File name: win32.ps1
Full analysis: https://app.any.run/tasks/d622bb1c-8e41-4022-b779-c79153e9d40b
Verdict: Malicious activity
Analysis date: October 14, 2019, 17:29:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines
MD5: 64C73E60D5A187921BD4304304B36AA7
SHA1: 78EC6C4F8271B70FFB1654F82CA25F426A5129A6
SHA256: 778A46CE198FDC471DDA17D9D940FDF39A522E0AA32E7A686EE9B54A9C7F13E6
SSDEEP: 192:uitQNqXiD1CrjSkMUY91B895pybBgx9z6mlyiyQnVzX3Td4GK+rfLVFSCyu4o:PZEqS3U4eoq6ET6AYo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2420)
      • notepad++.exe (PID: 4068)
      • powershell.exe (PID: 4000)
    • PowerShell script executed

      • powershell.exe (PID: 2420)
      • powershell.exe (PID: 4000)
    • Uses WHOAMI.EXE to obtain logged-on user information

      • powershell.exe (PID: 2420)
      • powershell.exe (PID: 4000)
  • INFO

    • Manual execution by user

      • notepad++.exe (PID: 4068)
      • powershell.exe (PID: 4000)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 55
Monitored processes: 12
Malicious processes: 0
Suspicious processes: 1

Behavior graph

  • powershell.exe
    • whoami.exe (no specs)
    • hostname.exe (no specs)
    • whoami.exe (no specs)
    • hostname.exe (no specs)
  • notepad++.exe
    • gup.exe
  • powershell.exe
    • whoami.exe (no specs)
    • hostname.exe (no specs)
    • whoami.exe (no specs)
    • hostname.exe (no specs)

Process information

PID 2420
  CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Windows\win32.ps1"
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows PowerShell
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1876
  CMD: "C:\Windows\system32\whoami.exe"
  Path: C:\Windows\system32\whoami.exe
  Parent process: powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: whoami - displays logged on user information
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2532
  CMD: "C:\Windows\system32\HOSTNAME.EXE"
  Path: C:\Windows\system32\HOSTNAME.EXE
  Parent process: powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Hostname APP
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2180
  CMD: "C:\Windows\system32\whoami.exe"
  Path: C:\Windows\system32\whoami.exe
  Parent process: powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: whoami - displays logged on user information
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3040
  CMD: "C:\Windows\system32\HOSTNAME.EXE"
  Path: C:\Windows\system32\HOSTNAME.EXE
  Parent process: powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Hostname APP
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 4068
  CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5afe4de1b92fc382.customDestinations-ms"
  Path: C:\Program Files\Notepad++\notepad++.exe
  Parent process: explorer.exe
  User: admin
  Company:
  Integrity Level: MEDIUM
  Description: Notepad++ : a free (GNU) source code editor
  Exit code: 0
  Version: 7.51

PID 2488
  CMD: "C:\Program Files\Notepad++\updater\gup.exe" -v7.51
  Path: C:\Program Files\Notepad++\updater\gup.exe
  Parent process: notepad++.exe
  User: admin
  Company:
  Integrity Level: MEDIUM
  Description: GUP : a free (LGPL) Generic Updater
  Version: 4.1

PID 4000
  CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Windows\win32.ps1"
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows PowerShell
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 792
  CMD: "C:\Windows\system32\whoami.exe"
  Path: C:\Windows\system32\whoami.exe
  Parent process: powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: whoami - displays logged on user information
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3720
  CMD: "C:\Windows\system32\HOSTNAME.EXE"
  Path: C:\Windows\system32\HOSTNAME.EXE
  Parent process: powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Hostname APP
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 652
Read events: 495
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 4
Text files: 6
Unknown types: 0

Dropped files

PID 2420, powershell.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1ECA7KSAPOI5ANBAY6UL.temp
  Type:
  MD5:
  SHA256:

PID 4000, powershell.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9NE2OTLWKNEZH9K2KOB9.temp
  Type:
  MD5:
  SHA256:

PID 2420, powershell.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Type: binary
  MD5: 1769741B324F9C059C2ED18B03ACEFD2
  SHA256: F1777E0C7472B4F584D458B5E3ED9818DF94E0E639630709C89D58E8C46E0F99

PID 4000, powershell.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Type: binary
  MD5: 1769741B324F9C059C2ED18B03ACEFD2
  SHA256: F1777E0C7472B4F584D458B5E3ED9818DF94E0E639630709C89D58E8C46E0F99

PID 4000, powershell.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF3cebd3.TMP
  Type: binary
  MD5: 1769741B324F9C059C2ED18B03ACEFD2
  SHA256: F1777E0C7472B4F584D458B5E3ED9818DF94E0E639630709C89D58E8C46E0F99

PID 2420, powershell.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39a747.TMP
  Type: binary
  MD5: 1769741B324F9C059C2ED18B03ACEFD2
  SHA256: F1777E0C7472B4F584D458B5E3ED9818DF94E0E639630709C89D58E8C46E0F99

PID 4068, notepad++.exe
  Filename: C:\Users\admin\AppData\Roaming\Notepad++\config.xml
  Type: xml
  MD5: A49B81574B8340303AAEE81C6DE27B9D
  SHA256: BDCD5858EF143FDCAD7A4E62ABB6FFB42936B8A8BCB55FC68DCEAC590731F868

PID 4068, notepad++.exe
  Filename: C:\Users\admin\AppData\Roaming\Notepad++\session.xml
  Type: text
  MD5: F4AE6B5DBFE92EC52A99170941F94848
  SHA256: B5CC05086D746A1B6107086F4ECB0A950B808561C012CF75AFB8775D7C9E0314

PID 4068, notepad++.exe
  Filename: C:\Users\admin\AppData\Roaming\Notepad++\shortcuts.xml
  Type: text
  MD5: AD21A64014891793DD9B21D835278F36
  SHA256: C24699C9D00ABDD510140FE1B2ACE97BFC70D8B21BF3462DED85AFC4F73FE52F

PID 4068, notepad++.exe
  Filename: C:\Users\admin\AppData\Roaming\Notepad++\plugins\Config\converter.ini
  Type: text
  MD5: F70F579156C93B097E656CABA577A5C9
  SHA256: B926498A19CA95DC28964B7336E5847107DD3C0F52C85195C135D9DD6CA402D4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 6
Threats: 0

HTTP requests

No HTTP requests

Connections

PID 2488, gup.exe
  IP: 2.57.89.199:443
  Domain: notepad-plus-plus.org
  ASN:
  CN:
  Reputation: suspicious

PID 2420, powershell.exe
  IP: 52.84.197.158:443
  Domain: slack.com
  ASN: Amazon.com, Inc.
  CN: US
  Reputation: unknown

PID 4000, powershell.exe
  IP: 52.84.197.158:443
  Domain: slack.com
  ASN: Amazon.com, Inc.
  CN: US
  Reputation: unknown

DNS requests

  • slack.com
    IP: 52.84.197.158
    Reputation: whitelisted
  • notepad-plus-plus.org
    IP: 2.57.89.199
    Reputation: whitelisted

Threats

PID 2420, powershell.exe
  Class: Generic Protocol Command Decode
  Message: SURICATA STREAM TIMEWAIT ACK with wrong seq

Process messages

  • notepad++.exe: VerifyLibrary: certificate revocation checking is disabled
  • notepad++.exe: VerifyLibrary: certificate revocation checking is disabled
  • notepad++.exe: 42C4C5846BB675C74E2B2C90C69AB44366401093