File name:

dnscat2.ps1

Full analysis: https://app.any.run/tasks/9979e75b-fa88-4a96-ba6d-8339481fbbca
Verdict: Malicious activity
Analysis date: June 28, 2024, 20:27:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (65438)
MD5:

16C140FE838340062B9A0D85EBC31F8E

SHA1:

8A7EA087C0FF3BD888C78126726EE3C5F098A8C4

SHA256:

2FB4CBC451908B1BF8A103DFB284917C045ADD6C47C3ACE1E22F65576F9B8302

SSDEEP:

6144:XjqvVvXD/5VqC5s/3cymAQf7ZpHZ8+3ltI78a4PgCSFKkqSK+/eS:XjqvVvDh9skfdp58E88a4GFtKk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 3384)

    • Drops the executable file immediately after the start

      • csc.exe (PID: 3204)
      • csc.exe (PID: 680)

    • Starts Visual C# compiler

      • powershell.exe (PID: 3384)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • csc.exe (PID: 3204)
      • csc.exe (PID: 680)

    • Reads the Internet Settings

      • powershell.exe (PID: 3384)

    • Uses .NET C# to load dll

      • powershell.exe (PID: 3384)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 3384)

  • INFO

    • Create files in a temporary directory

      • cvtres.exe (PID: 3212)
      • csc.exe (PID: 680)
      • cvtres.exe (PID: 2748)
      • csc.exe (PID: 3204)

    • Reads the machine GUID from the registry

      • cvtres.exe (PID: 3212)
      • csc.exe (PID: 680)
      • cvtres.exe (PID: 2748)
      • csc.exe (PID: 3204)

    • Checks supported languages

      • csc.exe (PID: 680)
      • cvtres.exe (PID: 2748)
      • csc.exe (PID: 3204)
      • cvtres.exe (PID: 3212)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe no specs csc.exe cvtres.exe no specs csc.exe cvtres.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
680"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\1ttujt2d.cmdline"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.3761.0 built by: NET48REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
2748C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESECEC.tmp" "c:\Users\admin\AppData\Local\Temp\CSCDF39A487663648A4A7BC8B8611D18317.TMP"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.10.25028.0 built by: VCTOOLSD15RTM
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
3204"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\42yj31kh.cmdline"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.3761.0 built by: NET48REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
3212C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESEC31.tmp" "c:\Users\admin\AppData\Local\Temp\CSC11654D9A98604873B89B208E499BF4CE.TMP"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.10.25028.0 built by: VCTOOLSD15RTM
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
3384"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" C:\Users\admin\AppData\Local\Temp\dnscat2.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events
6 274
Read events
6 212
Write events
62
Delete events
0

Modification events

(PID) Process:(3384) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3384) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3384) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3384) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3384) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
2
Suspicious files
10
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
3384powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF4e079.TMPbinary
MD5:0268C3470C936E6FBAC2945B9E1C2099
SHA256:DF2AF58E8879B48826D8A418ED3B02CC8D484BCFC231C5B7A11BD153ED3998E9
3384powershell.exeC:\Users\admin\AppData\Local\Temp\bwd5qwyh.fqn.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
680csc.exeC:\Users\admin\AppData\Local\Temp\CSCDF39A487663648A4A7BC8B8611D18317.TMPres
MD5:6FADDA8DEEE7E08E0B43E74A1996BBED
SHA256:55C63DCEF56C034FB87F6492D543AF0A796A7C9C1C2DD84D9F4F932765A5D0A8
3204csc.exeC:\Users\admin\AppData\Local\Temp\CSC11654D9A98604873B89B208E499BF4CE.TMPres
MD5:5699E649E1E523D5B029A5C8CB521EBD
SHA256:72BD0420FA4CB363BBAB7071F206047F25C3188EE689AB0B28D3218A569753CE
3204csc.exeC:\Users\admin\AppData\Local\Temp\42yj31kh.outtext
MD5:66C4B935BA6BB4D276B01DA6226707F1
SHA256:C65065F619D54EDEAA03C76E75E0BCFDB111E297821FB1988877B73E999205EC
3384powershell.exeC:\Users\admin\AppData\Local\Temp\lf0idsb5.vls.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3384powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:20137D8E79E1A65520B42BE42C7AFF9F
SHA256:12C8214907BBBAB5B60255F939AEFD55B1ED8BC8E68F0E3BC7F15EE4944867D9
3384powershell.exeC:\Users\admin\AppData\Local\Temp\42yj31kh.cmdlinetext
MD5:6E61BEF7139124FA3D4C22B097146E23
SHA256:7769702444BB99674B755277DB8764EF29F7022F0057A8CB5E81C66C814F1326
3384powershell.exeC:\Users\admin\AppData\Local\Temp\1ttujt2d.0.cshtml
MD5:E99B8AF73F03DC05E083E3DB170EEA9A
SHA256:512254A4D6AB3B51872B625177BF966C6DDAD6D78DCDFBD98AAB567939A7DB14
3384powershell.exeC:\Users\admin\AppData\Local\Temp\1ttujt2d.cmdlinetext
MD5:C21186435CA182F6D5DA19507236F029
SHA256:FC70EFEE5A0B4A3F3CC95E82B69E53599CD3381BC91AD48F54E6F08F8DCD068E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
11
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
23.50.131.217:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
1372
svchost.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
1372
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1060
svchost.exe
GET
304
23.53.40.49:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
2564
svchost.exe
239.255.255.250:3702
whitelisted
1060
svchost.exe
224.0.0.252:5355
unknown
1372
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1372
svchost.exe
23.50.131.217:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
unknown
1060
svchost.exe
23.53.40.49:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
ctldl.windowsupdate.com
  • 23.50.131.217
  • 23.50.131.215
  • 23.50.131.218
  • 23.50.131.222
  • 23.50.131.223
  • 23.53.40.49
  • 23.53.40.83
  • 23.53.40.40
  • 23.53.40.35
  • 23.53.40.56
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.166
  • 23.48.23.177
  • 23.48.23.194
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
dnscat2.ps1