|
pDut.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
| Filetype: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
| Entropy: |
6.117696934685876
|
| Filename: |
pDut.dll
|
| Filesize: |
641885
|
| MD5: |
b8eea1c2963c2f26ff4ffe8de869c3cc
|
| SHA1: |
2a8a13db7afd001f093a2c6f82bc6ed93b1884c5
|
| SHA256: |
86ef41e44779b109e70b7d34c011b341c2d90654b149a718a380205287256bef
|
| SHA512: |
e1d4583f769c996b99787c662fe12575f4242ad5ac2251ed3bc9c4d6129794a716493342f9bc207bc4f3e0736ae351a5bbd7c03e36ea2d3fd6e5e51f0abf8a65
|
| SSDEEP: |
12288:+w1lEKREbddtOYRbHzcPwka1dCjc3N8ZFB:+w1lEKOpuYxiwkkgjAN8ZFB
|
| Preview: |
MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$........9.(.X.{.X.{.X.{...{0X.{...{.Y.{G.-{.X.{~.({.Y.{..M{.X.{K..z.X.{..r{}Y.{.X.{PX.{K..z.Y.{.!8{.Y.{Rich.X.{.......................
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Multi AV Scanner detection for submitted file |
AV Detection |
|
| Machine Learning detection for sample |
AV Detection |
|
| Uses 32bit PE files |
Compliance, System Summary |
|
| Sample file is different than original file name gathered from version info |
System Summary |
|
| PE file contains an invalid checksum |
Data Obfuscation |
|
| Sample is known by Antivirus |
System Summary |
|
| PE file has an executable .text section and no other executable section |
System Summary |
|
| PE file contains a debug data directory |
System Summary |
|
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_5ae826728d25cb185b65052fe76417bde20f1c2_7cac0383_1a83caea\Report.wer
|
Little-endian UTF-16 Unicode text, with CRLF line terminators
|
dropped
|
|
|
|
| File: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_5ae826728d25cb185b65052fe76417bde20f1c2_7cac0383_1a83caea\Report.wer
|
| Category: |
dropped
|
| Dump: |
Report.wer.16.dr
|
| ID: |
dr_11
|
| Target ID: |
16
|
| Process: |
C:\Windows\SysWOW64\WerFault.exe
|
| Type: |
Little-endian UTF-16 Unicode text, with CRLF line terminators
|
| Entropy: |
0.8434196145811474
|
| Encrypted: |
false
|
| Ssdeep: |
96:8tXpFOdxnYymy9haOKzfopXIQcQOsc6OguQcE5cw3ap+a+z+HbHgDAS/YyNLLTWc:89pU7ntHbFDOBj+q/u7siS274ItW
|
| Size: |
65536
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_64868dc4c92d6a6e56598a58e1863903bd4390_7cac0383_19679841\Report.wer
|
Little-endian UTF-16 Unicode text, with CRLF line terminators
|
dropped
|
|
|
|
| File: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_64868dc4c92d6a6e56598a58e1863903bd4390_7cac0383_19679841\Report.wer
|
| Category: |
dropped
|
| Dump: |
Report.wer.12.dr
|
| ID: |
dr_7
|
| Target ID: |
12
|
| Process: |
C:\Windows\SysWOW64\WerFault.exe
|
| Type: |
Little-endian UTF-16 Unicode text, with CRLF line terminators
|
| Entropy: |
0.847408015250028
|
| Encrypted: |
false
|
| Ssdeep: |
96:8mDXyFIxnYyHy9haoB7JnOpXIQcQGc6McE+cw3/7+a+z+HbHgDAS/YyNLLTWbSm8:8Cykn7HoIE/j+q/u7siS274ItW
|
| Size: |
65536
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d4707724df8dacf8df1a948061d31053afc578b_7cac0383_150f7325\Report.wer
|
Little-endian UTF-16 Unicode text, with CRLF line terminators
|
dropped
|
|
|
|
| File: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d4707724df8dacf8df1a948061d31053afc578b_7cac0383_150f7325\Report.wer
|
| Category: |
dropped
|
| Dump: |
Report.wer.5.dr
|
| ID: |
dr_3
|
| Target ID: |
5
|
| Process: |
C:\Windows\SysWOW64\WerFault.exe
|
| Type: |
Little-endian UTF-16 Unicode text, with CRLF line terminators
|
| Entropy: |
0.8399487668753685
|
| Encrypted: |
false
|
| Ssdeep: |
96:xXZ5oxnYyly9haOK7ESZpXIQcQGc6McE+cw3/7+a+z+HbHgDAS/YyNLLTWbSm9nG:xJ5ynpHoIE/j+q/u7s9S274Itb
|
| Size: |
65536
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6AB9.tmp.dmp
|
Mini DuMP crash report, 15 streams, Fri Apr 22 22:32:14 2022, 0x1205a4 type
|
dropped
|
|
|
|
| File: |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6AB9.tmp.dmp
|
| Category: |
dropped
|
| Dump: |
WER6AB9.tmp.dmp.5.dr
|
| ID: |
dr_0
|
| Target ID: |
5
|
| Process: |
C:\Windows\SysWOW64\WerFault.exe
|
| Type: |
Mini DuMP crash report, 15 streams, Fri Apr 22 22:32:14 2022, 0x1205a4 type
|
| Entropy: |
1.943626314248008
|
| Encrypted: |
false
|
| Ssdeep: |
192:fJo8O50EyDeihOfMYGbGQkfLZC8Y7j9N6nZqxxm6cBrSB:xoWEWAfZYGQkfLZxY7jv6nZqTMrE
|
| Size: |
45310
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6ED1.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
|
dropped
|
|
|
|
| File: |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6ED1.tmp.WERInternalMetadata.xml
|
| Category: |
dropped
|
| Dump: |
WER6ED1.tmp.WERInternalMetadata.xml.5.dr
|
| ID: |
dr_1
|
| Target ID: |
5
|
| Process: |
C:\Windows\SysWOW64\WerFault.exe
|
| Type: |
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
|
| Entropy: |
3.6885815839758767
|
| Encrypted: |
false
|
| Ssdeep: |
192:Rrl7r3GLNiZl6b6YWvSU2FRjDgmfFSSCpNL89bII1flnYm:RrlsNib6b6YuSU2FxgmfFSAIyfv
|
| Size: |
8342
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7162.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
|
|
|
| File: |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7162.tmp.xml
|
| Category: |
dropped
|
| Dump: |
WER7162.tmp.xml.5.dr
|
| ID: |
dr_2
|
| Target ID: |
5
|
| Process: |
C:\Windows\SysWOW64\WerFault.exe
|
| Type: |
XML 1.0 document, ASCII text, with CRLF line terminators
|
| Entropy: |
4.41806910678219
|
| Encrypted: |
false
|
| Ssdeep: |
48:cvIwSD8zsgJgtWI9cyWgc8sqYjhd8fm8M4J2+gFZYKK+q8vQ+jKcQIcQw0Md:uITfmnTgrsqY1qJUvKKnKkw0Md
|
| Size: |
4653
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E12.tmp.dmp
|
Mini DuMP crash report, 15 streams, Fri Apr 22 22:32:19 2022, 0x1205a4 type
|
dropped
|
|
|
|
| File: |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E12.tmp.dmp
|
| Category: |
dropped
|
| Dump: |
WER7E12.tmp.dmp.12.dr
|
| ID: |
dr_4
|
| Target ID: |
12
|
| Process: |
C:\Windows\SysWOW64\WerFault.exe
|
| Type: |
Mini DuMP crash report, 15 streams, Fri Apr 22 22:32:19 2022, 0x1205a4 type
|
| Entropy: |
1.9235552325255547
|
| Encrypted: |
false
|
| Ssdeep: |
192:SJozG50EyDwFOfMYlGrW8jyZC8Y779N62iwOqpr0T18cZ+:ioNEWwofZlGrW8jyZxY77v62ic
|
| Size: |
45110
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8518.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
|
dropped
|
|
|
|
| File: |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8518.tmp.WERInternalMetadata.xml
|
| Category: |
dropped
|
| Dump: |
WER8518.tmp.WERInternalMetadata.xml.12.dr
|
| ID: |
dr_5
|
| Target ID: |
12
|
| Process: |
C:\Windows\SysWOW64\WerFault.exe
|
| Type: |
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
|
| Entropy: |
3.6989921773934844
|
| Encrypted: |
false
|
| Ssdeep: |
192:Rrl7r3GLNiZjl6G6YW5SUTFlgmfLSSCprl89b/Isfk1m:RrlsNiNl6G6Y4SUTFlgmfLS4/7fb
|
| Size: |
8338
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER893F.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
|
|
|
| File: |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER893F.tmp.xml
|
| Category: |
dropped
|
| Dump: |
WER893F.tmp.xml.12.dr
|
| ID: |
dr_6
|
| Target ID: |
12
|
| Process: |
C:\Windows\SysWOW64\WerFault.exe
|
| Type: |
XML 1.0 document, ASCII text, with CRLF line terminators
|
| Entropy: |
4.470627968403778
|
| Encrypted: |
false
|
| Ssdeep: |
48:cvIwSD8zsgJgtWI9cyWgc8sqYjhhY8fm8M4J2+MZFlm+q84lB2KcQIcQw0td:uITfmnTgrsqY1bJGBmH2Kkw0td
|
| Size: |
4598
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB176.tmp.dmp
|
Mini DuMP crash report, 15 streams, Fri Apr 22 22:32:32 2022, 0x1205a4 type
|
dropped
|
|
|
|
| File: |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB176.tmp.dmp
|
| Category: |
dropped
|
| Dump: |
WERB176.tmp.dmp.16.dr
|
| ID: |
dr_8
|
| Target ID: |
16
|
| Process: |
C:\Windows\SysWOW64\WerFault.exe
|
| Type: |
Mini DuMP crash report, 15 streams, Fri Apr 22 22:32:32 2022, 0x1205a4 type
|
| Entropy: |
1.8151092865658691
|
| Encrypted: |
false
|
| Ssdeep: |
192:2JoQX/50EyD26hoNOfMY2GeeY7+9N6CnCzRqrpF9hrj:WoQWEWx1fZ2GeeY7+v6AN3
|
| Size: |
41686
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8E9.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
|
dropped
|
|
|
|
| File: |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8E9.tmp.WERInternalMetadata.xml
|
| Category: |
dropped
|
| Dump: |
WERB8E9.tmp.WERInternalMetadata.xml.16.dr
|
| ID: |
dr_9
|
| Target ID: |
16
|
| Process: |
C:\Windows\SysWOW64\WerFault.exe
|
| Type: |
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
|
| Entropy: |
3.6894428129568015
|
| Encrypted: |
false
|
| Ssdeep: |
192:Rrl7r3GLNiZn6G6YWWSUNyhrgmf6SADCpDC89blIsf1Xm:RrlsNip6G6YHSUNyNgmf6SPl7fI
|
| Size: |
8286
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC02E.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
|
|
|
| File: |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC02E.tmp.xml
|
| Category: |
dropped
|
| Dump: |
WERC02E.tmp.xml.16.dr
|
| ID: |
dr_10
|
| Target ID: |
16
|
| Process: |
C:\Windows\SysWOW64\WerFault.exe
|
| Type: |
XML 1.0 document, ASCII text, with CRLF line terminators
|
| Entropy: |
4.428569707945006
|
| Encrypted: |
false
|
| Ssdeep: |
48:cvIwSD8zs3JgtWI9cyWgc8sqYjhA8fm8M4J2+bFAi+q84SuKcQIcQw0td:uITfZnTgrsqY19JIi9Kkw0td
|
| Size: |
4552
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
| Category: |
dropped
|
| Dump: |
ModuleAnalysisCache.21.dr
|
| ID: |
dr_15
|
| Target ID: |
21
|
| Process: |
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
| Type: |
data
|
| Entropy: |
4.883977562702998
|
| Encrypted: |
false
|
| Ssdeep: |
192:h9smd3YrKkGdcU6CkVsm5emla9sm5ib4q4dVsm5emdjxoeRjp5Kib4nVFn3eGOVo:ySib4q4dvEib4nVoGIpN6KQkj2frkjhQ
|
| Size: |
11606
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\41kkxng4.0.cs
|
UTF-8 Unicode (with BOM) text
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\41kkxng4.0.cs
|
| Category: |
dropped
|
| Dump: |
41kkxng4.0.cs.21.dr
|
| ID: |
dr_13
|
| Target ID: |
21
|
| Process: |
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
| Type: |
UTF-8 Unicode (with BOM) text
|
| Entropy: |
5.038440975503667
|
| Encrypted: |
false
|
| Ssdeep: |
6:V/DsYLDS81zuJlmMRSRa+eNMjSSRr/++5xVBuSRNA5cWGQRZry:V/DTLDfu09eg5rG+5zBlK5Ny
|
| Size: |
417
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\41kkxng4.cmdline
|
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\41kkxng4.cmdline
|
| Category: |
dropped
|
| Dump: |
41kkxng4.cmdline.21.dr
|
| ID: |
dr_14
|
| Target ID: |
21
|
| Process: |
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
| Type: |
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
|
| Entropy: |
5.307755680441488
|
| Encrypted: |
false
|
| Ssdeep: |
6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fJbUzxs7+AEszIWXp+N23fJv9n:p37Lvkmb6KHBbUWZE8Bv9
|
| Size: |
351
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Compiles C# or VB.Net code |
Data Obfuscation |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Local\Temp\41kkxng4.dll
|
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\41kkxng4.dll
|
| Category: |
dropped
|
| Dump: |
41kkxng4.dll.29.dr
|
| ID: |
dr_26
|
| Target ID: |
29
|
| Process: |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
|
| Type: |
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
|
| Entropy: |
2.650746474841338
|
| Encrypted: |
false
|
| Ssdeep: |
24:etGSlmMWWOJy853Ek0s2E7OgpjdWQzbtkZfKkItOWI+ycuZhNr8akSwRPNnq:6+vz5UkGE7vpRWQzqJKv11ulr8a3wjq
|
| Size: |
3584
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\Users\user\AppData\Local\Temp\41kkxng4.out
|
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
|
modified
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\41kkxng4.out
|
| Category: |
modified
|
| Dump: |
41kkxng4.out.21.dr
|
| ID: |
dr_16
|
| Target ID: |
21
|
| Process: |
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
| Type: |
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
|
| Entropy: |
5.343017693214738
|
| Encrypted: |
false
|
| Ssdeep: |
24:AId3ka6KHBb1E8BwKaM5DqBVKVrdFAMBJTH:Akka6ABb1E8BwKxDcVKdBJj
|
| Size: |
848
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\CSC9452DD6E90C74A5284F45229D37BC.TMP
|
MSVC .res
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\CSC9452DD6E90C74A5284F45229D37BC.TMP
|
| Category: |
dropped
|
| Dump: |
CSC9452DD6E90C74A5284F45229D37BC.TMP.25.dr
|
| ID: |
dr_23
|
| Target ID: |
25
|
| Process: |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
|
| Type: |
MSVC .res
|
| Entropy: |
3.101674785919322
|
| Encrypted: |
false
|
| Ssdeep: |
12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryjal+ak7Ynqq4alfPN5Dlq5J:+RI+ycuZhNs+akSnfPNnqX
|
| Size: |
652
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\CSCE5529B6452BD443991E7FB86A88433C.TMP
|
MSVC .res
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\CSCE5529B6452BD443991E7FB86A88433C.TMP
|
| Category: |
dropped
|
| Dump: |
CSCE5529B6452BD443991E7FB86A88433C.TMP.29.dr
|
| ID: |
dr_25
|
| Target ID: |
29
|
| Process: |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
|
| Type: |
MSVC .res
|
| Entropy: |
3.1070071339744105
|
| Encrypted: |
false
|
| Ssdeep: |
12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry58ak7YnqqwRPN5Dlq5J:+RI+ycuZhNr8akSwRPNnqX
|
| Size: |
652
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\RES3B19.tmp
|
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x47e, 9 symbols
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\RES3B19.tmp
|
| Category: |
dropped
|
| Dump: |
RES3B19.tmp.27.dr
|
| ID: |
dr_24
|
| Target ID: |
27
|
| Process: |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
|
| Type: |
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x47e, 9 symbols
|
| Entropy: |
3.978467147955079
|
| Encrypted: |
false
|
| Ssdeep: |
24:HCIS9Qigkg4s4hHJYhKdNWI+ycuZhNs+akSnfPNnq9Gd:7ig9woKd41uls+a3n9q92
|
| Size: |
1316
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Local\Temp\RES52D7.tmp
|
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\RES52D7.tmp
|
| Category: |
dropped
|
| Dump: |
RES52D7.tmp.31.dr
|
| ID: |
dr_27
|
| Target ID: |
31
|
| Process: |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
|
| Type: |
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
|
| Entropy: |
3.9832080815912887
|
| Encrypted: |
false
|
| Ssdeep: |
24:HNnW9Q3HWxijhHThKdNWI+ycuZhNr8akSwRPNnq9hgd:Z5328NdKd41ulr8a3wjq9y
|
| Size: |
1320
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2zn2pbeb.bx3.ps1
|
very short file (no magic)
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2zn2pbeb.bx3.ps1
|
| Category: |
dropped
|
| Dump: |
__PSScriptPolicyTest_2zn2pbeb.bx3.ps1.21.dr
|
| ID: |
dr_18
|
| Target ID: |
21
|
| Process: |
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
| Type: |
very short file (no magic)
|
| Entropy: |
0.0
|
| Encrypted: |
false
|
| Ssdeep: |
3:U:U
|
| Size: |
1
|
| Whitelisted: |
true
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xkbxlwnt.njb.psm1
|
very short file (no magic)
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xkbxlwnt.njb.psm1
|
| Category: |
dropped
|
| Dump: |
__PSScriptPolicyTest_xkbxlwnt.njb.psm1.21.dr
|
| ID: |
dr_19
|
| Target ID: |
21
|
| Process: |
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
| Type: |
very short file (no magic)
|
| Entropy: |
0.0
|
| Encrypted: |
false
|
| Ssdeep: |
3:U:U
|
| Size: |
1
|
| Whitelisted: |
true
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\cweuuamv.0.cs
|
UTF-8 Unicode (with BOM) text
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\cweuuamv.0.cs
|
| Category: |
dropped
|
| Dump: |
cweuuamv.0.cs.21.dr
|
| ID: |
dr_20
|
| Target ID: |
21
|
| Process: |
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
| Type: |
UTF-8 Unicode (with BOM) text
|
| Entropy: |
5.082169696837192
|
| Encrypted: |
false
|
| Ssdeep: |
6:V/DsYLDS81zuJEPWmMRSR7a1TriuSRa+rVSSRnA/fewoZQy:V/DTLDfu+Pdx9rV5nA/PwQy
|
| Size: |
411
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\cweuuamv.cmdline
|
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\cweuuamv.cmdline
|
| Category: |
dropped
|
| Dump: |
cweuuamv.cmdline.21.dr
|
| ID: |
dr_21
|
| Target ID: |
21
|
| Process: |
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
| Type: |
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
|
| Entropy: |
5.233616509891766
|
| Encrypted: |
false
|
| Ssdeep: |
6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fOQcqzxs7+AEszIWXp+N23fOQcdx:p37Lvkmb6KHX9WZE8XY
|
| Size: |
351
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Compiles C# or VB.Net code |
Data Obfuscation |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Sigma detected: Suspicious Csc.exe Source File Folder |
System Summary |
|
| Sigma detected: Dynamic C Sharp Compile Artefact |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Local\Temp\cweuuamv.dll
|
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\cweuuamv.dll
|
| Category: |
dropped
|
| Dump: |
cweuuamv.dll.25.dr
|
| ID: |
dr_22
|
| Target ID: |
25
|
| Process: |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
|
| Type: |
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
|
| Entropy: |
2.6358141485539535
|
| Encrypted: |
false
|
| Ssdeep: |
24:etGSLm8+mUE7R853RY0kCGZ+4I4tkZffADZ0WI+ycuZhNs+akSnfPNnq:6LwXE7S50aJfOZX1uls+a3n9q
|
| Size: |
3584
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\Users\user\AppData\Local\Temp\cweuuamv.out
|
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
|
modified
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\cweuuamv.out
|
| Category: |
modified
|
| Dump: |
cweuuamv.out.21.dr
|
| ID: |
dr_12
|
| Target ID: |
21
|
| Process: |
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
| Type: |
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
|
| Entropy: |
5.3155037212616865
|
| Encrypted: |
false
|
| Ssdeep: |
12:xKIR37Lvkmb6KHX9WZE8XNKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KHCE89KaM5DqBVKVrdFAMBJTH
|
| Size: |
848
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\Documents\20220422\PowerShell_transcript.210979.yN_Qw8z3.20220422153314.txt
|
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
|
dropped
|
|
|
|
| File: |
C:\Users\user\Documents\20220422\PowerShell_transcript.210979.yN_Qw8z3.20220422153314.txt
|
| Category: |
dropped
|
| Dump: |
PowerShell_transcript.210979.yN_Qw8z3.20220422153314.txt.21.dr
|
| ID: |
dr_17
|
| Target ID: |
21
|
| Process: |
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
| Type: |
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
|
| Entropy: |
5.402564603202913
|
| Encrypted: |
false
|
| Ssdeep: |
24:BxSAqhxvBnD0x2DOXUWhpW0i5IPTLCHYt4qW+HjeTKKjX4CIym1ZJXi9pW0i5IPo:BZkvhD0oOBNi5I4Yt4t+qDYB1ZSNi5Iw
|
| Size: |
1359
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
