| Field | Value |
|---|---|
| File name: | Verdacrypt.ps1 |
| Full analysis: | https://app.any.run/tasks/b3923f30-d468-46b9-8d70-9857133ffa43 |
| Verdict: | Malicious activity |
| Analysis date: | March 24, 2025, 19:39:23 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | text/plain |
| File info: | Unicode text, UTF-8 text, with very long lines (606), with CRLF line terminators |
| MD5: | BA81176FC20AFD8F6EE91900B6368172 |
| SHA1: | D41FEBA9353315BB6C184421300A845A9CF851CA |
| SHA256: | 63A1D5B90044E403C9DC116280638B62576A3BAB69C7AF10751369AF70BDE2DD |
| SSDEEP: | 384:tKSUBSzj5mMEEpi0D04eEMls/11AUfoUHKc1Y:AM5mME00xEbrlD1Y |
| .html | HyperText Markup Language (100) |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 208 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-CodeIntegrity/Operational | C:\Windows\System32\wevtutil.exe | — | powershell.exe | admin | Microsoft Corporation | MEDIUM | Eventing Command Line Utility | 5 | 10.0.19041.1 (WinBuild.160101.0800) |
| 208 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-ESE/IODiagnose | C:\Windows\System32\wevtutil.exe | — | powershell.exe | admin | Microsoft Corporation | MEDIUM | Eventing Command Line Utility | 5 | 10.0.19041.1 (WinBuild.160101.0800) |
| 208 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic | C:\Windows\System32\wevtutil.exe | — | powershell.exe | admin | Microsoft Corporation | MEDIUM | Eventing Command Line Utility | 5 | 10.0.19041.1 (WinBuild.160101.0800) |
| 456 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-WWAN-SVC-Events/Operational | C:\Windows\System32\wevtutil.exe | — | powershell.exe | admin | Microsoft Corporation | MEDIUM | Eventing Command Line Utility | 5 | 10.0.19041.1 (WinBuild.160101.0800) |
| 496 | "C:\WINDOWS\system32\wevtutil.exe" cl MediaFoundationAsyncWrapper | C:\Windows\System32\wevtutil.exe | — | powershell.exe | admin | Microsoft Corporation | MEDIUM | Eventing Command Line Utility | 5 | 10.0.19041.1 (WinBuild.160101.0800) |
| 496 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Power/Thermal-Operational | C:\Windows\System32\wevtutil.exe | — | powershell.exe | admin | Microsoft Corporation | MEDIUM | Eventing Command Line Utility | 5 | 10.0.19041.1 (WinBuild.160101.0800) |
| 496 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-Shell-LockScreenContent/Diagnostic | C:\Windows\System32\wevtutil.exe | — | powershell.exe | admin | Microsoft Corporation | MEDIUM | Eventing Command Line Utility | 5 | 10.0.19041.1 (WinBuild.160101.0800) |
| 496 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-TaskScheduler/Operational | C:\Windows\System32\wevtutil.exe | — | powershell.exe | admin | Microsoft Corporation | MEDIUM | Eventing Command Line Utility | 5 | 10.0.19041.1 (WinBuild.160101.0800) |
| 516 | "C:\WINDOWS\system32\wevtutil.exe" cl HardwareEvents | C:\Windows\System32\wevtutil.exe | — | powershell.exe | admin | Microsoft Corporation | MEDIUM | Eventing Command Line Utility | 5 | 10.0.19041.1 (WinBuild.160101.0800) |
| 516 | "C:\WINDOWS\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/Packaged app-Execution" | C:\Windows\System32\wevtutil.exe | — | powershell.exe | admin | Microsoft Corporation | MEDIUM | Eventing Command Line Utility | 5 | 10.0.19041.1 (WinBuild.160101.0800) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 7836 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary | 96FC2CF58B265E469C99D7B1B7B71C97 | 729C30E8975DA0B560621F46675643E8892553C7CFF7728FB95CEEF02343FCF2 |
| 7836 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_axsxyyeo.i1k.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 8012 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESFF13.tmp | binary | 1EA0CAD80A01235FA0B9CCA1EFB0664C | DE8FAE65BF5858485BBA0AB9DD814528583F6E915A1E10719C45B306F85A96D2 |
| 7836 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10e820.TMP | binary | D040F64E9E7A2BB91ABCA5613424598E | D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670 |
| 7836 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lhqdbp1i.f3y.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 7992 | csc.exe | C:\Users\admin\AppData\Local\Temp\wktl0d35.out | text | 61977977C18393C6AB41D22A7877FF69 | 1B493192C4930BB76285EF58F7D1538F6ADBE5887F1DBB1C50D2A530CF7B8C48 |
| 7836 | powershell.exe | C:\Users\admin\AppData\Local\Temp\wktl0d35.cmdline | text | BFFA85933AA8F95BF48C38301E751130 | 47680CFA0175981FDF3E726D078D6FD12F253EB2F5B7D8107D8C22D843FB733C |
| 7992 | csc.exe | C:\Users\admin\AppData\Local\Temp\wktl0d35.dll | executable | CB5268D5F5DA57134EBB5C388F732926 | 65F18A1A4E73FA2E530467EC981B4AA69AA4C2BD50E342D1AAB695D64E34CED0 |
| 7836 | powershell.exe | C:\Users\admin\AppData\Local\Temp\ng0ndex0.0.cs | text | 7DF2964601813E20EA90BC7ECA64B00B | DAF8A1AE523190EF51054E143909966E01C3B6F531C72B9524D91254EACD6084 |
| 7264 | csc.exe | C:\Users\admin\AppData\Local\Temp\ng0ndex0.out | text | FCD2A9F17EE48EE5CCAC77B899A17884 | EE371B6CBAA45908AB111BBB5B864DD7CA6DA01A7ED37716ECAA29F548AF3556 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| — | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
| — | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| — | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 7492 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 6132 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | | whitelisted |
| google.com | | whitelisted |
| activation-v2.sls.microsoft.com | | whitelisted |