Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.ps1

ASCII text

initial sample

Details

Filetype:	ASCII text
Entropy:	5.531697379175942
Filename:	file.ps1
Filesize:	135178
MD5:	ee9898b3640a3d1c71aabade3ba25595
SHA1:	6855cf4e022d1956af522f63cc3194e53ba1ed49
SHA256:	e986a90a89678db350cd89ae29a5902e6dbb9dfda70cbd29e3289f82dd0ca865
SHA512:	b8a8d118d22e3de945a0913399309f577657a19de64ee561996fe6625db5636faf319e656971c4146aab74b9a1239d1c9a1c9b2059a23c6e99ad72681482b325
SSDEEP:	3072:C3uoUSPUupf+tLjGNX8cCIHKVmhDvaYSXTVcabKNwyUQI1hytOAfk:6USPUupf+ti8cpPDypXB7bKNwXQAyC
Preview:	function Hzin.{.PUBlg (CTOywb) (VyEopS) (kgef) (ruJwp) (RSQCVV) (avSGO) (nZABfj) (wYBp) (cLMU) (dQZSZm) (FfgwK) (PUSd) (BxbG) (rJgAfp) (OQtGfO).}.function nfEx.{.$Gbucvh=WdQxe 6 m m O Q u z.$s2cx=KYIC '8' 4 a C 5 W M w p z.$s2cx+$Gbucvh.}.function WnTocr.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	1.1628158735648508
Encrypted:	false
Ssdeep:	3:NlllulFgtj:NllUa
Size:	64
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pbzdxgou.amf.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pbzdxgou.amf.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_pbzdxgou.amf.psm1.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qmvq5uzg.d44.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qmvq5uzg.d44.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_qmvq5uzg.d44.ps1.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
Category:	dropped
Dump:	A13YHUCNLHRPHQDSXMZJ.temp.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	3.7394498499409226
Encrypted:	false
Ssdeep:	96:aeo33CxHJnTkvhkvCCt/xwg3JHMxwg3JHQ:aeoypn3/xhyxhu
Size:	6221
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A13YHUCNLHRPHQDSXMZJ.temp

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A13YHUCNLHRPHQDSXMZJ.temp
Category:	dropped
Dump:	A13YHUCNLHRPHQDSXMZJ.temp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	3.7394498499409226
Encrypted:	false
Ssdeep:	96:aeo33CxHJnTkvhkvCCt/xwg3JHMxwg3JHQ:aeoypn3/xhyxhu
Size:	6221
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\file.ps1"

Details

Is windows:	true
Is dropped:	false
PID:	7536
Target ID:	0
Parent PID:	2580
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\file.ps1"
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	23:19:50
Date:	24/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff788560000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7544
Target ID:	1
Parent PID:	7536
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	23:19:50
Date:	24/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://pesterbdd.com/images/Pester.png

unknown

http://nuget.org/NuGet.exe

unknown

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.apache.org/licenses/LICENSE-2.0.html

unknown

https://go.micro

unknown

https://contoso.com/

unknown

https://nuget.org/nuget.exe

unknown

https://contoso.com/License

unknown

https://contoso.com/Icon

unknown

https://oneget.orgX

unknown

https://aka.ms/pscore68

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://github.com/Pester/Pester

unknown

https://oneget.org

unknown

There are 4 hidden URLs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

206D4995000

heap

page read and write

7DF97E000

stack

page read and write

206DDAD4000

trusted library allocation

page read and write

7DF9FB000

stack

page read and write

7E044F000

stack

page read and write

206D6260000

heap

page readonly

7DEF3E000

stack

page read and write

206DCE25000

trusted library allocation

page read and write

206DDAF2000

trusted library allocation

page read and write

206D6784000

heap

page read and write

206D6621000

trusted library allocation

page read and write

206D6A28000

trusted library allocation

page read and write

206DE0E6000

trusted library allocation

page read and write

206DB86A000

trusted library allocation

page read and write

7DF6F8000

stack

page read and write

206D499B000

heap

page read and write

206D6801000

trusted library allocation

page read and write

206D6888000

trusted library allocation

page read and write

206D48C0000

heap

page read and write

206D49DD000

heap

page read and write

206DB1F0000

trusted library allocation

page read and write

206DBC3D000

trusted library allocation

page read and write

206D67C3000

heap

page read and write

206DD5B5000

trusted library allocation

page read and write

206D493D000

heap

page read and write

206DAA6F000

trusted library allocation

page read and write

206D881C000

trusted library allocation

page read and write

206D6786000

heap

page read and write

7DF57D000

stack

page read and write

206DD010000

trusted library allocation

page read and write

7DF5F9000

stack

page read and write

206DDDB0000

trusted library allocation

page read and write

206D49A2000

heap

page read and write

206DDD03000

trusted library allocation

page read and write

206D9E4E000

trusted library allocation

page read and write

206DD93B000

trusted library allocation

page read and write

206D4BB5000

heap

page read and write

206D6739000

heap

page read and write

206DD16A000

trusted library allocation

page read and write

7E0408000

stack

page read and write

7DF676000

stack

page read and write

7DEFFE000

stack

page read and write

206DD205000

trusted library allocation

page read and write

206D7BF4000

trusted library allocation

page read and write

206DD158000

trusted library allocation

page read and write

206DD307000

trusted library allocation

page read and write

206D493B000

heap

page read and write

7DEEB5000

stack

page read and write

206D6651000

trusted library allocation

page read and write

7DEFBD000

stack

page read and write

206D665C000

trusted library allocation

page read and write

206D972B000

trusted library allocation

page read and write

206D6240000

heap

page read and write

206D49B5000

heap

page read and write

206D71F4000

trusted library allocation

page read and write

206DC63D000

trusted library allocation

page read and write

206D6623000

trusted library allocation

page read and write

206D6746000

heap

page read and write

206D67F0000

heap

page read and write

206D497D000

heap

page read and write

206DB824000

trusted library allocation

page read and write

206DB08B000

trusted library allocation

page read and write

206D6250000

trusted library allocation

page read and write

206D4860000

heap

page read and write

206DB8E7000

trusted library allocation

page read and write

206D66E0000

heap

page execute and read and write

206DB889000

trusted library allocation

page read and write

206D66F0000

heap

page read and write

7DF7FE000

stack

page read and write

206D62D0000

heap

page read and write

206DBB77000

trusted library allocation

page read and write

7DF27D000

stack

page read and write

206D8D27000

trusted library allocation

page read and write

206DAB1D000

trusted library allocation

page read and write

206D85F4000

trusted library allocation

page read and write

206D4BB0000

heap

page read and write

206D4940000

heap

page read and write

206DCB49000

trusted library allocation

page read and write

206D497A000

heap

page read and write

206DD37D000

trusted library allocation

page read and write

206D49E4000

heap

page read and write

206DE6BE000

trusted library allocation

page read and write

206D48F0000

heap

page read and write

7DF3FE000

stack

page read and write

7DF2FE000

stack

page read and write

206D6210000

trusted library allocation

page read and write

206DE5CC000

trusted library allocation

page read and write

206DA9CC000

trusted library allocation

page read and write

206D8D2B000

trusted library allocation

page read and write

206D8C7B000

trusted library allocation

page read and write

206DB091000

trusted library allocation

page read and write

7DF87E000

stack

page read and write

206D67EB000

heap

page read and write

7DF4FE000

stack

page read and write

206D4780000

heap

page read and write

206D4903000

heap

page read and write

206DBC39000

trusted library allocation

page read and write

206DD3F7000

trusted library allocation

page read and write

206DE476000

trusted library allocation

page read and write

206DA84E000

trusted library allocation

page read and write

206DBB73000

trusted library allocation

page read and write

206D4880000

heap

page read and write

7DF47F000

stack

page read and write

206D6704000

heap

page read and write

206DCB1D000

trusted library allocation

page read and write

7DF777000

stack

page read and write

206DCBA3000

trusted library allocation

page read and write

206DA92E000

trusted library allocation

page read and write

206D62D5000

heap

page read and write

206D6270000

trusted library allocation

page read and write

7DF37B000

stack

page read and write

206DD043000

trusted library allocation

page read and write

206D4997000

heap

page read and write

There are 103 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.ps1

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.ps1

Files

Processes

URLs

Memdumps

IOC Report
file.ps1