
Windows Analysis Report
Invoke-noPac.ps1

Overview

General Information

Sample Name:Invoke-noPac.ps1
Analysis ID:1730306
MD5:468704b3c87e636b9b8c360f5623f729
SHA1:62fc35b64b5034064d75001288b9b1911ea28635
SHA256:4e37819484e865f8e20c2aaa94ec05f3bfe3bb6f36ea4bb6df376c8d4f1ffcca
Detection

noPac
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Suspicious Computer Account Name Change CVE-2021-42287
Yara detected noPac
Sigma detected: Suspicious Outbound Kerberos Connection
Yara signature match
Sigma detected: Suspicious Remote Logon with Explicit Credentials
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Contains long sleeps (>= 3 min)

Classification

  • System is w10x64_21h1_office_active_directory
  • powershell.exe (PID: 5580 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Invoke-noPac.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: D837FA4DEE7D84C19FF6F71FC48A6625)
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings):

Source: Invoke-noPac.ps1
Rule: JoeSecurity_noPac
Description: Yara detected noPac
Author: Joe Security

Source: 00000000.00000002.16751180655.000002049FE90000.00000004.08000000.00040000.00000000.sdmp
Rule: INDICATOR_TOOL_PWS_Rubeus
Description: Detects Rubeus kerberos defensive/offensive toolset
Author: ditekSHen
Strings:
  • 0x559f9:$s1: (&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
  • 0x5661d:$s2: (!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))
  • 0x55ff5:$s3: rc4opsec
  • 0x4ee2c:$s4: pwdlastset
  • 0x4fddc:$s4: pwdlastset
  • 0x56986:$s4: pwdlastset
  • 0x569a4:$s4: pwdlastset
  • 0x475e1:$s5: LsaEnumerateLogonSessions
  • 0x4493d:$s6: extractKerberoastHash
  • 0x46f66:$s7: ComputeAllKerberosPasswordHashes
  • 0x456c5:$s8: kerberoastDomain
  • 0x405c1:$s9: GetUsernamePasswordTGT

Source: 00000000.00000003.16112649314.00000204B7F53000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_noPac
Description: Yara detected noPac
Author: Joe Security

Source: 00000000.00000002.16821259889.00000204AFF97000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_noPac
Description: Yara detected noPac
Author: Joe Security

        System Summary

Source: Event Logs; Author: Florian Roth; Data: EventID: 4781, NewTargetUserName: dc-01, OldTargetUserName: dcadmin1$, PrivilegeList: -, Source: Microsoft-Windows-Security-Auditing, SubjectDomainName: AD01, SubjectLogonId: 0x16b8f4, SubjectUserName: user, SubjectUserSid: S-1-5-21-3384971621-2488082584-654606338-1105, TargetDomainName: AD01, TargetSid: S-1-5-21-3384971621-2488082584-654606338-1106, data0: dcadmin1$, data1: dc-01, data2: AD01, data3: S-1-5-21-3384971621-2488082584-654606338-1106, data4: S-1-5-21-3384971621-2488082584-654606338-1105, data5: user, data6: AD01, data7: 0x16b8f4, data8: -
Source: Network Connection; Author: Ilyas Ochkov, oscd.community; Data: DestinationIp: 192.168.1.200, DestinationIsIpv6: false, DestinationPort: 88, EventID: 3, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Initiated: true, ProcessId: 5580, Protocol: tcp, SourceIp: 192.168.1.201, SourceIsIpv6: false, SourcePort: 62723
Source: Event Logs; Author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st; Data: EventID: 4648, IpAddress: -, IpPort: -, LogonGuid: {00000000-0000-0000-0000-000000000000}, ProcessId: 0x15cc, ProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Source: Microsoft-Windows-Security-Auditing, SubjectDomainName: AD01, SubjectLogonId: 0x5bfb9, SubjectUserName: user, SubjectUserSid: S-1-5-21-3384971621-2488082584-654606338-1105, TargetDomainName: AD01.LOCAL, TargetInfo: ldap/DC-01.ad01.local, TargetLogonGuid: {0d7257f6-ead0-9c49-99fe-cda91a935390}, TargetServerName: DC-01.ad01.local, TargetUserName: user, data0: S-1-5-21-3384971621-2488082584-654606338-1105, data1: user, data10: 0x15cc, data11: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, data12: -, data13: -, data2: AD01, data3: 0x5bfb9, data4: {00000000-0000-0000-0000-000000000000}, data5: user, data6: AD01.LOCAL, data7: {0d7257f6-ead0-9c49-99fe-cda91a935390}, data8: DC-01.ad01.local, data9: ldap/DC-01.ad01.local
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132881894112152451.5580.DefaultAppDomain.powershell


        Exploits

Source: Yara match; File source: Invoke-noPac.ps1, type: SAMPLE
Source: Yara match; File source: 00000000.00000003.16112649314.00000204B7F53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.16821259889.00000204AFF97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: unknown; DNS traffic detected: query: 254.141.248.8.in-addr.arpa replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: 252.0.0.224.in-addr.arpa replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: 251.0.0.224.in-addr.arpa replaycode: Name error (3)
Source: unknown; DNS traffic detected: queries for: 252.0.0.224.in-addr.arpa
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1

        System Summary

Source: 00000000.00000002.16751180655.000002049FE90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Detects Rubeus kerberos defensive/offensive toolset; Author: ditekSHen
Source: 00000000.00000002.16751180655.000002049FE90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: INDICATOR_TOOL_PWS_Rubeus author = ditekSHen, description = Detects Rubeus kerberos defensive/offensive toolset
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ty12fgxh.xxn.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\26a845b249aefca961715129e3e55539\mscorlib.ni.dll
Source: classification engine; Classification label: mal60.expl.winPS1@2/8@3/1
Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Invoke-noPac.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\Documents\20220201
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
MITRE ATT&CK matrix, listed per tactic (a number in parentheses is the count of matched signatures for that technique; techniques without a number are the matrix's default entries with no match):

  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts
  • Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux)
  • Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows)
  • Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows)
  • Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (11), Process Injection (1)
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager
  • Discovery: Virtualization/Sandbox Evasion (11), File and Directory Discovery (1), Query Registry
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
  • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
  • Command and Control: Non-Application Layer Protocol (1), Application Layer Protocol (1), Steganography
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data