Windows Analysis Report
hy.ps1

Overview

General Information

Sample name:	hy.ps1
Analysis ID:	1431651
MD5:	c867dbeca2907417d58f0bfb4de699d6
SHA1:	fa942ea34e59c938d9c307a9c5054118b21fa699
SHA256:	19317da5733e40de48774b836f81b6edd83a60976ef180b6e796928399cee1c3
Tags:	ps1
Infos:

Detection

AsyncRAT, DcRat, Metasploit

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected AsyncRAT

Yara detected DcRat

Yara detected MetasploitPayload

Found suspicious powershell code related to unpacking or dynamic code loading

Hijacks the control flow in another process

Loading BitLocker PowerShell Module

Queues an APC in another process (thread injection)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Signatures

AV Detection

Found malware configuration

Source: 00000003.00000002.2301362798.000001FEDD340000.00000004.08000000.00040000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Ports": ["3232"], "Server": ["91.92.252.234"], "Certificate": "MIICKTCCAZKgAwIBAgIVAKS5rqUGvWQFohqhbbhc/fhczFOxMA0GCSqGSIb3DQEBDQUAMF0xDjAMBgNVBAMMBUVCT0xBMRMwEQYDVQQLDApxd3FkYW5jaHVuMRwwGgYDVQQKDBNEY1JhdCBCeSBxd3FkYW5jaHVuMQswCQYDVQQHDAJTSDELMAkGA1UEBhMCQ04wHhcNMjMwNTI2MTIyOTU1WhcNMzQwMzA0MTIyOTU1WjAQMQ4wDAYDVQQDDAVEY1JhdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAjGggOWyKXHfRasv3ufPfya8A0qsxRAddSMAEiqyDLn9M1H6RFDtqd/Yok/NubIYLe1FbXiB0YfCR5RgdsQVKnUSEA2sI64BtMLpe/b15JcHRFWCt3Vr0Ho1S1Vpym4tXD3C2pBb+0Xwdx2z46EhZun0Lg/7fxMO+MR5EP+ZSzn0CAwEAAaMyMDAwHQYDVR0OBBYEFN19qEt9bh/uiiMyJBaJLMC7IcpgMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADgYEALf1x+A2bpgZri/KC6IBK2KIhZ634c6L+XeB/lfFGD7HFklggfsiRpl5v6/we6amFaV2uLlFVr2uduITo9ItSBzei5GvPVJvb7HGKY1TRdeGrur2Jm1KgNvMTLOhRw+4rStVaGPP2EzKEvev7ufogjloM3cAkhevaNasxxcDhMCw=", "Server Signature": "MZCsI864kmIzKFJC44vL3ya3ABqlMaLoEPmnFnwJE3ff3mZPALfgyzyzZ6QEJ/IzBakmLsEJga3Ls/81f/i6c++NCJCFfkeq/72Z5DXypIfIHefvzC/jQJR4Vg3yGUxtv1dmoafcvwBchkK5sy3fwqJ0BXfUgy7iJUDxOUMs50s="}

Source:

Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2299448154.000001F0C81F2000.00000004.00000020.00020000.00000000.sdmp

Source: powershell.exe, 00000000.00000002.2300072444.000001F0CA051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2300072444.000001F0CA051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 3.2.notepad.exe.1fedd340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.notepad.exe.1fedd340000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2301362798.000001FEDD340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: notepad.exe PID: 3424, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.notepad.exe.1fedd340000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 3.2.notepad.exe.1fedd340000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 3.2.notepad.exe.1fedd340000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 3.2.notepad.exe.1fedd340000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000003.00000002.2300716137.000001FEDB630000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000003.00000002.2300716137.000001FEDB630000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000003.00000002.2301362798.000001FEDD340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 00000003.00000002.2301362798.000001FEDD340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000000.00000002.2299929784.000001F0C9C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2299929784.000001F0C9C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000003.00000002.2300760860.000001FEDB6FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000003.00000002.2301419592.000001FEDD421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: notepad.exe PID: 3424, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown

Detected potential crypto function

Source: C:\Windows\System32\notepad.exe	Code function: 3_2_000001FEDB642523	3_2_000001FEDB642523
Source: C:\Windows\System32\notepad.exe	Code function: 3_2_000001FEDB642103	3_2_000001FEDB642103
Source: C:\Windows\System32\notepad.exe	Code function: 3_2_000001FEDB64295B	3_2_000001FEDB64295B
Source: C:\Windows\System32\notepad.exe	Code function: 3_2_000001FEDB642DE3	3_2_000001FEDB642DE3
Source: C:\Windows\System32\notepad.exe	Code function: 3_2_000001FEDB6414DB	3_2_000001FEDB6414DB

Yara signature match

Source: 3.2.notepad.exe.1fedd340000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 3.2.notepad.exe.1fedd340000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 3.2.notepad.exe.1fedd340000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 3.2.notepad.exe.1fedd340000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000003.00000002.2300716137.000001FEDB630000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000003.00000002.2300716137.000001FEDB630000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000003.00000002.2301362798.000001FEDD340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 00000003.00000002.2301362798.000001FEDD340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000000.00000002.2299929784.000001F0C9C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2299929784.000001F0C9C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000003.00000002.2300760860.000001FEDB6FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000003.00000002.2301419592.000001FEDD421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: notepad.exe PID: 3424, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12

Source: 3.2.notepad.exe.1fedd340000.0.raw.unpack, Settings.cs

Base64 encoded string: 'ZKy9yrztpz7yv3/a1mEzj7LN1ILbjAEngwbJuJN9gXUu2eYPLZGP4ulxSCEkn+5i8r0vJujifi71RwLaW3nyag==', 'ybygf6+agXAHWxflsE7Sr+wxZU6JYC+Pvd1S4RZ5sQSB0NtjWt5QTygoRGp+pMg28vvgeT0Oh4nItVicifUq0Q==', 'qTRhtxKTffPeOJ3knxBmUWWYHCE0+dVGhddRopV3Mlf6RSzuTneF8s4ZbOKqALBC1zmBEqplhVyEj2jpjYyY/g==', 'wiy6g6MUPmF4m/1bjIHPPUPZHcs2bgU7f4IZblHyBnHIh3P69HxgY+MqTPnxWb9Iz5xEsNmWgHThh28CTMs+s6IZ7Rf8mns9WANc8L372g1BeiFZiviCF5MiB/IeLQlfQGCkypHuAXuQaTtQn4Ioc/YGlrSOyL1NUv42+RRls71outdBa7pIB1zZ9hBpaeAr1exIMtL+Js2B/Xqy+XkEn8Zi55N3wuHTFb46WcidEggZ4LMinWq4Qd6/w2mHc/Ry+NMWBVVLQazNdj6b+P4VTM3n8b4QRW3Pk9ZlxoXsliJpEN7HCYuOHjUFPfyzRX0oYy7h1qSLoAXMQkDNQuDVc63/yVrFYw7ETOCMYXqdT2aKMbwkn4v+N5JJ1Q4Y8gPiSs1nrufgAw0QQbLV40UE5Kbz5SaqsYp8Bn2m4Cb9hspjlKd2qUVqLyJ2V7+FNwKv1Znwi2tjecQnoacR+zOnfZ8bz9wSZkak67PTaw/kPX/42YjE9tGq6ZbYPEQethQyixmB3r5p22kmcI3vvBlIv/R9QNAM1CYHRcHA8vYh662Qpw9T0xDJhILEEXG6k6CNHvj0kidRL9c7m/54415xDeGc/AaaiZ0KbctlyjvvDoDCqp++Egs1BzJ8aXfet3Aa1tEQqiDAwXAgTrhIwzDci9GnFeovmgSeQms9yp5RDWhiMY2f5AmQq76rz4jKwIGnuBzjSfk0ceUuASBMvaVygFVOSm7CSpD4hpEFNqNumMjvuTZ6MImmAFPqE3MF3BdMvvNhl0X3bld6bJYWSq+Lk7B6psdb2Yv1nEYG7K5kXFbpMuxmyhgh9kkH5HkbXeQ7XoLFq0Su7X51xfCkcmLyhfKqGYhOOAwRzhN2Iewu6S01BfKhzvHEtj7ijl1kTSerglGkLU5t6BkEt8Gdm+cCcqtbW3HKoj/z1CIoqhc1Ji28hUYGHkWmyywRyImOwlVtIm9gdvolhFK8gevIehJi/sNGbhAUqaPuWD1VT6XyM7S9YsJQ9uZBcAnedsnBp9cE3iJjQGu37evNrxlJW2U2KhmtPGHx71TTHrqQ+gBhG5I=', 'JNo5eYTTmLScwaJty1FGb9Cw1L5a7Bx99KM5Rb3CC8iFe5FH8A7Y/2uLaJHGoIAHjA+xgAhpsZQf9r6JqLtdXA==', 'HpJFVrfZtMkBQA7PAo91pVXU4D8x7V4+OxVLUsIQtKG2xK+iRXY501yTtQItCuLbDtSXqlxi/mHSeX2jaKPm+w==', 'vJNb45CmzU209S7A3rIKofVdmRiwGIW6iqJmEv0PUpsotSRkfxFRQLZL4KfU1/yWdhvgXAffWTpS6tZKK1shbw=='

Source: classification engine

Classification label: mal100.troj.evad.winPS1@4/10@0/0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Source: C:\Windows\System32\notepad.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8:120:WilError_03

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\hy.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\notepad.exe C:\Windows\System32\notepad.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\notepad.exe C:\Windows\System32\notepad.exe	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$var_buffer = $var_va.Invoke([IntPtr]::Ze
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('My
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String(@"IyBPYmZ1c2NhdGVkIHVzaW5nIGh0dHBzOi8vZ2l0aHViLmNvbS9EQVJLTk9TWS9SdXNoLVBvd2VyU2hlbGwtT2JmdXNjYXRvciwgbWFkZSBieSBEQVJLTjAkWQoKJGRlY29kZWRTY3JpcHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVV

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: notepad.exe, 00000003.00000002.2301362798.000001FEDD340000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLM{860BB310-5D01-11D0-BD3B-00A0C911CE86}
Source: notepad.exe, 00000003.00000002.2301362798.000001FEDD340000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Windows\System32\notepad.exe	Memory allocated: 1FEDD100000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Windows\System32\notepad.exe	Memory allocated: 1FEF5420000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\notepad.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4590			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5174			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4828	Thread sleep time: -9223372036854770s >= -30000s			Jump to behavior
Source: C:\Windows\System32\notepad.exe TID: 5112	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\notepad.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 1FEDB630067 value: FF	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 1FEDB63017A value: FF	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 1FEDB630191 value: FF	Jump to behavior

ID:	1431651
Product:	CloudBasic
Start time:	15:11:13
Start date:	25.04.2024
Sample:	hy.ps1
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	c867dbeca2907417d58f0bfb4de699d6
SHA1:	fa942ea34e59c938d9c307a9c5054118b21fa699
SHA256:	19317da5733e40de48774b836f81b6edd83a60976ef180b6e796928399cee1c3

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\notepad.exe.log	CSV text	D8F8A79B5C09FCB6F44E8CFFF11BF7CA	669AFE705130C81BFEFECD7CC216E6E10E72CB81	91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	EF4099FCAB6D29945272316889156337	5AAFAD4581D21179B892604BEBD6038792F8CBD6	A86220AB1F2A5498457C8801DFCBB2FE3EA6977378CE7E3EEBD007336AFDB3BC
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	2530F828998D06ABB41CE3D8F0D4C89A	1DE8CE458ED8D96FD1ECF818958EE9E387F2167D	52AE3D08D5A493DAFBCDC9CDBBC8E8AFC67DC50BE83F498A4FBA5892065CDC60
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bkawl2pe.cxf.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j30tmlh1.bex.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jk1cj3jc.qq5.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xo5uo42e.2ly.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3EC1V92W5H6258ESQE6M.temp	data	F2F61D98E46EB1A71F8C23C1F0D97398	E80B9C7024A4C56C156E9AA5FFCDFF9344839C9B	37E60C14202CD0558976BE50D4856279912D5214ECB6BD2FED6964750893665F
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)	data	F2F61D98E46EB1A71F8C23C1F0D97398	E80B9C7024A4C56C156E9AA5FFCDFF9344839C9B	37E60C14202CD0558976BE50D4856279912D5214ECB6BD2FED6964750893665F
\Device\ConDrv	ASCII text	125766A8B861C872E67C4D5D1FB765AD	1D15312CA5FDC779CBCF219E8EF3D2D10A7EB8DF	08D85C62DB94603664E2CDD3EBADBF83CBB86DCE28B8A3340A43236EF066C098

Windows Analysis Report hy.ps1

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
hy.ps1

Malware Threat Intel
Provided by