File name: | win32.ps1 |
Full analysis: | https://app.any.run/tasks/d622bb1c-8e41-4022-b779-c79153e9d40b |
Verdict: | Malicious activity |
Analysis date: | October 14, 2019, 17:29:32 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines |
MD5: | 64C73E60D5A187921BD4304304B36AA7 |
SHA1: | 78EC6C4F8271B70FFB1654F82CA25F426A5129A6 |
SHA256: | 778A46CE198FDC471DDA17D9D940FDF39A522E0AA32E7A686EE9B54A9C7F13E6 |
SSDEEP: | 192:uitQNqXiD1CrjSkMUY91B895pybBgx9z6mlyiyQnVzX3Td4GK+rfLVFSCyu4o:PZEqS3U4eoq6ET6AYo |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2420 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Windows\win32.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1876 | "C:\Windows\system32\whoami.exe" | C:\Windows\system32\whoami.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: whoami - displays logged on user information Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2532 | "C:\Windows\system32\HOSTNAME.EXE" | C:\Windows\system32\HOSTNAME.EXE | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Hostname APP Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2180 | "C:\Windows\system32\whoami.exe" | C:\Windows\system32\whoami.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: whoami - displays logged on user information Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3040 | "C:\Windows\system32\HOSTNAME.EXE" | C:\Windows\system32\HOSTNAME.EXE | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Hostname APP Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4068 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5afe4de1b92fc382.customDestinations-ms" | C:\Program Files\Notepad++\notepad++.exe | explorer.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Exit code: 0 Version: 7.51 | ||||
2488 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 | C:\Program Files\Notepad++\updater\gup.exe | notepad++.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: GUP : a free (LGPL) Generic Updater Version: 4.1 | ||||
4000 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Windows\win32.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
792 | "C:\Windows\system32\whoami.exe" | C:\Windows\system32\whoami.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: whoami - displays logged on user information Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3720 | "C:\Windows\system32\HOSTNAME.EXE" | C:\Windows\system32\HOSTNAME.EXE | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Hostname APP Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2420 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1ECA7KSAPOI5ANBAY6UL.temp | — | |
MD5:— | SHA256:— | |||
4000 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9NE2OTLWKNEZH9K2KOB9.temp | — | |
MD5:— | SHA256:— | |||
2420 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:1769741B324F9C059C2ED18B03ACEFD2 | SHA256:F1777E0C7472B4F584D458B5E3ED9818DF94E0E639630709C89D58E8C46E0F99 | |||
4000 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:1769741B324F9C059C2ED18B03ACEFD2 | SHA256:F1777E0C7472B4F584D458B5E3ED9818DF94E0E639630709C89D58E8C46E0F99 | |||
4000 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF3cebd3.TMP | binary | |
MD5:1769741B324F9C059C2ED18B03ACEFD2 | SHA256:F1777E0C7472B4F584D458B5E3ED9818DF94E0E639630709C89D58E8C46E0F99 | |||
2420 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39a747.TMP | binary | |
MD5:1769741B324F9C059C2ED18B03ACEFD2 | SHA256:F1777E0C7472B4F584D458B5E3ED9818DF94E0E639630709C89D58E8C46E0F99 | |||
4068 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\config.xml | xml | |
MD5:A49B81574B8340303AAEE81C6DE27B9D | SHA256:BDCD5858EF143FDCAD7A4E62ABB6FFB42936B8A8BCB55FC68DCEAC590731F868 | |||
4068 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\session.xml | text | |
MD5:F4AE6B5DBFE92EC52A99170941F94848 | SHA256:B5CC05086D746A1B6107086F4ECB0A950B808561C012CF75AFB8775D7C9E0314 | |||
4068 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\shortcuts.xml | text | |
MD5:AD21A64014891793DD9B21D835278F36 | SHA256:C24699C9D00ABDD510140FE1B2ACE97BFC70D8B21BF3462DED85AFC4F73FE52F | |||
4068 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\plugins\Config\converter.ini | text | |
MD5:F70F579156C93B097E656CABA577A5C9 | SHA256:B926498A19CA95DC28964B7336E5847107DD3C0F52C85195C135D9DD6CA402D4 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2488 | gup.exe | 2.57.89.199:443 | notepad-plus-plus.org | — | — | suspicious |
2420 | powershell.exe | 52.84.197.158:443 | slack.com | Amazon.com, Inc. | US | unknown |
4000 | powershell.exe | 52.84.197.158:443 | slack.com | Amazon.com, Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
slack.com |
| whitelisted |
notepad-plus-plus.org |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2420 | powershell.exe | Generic Protocol Command Decode | SURICATA STREAM TIMEWAIT ACK with wrong seq |
Process | Message |
---|---|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093
|