Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

626a961800203.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

initial sample

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

data

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

C:\Users\user\AppData\Local\Temp\RESAFF5.tmp

Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols

dropped

C:\Users\user\AppData\Local\Temp\RESC0EC.tmp

Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_grhpvd1u.qdq.psm1

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iappz0mc.xf1.ps1

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Temp\boqgffzj\CSC6A71A2D878D54201A284CABB415B85EF.TMP

MSVC .res

dropped

C:\Users\user\AppData\Local\Temp\boqgffzj\boqgffzj.0.cs

UTF-8 Unicode (with BOM) text

dropped

C:\Users\user\AppData\Local\Temp\boqgffzj\boqgffzj.cmdline

UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\boqgffzj\boqgffzj.dll

PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\boqgffzj\boqgffzj.out

UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators

modified

C:\Users\user\AppData\Local\Temp\yb3ge0m0\CSCCD644729527F4748ACD06F6743FBF148.TMP

MSVC .res

dropped

C:\Users\user\AppData\Local\Temp\yb3ge0m0\yb3ge0m0.0.cs

UTF-8 Unicode (with BOM) text

dropped

C:\Users\user\AppData\Local\Temp\yb3ge0m0\yb3ge0m0.cmdline

UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\yb3ge0m0\yb3ge0m0.dll

PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\yb3ge0m0\yb3ge0m0.out

UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators

modified

C:\Users\user\Documents\20220428\PowerShell_transcript.609290.5b3sR3N3.20220428153620.txt

UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators

dropped

There are 8 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C rundll32.exe "C:\Users\user\Desktop\626a961800203.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\626a961800203.dll",#1

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe" "about:<hta:application><script>Qbwe='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qbwe).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name elhthuju -value gp; new-alias -name fwiwawp -value iex; fwiwawp ([System.Text.Encoding]::ASCII.GetString((elhthuju "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))

C:\Windows\System32\control.exe

C:\Windows\system32\control.exe -h

C:\Windows\explorer.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\626a961800203.dll

C:\Windows\System32\PING.EXE

ping localhost -n 5

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\cmd.exe

cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\92B2.bi1"

C:\Windows\System32\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h

C:\Windows\System32\loaddll32.exe

loaddll32.exe "C:\Users\user\Desktop\626a961800203.dll"

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\boqgffzj\boqgffzj.cmdline

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAFF5.tmp" "c:\Users\user\AppData\Local\Temp\boqgffzj\CSC6A71A2D878D54201A284CABB415B85EF.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yb3ge0m0\yb3ge0m0.cmdline

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC0EC.tmp" "c:\Users\user\AppData\Local\Temp\yb3ge0m0\CSCCD644729527F4748ACD06F6743FBF148.TMP"

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

There are 9 hidden processes, click here to show them.

URLs

Name

Malicious

http://94.140.115.8/drew/LzZSD0tVM_2BsonXWK/DxGr8_2Fs/ptvwg5b1i5bmL0teUgxQ/9o_2BYDNRVvPoQoxMtW/BIdfmFo0ukzJeDObjwSUDY/Htb97x6cm9qTp/tEkEvLrP/n0HksQRnfyb9faVq3lqt7w_/2FGj3GkMdb/gW3lDpUUG8UJpLQkT/d_2FWch36CgQ/Ms7kl6_2FQw/_2FYis_2FJuf4b/1W5qGDemarWZETpD245uj/A3G16gP5qOjvKH3G/vv5_2BVLbj8z6ts/CLUiAk4VGnKgZlEBPz/xZ0KblNF.jlk

94.140.115.8

http://94.140.115.8/drew/6wy5UyOmrJ6HQIq62A/VkrnX6r04/0fFrbYM4DFb5wAzrw_2B/FNzEWhK2WSNEE81GIZV/7J75XXRSaKXlPlnEWRIx2d/cgL4K_2BZrIVj/9osxFaDv/Lc0bZAFyY2PSeXZy5ftLnD9/al2n0BaRS9/SY2dQ9m8xRHbivY38/0pCnmgy_2Bef/l4rMGbb_2B_/2B4w0AfPWShYFd/4cpEVVLZL_2FDyp7NTbNc/rNxu0uITLsW428ao/71RUURUKbVQL7Cx/eCGP96f5gt/RxWMq4kdm/g.jlk

94.140.115.8

http://94.140.115.8/drew/Gv5Z0BH7gi4l/Xtbvn5vUJ8S/xOKV3qdD_2FR7k/HBHojg_2BImCG6h9pQAWJ/OLNLYJlFkOIbmlfx/xLBPPTo798kTGWF/uarevqL_2FqMq6GmJ9/Ff_2BWjst/_2BcRA9bYxr5hTBTuFyb/8zAPHcBPMbLfJl2Crow/FreBlXlshr_2FnJ_2FgWzv/h4GyHVjgDhcnY/ozdI4s6t/aG5qJQuNKTWUqUa97JxeXEE/v4CNuvvBlw/ItFnqFPJKxxqxJOlb/WVUcVG1SDD9B/T_2BjHrCJGz/H.jlk

94.140.115.8

http://https://file://USER.ID%lu.exe/upd

unknown

http://constitution.org/usdeclar.txt

unknown

http://pesterbdd.com/images/Pester.png

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://www.apache.org/licenses/LICENSE-2.0.html

unknown

http://94.140.115.8/drew/LzZSD0tVM_2BsonXWK/DxGr8_2Fs/ptvwg5b1i5bmL0teUgxQ/9o_2BYDNRVvPoQoxMtW/BIdfm

unknown

https://github.com/Pester/Pester

unknown

http://constitution.org/usdeclar.txtC:

unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
626a961800203.rar

Files

Processes

URLs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report626a961800203.rar

Files

Processes

URLs

IOC Report
626a961800203.rar