Field | Value
---|---|
File name | 제목 없음1.ps1
Full analysis | https://app.any.run/tasks/7683364f-f7e0-4629-9669-40007ab7f206
Verdict | Malicious activity
Analysis date | September 11, 2019, 02:06:54
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | —
MIME | text/plain
File info | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
MD5 | 7A53DB572C4F1E3EBBDCAF1FE84C1C4C
SHA1 | 91E8291E63B9873D25F2ABA9470EC0EA9A80E69C
SHA256 | 461B603777952B0F1D125D437AAC9827F22DB7EFE5AF2BCECE365F238CA83C89
SSDEEP | 49152:5e0tgPuRiX3AUWgY+9Zy2NQqG1ohXrwS+Kp6gHej0BM+DhXzJ:u
.txt | Text - UTF-8 encoded (100)
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---|
3092 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\제목 없음1.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3120 | "C:\Windows\system32\schtasks.exe" /delete /tn sysupdater0 /f | C:\Windows\system32\schtasks.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3744 | "C:\Windows\system32\powercfg.exe" /CHANGE -standby-timeout-ac 0 | C:\Windows\system32\powercfg.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Power Settings Command-Line Tool; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2288 | "C:\Windows\system32\powercfg.exe" /CHANGE -hibernate-timeout-ac 0 | C:\Windows\system32\powercfg.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Power Settings Command-Line Tool; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2816 | "C:\Windows\system32\powercfg.exe" -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000 | C:\Windows\system32\powercfg.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Power Settings Command-Line Tool; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3368 | "C:\Windows\system32\NETSTAT.EXE" -anop tcp | C:\Windows\system32\NETSTAT.EXE | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: TCP/IP Netstat Command; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3160 | "C:\Windows\system32\schtasks.exe" /delete /tn sysupdater0 /f | C:\Windows\system32\schtasks.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3772 | "C:\Windows\system32\powercfg.exe" /CHANGE -standby-timeout-ac 0 | C:\Windows\system32\powercfg.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Power Settings Command-Line Tool; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2308 | "C:\Windows\system32\powercfg.exe" /CHANGE -hibernate-timeout-ac 0 | C:\Windows\system32\powercfg.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Power Settings Command-Line Tool; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2820 | "C:\Windows\system32\powercfg.exe" -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000 | C:\Windows\system32\powercfg.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Power Settings Command-Line Tool; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
(PID) Process | Key | Operation | Name | Value
---|---|---|---|---|
(3092) powershell.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | write | LanguageList | en-US
(3092) powershell.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
(3092) powershell.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1
(3092) powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | write | EnableFileTracing | 0
(3092) powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | write | EnableConsoleTracing | 0
(3092) powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | write | FileTracingMask | 4294901760
(3092) powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | write | ConsoleTracingMask | 4294901760
(3092) powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | write | MaxFileSize | 1048576
(3092) powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | write | FileDirectory | %windir%\tracing
(3092) powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | write | EnableFileTracing | 0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
3092 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SOKJ2254PFF120U1ASIL.temp | — | — | —
3092 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 0F2CAD9746414ABA31294C3B560FCFD5 | 19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15
3092 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1690db.TMP | binary | 0F2CAD9746414ABA31294C3B560FCFD5 | 19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3092 | powershell.exe | GET | 200 | 128.14.23.149:8000 | http://profetestruec.net:8000/banner | US | text | 14 b | malicious |
3092 | powershell.exe | GET | 200 | 128.14.23.149:8000 | http://profetestruec.net:8000/in3.ps1 | US | text | 3.31 Mb | malicious |
3092 | powershell.exe | GET | 200 | 128.14.23.149:8000 | http://profetestruec.net:8000/banner | US | text | 14 b | malicious |
3092 | powershell.exe | GET | 200 | 128.14.23.149:8000 | http://profetestruec.net:8000/in3.ps1 | US | text | 3.31 Mb | malicious |
3092 | powershell.exe | GET | 200 | 128.14.23.149:8000 | http://profetestruec.net:8000/banner | US | text | 14 b | malicious |
3092 | powershell.exe | GET | 200 | 128.14.23.149:8000 | http://profetestruec.net:8000/banner | US | text | 14 b | malicious |
3092 | powershell.exe | GET | 200 | 128.14.23.149:8000 | http://profetestruec.net:8000/in3.ps1 | US | text | 3.31 Mb | malicious |
3092 | powershell.exe | GET | 200 | 128.14.23.149:8000 | http://profetestruec.net:8000/banner | US | text | 14 b | malicious |
3092 | powershell.exe | GET | 200 | 128.14.23.149:8000 | http://profetestruec.net:8000/banner | US | text | 14 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3092 | powershell.exe | 128.14.23.149:8000 | profetestruec.net | Zenlayer Inc | US | malicious |
Domain | IP | Reputation
---|---|---|
profetestruec.net | — | malicious