| File name: | lmao.ps1 |
| Full analysis: | https://app.any.run/tasks/d248d995-8630-4c79-9a90-5d34641010ca |
| Verdict: | Malicious activity |
| Analysis date: | December 02, 2023, 07:30:54 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines |
| MD5: | 905784889AAECFD0087C8499F11E195C |
| SHA1: | 24AD3D269130BA4502484172B24D1DB8893A56F2 |
| SHA256: | 766BE1B2BB97BEC88B25F6B80FE2B148FAD1F9BA55CDD0C961F2AD0E7A6B08D9 |
| SSDEEP: | 96:l4j9wGnDFffzqeL7zWF9XjsvWCPJwKpsekPXlOOvRQAs0hs:l+5DFfvL7zWF9YusJwKlsXkOva0hs |
MALICIOUS
Drops the executable file immediately after the start
- csc.exe (PID: 3672)
Starts Visual C# compiler
- powershell.exe (PID: 564)
SUSPICIOUS
Powershell version downgrade attack
- powershell.exe (PID: 564)
Uses .NET C# to load dll
- powershell.exe (PID: 564)
Reads the Internet Settings
- powershell.exe (PID: 564)
The process creates files with name similar to system file names
- dw20.exe (PID: 2780)
INFO
Checks supported languages
- csc.exe (PID: 3672)
- cvtres.exe (PID: 1924)
- dw20.exe (PID: 2780)
Reads the machine GUID from the registry
- csc.exe (PID: 3672)
- cvtres.exe (PID: 1924)
- dw20.exe (PID: 2780)
Reads the computer name
- dw20.exe (PID: 2780)
Creates files or folders in the user directory
- dw20.exe (PID: 2780)
Create files in a temporary directory
- csc.exe (PID: 3672)
- cvtres.exe (PID: 1924)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
42
Monitored processes
4
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 564 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\lmao.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 3221225477 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1924 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES6E8E.tmp" "c:\Users\admin\AppData\Local\Temp\CSC6E8D.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.5003 (Win7SP1GDR.050727-5400) Modules
| |||||||||||||||
| 2780 | dw20.exe -x -s 1124 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Error Reporting Shim Exit code: 0 Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400) Modules
| |||||||||||||||
| 3672 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\sxw8mczc.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.5483 (Win7SP1GDR.050727-5400) Modules
| |||||||||||||||
Total events
1 975
Read events
1 909
Write events
66
Delete events
0
Modification events
| (PID) Process: | (564) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (564) powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (564) powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (564) powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (564) powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (2780) dw20.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles |
| Operation: | write | Name: | FirstLevelConsentDialog |
Value: 7603050000000000 | |||
| (PID) Process: | (2780) dw20.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles |
| Operation: | write | Name: | FirstLevelConsentDialog |
Value: 7603050000000000 | |||
| (PID) Process: | (2780) dw20.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Debug |
| Operation: | write | Name: | StoreLocation |
Value: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aga.exe_b1af04294ac80144576abfc50b4daa16fd011ca_cab_059b2052 | |||
| (PID) Process: | (2780) dw20.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug |
| Operation: | write | Name: | StoreLocation |
Value: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aga.exe_b1af04294ac80144576abfc50b4daa16fd011ca_cab_059b2052 | |||
Executable files
1
Suspicious files
6
Text files
3
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2780 | dw20.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_powershell.exe_9e80d8b35ccb30aff4dc4c634c245adbe376f_0afc98aa\Report.wer | — | |
MD5:— | SHA256:— | |||
| 564 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:16F6D260068B85896C0EBB2E1B2A60D1 | SHA256:6E3B1EF1FB4736A9BF18FADF8E42935CC5053478B6F403A38EFBA8500E819984 | |||
| 564 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF206b9f.TMP | binary | |
MD5:16F6D260068B85896C0EBB2E1B2A60D1 | SHA256:6E3B1EF1FB4736A9BF18FADF8E42935CC5053478B6F403A38EFBA8500E819984 | |||
| 564 | powershell.exe | C:\Users\admin\AppData\Local\Temp\sxw8mczc.cmdline | text | |
MD5:8BDD29B37E9C7F9661B4772EFF921C95 | SHA256:DD1BD809B7C4F66C47F63BE7DD617E8539FAE48C1C66945D652ABFA3D2691794 | |||
| 3672 | csc.exe | C:\Users\admin\AppData\Local\Temp\sxw8mczc.dll | executable | |
MD5:C6DF994F603929887DC7DFD2D565A2FB | SHA256:1D98CF9A3254897FBA90F5B833055832EA11FFECB8547A7614ED6A613F0DDF64 | |||
| 1924 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES6E8E.tmp | binary | |
MD5:AAEEFBA13B24E16323E83BC816384D71 | SHA256:BEB6BF2F56C07B72D73BCBE319B3FEE1125EB94854C4DBB7CCCA36ED7E5702BC | |||
| 3672 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC6E8D.tmp | binary | |
MD5:D40808FBFB49D3F64DBCC25F555F9294 | SHA256:357C4B442A21C48577B4495D24767BD53984F0570DA2266FE9781B259BEC4637 | |||
| 3672 | csc.exe | C:\Users\admin\AppData\Local\Temp\sxw8mczc.pdb | binary | |
MD5:11DB260FAF47E241E8BEB7DDEECD03D0 | SHA256:B61801CB98D01B4986D04313437059A2102BD60C697707EDA91813890AB341EE | |||
| 564 | powershell.exe | C:\Users\admin\AppData\Local\Temp\sxw8mczc.0.cs | text | |
MD5:20E54C82B91BEA6791B6FC8541A3D3E3 | SHA256:5B6744980DC4F868A5B87A238891D5E965712E72A8DD95DAF0BD2E6C69D214BD | |||
| 564 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RDJQ1AG4MH731SPDW66K.temp | binary | |
MD5:16F6D260068B85896C0EBB2E1B2A60D1 | SHA256:6E3B1EF1FB4736A9BF18FADF8E42935CC5053478B6F403A38EFBA8500E819984 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
DNS requests
Threats
Process | Message |
|---|---|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|