IOC Report
626a961800203.rar


Files

File Path | Type | Category | Malicious
--- | --- | --- | ---
626a961800203.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | data | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped |
C:\Users\user\AppData\Local\Temp\RESAFF5.tmp | Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols | dropped |
C:\Users\user\AppData\Local\Temp\RESC0EC.tmp | Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_grhpvd1u.qdq.psm1 | very short file (no magic) | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iappz0mc.xf1.ps1 | very short file (no magic) | dropped |
C:\Users\user\AppData\Local\Temp\boqgffzj\CSC6A71A2D878D54201A284CABB415B85EF.TMP | MSVC .res | dropped |
C:\Users\user\AppData\Local\Temp\boqgffzj\boqgffzj.0.cs | UTF-8 Unicode (with BOM) text | dropped |
C:\Users\user\AppData\Local\Temp\boqgffzj\boqgffzj.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | dropped |
C:\Users\user\AppData\Local\Temp\boqgffzj\boqgffzj.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\boqgffzj\boqgffzj.out | UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators | modified |
C:\Users\user\AppData\Local\Temp\yb3ge0m0\CSCCD644729527F4748ACD06F6743FBF148.TMP | MSVC .res | dropped |
C:\Users\user\AppData\Local\Temp\yb3ge0m0\yb3ge0m0.0.cs | UTF-8 Unicode (with BOM) text | dropped |
C:\Users\user\AppData\Local\Temp\yb3ge0m0\yb3ge0m0.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | dropped |
C:\Users\user\AppData\Local\Temp\yb3ge0m0\yb3ge0m0.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\yb3ge0m0\yb3ge0m0.out | UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators | modified |
C:\Users\user\Documents\20220428\PowerShell_transcript.609290.5b3sR3N3.20220428153620.txt | UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators | dropped |

Processes

Path | Cmdline | Malicious
--- | --- | ---
C:\Windows\SysWOW64\cmd.exe | cmd.exe /C rundll32.exe "C:\Users\user\Desktop\626a961800203.dll",#1 | malicious
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe "C:\Users\user\Desktop\626a961800203.dll",#1 | malicious
C:\Windows\System32\mshta.exe | "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Qbwe='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qbwe).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>" | malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name elhthuju -value gp; new-alias -name fwiwawp -value iex; fwiwawp ([System.Text.Encoding]::ASCII.GetString((elhthuju "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) | malicious
C:\Windows\System32\control.exe | C:\Windows\system32\control.exe -h | malicious
C:\Windows\explorer.exe | C:\Windows\Explorer.EXE | malicious
C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\626a961800203.dll" | malicious
C:\Windows\System32\PING.EXE | ping localhost -n 5 | malicious
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | malicious
C:\Windows\System32\cmd.exe | cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\92B2.bi1" | malicious
C:\Windows\System32\rundll32.exe | "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h | malicious
C:\Windows\System32\loaddll32.exe | loaddll32.exe "C:\Users\user\Desktop\626a961800203.dll" |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\boqgffzj\boqgffzj.cmdline" |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAFF5.tmp" "c:\Users\user\AppData\Local\Temp\boqgffzj\CSC6A71A2D878D54201A284CABB415B85EF.TMP" |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yb3ge0m0\yb3ge0m0.cmdline" |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC0EC.tmp" "c:\Users\user\AppData\Local\Temp\yb3ge0m0\CSCCD644729527F4748ACD06F6743FBF148.TMP" |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
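The process tree above is the useful part of this report for detection: rundll32 loads the DLL by ordinal from the user's Desktop, mshta runs an inline "about:" HTA that evals script read back out of HKCU\Software\AppDataLow\Software\Microsoft\{GUID}, PowerShell aliases gp (Get-ItemProperty) and iex (Invoke-Expression) to random names before pulling a second value from the same key, nslookup against resolver1.opendns.com discovers the public IP, and a ping-as-sleep precedes deletion of the original sample. The csc.exe/cvtres.exe pair, together with the *.cmdline, *.0.cs, *.dll and RES*.tmp files under %TEMP% in the Files table, is what PowerShell's Add-Type leaves behind, so on its own it is a weak signal. The Python below is an added example, not part of the sandbox report, that encodes those behaviours as regex rules and runs them over the command lines from this page (copied in as constructed test input). The rule names, the restriction to paths under \Users\, and the decision to keep the csc rule as low-confidence are my assumptions; adjust them to your telemetry.

```python
import re

# Behavioural rules derived from the process tree on this page. Names and
# patterns are assumptions of this example, not vendor or sandbox signatures.
RULES = [
    # rundll32 loading a DLL from a user profile path by export ordinal (",#1")
    ("rundll32_ordinal_user_dll",
     re.compile(r'rundll32(?:\.exe)?\s+"?[^"]*\\Users\\[^"]*\.dll"?\s*,\s*#\d+', re.I)),
    # mshta running an inline "about:" HTA that evals script read from the registry
    ("mshta_inline_hta_regread",
     re.compile(r'mshta\.exe.*about:.*<script>.*regread\(', re.I | re.S)),
    # PowerShell aliasing gp (Get-ItemProperty) / iex (Invoke-Expression) to dodge keyword matching
    ("powershell_aliased_iex",
     re.compile(r'new-alias\s+-name\s+\S+\s+-value\s+(?:iex|gp)\b', re.I)),
    # ping used as a sleep, then deletion of the original sample
    ("ping_sleep_then_del",
     re.compile(r'ping\s+\S+\s+-n\s+\d+\s*&&\s*del\b', re.I)),
    # public IP discovery through OpenDNS
    ("external_ip_lookup_opendns",
     re.compile(r'nslookup\s+myip\.opendns\.com\s+resolver1\.opendns\.com', re.I)),
    # csc.exe compiling a .cmdline from %TEMP%: what Add-Type leaves behind (low confidence alone)
    ("csc_compile_from_temp",
     re.compile(r'csc\.exe.*\\Temp\\[^"]*\.cmdline', re.I)),
]

# Command lines copied from the Processes table on this page, used here as
# constructed test input (a subset, with benign rows kept for contrast).
SAMPLE_CMDLINES = [
    r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\626a961800203.dll",#1',
    r'rundll32.exe "C:\Users\user\Desktop\626a961800203.dll",#1',
    r'''"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Qbwe='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qbwe).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>"''',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name elhthuju -value gp; new-alias -name fwiwawp -value iex; fwiwawp ([System.Text.Encoding]::ASCII.GetString((elhthuju "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))',
    r'C:\Windows\system32\control.exe -h',
    r'"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\626a961800203.dll"',
    r'ping localhost -n 5',
    r'cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\92B2.bi1"',
    r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h',
    r'loaddll32.exe "C:\Users\user\Desktop\626a961800203.dll"',
    r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\boqgffzj\boqgffzj.cmdline"',
    r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAFF5.tmp" "c:\Users\user\AppData\Local\Temp\boqgffzj\CSC6A71A2D878D54201A284CABB415B85EF.TMP"',
]


def scan(cmdlines):
    """Return (cmdline, [rule names]) for every command line that matches at least one rule."""
    hits = []
    for line in cmdlines:
        matched = [name for name, rx in RULES if rx.search(line)]
        if matched:
            hits.append((line, matched))
    return hits


def rule_counts(cmdlines):
    """Number of command lines each rule fired on; handy for spotting noisy rules."""
    counts = {name: 0 for name, _ in RULES}
    for _, matched in scan(cmdlines):
        for name in matched:
            counts[name] += 1
    return counts


if __name__ == "__main__":
    for line, matched in scan(SAMPLE_CMDLINES):
        print(", ".join(matched), "<-", line[:90])
```

Run against the sample set, seven of the twelve command lines fire and each hits exactly one rule; the cvtres, conhost, loaddll32, control.exe and bare ping rows stay silent, which is the behaviour you want before pointing the rules at real process-creation telemetry (Sysmon event 1 or 4688 with command-line logging).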

URLs

Name | IP | Malicious
--- | --- | ---
http://94.140.115.8/drew/LzZSD0tVM_2BsonXWK/DxGr8_2Fs/ptvwg5b1i5bmL0teUgxQ/9o_2BYDNRVvPoQoxMtW/BIdfmFo0ukzJeDObjwSUDY/Htb97x6cm9qTp/tEkEvLrP/n0HksQRnfyb9faVq3lqt7w_/2FGj3GkMdb/gW3lDpUUG8UJpLQkT/d_2FWch36CgQ/Ms7kl6_2FQw/_2FYis_2FJuf4b/1W5qGDemarWZETpD245uj/A3G16gP5qOjvKH3G/vv5_2BVLbj8z6ts/CLUiAk4VGnKgZlEBPz/xZ0KblNF.jlk | 94.140.115.8 | malicious
http://94.140.115.8/drew/6wy5UyOmrJ6HQIq62A/VkrnX6r04/0fFrbYM4DFb5wAzrw_2B/FNzEWhK2WSNEE81GIZV/7J75XXRSaKXlPlnEWRIx2d/cgL4K_2BZrIVj/9osxFaDv/Lc0bZAFyY2PSeXZy5ftLnD9/al2n0BaRS9/SY2dQ9m8xRHbivY38/0pCnmgy_2Bef/l4rMGbb_2B_/2B4w0AfPWShYFd/4cpEVVLZL_2FDyp7NTbNc/rNxu0uITLsW428ao/71RUURUKbVQL7Cx/eCGP96f5gt/RxWMq4kdm/g.jlk | 94.140.115.8 | malicious
http://94.140.115.8/drew/Gv5Z0BH7gi4l/Xtbvn5vUJ8S/xOKV3qdD_2FR7k/HBHojg_2BImCG6h9pQAWJ/OLNLYJlFkOIbmlfx/xLBPPTo798kTGWF/uarevqL_2FqMq6GmJ9/Ff_2BWjst/_2BcRA9bYxr5hTBTuFyb/8zAPHcBPMbLfJl2Crow/FreBlXlshr_2FnJ_2FgWzv/h4GyHVjgDhcnY/ozdI4s6t/aG5qJQuNKTWUqUa97JxeXEE/v4CNuvvBlw/ItFnqFPJKxxqxJOlb/WVUcVG1SDD9B/T_2BjHrCJGz/H.jlk | 94.140.115.8 | malicious
http://https://file://USER.ID%lu.exe/upd | unknown |
http://constitution.org/usdeclar.txt | unknown |
http://pesterbdd.com/images/Pester.png | unknown |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown |
http://www.apache.org/licenses/LICENSE-2.0.html | unknown |
http://94.140.115.8/drew/LzZSD0tVM_2BsonXWK/DxGr8_2Fs/ptvwg5b1i5bmL0teUgxQ/9o_2BYDNRVvPoQoxMtW/BIdfm | unknown |
https://github.com/Pester/Pester | unknown |
http://constitution.org/usdeclar.txtC: | unknown |
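The URL table mixes three kinds of entry and only one of them belongs on a blocklist: requests actually made to 94.140.115.8 (long random-looking paths under /drew/, normally ending in .jlk), strings carved out of the binary that were never requested (http://https://file://USER.ID%lu.exe/upd with its printf placeholder, and the constitution.org entry with C: glued onto the end), and library or licence references such as the Pester, Apache licence and xmlsoap schema URLs. The Python below is an added example, not part of the report, that separates those buckets. The c2_pattern bucket, the 198.51.100.7 test URL (a documentation address I constructed) and the reading of the _2B/_2F tokens as stand-ins for percent-encoded + and / are my assumptions, added to show how the same path shape can be hunted on hosts not yet in the indicator list.

```python
import re
from urllib.parse import urlparse

# Host observed serving the payload URLs in the table above.
C2_HOSTS = {"94.140.115.8"}

# Shape of the observed request paths: "/drew/" followed by slash-separated
# alphanumeric/underscore segments, usually ending in ".jlk". The "_2B"/"_2F"
# tokens sit where percent-encoded "+" and "/" (%2B, %2F) would appear; that
# reading is an assumption of this example, not a statement from the report.
C2_PATH = re.compile(r"^/drew/[A-Za-z0-9_/]+(?:\.jlk)?$")
TOKEN = re.compile(r"_2[BF]")

# Entries copied from the URLs table, plus one constructed URL on a
# documentation address to exercise the pattern match on a new host.
SAMPLE_URLS = [
    "http://94.140.115.8/drew/LzZSD0tVM_2BsonXWK/DxGr8_2Fs/ptvwg5b1i5bmL0teUgxQ/9o_2BYDNRVvPoQoxMtW/BIdfmFo0ukzJeDObjwSUDY/Htb97x6cm9qTp/tEkEvLrP/n0HksQRnfyb9faVq3lqt7w_/2FGj3GkMdb/gW3lDpUUG8UJpLQkT/d_2FWch36CgQ/Ms7kl6_2FQw/_2FYis_2FJuf4b/1W5qGDemarWZETpD245uj/A3G16gP5qOjvKH3G/vv5_2BVLbj8z6ts/CLUiAk4VGnKgZlEBPz/xZ0KblNF.jlk",
    "http://94.140.115.8/drew/6wy5UyOmrJ6HQIq62A/VkrnX6r04/0fFrbYM4DFb5wAzrw_2B/FNzEWhK2WSNEE81GIZV/7J75XXRSaKXlPlnEWRIx2d/cgL4K_2BZrIVj/9osxFaDv/Lc0bZAFyY2PSeXZy5ftLnD9/al2n0BaRS9/SY2dQ9m8xRHbivY38/0pCnmgy_2Bef/l4rMGbb_2B_/2B4w0AfPWShYFd/4cpEVVLZL_2FDyp7NTbNc/rNxu0uITLsW428ao/71RUURUKbVQL7Cx/eCGP96f5gt/RxWMq4kdm/g.jlk",
    "http://94.140.115.8/drew/Gv5Z0BH7gi4l/Xtbvn5vUJ8S/xOKV3qdD_2FR7k/HBHojg_2BImCG6h9pQAWJ/OLNLYJlFkOIbmlfx/xLBPPTo798kTGWF/uarevqL_2FqMq6GmJ9/Ff_2BWjst/_2BcRA9bYxr5hTBTuFyb/8zAPHcBPMbLfJl2Crow/FreBlXlshr_2FnJ_2FgWzv/h4GyHVjgDhcnY/ozdI4s6t/aG5qJQuNKTWUqUa97JxeXEE/v4CNuvvBlw/ItFnqFPJKxxqxJOlb/WVUcVG1SDD9B/T_2BjHrCJGz/H.jlk",
    "http://https://file://USER.ID%lu.exe/upd",
    "http://constitution.org/usdeclar.txt",
    "http://pesterbdd.com/images/Pester.png",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "http://www.apache.org/licenses/LICENSE-2.0.html",
    "http://94.140.115.8/drew/LzZSD0tVM_2BsonXWK/DxGr8_2Fs/ptvwg5b1i5bmL0teUgxQ/9o_2BYDNRVvPoQoxMtW/BIdfm",
    "https://github.com/Pester/Pester",
    "http://constitution.org/usdeclar.txtC:",
    "http://198.51.100.7/drew/Ab_2Bcd/ef_2Fgh.jlk",   # constructed, not from the report
]


def is_string_artifact(url):
    """Entries that cannot be a real request: nested schemes, a printf-style
    placeholder such as %lu (a '%' not followed by two hex digits), or a Windows
    drive letter glued onto the end. These are strings from inside the binary."""
    return (url.count("://") != 1
            or re.search(r"%(?![0-9A-Fa-f]{2})", url) is not None
            or re.search(r"[A-Za-z]:$", url) is not None)


def classify(url):
    """Label one table entry: c2, c2_pattern, string_artifact or reference."""
    if is_string_artifact(url):
        return "string_artifact"
    parsed = urlparse(url)
    if (parsed.hostname or "") in C2_HOSTS:
        return "c2"
    if C2_PATH.search(parsed.path) and TOKEN.search(parsed.path):
        return "c2_pattern"      # same URI shape on a host not yet on the list
    return "reference"           # library/licence strings, not contacted infrastructure


def triage(urls):
    """Group entries by label so only c2/c2_pattern go to the blocklist."""
    buckets = {"c2": [], "c2_pattern": [], "string_artifact": [], "reference": []}
    for url in urls:
        buckets[classify(url)].append(url)
    return buckets


if __name__ == "__main__":
    for label, urls in triage(SAMPLE_URLS).items():
        print(f"{label}: {len(urls)}")
```

The host check is what you would actually block on; the path-shape check is for hunting, since the truncated fourth entry shows the report itself cut one URL short, and proxy logs will do the same, so matching on the /drew/ prefix and the _2B/_2F tokens rather than on whole URLs survives truncation.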