 hash: 8789B72870E49315DB948B37710E70FB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

File Deleted

File Read

Analysis Process: dxdiag.exe PID: 4856 Parent PID: 4220

General

Start time: 22:26:25
Start date: 29/06/2021
Path: C:\Windows\System32\dxdiag.exe
Wow64 process (32bit): false
Commandline: dxdiag /whql:off /t C:\Users\user\AppData\Local\Temp\dxdiaghlhhclf.tmp
Imagebase: 0x7ff7505d0000
File size: 369664 bytes
MD5 hash: 27CA7ED67C71BAA5690086BA05448416
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

File Written

Registry Activities

Key Created

Key Value Created

Key Value Modified

Analysis Process: powershell.exe PID: 5968 Parent PID: 4220

General

Start time: 22:26:26
Start date: 29/06/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -Command $env:firmware_type | Out-File -FilePath C:\Users\user\AppData\Local\Temp\~lyukrmt.tmp
Imagebase: 0x7ff785e30000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

File Activities

File Created

File Deleted

File Written

File Read

Analysis Process: conhost.exe PID: 5960 Parent PID: 5968

General

Start time: 22:26:26
Start date: 29/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: powershell.exe PID: 3260 Parent PID: 4220

General

Start time: 22:26:36
Start date: 29/06/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -Command Get-Partition -DriveLetter C | Get-Disk | Select-Object -Property PartitionStyle | Out-File -FilePath C:\Users\user\AppData\Local\Temp\~lyukrmt.tmp
Imagebase: 0x7ff785e30000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

File Activities

File Created

File Deleted

File Written

File Read

Analysis Process: conhost.exe PID: 620 Parent PID: 3260

General

Start time: 22:26:37
Start date: 29/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: MSTEE.sys PID: 4 Parent PID: -1

General

Start time: 22:26:40
Start date: 29/06/2021
Path: C:\Windows\System32\drivers\MSTEE.sys
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff7488e0000
File size: 12800 bytes
MD5 hash: 8A11E03B32840C0B73C14D16794F1A8A
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: MSKSSRV.sys PID: 4 Parent PID: -1

General

Start time: 22:26:41
Start date: 29/06/2021
Path: C:\Windows\System32\drivers\MSKSSRV.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size: 33280 bytes
MD5 hash: 6CF0815F0A75828CE1E0EE87EF0082F9
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: powershell.exe PID: 3484 Parent PID: 4220

General

Start time: 22:27:04
Start date: 29/06/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -Command Confirm-SecureBootUEFI | Out-File -FilePath C:\Users\user\AppData\Local\Temp\~lyukrmt.tmp
Imagebase: 0x7ff785e30000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Analysis Process: conhost.exe PID: 4544 Parent PID: 3484

General

Start time: 22:27:04
Start date: 29/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis

Copyright Joe Security LLC, Joe Sandbox Cloud Basic 32.0.0 Black Diamond