File name: | runme.ps1 |
Full analysis: | https://app.any.run/tasks/f6294631-633a-4a54-aeb1-20ebdb6f7577 |
Verdict: | Malicious activity |
Analysis date: | July 17, 2019, 08:46:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines |
MD5: | 1E37FCB71879AA31B326D6104B72402D |
SHA1: | 8EDCF0F632F8A829C0A452E5C6C3068195BC9293 |
SHA256: | 4E8FEAD76646878BE4EA42F5F8C89F081055D2CD65A127A1D865ACC8FBE2D23A |
SSDEEP: | 96:Wh7B2NTFh45fmn0c8WOJ/BF2zcx1Sjkk/YVVMNS5cyhYlUFh19lu5sBmP:EsFqmbpABF3akk/YVVASyCrrUP |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3544 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\runme.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3220 | "C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\intl.cpl | C:\Windows\System32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3396 | C:\Windows\system32\mctadmin.exe | C:\Windows\system32\mctadmin.exe | — | rundll32.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: MCTAdmin Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3072 | "C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL input.dll | C:\Windows\system32\rundll32.exe | — | rundll32.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3436 | "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401 | C:\Windows\system32\verclsid.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Extension CLSID Verification Host Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3364 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\runme.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3544 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PJRG3OZIQSHL3DSEXZMW.temp | — | |
MD5:— | SHA256:— | |||
3364 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8VGRPV6PYLVLEVGODW5D.temp | — | |
MD5:— | SHA256:— | |||
3364 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:53C936F15BA0E898CA1BDCEB3AE9C5FB | SHA256:D7C26FC9FF2065D126D4339D2C20D865B8B2A8399AB7F0A1A3B06F7AD1A36C95 | |||
3544 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:53C936F15BA0E898CA1BDCEB3AE9C5FB | SHA256:D7C26FC9FF2065D126D4339D2C20D865B8B2A8399AB7F0A1A3B06F7AD1A36C95 | |||
3364 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF18cadc.TMP | binary | |
MD5:53C936F15BA0E898CA1BDCEB3AE9C5FB | SHA256:D7C26FC9FF2065D126D4339D2C20D865B8B2A8399AB7F0A1A3B06F7AD1A36C95 | |||
3544 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF17cf85.TMP | binary | |
MD5:53C936F15BA0E898CA1BDCEB3AE9C5FB | SHA256:D7C26FC9FF2065D126D4339D2C20D865B8B2A8399AB7F0A1A3B06F7AD1A36C95 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3364 | powershell.exe | 185.158.249.75:443 | woeiuyfgowe.xyz | easystores GmbH | NL | suspicious |
Domain | IP | Reputation |
---|---|---|
woeiuyfgowe.xyz |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3364 | powershell.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz) |