analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

bootstrap.js.ps1

Full analysis: https://app.any.run/tasks/3508ba5e-b920-496f-af2e-dc1dc16d7fcc
Verdict: Malicious activity
Analysis date: January 17, 2020, 19:48:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with no line terminators
MD5:

0C50E7FA14B23B5E1BAD40B9A795CCFD

SHA1:

F66789D7F74A6E1AB674F8E5887C4E15ED8AAD90

SHA256:

308B2D478638C74F28729CC790678E150B4F58955595CE777445E22187CEB4A6

SSDEEP:

768:D6JEjFHNnyjSnrFxJaWJxNif60eeXxwo0mN3ZR8qOny6/4d/kW/2FRUyB:2JoHgy7aKii0eeBtR8Nnrgd/kWOFBB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was injected by another process

      • explorer.exe (PID: 352)

    • Starts Visual C# compiler

      • powershell.exe (PID: 532)

    • Runs injected code in another process

      • powershell.exe (PID: 532)

    • Application was dropped or rewritten from another process

      • a6aa3e36.exe (PID: 2112)
      • a6aa3e36.exe (PID: 3156)

  • SUSPICIOUS

    • PowerShell script executed

      • powershell.exe (PID: 532)

    • Creates files in the user directory

      • powershell.exe (PID: 532)

    • Reads Internet Cache Settings

      • explorer.exe (PID: 352)

    • Application launched itself

      • a6aa3e36.exe (PID: 2112)

    • Executable content was dropped or overwritten

      • explorer.exe (PID: 352)

    • Reads the cookies of Google Chrome

      • a6aa3e36.exe (PID: 3156)

    • Reads the cookies of Mozilla Firefox

      • a6aa3e36.exe (PID: 3156)

    • Searches for installed software

      • a6aa3e36.exe (PID: 3156)

  • INFO

    • Reads settings of System Certificates

      • explorer.exe (PID: 352)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.ini | Generic INI configuration (100)
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
6
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
inject start drop and start powershell.exe no specs csc.exe cvtres.exe no specs explorer.exe a6aa3e36.exe no specs a6aa3e36.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
532"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\bootstrap.js.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1252"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\9e37evmk.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.4927 (NetFXspW7.050727-4900)
3272C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESAB4F.tmp" "c:\Users\admin\AppData\Local\Temp\CSCAB4E.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.4940 (Win7SP1.050727-5400)
352C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2112C:\Users\admin\AppData\Local\Temp\\a6aa3e36.exeC:\Users\admin\AppData\Local\Temp\a6aa3e36.exeexplorer.exe
User:
admin
Company:
YANDEX LLC
Integrity Level:
MEDIUM
Description:
Investment Inportant Products Raw
Exit code:
0
Version:
2.4.8.8
3156C:\Users\admin\AppData\Local\Temp\a6aa3e36.exeC:\Users\admin\AppData\Local\Temp\a6aa3e36.exea6aa3e36.exe
User:
admin
Company:
YANDEX LLC
Integrity Level:
MEDIUM
Description:
Investment Inportant Products Raw
Exit code:
0
Version:
2.4.8.8
Total events
405
Read events
298
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
6
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
532powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7RYCIP9HZF8FPSU2Z80R.temp
MD5:
SHA256:
1252csc.exeC:\Users\admin\AppData\Local\Temp\CSCAB4E.tmp
MD5:
SHA256:
1252csc.exeC:\Users\admin\AppData\Local\Temp\9e37evmk.pdb
MD5:
SHA256:
3272cvtres.exeC:\Users\admin\AppData\Local\Temp\RESAB4F.tmp
MD5:
SHA256:
1252csc.exeC:\Users\admin\AppData\Local\Temp\9e37evmk.dll
MD5:
SHA256:
1252csc.exeC:\Users\admin\AppData\Local\Temp\9e37evmk.out
MD5:
SHA256:
352explorer.exeC:\Users\admin\AppData\Local\Temp\CabC250.tmp
MD5:
SHA256:
352explorer.exeC:\Users\admin\AppData\Local\Temp\TarC251.tmp
MD5:
SHA256:
352explorer.exeC:\Users\admin\AppData\Local\Temp\CabC262.tmp
MD5:
SHA256:
352explorer.exeC:\Users\admin\AppData\Local\Temp\TarC263.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
4
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
352
explorer.exe
GET
200
92.122.213.217:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
unknown
compressed
57.4 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
352
explorer.exe
159.89.85.252:443
perplevax.org
US
unknown
352
explorer.exe
92.122.213.217:80
www.download.windowsupdate.com
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
perplevax.org
  • 159.89.85.252
malicious
www.download.windowsupdate.com
  • 92.122.213.217
  • 92.122.213.201
whitelisted
mylovelyrose.info
malicious

Threats

PID
Process
Class
Message
352
explorer.exe
Not Suspicious Traffic
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
Process
Message
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
bootstrap.js.ps1