Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SimpleLapsGui_v1.2_Exe.zip

Zip archive data, at least v2.0 to extract, compression method=deflate

initial sample

Details

Filetype:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy:	7.998099900939836
Filename:	SimpleLapsGui_v1.2_Exe.zip
Filesize:	570290
MD5:	40e296eaf380e6a09af319b4927dc0ec
SHA1:	a51ef3a534366aeebbb08675a0e96ffdfc8e6267
SHA256:	d1448b239203fe5dc355e3e41a55b8096e7e9259d44fced44e8e51b70df0fe8f
SHA512:	bfb0e7073a3c0caf9c55bd75b4abd8336e1b85175c9c9b393877ef743a0912626a5f20fa1d94752399578b2e0c49c16b58a868e85bcdeca4312f8685b71db5a0
SSDEEP:	12288:A7UY37uSZCS0cYZSVijBdZ4Nq+vggDdLuPKCPMc9NUtTUCR0P:JC7Dz0rSgbZqqcDdLIKCP1UBUCaP
Preview:	PK.........e.V7x..=....P......SimpleLapsGui.exe.}y\|SU..K....}a)..)..*......<...$R...V-....$Pl..K..K....2.0.......,......e..)..b..K)Ux.s.})-.\|.....\|.w.w.s.=.=.>..... ....uAX+.?.....L...o}..n.O..5y?.?.l....3.xx...e.<...O...\|(kF.....g.F..z..).....b7.....So..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sample is known by Antivirus	System Summary

C:\Users\user\AppData\Local\Temp\n0thihp0.cmdline

Unicode text, UTF-8 (with BOM) text, with very long lines (346), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\n0thihp0.cmdline
Category:	dropped
Dump:	n0thihp0.cmdline.14.dr
ID:	dr_2
Target ID:	14
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (346), with no line terminators
Entropy:	5.218954180181912
Encrypted:	false
Size:	349
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Dot net compiler compiles file from suspicious location	Data Obfuscation
Compiles C# or VB.Net code	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Dynamic .NET Compilation Via Csc.EXE	System Summary
Sigma detected: Dynamic CSharp Compile Artefact	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\nqvspln._SimpleLapsGui.ps1

ASCII text, with very long lines (33496), with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nqvspln._SimpleLapsGui.ps1
Category:	dropped
Dump:	nqvspln._SimpleLapsGui.ps1.13.dr
ID:	dr_1
Target ID:	13
Process:	C:\Users\user\Desktop\SimpleLapsGui_v1.2_Exe\SimpleLapsGui.exe
Type:	ASCII text, with very long lines (33496), with CRLF line terminators
Entropy:	6.093423249320448
Encrypted:	false
Size:	60388
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Bypasses PowerShell execution policy	HIPS / PFW / Operating System Protection Evasion	PowerShell
Sigma detected: Dot net compiler compiles file from suspicious location	Data Obfuscation
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Suspicious powershell command line found	Data Obfuscation	PowerShell
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Dynamic .NET Compilation Via Csc.EXE	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.14.dr
ID:	dr_5
Target ID:	14
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	5.4388213111648
Encrypted:	false
Size:	16940
Whitelisted:	false

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dbobnfje.qtv.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dbobnfje.qtv.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_dbobnfje.qtv.psm1.14.dr
ID:	dr_3
Target ID:	14
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Size:	60
Whitelisted:	false

C:\Users\user\AppData\Local\Temp\autA745.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\autA745.tmp
Category:	dropped
Dump:	autA745.tmp.13.dr
ID:	dr_0
Target ID:	13
Process:	C:\Users\user\Desktop\SimpleLapsGui_v1.2_Exe\SimpleLapsGui.exe
Type:	data
Entropy:	7.8488516150202265
Encrypted:	false
Size:	43426
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\n0thihp0.0.cs

Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\n0thihp0.0.cs
Category:	dropped
Dump:	n0thihp0.0.cs.14.dr
ID:	dr_4
Target ID:	14
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Entropy:	4.876107337898055
Encrypted:	false
Size:	179
Whitelisted:	false

IPs

Domain

Country

Malicious

23.55.253.34

unknown

United States

127.0.0.1

unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SimpleLapsGui_v1.2_Exe.zip

Files

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSimpleLapsGui_v1.2_Exe.zip

Files

IPs

IOC Report
SimpleLapsGui_v1.2_Exe.zip