Task: task1
Task: task2

General
Target: Exes_996ba35165bb62473d2a6743a5200d45.exe
Sample: 190729-9kj9ph1dhj
SHA256: 5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d
Score: N/A

Malware Config

Signatures
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5d4-0\Microsoft.PowerShell.GraphicalHost.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\e26d2700d474c30c13e234acb7fc3067\Microsoft.PowerShell.GraphicalHost.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\700-0\Microsoft.PowerShell.ISECommon.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\d507795c38d9f9fb343d60b9d65171fa\Microsoft.PowerShell.ISECommon.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\310-0\Microsoft.PowerShell.Management.Activities.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\5f7b8221a7d5c538f4354305f034f3ed\Microsoft.PowerShell.Management.Activities.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\27c-0\Microsoft.PowerShell.ScheduledJob.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\4426e25e1efde40881762cc23d7aaa56\Microsoft.PowerShell.ScheduledJob.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Drops file in system dir (5 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\498-0\Microsoft.PowerShell.Security.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\6b4f2136bd5323034fb9ff6c304b1e3e\Microsoft.PowerShell.Security.ni.dll.aux.tmp
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\498-0\Microsoft.Windows.DSC.CoreConfProviders.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\eea6c6f43b338e0bdeac71fb35bf254d\Microsoft.Windows.DSC.CoreConfProviders.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Loads dropped DLL (1 TTPs)
Loads dropped DLL (1 TTPs)
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\644-0\Microsoft.PowerShell.Security.Activities.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\7621dae1e55ea8ab099a898f35536dba\Microsoft.PowerShell.Security.Activities.ni.dll.aux.tmp
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\778-0\Microsoft.PowerShell.Utility.Activities.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\95ba4899f658f739a2a9f74896f9f387\Microsoft.PowerShell.Utility.Activities.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Drops file in system dir (5 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\6e4-0\Microsoft.PowerShell.Workflow.ServiceCore.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\43318a90223fca7f3df29ad55b59382e\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll.aux.tmp
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\6e4-0\System.Management.Automation.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ed18cbebc219551b9c8751127acc37ae\System.Management.Automation.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\538-0\Microsoft.WSMan.Management.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\5485e11ac0e4f0f52bde2b8cfdc783ae\Microsoft.WSMan.Management.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Loads dropped DLL (1 TTPs)
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\46c-0\Microsoft.WSMan.Management.Activities.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\31442bf47481031d2ffc618719a526d4\Microsoft.WSMan.Management.Activities.ni.dll.aux.tmp
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\760-0\Microsoft.WSMan.Runtime.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb#\c80373093de278b947eba63c75e1dc5c\Microsoft.WSMan.Runtime.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\690-0\Microsoft.PowerShell.Commands.Diagnostics.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe#\e7cff9a972c7e895395ce19219ee7e10\Microsoft.PowerShell.Commands.Diagnostics.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Drops file in system dir (7 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\724-0\Microsoft.PowerShell.Commands.Management.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9#\94a50c309cab8fd0a7b9f3f9d30bfa7d\Microsoft.PowerShell.Commands.Management.ni.dll.aux.tmp
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\724-0\Microsoft.PowerShell.Diagnostics.Activities.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1#\8ef96b02ffb05e145d43e74e4ec4a4af\Microsoft.PowerShell.Diagnostics.Activities.ni.dll.aux.tmp
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\724-0\Microsoft.PowerShell.Security.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626#\caaf26965ac83d6ce3cec7276b56e20f\Microsoft.PowerShell.Security.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\2f0-0\Microsoft.PowerShell.Commands.Utility.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea#\3c31905935689790ae19814e443d0e69\Microsoft.PowerShell.Commands.Utility.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Drops file in system dir (7 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\76c-0\Microsoft.PowerShell.ConsoleHost.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07#\199cfe0e93a1644147eeeb686532c57e\Microsoft.PowerShell.ConsoleHost.ni.dll.aux.tmp
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\76c-0\Microsoft.PowerShell.GPowerShell.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656#\934b8f230a672944b178c7bbfb33a555\Microsoft.PowerShell.GPowerShell.ni.dll.aux.tmp
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\76c-0\Microsoft.PowerShell.ScheduledJob.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136#\0d1b6fe0b8138e850120ff7a88a3b07c\Microsoft.PowerShell.ScheduledJob.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Drops file in system dir (5 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\694-0\Microsoft.PowerShell.Core.Activities.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce#\abd7f39bddd5bc98242373ee1615ab63\Microsoft.PowerShell.Core.Activities.ni.dll.aux.tmp
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\694-0\Microsoft.PowerShell.GraphicalHost.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b#\8889d3661791480ba80246f12a5c2f48\Microsoft.PowerShell.GraphicalHost.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Loads dropped DLL (1 TTPs)
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4d8-0\Microsoft.PowerShell.Editor.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611#\9b722a0a3dc01d0c6194ffbfe25b563c\Microsoft.PowerShell.Editor.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Loads dropped DLL (1 TTPs)
Drops file in system dir (5 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\41c-0\Microsoft.PowerShell.ISECommon.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62#\b8e01a33542a3ce3a189a2bae9530e8a\Microsoft.PowerShell.ISECommon.ni.dll.aux.tmp
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\41c-0\Microsoft.PowerShell.Utility.Activities.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5#\7a819854c83f3f4847304ff444080321\Microsoft.PowerShell.Utility.Activities.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Loads dropped DLL (1 TTPs)
Loads dropped DLL (1 TTPs)
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\bc-0\Microsoft.PowerShell.Management.Activities.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786#\db532429e51fb52dcc881b6e56421bdc\Microsoft.PowerShell.Management.Activities.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Loads dropped DLL (1 TTPs)
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\65c-0\Microsoft.PowerShell.Security.Activities.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83#\59b82e63da9e424e1d6c9f76e309d9e3\Microsoft.PowerShell.Security.Activities.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\6d8-1\Microsoft.PowerShell.Workflow.ServiceCore.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b#\125fc21007cedb909651d62fd3cb7d33\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll.aux.tmp
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\658-0\Microsoft.WSMan.Management.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We0722664#\eb8d35ee2ef448b0ac4b0e396927b26c\Microsoft.WSMan.Management.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)
Loads dropped DLL (1 TTPs)
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4f8-0\Microsoft.WSMan.Management.Activities.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001#\c4b53787a23c4d79686fcc4ef7f58a65\Microsoft.WSMan.Management.Activities.ni.dll.aux.tmp
Drops file in system dir (3 IoCs)
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\128-0\Microsoft.WSMan.Runtime.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb#\7e551f4dc439944b2a2eb69bb9edc30a\Microsoft.WSMan.Runtime.ni.dll.aux.tmp
Loads dropped DLL (1 TTPs)