PXUVmodpCYqRIPQ.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
initial sample

Filetype: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.578677614254891
Filename: PXUVmodpCYqRIPQ.exe
Filesize: 547840
MD5: b12869ee25cc50e4ebb7c66fd75b7b35
SHA1: 765488b8536cd89a7bd8ef0100ef97e9d7014c34
SHA256: 5a283f2f193bd78816d21cc62d0bb67a5570bc631f5c3752444abc28515e542c
SHA512: 39785edae5309c817f67341c2acb58800bbb89928c09553c01a7b5507a7fd4b1c66de207dde6a83efe8c7cff701835d6112d31b5b5f7254320ac250857da7fde
SSDEEP: 12288:jYd8xnswecl9ABKpzwmmZgya5PIh2FbLy0EOxmeOwmLBoYLyt:0weezF7onwmu
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\).g..............0..4...&.......S......`....@.. ....................................@................................

| Signature Hits | Behavior Group | Mitre Attack |
|---|---|---|
| Malicious sample detected (through community Yara rule) | System Summary | |
| Multi AV Scanner detection for submitted file | AV Detection | |
| .NET source code contains potential unpacker | Data Obfuscation | |
| Adds a directory exclusion to Windows Defender | HIPS / PFW / Operating System Protection Evasion | |
| Injects a PE file into a foreign process | HIPS / PFW / Operating System Protection Evasion | |
| Machine Learning detection for sample | AV Detection | |
| Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) | Malware Analysis System Evasion | Security Software Discovery |
| Uses schtasks.exe or at.exe to add and modify task schedules | Boot Survival | |
| Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion |
| Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | |
| Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion | |
| Detected potential crypto function | System Summary | |
| Drops PE files | Persistence and Installation Behavior | |
| Enables debug privileges | Anti Debugging | |
| Found inlined nop instructions (likely shell or obfuscated code) | Software Vulnerabilities | |
| May sleep (evasive loops) to hinder dynamic analysis | Malware Analysis System Evasion | |
| Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery |
| Sample file is different than original file name gathered from version info | System Summary | |
| Uses 32bit PE files | Compliance, System Summary | |
| Uses code obfuscation techniques (call, push, ret) | Data Obfuscation | Obfuscated Files or Information |
| Yara signature match | System Summary | |
| Binary may include packed or encrypted code | Data Obfuscation | |
| PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3) | System Summary | |
| .NET source code contains long base64-encoded strings | System Summary | |
| .NET source code contains many randomly named methods | Data Obfuscation | |
| Checks the free space of harddrives | Malware Analysis System Evasion | |
| Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | |
| Creates files inside the user directory | System Summary | |
| Creates guard pages, often used to prevent reverse engineering and debugging | Anti Debugging | |
| Creates temporary files | System Summary | |
| Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection | |
| Executes batch files | System Summary | |
| PE file has an executable .text section and no other executable section | System Summary | |
| Parts of this application are using the .NET runtime (probably coded in C#) | System Summary | |
| Queries a list of all running processes | Malware Analysis System Evasion | |
| Queries the cryptographic machine GUID | Language, Device and Operating System Detection | |
| Reads ini files | System Summary | File and Directory Discovery |
| Reads software policies | System Summary | |
| Sample is known by Antivirus | System Summary | |
| Sample reads its own file content | System Summary | |
| Tries to load missing DLLs | System Summary | |
| Uses an in-process (OLE) Automation server | System Summary | |
| Contains modern PE file flags such as dynamic base (ASLR) or NX | Compliance, System Summary | |
| PE file contains a COM descriptor data directory | System Summary | |
| Uses Microsoft Silverlight | System Summary | |


C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PXUVmodpCYqRIPQ.exe.log
ASCII text, with CRLF line terminators
dropped

File: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PXUVmodpCYqRIPQ.exe.log
Category: dropped
Dump: PXUVmodpCYqRIPQ.exe.log.0.dr
ID: dr_0
Target ID: 0
Process: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe
Type: ASCII text, with CRLF line terminators
Entropy: 5.34331486778365
Encrypted: false
Ssdeep: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size: 1216
Whitelisted: false
Reputation: timeout

| Signature Hits | Behavior Group | Mitre Attack |
|---|---|---|
| Multi AV Scanner detection for submitted file | AV Detection | |
| Machine Learning detection for sample | AV Detection | |
| Sample file is different than original file name gathered from version info | System Summary | |
| Uses 32bit PE files | Compliance, System Summary | |
| Binary may include packed or encrypted code | Data Obfuscation | Obfuscated Files or Information |
| PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3) | System Summary | |
| PE file has an executable .text section and no other executable section | System Summary | |
| Parts of this application are using the .NET runtime (probably coded in C#) | System Summary | |
| Sample is known by Antivirus | System Summary | |
| Contains modern PE file flags such as dynamic base (ASLR) or NX | Compliance, System Summary | |
| PE file contains a COM descriptor data directory | System Summary | |


C:\Users\user\AppData\Local\Temp\tmp6ABF.tmp
XML 1.0 document, ASCII text
dropped

File: C:\Users\user\AppData\Local\Temp\tmp6ABF.tmp
Category: dropped
Dump: tmp6ABF.tmp.0.dr
ID: dr_3
Target ID: 0
Process: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe
Type: XML 1.0 document, ASCII text
Entropy: 5.111631326774768
Encrypted: false
Ssdeep: 24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaKxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTVv
Size: 1573
Whitelisted: false
Reputation: timeout

| Signature Hits | Behavior Group | Mitre Attack |
|---|---|---|
| Sigma detected: Scheduled temp file as task from temp location | Persistence and Installation Behavior | |
| Uses schtasks.exe or at.exe to add and modify task schedules | Boot Survival | |
| Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion | |
| Sigma detected: Suspicious Schtasks From Env Var Folder | System Summary | |
| Creates temporary files | System Summary | |
| Spawns processes | System Summary | |


C:\Users\user\AppData\Roaming\Taskshell.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
dropped

File: C:\Users\user\AppData\Roaming\Taskshell.exe
Category: dropped
Dump: Taskshell.exe.9.dr
ID: dr_14
Target ID: 9
Process: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.578677614254891
Encrypted: false
Ssdeep: 12288:jYd8xnswecl9ABKpzwmmZgya5PIh2FbLy0EOxmeOwmLBoYLyt:0weezF7onwmu
Size: 547840
Whitelisted: false
Reputation: timeout

| Signature Hits | Behavior Group | Mitre Attack |
|---|---|---|
| Adds a directory exclusion to Windows Defender | HIPS / PFW / Operating System Protection Evasion | |
| Injects a PE file into a foreign process | HIPS / PFW / Operating System Protection Evasion | |
| Machine Learning detection for dropped file | AV Detection | |
| Sigma detected: Invoke-Obfuscation CLIP+ Launcher | System Summary | |
| Sigma detected: Invoke-Obfuscation VAR+ Launcher | System Summary | |
| Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion |
| Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion |
| Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion | |
| Drops PE files | Persistence and Installation Behavior | |
| Enables debug privileges | Anti Debugging | |
| Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery |
| Sigma detected: CurrentVersion Autorun Keys Modification | System Summary | |
| Checks the free space of harddrives | Malware Analysis System Evasion | System Information Discovery |
| Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion |
| Creates mutexes | System Summary | |
| Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection | |
| Spawns processes | System Summary | |
| Tries to load missing DLLs | System Summary | |


C:\Users\user\AppData\Roaming\xcsUjVN.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
dropped

File: C:\Users\user\AppData\Roaming\xcsUjVN.exe
Category: dropped
Dump: xcsUjVN.exe.0.dr
ID: dr_2
Target ID: 0
Process: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.578677614254891
Encrypted: false
Ssdeep: 12288:jYd8xnswecl9ABKpzwmmZgya5PIh2FbLy0EOxmeOwmLBoYLyt:0weezF7onwmu
Size: 547840
Whitelisted: false
Reputation: timeout

| Signature Hits | Behavior Group | Mitre Attack |
|---|---|---|
| Adds a directory exclusion to Windows Defender | HIPS / PFW / Operating System Protection Evasion | |
| Injects a PE file into a foreign process | HIPS / PFW / Operating System Protection Evasion | |
| Machine Learning detection for dropped file | AV Detection | |
| Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion |
| Checks if Antivirus/Antispyware/Firewall program is installed (via WMI) | Lowering of HIPS / PFW / Operating System Security Settings | Security Software Discovery, Windows Management Instrumentation |
| Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion |
| Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion | |
| Drops PE files | Persistence and Installation Behavior | |
| Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion | |
| Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery |
| Sigma detected: CurrentVersion Autorun Keys Modification | System Summary | |
| Sigma detected: Suspicious Add Scheduled Task Parent | System Summary | |
| Checks the free space of harddrives | Malware Analysis System Evasion | System Information Discovery |
| Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion |
| Creates an autostart registry key | Boot Survival | Registry Run Keys / Startup Folder |
| Creates files inside the user directory | System Summary | |
| Creates mutexes | System Summary | |
| Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection | |
| Spawns processes | System Summary | |
| Tries to load missing DLLs | System Summary | |


C:\Users\user\AppData\Roaming\xcsUjVN.exe:Zone.Identifier
ASCII text, with CRLF line terminators
dropped

File: C:\Users\user\AppData\Roaming\xcsUjVN.exe:Zone.Identifier
Category: dropped
Dump: xcsUjVN.exe_Zone.Identifier.0.dr
ID: dr_1
Target ID: 0
Process: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe
Type: ASCII text, with CRLF line terminators
Entropy: 3.95006375643621
Encrypted: false
Ssdeep: 3:ggPYV:rPYV
Size: 26
Whitelisted: false
Reputation: timeout

| Signature Hits | Behavior Group | Mitre Attack |
|---|---|---|
| Injects a PE file into a foreign process | HIPS / PFW / Operating System Protection Evasion | |
| Machine Learning detection for dropped file | AV Detection | |
| Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion |
| Checks if Antivirus/Antispyware/Firewall program is installed (via WMI) | Lowering of HIPS / PFW / Operating System Security Settings | Security Software Discovery, Windows Management Instrumentation |
| Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion |
| Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion | |
| Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion | |
| Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery |
| Checks the free space of harddrives | Malware Analysis System Evasion | System Information Discovery |
| Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion |
| Creates an autostart registry key | Boot Survival | Registry Run Keys / Startup Folder |
| Creates mutexes | System Summary | |
| Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection | |
| Spawns processes | System Summary | |
| Tries to load missing DLLs | System Summary | |


C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Taskshell.exe.log
ASCII text, with CRLF line terminators
dropped

File: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Taskshell.exe.log
Category: dropped
Dump: Taskshell.exe.log.22.dr
ID: dr_19
Target ID: 22
Process: C:\Users\user\AppData\Roaming\Taskshell.exe
Type: ASCII text, with CRLF line terminators
Entropy: 5.34331486778365
Encrypted: false
Ssdeep: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size: 1216
Whitelisted: false
Reputation: timeout


C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xcsUjVN.exe.log
ASCII text, with CRLF line terminators
dropped

File: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xcsUjVN.exe.log
Category: dropped
Dump: xcsUjVN.exe.log.10.dr
ID: dr_16
Target ID: 10
Process: C:\Users\user\AppData\Roaming\xcsUjVN.exe
Type: ASCII text, with CRLF line terminators
Entropy: 5.34331486778365
Encrypted: false
Ssdeep: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size: 1216
Whitelisted: false
Reputation: timeout


C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
modified

File: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category: modified
Dump: StartupProfileData-NonInteractive.4.dr
ID: dr_10
Target ID: 4
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: data
Entropy: 5.379571632516198
Encrypted: false
Ssdeep: 48:hWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//8M0Uyus:hLHxvCsIfA2KRHmOugw1s
Size: 2232
Whitelisted: false
Reputation: timeout


C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ocduxlf.la4.psm1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ocduxlf.la4.psm1
Category: dropped
Dump: __PSScriptPolicyTest_1ocduxlf.la4.psm1.4.dr
ID: dr_9
Target ID: 4
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout


C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4qaakl0i.rrq.ps1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4qaakl0i.rrq.ps1
Category: dropped
Dump: __PSScriptPolicyTest_4qaakl0i.rrq.ps1.2.dr
ID: dr_6
Target ID: 2
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout


C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a51n0j4b.0fp.psm1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a51n0j4b.0fp.psm1
Category: dropped
Dump: __PSScriptPolicyTest_a51n0j4b.0fp.psm1.25.dr
ID: dr_27
Target ID: 25
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout


C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cnupz1of.aeq.psm1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cnupz1of.aeq.psm1
Category: dropped
Dump: __PSScriptPolicyTest_cnupz1of.aeq.psm1.4.dr
ID: dr_12
Target ID: 4
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout


C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_epka4x3w.cn0.ps1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_epka4x3w.cn0.ps1
Category: dropped
Dump: __PSScriptPolicyTest_epka4x3w.cn0.ps1.2.dr
ID: dr_4
Target ID: 2
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout


C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fswybfmh.z10.ps1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fswybfmh.z10.ps1
Category: dropped
Dump: __PSScriptPolicyTest_fswybfmh.z10.ps1.25.dr
ID: dr_24
Target ID: 25
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout


C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h0liy2mn.kgo.psm1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h0liy2mn.kgo.psm1
Category: dropped
Dump: __PSScriptPolicyTest_h0liy2mn.kgo.psm1.2.dr
ID: dr_5
Target ID: 2
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout


C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i0zwkwtd.go3.psm1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i0zwkwtd.go3.psm1
Category: dropped
Dump: __PSScriptPolicyTest_i0zwkwtd.go3.psm1.2.dr
ID: dr_7
Target ID: 2
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout


C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jukudura.zah.psm1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jukudura.zah.psm1
Category: dropped
Dump: __PSScriptPolicyTest_jukudura.zah.psm1.23.dr
ID: dr_21
Target ID: 23
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout


C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kfpvhpkj.svu.ps1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kfpvhpkj.svu.ps1
Category: dropped
Dump: __PSScriptPolicyTest_kfpvhpkj.svu.ps1.4.dr
ID: dr_11
Target ID: 4
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout


C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ssmkoa0k.fzb.psm1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ssmkoa0k.fzb.psm1
Category: dropped
Dump: __PSScriptPolicyTest_ssmkoa0k.fzb.psm1.23.dr
ID: dr_23
Target ID: 23
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout


C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_twon4kc3.b3x.ps1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_twon4kc3.b3x.ps1
Category: dropped
Dump: __PSScriptPolicyTest_twon4kc3.b3x.ps1.23.dr
ID: dr_22
Target ID: 23
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout


C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u4jblz2x.tla.ps1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u4jblz2x.tla.ps1
Category: dropped
Dump: __PSScriptPolicyTest_u4jblz2x.tla.ps1.4.dr
ID: dr_8
Target ID: 4
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout


C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uaccw03f.dni.ps1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uaccw03f.dni.ps1
Category: dropped
Dump: __PSScriptPolicyTest_uaccw03f.dni.ps1.25.dr
ID: dr_26
Target ID: 25
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout


C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xjvv15qu.wsa.ps1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xjvv15qu.wsa.ps1
Category: dropped
Dump: __PSScriptPolicyTest_xjvv15qu.wsa.ps1.23.dr
ID: dr_20
Target ID: 23
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout


C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ynt0owbr.qdb.psm1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ynt0owbr.qdb.psm1
Category: dropped
Dump: __PSScriptPolicyTest_ynt0owbr.qdb.psm1.25.dr
ID: dr_25
Target ID: 25
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout


C:\Users\user\AppData\Local\Temp\tmp4AB4.tmp.bat
DOS batch file, ASCII text, with CRLF line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\tmp4AB4.tmp.bat
Category: dropped
Dump: tmp4AB4.tmp.bat.9.dr
ID: dr_13
Target ID: 9
Process: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe
Type: DOS batch file, ASCII text, with CRLF line terminators
Entropy: 5.054318091001482
Encrypted: false
Ssdeep: 3:mKDDCMNqTtvL5ot+kiEaKC5kPNIvmqRDt+kiE2J5xAInTRI77VZPy:hWKqTtT6wknaZ5kVIvmq1wkn23fTUVk
Size: 153
Whitelisted: false
Reputation: timeout

| Signature Hits | Behavior Group | Mitre Attack |
|---|---|---|
| Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion | |
| Executes batch files | System Summary | |
| Spawns processes | System Summary | |


C:\Users\user\AppData\Local\Temp\tmp880B.tmp
XML 1.0 document, ASCII text
dropped

File: C:\Users\user\AppData\Local\Temp\tmp880B.tmp
Category: dropped
Dump: tmp880B.tmp.10.dr
ID: dr_15
Target ID: 10
Process: C:\Users\user\AppData\Roaming\xcsUjVN.exe
Type: XML 1.0 document, ASCII text
Entropy: 5.111631326774768
Encrypted: false
Ssdeep: 24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaKxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTVv
Size: 1573
Whitelisted: false
Reputation: timeout

| Signature Hits | Behavior Group | Mitre Attack |
|---|---|---|
| Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion | |
| Sigma detected: Suspicious Add Scheduled Task Parent | System Summary | |
| Spawns processes | System Summary | |


C:\Users\user\AppData\Local\Temp\tmp948E.tmp
XML 1.0 document, ASCII text
dropped

File: C:\Users\user\AppData\Local\Temp\tmp948E.tmp
Category: dropped
Dump: tmp948E.tmp.21.dr
ID: dr_18
Target ID: 21
Process: C:\Users\user\AppData\Roaming\Taskshell.exe
Type: XML 1.0 document, ASCII text
Entropy: 5.111631326774768
Encrypted: false
Ssdeep: 24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaKxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTVv
Size: 1573
Whitelisted: false
Reputation: timeout

| Signature Hits | Behavior Group | Mitre Attack |
|---|---|---|
| Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion | |
| Spawns processes | System Summary | |


C:\Users\user\AppData\Local\Temp\tmpCF93.tmp
XML 1.0 document, ASCII text
dropped

File: C:\Users\user\AppData\Local\Temp\tmpCF93.tmp
Category: dropped
Dump: tmpCF93.tmp.33.dr
ID: dr_28
Target ID: 33
Process: C:\Users\user\AppData\Roaming\Taskshell.exe
Type: XML 1.0 document, ASCII text
Entropy: 5.111631326774768
Encrypted: false
Ssdeep: 24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaKxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTVv
Size: 1573
Whitelisted: false
Reputation: timeout

| Signature Hits | Behavior Group | Mitre Attack |
|---|---|---|
| Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion | |
| Spawns processes | System Summary | |


C:\Users\user\AppData\Local\Temp\tmpEF41.tmp
XML 1.0 document, ASCII text
dropped

File: C:\Users\user\AppData\Local\Temp\tmpEF41.tmp
Category: dropped
Dump: tmpEF41.tmp.37.dr
ID: dr_29
Target ID: 37
Process: C:\Users\user\AppData\Roaming\Taskshell.exe
Type: XML 1.0 document, ASCII text
Entropy: 5.111631326774768
Encrypted: false
Ssdeep: 24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaKxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTVv
Size: 1573
Whitelisted: false
Reputation: timeout

| Signature Hits | Behavior Group | Mitre Attack |
|---|---|---|
| Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion | |
| Spawns processes | System Summary | |


\Device\Null
ASCII text, with CRLF line terminators, with overstriking
dropped

File: \Device\Null
Category: dropped
Dump: Null.17.dr
ID: dr_17
Target ID: 17
Process: C:\Windows\SysWOW64\timeout.exe
Type: ASCII text, with CRLF line terminators, with overstriking
Entropy: 4.41440934524794
Encrypted: false
Ssdeep: 3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
Size: 60
Whitelisted: false
Reputation: timeout