| File name: | loader.ps1 |
| Full analysis: | https://app.any.run/tasks/b0d2ee70-57b2-4970-855b-55e7ecf48830 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | March 02, 2025, 22:50:52 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text |
| MD5: | 02C443A5157E35273D556AC8A8627FCA |
| SHA1: | A6F170812489E3B9DE5B9B0B448624C0A3AF204D |
| SHA256: | 7D3CC12A5FEEBA7A85C518EC2326B47BAF80CED6510146F97F99D9408D7554FE |
| SSDEEP: | 24:as4surourD6HDCcaXZDFiJOngqaCFCbfZbRzLb:as4sj0ejCjkOdLFCbf11 |
MALICIOUS
Bypass execution policy to execute commands
- powershell.exe (PID: 4976)
SUSPICIOUS
Process drops legitimate windows executable
- powershell.exe (PID: 4976)
Process requests binary or script from the Internet
- powershell.exe (PID: 4976)
Executable content was dropped or overwritten
- powershell.exe (PID: 4976)
Connects to the server without a host name
- powershell.exe (PID: 4976)
Potential Corporate Privacy Violation
- powershell.exe (PID: 4976)
INFO
Disables trace logs
- powershell.exe (PID: 4976)
Checks proxy server information
- powershell.exe (PID: 4976)
- slui.exe (PID: 4244)
The sample compiled with english language support
- powershell.exe (PID: 4976)
Checks whether the specified file exists (POWERSHELL)
- powershell.exe (PID: 4976)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 4976)
Reads the software policy settings
- slui.exe (PID: 4244)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
122
Monitored processes
3
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2960 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4244 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4976 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\loader.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
8 440
Read events
8 440
Write events
0
Delete events
0
Modification events
Executable files
2
Suspicious files
4
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4976 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\78BFF7YOCSTT1YBUPLOV.temp | binary | |
MD5:768C62562B58F9C4090C852A323EC236 | SHA256:3776E6C91F99EA8D87CCA0108DE596DAF272377FF8081CA86C3FB0C284F2FF7F | |||
| 4976 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Acuerdo_de_Orden_de_Compra.exe | executable | |
MD5:72256F138063B9EEAC72EE741737B8E3 | SHA256:1CD644B750884906B707419C8F40598C04F1402E4E93CBF4A33F3254846DC870 | |||
| 4976 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:A320B760E2DAA06B5C9773058D76E512 | SHA256:BB1793742E8972128E35891CF45F960600EAEF8E0ABDC0AADAE38883BBCE1844 | |||
| 4976 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10bf3b.TMP | binary | |
MD5:D040F64E9E7A2BB91ABCA5613424598E | SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670 | |||
| 4976 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_njllshux.ksf.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4976 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary | |
MD5:768C62562B58F9C4090C852A323EC236 | SHA256:3776E6C91F99EA8D87CCA0108DE596DAF272377FF8081CA86C3FB0C284F2FF7F | |||
| 4976 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_oslbp1fa.n2n.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4976 | powershell.exe | C:\Users\admin\AppData\Local\Temp\mpclient.dll | executable | |
MD5:170F5DBDF69AF22D89EF3CBC5F7387C9 | SHA256:DAFB468C7451141290F6684CF4D1BB4962CF77CE6E6F5D59662431E750510F6F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
20
DNS requests
3
Threats
7
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4976 | powershell.exe | GET | 200 | 45.11.59.49:80 | http://45.11.59.49/Acuerdo_de_Orden_de_Compra.exe | unknown | — | — | unknown |
4976 | powershell.exe | GET | 200 | 45.11.59.49:80 | http://45.11.59.49/mpclient.dll | unknown | — | — | unknown |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4976 | powershell.exe | 45.11.59.49:80 | — | Virtual Systems LLC | US | unknown |
4628 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4244 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
4976 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
4976 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
4976 | powershell.exe | Misc activity | ET INFO Request for EXE via Powershell |
4976 | powershell.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
4976 | powershell.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
4976 | powershell.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
4976 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |