Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Windows_Defender_Exclusion_Added.ps1

ASCII text, with very long lines (11794), with no line terminators

initial sample

Details

Filetype:	ASCII text, with very long lines (11794), with no line terminators
Entropy:	5.039486438933141
Filename:	Windows_Defender_Exclusion_Added.ps1
Filesize:	11794
MD5:	7b5aec6060411af6ea4a4ed12deb2532
SHA1:	963d70794a76af5569b4bfc93f1004dc84fae2d2
SHA256:	70d83168f00276503e31383c2668ef240bc644f27e51247a82fb889a720c065c
SHA512:	3b995ccd81a3dab46fe5b1d66bc36a391b8fff460840c26d1d2abf8f9711f860b198e0ddecab028eae676310f842a2fb670b7d2350ea2f9033d99150df8850cc
SSDEEP:	96:P2d9ddy6LRzRXsbsHO62YqdYTyTEoCo28T83pNNbRr8xbSzmINhINTIN/INGINTp:lA8xreheTe/eGele5exepeierV8+
Preview:	dletization.MethodParameter]@{Name = 'PUAProtection'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.PUAProtectionType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValu

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Extensible storage engine DataBase, version 0x620, checksum 0xc3cf3517, page size 16384, DirtyShutdown, Windows version 10.0

dropped

Details

File:	C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Category:	dropped
Dump:	qmgr.db.3.dr
ID:	dr_3
Target ID:	3
Process:	C:\Windows\System32\svchost.exe
Type:	Extensible storage engine DataBase, version 0x620, checksum 0xc3cf3517, page size 16384, DirtyShutdown, Windows version 10.0
Entropy:	0.7864664662433762
Encrypted:	false
Size:	1310720
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	5.387956514499815
Encrypted:	false
Size:	14512
Whitelisted:	false

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_du1dxwhg.b2j.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_du1dxwhg.b2j.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_du1dxwhg.b2j.psm1.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Size:	60
Whitelisted:	false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DAU02BGJC9UPG9UO3PHH.temp

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DAU02BGJC9UPG9UO3PHH.temp
Category:	dropped
Dump:	DAU02BGJC9UPG9UO3PHH.temp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	3.7215021934775216
Encrypted:	false
Size:	6220
Whitelisted:	false

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

JSON data

dropped

Details

File:	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Category:	dropped
Dump:	Download-1.tmp.3.dr
ID:	dr_4
Target ID:	3
Process:	C:\Windows\System32\svchost.exe
Type:	JSON data
Entropy:	4.306461250274409
Encrypted:	false
Size:	55
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the system directory	System Summary	Masquerading

IPs

Domain

Country

Malicious

184.28.90.27

unknown

United States

127.0.0.1

unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Windows_Defender_Exclusion_Added.ps1

Files

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportWindows_Defender_Exclusion_Added.ps1

Files

IPs

IOC Report
Windows_Defender_Exclusion_Added.ps1