File name:

dnscat2.ps1

Full analysis: https://app.any.run/tasks/9979e75b-fa88-4a96-ba6d-8339481fbbca
Verdict: Malicious activity
Analysis date: June 28, 2024, 20:27:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (65438)
MD5:

16C140FE838340062B9A0D85EBC31F8E

SHA1:

8A7EA087C0FF3BD888C78126726EE3C5F098A8C4

SHA256:

2FB4CBC451908B1BF8A103DFB284917C045ADD6C47C3ACE1E22F65576F9B8302

SSDEEP:

6144:XjqvVvXD/5VqC5s/3cymAQf7ZpHZ8+3ltI78a4PgCSFKkqSK+/eS:XjqvVvDh9skfdp58E88a4GFtKk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 3384)

    • Starts Visual C# compiler

      • powershell.exe (PID: 3384)

    • Drops the executable file immediately after the start

      • csc.exe (PID: 3204)
      • csc.exe (PID: 680)

  • SUSPICIOUS

    • Reads the Internet Settings

      • powershell.exe (PID: 3384)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 3384)

    • Uses .NET C# to load dll

      • powershell.exe (PID: 3384)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 3204)
      • csc.exe (PID: 680)

  • INFO

    • Create files in a temporary directory

      • csc.exe (PID: 3204)
      • cvtres.exe (PID: 3212)
      • csc.exe (PID: 680)
      • cvtres.exe (PID: 2748)

    • Checks supported languages

      • csc.exe (PID: 3204)
      • cvtres.exe (PID: 3212)
      • csc.exe (PID: 680)
      • cvtres.exe (PID: 2748)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 3204)
      • cvtres.exe (PID: 3212)
      • csc.exe (PID: 680)
      • cvtres.exe (PID: 2748)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe no specs csc.exe cvtres.exe no specs csc.exe cvtres.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
680"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\1ttujt2d.cmdline"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.3761.0 built by: NET48REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
2748C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESECEC.tmp" "c:\Users\admin\AppData\Local\Temp\CSCDF39A487663648A4A7BC8B8611D18317.TMP"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.10.25028.0 built by: VCTOOLSD15RTM
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
3204"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\42yj31kh.cmdline"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.3761.0 built by: NET48REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
3212C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESEC31.tmp" "c:\Users\admin\AppData\Local\Temp\CSC11654D9A98604873B89B208E499BF4CE.TMP"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.10.25028.0 built by: VCTOOLSD15RTM
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
3384"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" C:\Users\admin\AppData\Local\Temp\dnscat2.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events
6 274
Read events
6 212
Write events
62
Delete events
0

Modification events

(PID) Process:(3384) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3384) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3384) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3384) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3384) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
2
Suspicious files
10
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
3204csc.exeC:\Users\admin\AppData\Local\Temp\42yj31kh.outtext
MD5:66C4B935BA6BB4D276B01DA6226707F1
SHA256:C65065F619D54EDEAA03C76E75E0BCFDB111E297821FB1988877B73E999205EC
3384powershell.exeC:\Users\admin\AppData\Local\Temp\bwd5qwyh.fqn.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3384powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivedbf
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
3204csc.exeC:\Users\admin\AppData\Local\Temp\42yj31kh.dllexecutable
MD5:78C1024C77C2EEFAB021F5C68037E2EC
SHA256:2D3782855884646890A93B9627125136B877C36CD560AD7ACC48184CBB450A09
3212cvtres.exeC:\Users\admin\AppData\Local\Temp\RESEC31.tmpbinary
MD5:C33EC9D00FF69D3C49117A92B18A2281
SHA256:DA26DE23D205B4F3E0B397CDC5D6DF23FF19C17C2A84856B8314215B65B6F345
3384powershell.exeC:\Users\admin\AppData\Local\Temp\1ttujt2d.0.cshtml
MD5:E99B8AF73F03DC05E083E3DB170EEA9A
SHA256:512254A4D6AB3B51872B625177BF966C6DDAD6D78DCDFBD98AAB567939A7DB14
680csc.exeC:\Users\admin\AppData\Local\Temp\1ttujt2d.outtext
MD5:72E55A058F2D420CF0374A01DE5C2504
SHA256:D06CE61DF3C7851179E45118E760C28AD0714E6804975C8966D4AD88A41E8E9B
3384powershell.exeC:\Users\admin\AppData\Local\Temp\42yj31kh.cmdlinetext
MD5:6E61BEF7139124FA3D4C22B097146E23
SHA256:7769702444BB99674B755277DB8764EF29F7022F0057A8CB5E81C66C814F1326
3204csc.exeC:\Users\admin\AppData\Local\Temp\CSC11654D9A98604873B89B208E499BF4CE.TMPres
MD5:5699E649E1E523D5B029A5C8CB521EBD
SHA256:72BD0420FA4CB363BBAB7071F206047F25C3188EE689AB0B28D3218A569753CE
680csc.exeC:\Users\admin\AppData\Local\Temp\CSCDF39A487663648A4A7BC8B8611D18317.TMPres
MD5:6FADDA8DEEE7E08E0B43E74A1996BBED
SHA256:55C63DCEF56C034FB87F6492D543AF0A796A7C9C1C2DD84D9F4F932765A5D0A8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
11
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
23.50.131.217:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
1372
svchost.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
1372
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1060
svchost.exe
GET
304
23.53.40.49:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
2564
svchost.exe
239.255.255.250:3702
whitelisted
1060
svchost.exe
224.0.0.252:5355
unknown
1372
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1372
svchost.exe
23.50.131.217:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
unknown
1060
svchost.exe
23.53.40.49:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
ctldl.windowsupdate.com
  • 23.50.131.217
  • 23.50.131.215
  • 23.50.131.218
  • 23.50.131.222
  • 23.50.131.223
  • 23.53.40.49
  • 23.53.40.83
  • 23.53.40.40
  • 23.53.40.35
  • 23.53.40.56
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.166
  • 23.48.23.177
  • 23.48.23.194
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
dnscat2.ps1