Field | Value
---|---
File name | linkopen.ps1
Full analysis | https://app.any.run/tasks/2fd7608c-8213-4900-ac33-b6546aa2da6b
Verdict | Malicious activity
Analysis date | January 24, 2022, 15:55:06
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | text/plain
File info | ASCII text, with CRLF line terminators
MD5 | E76570D2CE4D41188A5B93911008C050
SHA1 | D5EB186398E31B6334D86238C3E2A713CBF5425E
SHA256 | 3EB11EA0713393383402AA12365E2A03AB4B219BF6649E4E676683C883CCC745
SSDEEP | 6:yoI5Phn23fLTuOmuLFnAdcP/a2VJjjAgG:yoY2DqOmuLV4cqyRjZG
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2200 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\linkopen.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
1004 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2284 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\admin\AppData\Local\Temp\linkopen.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell ISE; Exit code: 0; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
3656 | "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch; | C:\Windows\SYSTEM32\WISPTIS.EXE | — | powershell_ise.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Pen and Touch Input Component; Exit code: 3221226540; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2144 | "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch; | C:\Windows\SYSTEM32\WISPTIS.EXE | | powershell_ise.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft Pen and Touch Input Component; Exit code: 24; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2320 | "C:\Windows\system32\notepad.exe" | C:\Windows\system32\notepad.exe | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Notepad; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1888 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\linkopen.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
3100 | "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding | C:\Program Files\Internet Explorer\iexplore.exe | | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
3980 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3100 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
1312 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3100 CREDAT:3937546 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2320 | notepad.exe | C:\Users\admin\AppData\Local\Temp\urls.txt | text | 1ECD8CA3F9B5BDF2C591814FDFFA1AB0 | C340252D840EEE2FD684EF2E2C9C333323DB1127E25B9CA4FE508296F7BC6527
1888 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1348d4.TMP | binary | 4073CAF812E4177CDB31D67565569AC3 | B8DA5247386DFB5CB8242B9E02D47A28F1BB5212BC39843C415F439108728074
2284 | powershell_ise.exe | C:\Users\admin\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\4doauuka.newcfg | xml | 8FF308361167C670D2C17F4958C7F152 | A6B0DF6E3B2EF88AD8F6A0B923C9E1C968F05116EB914FD4194E19BCA82259C6
1888 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GDR740HGAE14R5MNO30L.temp | binary | 4073CAF812E4177CDB31D67565569AC3 | B8DA5247386DFB5CB8242B9E02D47A28F1BB5212BC39843C415F439108728074
2200 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 4073CAF812E4177CDB31D67565569AC3 | B8DA5247386DFB5CB8242B9E02D47A28F1BB5212BC39843C415F439108728074
2200 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UPGHTF20LVD5KE8ZJDWX.temp | binary | 4073CAF812E4177CDB31D67565569AC3 | B8DA5247386DFB5CB8242B9E02D47A28F1BB5212BC39843C415F439108728074
1888 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 4073CAF812E4177CDB31D67565569AC3 | B8DA5247386DFB5CB8242B9E02D47A28F1BB5212BC39843C415F439108728074
2284 | powershell_ise.exe | C:\Users\admin\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\user.config | xml | 8FF308361167C670D2C17F4958C7F152 | A6B0DF6E3B2EF88AD8F6A0B923C9E1C968F05116EB914FD4194E19BCA82259C6
2200 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF112e21.TMP | binary | CCFCF369F751CE8DA0370D84E52A7EED | 53922490C3F5A04667EC3605A01AF2A4F4F265782D1BCA519F63ACAD413F2ED9
2284 | powershell_ise.exe | C:\Users\admin\AppData\Local\Temp\mnovv5kl.daj.psm1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2896 | iexplore.exe | GET | 200 | 23.45.103.152:80 | http://ocsp.entrust.net/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBTLXNCzDvBhHecWjg70iJhBW0InywQUanImetAe733nO2lR1GyNn5ASZqsCDA7pTMMAAAAAUdN3hQ%3D%3D | NL | der | 1.55 Kb | whitelisted |
1232 | iexplore.exe | GET | 304 | 108.156.253.131:80 | http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEA7zckiTobF32DYPEen3xMk%3D | US | — | — | whitelisted |
1312 | iexplore.exe | GET | 302 | 44.239.215.242:80 | http://scysvr03.r.us-west-2.awstrack.me/L0/http:%2F%2Fwww.luckybeanmi.com/1/0101017e82be37d6-767ae297-1172-4715-9f67-a576472bcf4a-000000/9IFohPuojNNETBzikJhuc4qkPUw=255 | US | — | — | unknown |
3980 | iexplore.exe | GET | 200 | 23.45.103.152:80 | http://ocsp.entrust.net/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBTLXNCzDvBhHecWjg70iJhBW0InywQUanImetAe733nO2lR1GyNn5ASZqsCDA7pTMMAAAAAUdN3hQ%3D%3D | NL | der | 1.55 Kb | whitelisted |
3980 | iexplore.exe | GET | 200 | 44.239.215.242:80 | http://scysvr03.r.us-west-2.awstrack.me/I0/0101017e82be37d6-767ae297-1172-4715-9f67-a576472bcf4a-000000/HtWr39GbOR02BkYVmQtOSu4xyos=255 | US | image | 43 b | unknown |
2600 | iexplore.exe | GET | 200 | 23.45.103.152:80 | http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTMbSIc9rRVLC%2BHkV9a%2FvDh7s6DzAQUgqJwdN28Uz%2FPe9T3zX%2BnYMYKTL8CEEmuXEkUe%2BmNeEGlr9E1UFw%3D | NL | der | 1.55 Kb | whitelisted |
2600 | iexplore.exe | GET | 200 | 23.45.103.152:80 | http://ocsp.entrust.net/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBQsSqZpWQuWOxHU9pAda%2B7Lf6V20AQUaJDkZ6SmU4DHhmak8fdLQ%2FuEvW0CBFHTQEQ%3D | NL | der | 1.53 Kb | whitelisted |
2896 | iexplore.exe | GET | 200 | 143.204.101.74:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted |
2896 | iexplore.exe | GET | 200 | 143.204.101.99:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted |
1232 | iexplore.exe | GET | 200 | 143.204.101.99:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2896 | iexplore.exe | 151.101.1.49:443 | images-production-s.squarecdn.com | Fastly | US | suspicious |
3980 | iexplore.exe | 151.101.1.49:443 | images-production-s.squarecdn.com | Fastly | US | suspicious |
444 | iexplore.exe | 151.101.1.49:443 | images-production-s.squarecdn.com | Fastly | US | suspicious |
3100 | iexplore.exe | 44.239.215.242:80 | scysvr03.r.us-west-2.awstrack.me | University of California, San Diego | US | unknown |
1312 | iexplore.exe | 44.239.215.242:80 | scysvr03.r.us-west-2.awstrack.me | University of California, San Diego | US | unknown |
2896 | iexplore.exe | 23.45.103.152:80 | ocsp.entrust.net | Akamai International B.V. | NL | suspicious |
3980 | iexplore.exe | 44.239.215.242:80 | scysvr03.r.us-west-2.awstrack.me | University of California, San Diego | US | unknown |
2896 | iexplore.exe | 67.27.233.126:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | suspicious |
444 | iexplore.exe | 67.27.233.126:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | suspicious |
3980 | iexplore.exe | 23.45.103.152:80 | ocsp.entrust.net | Akamai International B.V. | NL | suspicious |
Domain | IP | Reputation |
---|---|---|
scysvr03.r.us-west-2.awstrack.me | | unknown
images-production-s.squarecdn.com | | suspicious
ctldl.windowsupdate.com | | whitelisted
ocsp.entrust.net | | whitelisted
profile.squareup.com | | unknown
www.luckybeanmi.com | | malicious
buyerportal-fe-production-f.squarecdn.com | | suspicious
www.bing.com | | whitelisted
api.bing.com | | whitelisted
o.ss2.us | | whitelisted