Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

3.ps1

ASCII text, with very long lines (12594), with CRLF line terminators

initial sample

Details

Filetype:	ASCII text, with very long lines (12594), with CRLF line terminators
Entropy:	5.738857250711805
Filename:	3.ps1
Filesize:	412061
MD5:	69c80576e5413dc4d0d60de98439f649
SHA1:	2fe44c3f073e661eb0cd6dd2c5890b067743ea5d
SHA256:	85856010d3e63101c30a3d061dd55c758350030dd9b14794044a479860abb37f
SHA512:	87db764a6217f3a2c6b999122b440cf8dfd5cdbb08ec13147cc2cf1549c18fc0c0afb52d5003313fe1c0d97fb3f7d4ca51062a8e8a37eab564c65c3abcfd211f
SSDEEP:	6144:tgCjcsHxN7zWkV4mne5klEz1/rxiAsmwAJhcEstTHo84ZbxGdnuFmlgC5fe5QLPO:tgC4sRNvW5Oe+cVroAsEJCE38QKOq7bu
Preview:	Set-StrictMode -Version 2....function func_get_proc_address {...Param ($var_module, $var_procedure).....$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equal

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Yara signature match	System Summary
Sample is known by Antivirus	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

data

modified

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Category:	modified
Dump:	ModuleAnalysisCache.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	4.928515784730612
Encrypted:	false
Ssdeep:	192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
Size:	9434
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5noeq2o4.gsw.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5noeq2o4.gsw.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_5noeq2o4.gsw.ps1.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ngfgu5wb.msr.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ngfgu5wb.msr.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_ngfgu5wb.msr.psm1.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
Category:	dropped
Dump:	WMNT3I4XNG9Y59JGGE9M.temp.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	3.7293891251548903
Encrypted:	false
Ssdeep:	48:t/QToHLPr3C4U28zLjgukvhkvklCywCmdk6nQiWl15SogZoJ6YE6nQiWl15SogZS:NPH33CxHH1kvhkvCCtfQiW4HsQiW4HS
Size:	6221
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WMNT3I4XNG9Y59JGGE9M.temp

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WMNT3I4XNG9Y59JGGE9M.temp
Category:	dropped
Dump:	WMNT3I4XNG9Y59JGGE9M.temp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	3.7293891251548903
Encrypted:	false
Ssdeep:	48:t/QToHLPr3C4U28zLjgukvhkvklCywCmdk6nQiWl15SogZoJ6YE6nQiWl15SogZS:NPH33CxHH1kvhkvCCtfQiW4HsQiW4HS
Size:	6221
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\3.ps1"

Details

Is windows:	true
Is dropped:	false
PID:	1900
Target ID:	0
Parent PID:	2580
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\3.ps1"
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	13:57:56
Date:	25/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff788560000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected CobaltStrike	Remote Access Functionality
Yara detected CobaltStrike	Remote Access Functionality
Yara detected CobaltStrike	Remote Access Functionality
Yara detected CobaltStrike	Remote Access Functionality
Yara detected CobaltStrike	Remote Access Functionality
Yara detected MetasploitPayload	Remote Access Functionality
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1456
Target ID:	1
Parent PID:	1900
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	13:57:56
Date:	25/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

3.78.244.11

http://3.78.244.11:8080/dot.gif

3.78.244.11

http://3.78.244.11:8080/dot.gifG

unknown

http://nuget.org/NuGet.exe

unknown

http://pesterbdd.com/images/Pester.png

unknown

http://3.78.244.11:8080/dot.gif~

unknown

http://www.apache.org/licenses/LICENSE-2.0.html

unknown

https://go.micro

unknown

http://3.78.244.11:8080/dot.gif11:8080/dot.gif

unknown

https://contoso.com/License

unknown

http://3.78.244.11:8080/dot.gifD

unknown

https://contoso.com/Icon

unknown

http://3.78.244.11:8080/dot.gifllV

unknown

http://3.78.244.11:8080/dot.gifPDL

unknown

http://3.78.244.11:8080/dot.gifll

unknown

https://github.com/Pester/Pester

unknown

http://3.78.244.11:8080/dot.gifU

unknown

https://contoso.com/

unknown

https://nuget.org/nuget.exe

unknown

http://3.78.244.11:8080/dot.gife

unknown

http://3.78.244.11:8080/dot.gifystem32

unknown

http://3.78.244.11:8080/dot.gif9.0

unknown

https://aka.ms/pscore68

unknown

http://127.0.0.1:%u/

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://3.78.244.11:8080/dot.gif1

unknown

http://crl.v

unknown

http://3.78.244.11:8080/dot.gif2

unknown

There are 18 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

3.78.244.11

unknown

United States

Details

IP:	3.78.244.11
TargetID:	0
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

22EF9EB0000

heap

page read and write

22EFA0B0000

direct allocation

page execute and read and write

22EF1AEF000

trusted library allocation

page read and write

22EF1952000

trusted library allocation

page read and write

22EE28B3000

trusted library allocation

page read and write

22EF9B10000

direct allocation

page execute and read and write

22EDFA90000

heap

page read and write

7FFD9B770000

trusted library allocation

page read and write

7FFD9B9C0000

trusted library allocation

page read and write

22EE2E6B000

trusted library allocation

page read and write

7FFD9B957000

trusted library allocation

page read and write

A30D8CC000

stack

page read and write

7FFD9BA60000

trusted library allocation

page read and write

22EF9CD3000

heap

page read and write

22EF98E4000

heap

page read and write

22EFA103000

direct allocation

page execute and read and write

7FFD9B774000

trusted library allocation

page read and write

22EFA0FE000

direct allocation

page execute and read and write

22EDF8C0000

heap

page read and write

7FFD9B92A000

trusted library allocation

page read and write

7FFD9B77D000

trusted library allocation

page execute and read and write

22EE1966000

trusted library allocation

page read and write

22EF9D9D000

heap

page read and write

A30CCFF000

stack

page read and write

22EF9A2A000

heap

page read and write

7FFD9B980000

trusted library allocation

page read and write

7FFD9B954000

trusted library allocation

page read and write

7FFD9B772000

trusted library allocation

page read and write

22EF9BA0000

heap

page execute and read and write

22EE12A0000

heap

page read and write

7FFD9B9D0000

trusted library allocation

page read and write

7FFD9BA20000

trusted library allocation

page read and write

7FFD9BA40000

trusted library allocation

page read and write

22EF9CE5000

heap

page read and write

22EDF964000

heap

page read and write

22EDF9AC000

heap

page read and write

22EDF942000

heap

page read and write

22EDF966000

heap

page read and write

22EF9BA7000

heap

page execute and read and write

A30D782000

stack

page read and write

22EF9D98000

heap

page read and write

22EDFAB0000

heap

page read and write

7FFD9BA70000

trusted library allocation

page read and write

7FFD9BAD0000

trusted library allocation

page read and write

7FFD9BA80000

trusted library allocation

page read and write

22EF9CE3000

heap

page read and write

7FFD9B921000

trusted library allocation

page read and write

22EF9A2F000

heap

page read and write

A30C8FE000

stack

page read and write

22EE1370000

trusted library allocation

page read and write

22EE13C5000

heap

page read and write

22EDF97E000

heap

page read and write

7FFD9B910000

trusted library allocation

page read and write

22EF9D9F000

heap

page read and write

7FFD9BA90000

trusted library allocation

page read and write

A30C2B5000

stack

page read and write

22EDF8C9000

heap

page read and write

22EF9CD6000

heap

page read and write

22EE1B08000

trusted library allocation

page read and write

7FFD9B856000

trusted library allocation

page execute and read and write

22EE1740000

trusted library allocation

page read and write

7FFD9BB00000

trusted library allocation

page read and write

22EDFC80000

heap

page read and write

22EF9DB2000

heap

page read and write

7FFD9B890000

trusted library allocation

page execute and read and write

22EF9BD0000

heap

page read and write

A30CC7F000

stack

page read and write

22EDFC85000

heap

page read and write

22EE301D000

trusted library allocation

page read and write

7FFD9B82C000

trusted library allocation

page execute and read and write

22EDF96A000

heap

page read and write

7FFD9B990000

trusted library allocation

page read and write

22EF18F0000

trusted library allocation

page read and write

22EF9A73000

heap

page read and write

7FFD9BAB0000

trusted library allocation

page read and write

7FFD9B78B000

trusted library allocation

page read and write

22EF190A000

trusted library allocation

page read and write

22EE3A1D000

trusted library allocation

page read and write

22EF9BB0000

heap

page read and write

7FFD9B952000

trusted library allocation

page read and write

22EE18A3000

trusted library allocation

page read and write

22EE1360000

trusted library section

page read and write

7FFD9B780000

trusted library allocation

page read and write

22EF9AEE000

heap

page read and write

22EE13C0000

heap

page read and write

22EF18E1000

trusted library allocation

page read and write

22EF9D85000

heap

page read and write

22EF9CB0000

heap

page read and write

22EF9A7D000

heap

page read and write

22EE1340000

trusted library allocation

page read and write

7FFD9B9A0000

trusted library allocation

page read and write

22EE18D0000

heap

page read and write

22EF9DA2000

heap

page read and write

7FFD9BAF0000

trusted library allocation

page read and write

7FFD9BAC0000

trusted library allocation

page read and write

7FFD9BAE0000

trusted library allocation

page read and write

22EE18A0000

trusted library allocation

page read and write

22EFA101000

direct allocation

page execute and read and write

22EE1350000

trusted library section

page read and write

7FFD9BA50000

trusted library allocation

page read and write

22EE1380000

heap

page readonly

22EDF9A6000

heap

page read and write

7FFD9B820000

trusted library allocation

page read and write

22EE1390000

trusted library allocation

page read and write

7DF4B5080000

trusted library allocation

page execute and read and write

22EDF95E000

heap

page read and write

22EDF8D2000

heap

page read and write

22EF1A27000

trusted library allocation

page read and write

22EF9CCC000

heap

page read and write

22EE2508000

trusted library allocation

page read and write

7FFD9BA00000

trusted library allocation

page read and write

22EFA0FB000

direct allocation

page execute and read and write

A30C97D000

stack

page read and write

7FFD9B960000

trusted library allocation

page execute and read and write

22EDF8A0000

heap

page read and write

22EE3019000

trusted library allocation

page read and write

A30D7CF000

stack

page read and write

7FFD9B773000

trusted library allocation

page execute and read and write

A30CDFB000

stack

page read and write

22EF99F0000

heap

page read and write

A30C77D000

stack

page read and write

22EE18E1000

trusted library allocation

page read and write

22EF9A86000

heap

page read and write

22EE1820000

heap

page execute and read and write

7FFD9B930000

trusted library allocation

page execute and read and write

7FFD9B970000

trusted library allocation

page read and write

22EE1800000

heap

page execute and read and write

22EE2F53000

trusted library allocation

page read and write

22EDF947000

heap

page read and write

22EF9DBA000

heap

page read and write

22EF9DB6000

heap

page read and write

A30CD7E000

stack

page read and write

7FFD9B830000

trusted library allocation

page execute and read and write

22EF9A6F000

heap

page read and write

7FFD9B9F0000

trusted library allocation

page read and write

22EE1310000

heap

page read and write

7FFD9BAA0000

trusted library allocation

page read and write

7FFD9BA30000

trusted library allocation

page read and write

7FFD9B9B0000

trusted library allocation

page read and write

7FFD9B9E0000

trusted library allocation

page read and write

7FFD9B940000

trusted library allocation

page execute and read and write

22EE1710000

trusted library allocation

page read and write

7FFD9BA10000

trusted library allocation

page read and write

22EF9D96000

heap

page read and write

7FFD9B826000

trusted library allocation

page read and write

22EF9D4B000

heap

page read and write

22EFA0F8000

direct allocation

page execute and read and write

There are 137 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
3.ps1

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report3.ps1

Files

Processes

URLs

IPs

Memdumps

IOC Report
3.ps1