download: | powershell-script-for-disk-space-usage.html |
Full analysis: | https://app.any.run/tasks/021d9b12-a8c3-4f45-9306-b391e043eac6 |
Verdict: | Malicious activity |
Analysis date: | October 14, 2019, 15:31:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/html |
File info: | HTML document, UTF-8 Unicode text |
MD5: | 2C12B1CEFF08CFF0569EBAD8C0981D53 |
SHA1: | 0332B5B20A6093E72C49F15CBE245757C9C516EB |
SHA256: | 0671C04107332BF45B12355E6A93A08E7B0FCF116656231A96CA0CCF25C10E58 |
SSDEEP: | 768:zxE50oclPUYVzxbaJ6W+UmkhYqsnMH0WZd/k3Qi:VEulZlbaJ6WKusnMH/d/6 |
Extension | Description |
---|---|
.htm/html | HyperText Markup Language with DOCTYPE (80.6) |
.html | HyperText Markup Language (19.3) |
Title: | Powershell Script For Disk Space Usage |
viewport: | width=device-width, initial-scale=1, shrink-to-fit=no |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1324 | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\powershell-script-for-disk-space-usage.html | C:\Program Files\Internet Explorer\iexplore.exe | | explorer.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255) | | | |
2384 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1324 CREDAT:79873 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) | | | |
3224 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1324 CREDAT:203009 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255) | | | |
(PID) Process | Operation | Key | Name | Value |
---|---|---|---|---|
(1324) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0 |
(1324) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
(1324) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |
(1324) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SecuritySafe | 1 |
(1324) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0 |
(1324) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | |
(1324) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active | {B4FAC41D-EE97-11E9-AB41-5254004A04AF} | 0 |
(1324) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Type | 4 |
(1324) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Count | 2 |
(1324) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Time | E3070A0001000E000F001F0024005B03 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2384 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\CabC1C4.tmp | — | — | — |
2384 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\TarC1D4.tmp | — | — | — |
2384 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\CabC224.tmp | — | — | — |
2384 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\TarC225.tmp | — | — | — |
2384 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\image001_219[1].jpg | image | 4C13C5FECC1414915E2E725D6871626D | CCBD1F17845BF7D73581D9CC5BB933E5A42FFB21431C68BC48F4B853E5CA967E |
2384 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\starwind_powershell1[1].png | image | D2A256F6D7E0EE2D0BCC49CE07DBC486 | 6B56CED4C5CBCE7A73DCD8A81352A55A2EC5EBCF6CEBD7B16B4F876A3B0FF181 |
2384 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\overview_iopath-1024x722[1].png | image | B30958D7D121C9DD2EDC556DEF969199 | 576719CE03ABD65B7A449E97C5D27773CC8E114E36E5591889645A10199A544B |
2384 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\image-132[1].png | image | 4F4478748DB255B02ECDC8D054698DE1 | 9E4FD000F3E1784567A7ADD3CFC34840C85EA57B46E69E0E3E2258D77CA3C5C4 |
2384 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\PythonScript_message[1].png | image | A6B156D6E7551A3DBEBA278936446EA5 | E64A24311A8F3D133BD038E1C7B047B67B86C2E1F8D8F9A68BCB97B87B0F0033 |
2384 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\css[2].txt | text | 16B39C622EF810E948530CDF6044F100 | F1283064B0F118A6D67EE0FBF2521B2D086A25AFE0D68B33AC859282E3E17229 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2384 | iexplore.exe | GET | 200 | 185.119.173.92:80 | http://wragg.io/content/images/2018/02/Grafana-Example-2.png | GB | image | 482 Kb | unknown |
2384 | iexplore.exe | GET | 200 | 185.103.156.5:80 | http://www.darrylvanderpeijl.com/wp-content/uploads/overview_iopath-1024x722.png | NL | image | 77.2 Kb | suspicious |
2384 | iexplore.exe | GET | 200 | 217.160.0.125:80 | http://get-cmd.com/wp-content/uploads/2018/07/starwind_powershell1.png | DE | image | 104 Kb | malicious |
2384 | iexplore.exe | GET | 200 | 104.27.189.10:80 | http://cdn.techgenix.com/media/upls/image001_219.jpg | US | image | 41.3 Kb | suspicious |
2384 | iexplore.exe | GET | 200 | 68.171.216.220:80 | http://www.powershellneedfulthings.com/wp-content/gallery/eas2003/e2k3scrn.jpg | US | image | 140 Kb | unknown |
2384 | iexplore.exe | GET | 200 | 91.216.107.92:80 | http://www.luteus.biz/Download/LoriotPro_Doc/SMS_Manager_Documentation/img/PythonScript_message.png | FR | image | 24.0 Kb | unknown |
3224 | iexplore.exe | GET | 200 | 104.28.29.99:80 | http://umnz.garabato.fr/ | US | html | 10.6 Kb | suspicious |
3224 | iexplore.exe | GET | 200 | 104.24.122.82:80 | http://images.mini-ielts.com/images/1/18/evolution-tree_thumbpad.jpg | US | image | 7.60 Kb | suspicious |
3224 | iexplore.exe | GET | 200 | 199.34.228.44:80 | http://www.saint-david.net/uploads/1/0/4/3/10434103/businesswoman-career-corporate-39519_orig.jpg | US | image | 42.7 Kb | malicious |
3224 | iexplore.exe | GET | 200 | 104.24.122.82:80 | http://images.mini-ielts.com/images/1/2/scientific-english_thumbpad.jpeg | US | image | 6.80 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2384 | iexplore.exe | 108.161.188.153:443 | img.netwrix.com | netDNA | US | unknown |
2384 | iexplore.exe | 66.77.93.49:443 | redmondmag.com | Qwest Communications Company, LLC | US | unknown |
2384 | iexplore.exe | 66.77.93.35:443 | mcpmag.com | Qwest Communications Company, LLC | US | unknown |
2384 | iexplore.exe | 216.58.207.42:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
2384 | iexplore.exe | 104.31.77.155:443 | jdhitsolutions.com | Cloudflare Inc | US | unknown |
2384 | iexplore.exe | 151.139.241.2:443 | static.techspot.com | netDNA | US | unknown |
2384 | iexplore.exe | 116.203.68.116:443 | codepad.co | — | IN | unknown |
1324 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2384 | iexplore.exe | 13.32.158.244:443 | communities.sas.com | Amazon.com, Inc. | US | unknown |
2384 | iexplore.exe | 173.201.247.99:443 | computerstepbystep.com | GoDaddy.com, LLC | US | unknown |
Domain | IP | Reputation |
---|---|---|
fonts.googleapis.com | | whitelisted |
communities.sas.com | | malicious |
img.netwrix.com | | suspicious |
www.itprotoday.com | | unknown |
jdhitsolutions.com | | unknown |
mcpmag.com | | whitelisted |
cdn.pdq.com | | malicious |
static.techspot.com | | suspicious |
original.securityintelligence.com | | unknown |
www.bing.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
2384 | iexplore.exe | Generic Protocol Command Decode | SURICATA STREAM CLOSEWAIT FIN out of window |