File name: 제목 없음1.ps1
Full analysis: https://app.any.run/tasks/7683364f-f7e0-4629-9669-40007ab7f206
Verdict: Malicious activity
Analysis date: September 11, 2019, 02:06:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
MD5: 7A53DB572C4F1E3EBBDCAF1FE84C1C4C
SHA1: 91E8291E63B9873D25F2ABA9470EC0EA9A80E69C
SHA256: 461B603777952B0F1D125D437AAC9827F22DB7EFE5AF2BCECE365F238CA83C89
SSDEEP: 49152:5e0tgPuRiX3AUWgY+9Zy2NQqG1ohXrwS+Kp6gHej0BM+DhXzJ:u

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Uses Task Scheduler to run other applications
      • powershell.exe (PID: 3092)
    • Loads the Task Scheduler COM API
      • schtasks.exe (PID: 3120)
      • schtasks.exe (PID: 3160)
  • SUSPICIOUS
    • Creates files in the user directory
      • powershell.exe (PID: 3092)
    • Uses NETSTAT.EXE to discover network connections
      • powershell.exe (PID: 3092)
    • PowerShell script executed
      • powershell.exe (PID: 3092)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD: .txt | Text - UTF-8 encoded (100)
No data.
Total processes: 44
Monitored processes: 11
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → powershell.exe → schtasks.exe, powercfg.exe, powercfg.exe, powercfg.exe, netstat.exe, schtasks.exe, powercfg.exe, powercfg.exe, powercfg.exe, netstat.exe (all child nodes marked "no specs")

Process information

PID: 3092
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\제목 없음1.ps1"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3120
CMD: "C:\Windows\system32\schtasks.exe" /delete /tn sysupdater0 /f
Path: C:\Windows\system32\schtasks.exe
Parent process: powershell.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3744
CMD: "C:\Windows\system32\powercfg.exe" /CHANGE -standby-timeout-ac 0
Path: C:\Windows\system32\powercfg.exe
Parent process: powershell.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
Description: Power Settings Command-Line Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2288
CMD: "C:\Windows\system32\powercfg.exe" /CHANGE -hibernate-timeout-ac 0
Path: C:\Windows\system32\powercfg.exe
Parent process: powershell.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
Description: Power Settings Command-Line Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2816
CMD: "C:\Windows\system32\powercfg.exe" -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
Path: C:\Windows\system32\powercfg.exe
Parent process: powershell.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
Description: Power Settings Command-Line Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3368
CMD: "C:\Windows\system32\NETSTAT.EXE" -anop tcp
Path: C:\Windows\system32\NETSTAT.EXE
Parent process: powershell.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
Description: TCP/IP Netstat Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3160
CMD: "C:\Windows\system32\schtasks.exe" /delete /tn sysupdater0 /f
Path: C:\Windows\system32\schtasks.exe
Parent process: powershell.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3772
CMD: "C:\Windows\system32\powercfg.exe" /CHANGE -standby-timeout-ac 0
Path: C:\Windows\system32\powercfg.exe
Parent process: powershell.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
Description: Power Settings Command-Line Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2308
CMD: "C:\Windows\system32\powercfg.exe" /CHANGE -hibernate-timeout-ac 0
Path: C:\Windows\system32\powercfg.exe
Parent process: powershell.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
Description: Power Settings Command-Line Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2820
CMD: "C:\Windows\system32\powercfg.exe" -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
Path: C:\Windows\system32\powercfg.exe
Parent process: powershell.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
Description: Power Settings Command-Line Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 261
Read events: 190
Write events: 71
Delete events: 0

Modification events

(PID) Process | Operation | Key | Name = Value
(3092) powershell.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | LanguageList = en-US
(3092) powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet = 0
(3092) powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect = 1
(3092) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableFileTracing = 0
(3092) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableConsoleTracing = 0
(3092) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | FileTracingMask = 4294901760
(3092) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | ConsoleTracingMask = 4294901760
(3092) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | MaxFileSize = 1048576
(3092) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | FileDirectory = %windir%\tracing
(3092) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | EnableFileTracing = 0
Executable files: 0
Suspicious files: 2
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3092 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SOKJ2254PFF120U1ASIL.temp | (type not shown)
  MD5: (not shown) | SHA256: (not shown)
3092 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary
  MD5: 0F2CAD9746414ABA31294C3B560FCFD5 | SHA256: 19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15
3092 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1690db.TMP | binary
  MD5: 0F2CAD9746414ABA31294C3B560FCFD5 | SHA256: 19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15
HTTP(S) requests: 9
TCP/UDP connections: 3
DNS requests: 1
Threats: 0

HTTP requests

PID  | Process        | Method | HTTP Code | IP                 | URL                                  | CN | Type | Size    | Reputation
3092 | powershell.exe | GET    | 200       | 128.14.23.149:8000 | http://profetestruec.net:8000/banner  | US | text | 14 b    | malicious
3092 | powershell.exe | GET    | 200       | 128.14.23.149:8000 | http://profetestruec.net:8000/in3.ps1 | US | text | 3.31 Mb | malicious
3092 | powershell.exe | GET    | 200       | 128.14.23.149:8000 | http://profetestruec.net:8000/banner  | US | text | 14 b    | malicious
3092 | powershell.exe | GET    | 200       | 128.14.23.149:8000 | http://profetestruec.net:8000/in3.ps1 | US | text | 3.31 Mb | malicious
3092 | powershell.exe | GET    | 200       | 128.14.23.149:8000 | http://profetestruec.net:8000/banner  | US | text | 14 b    | malicious
3092 | powershell.exe | GET    | 200       | 128.14.23.149:8000 | http://profetestruec.net:8000/banner  | US | text | 14 b    | malicious
3092 | powershell.exe | GET    | 200       | 128.14.23.149:8000 | http://profetestruec.net:8000/in3.ps1 | US | text | 3.31 Mb | malicious
3092 | powershell.exe | GET    | 200       | 128.14.23.149:8000 | http://profetestruec.net:8000/banner  | US | text | 14 b    | malicious
3092 | powershell.exe | GET    | 200       | 128.14.23.149:8000 | http://profetestruec.net:8000/banner  | US | text | 14 b    | malicious

Connections

PID  | Process        | IP                 | Domain            | ASN           | CN | Reputation
3092 | powershell.exe | 128.14.23.149:8000 | profetestruec.net | Zenlayer Inc  | US | malicious

DNS requests

Domain            | IP            | Reputation
profetestruec.net | 128.14.23.149 | malicious

Threats: No threats detected
Debug info: No debug info