| File name: | file.ps1 |
| Full analysis: | https://app.any.run/tasks/6358967f-d09f-4729-87fb-93fedb6da0f0 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | January 27, 2024, 12:54:15 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines |
| MD5: | CDFC9543CAD1E63FC16D366433DE83E2 |
| SHA1: | 16D4B846156891D51F0967B3D19BAD5BAEF6A53D |
| SHA256: | 97D853D47BAA7C9ADBE2CC6D0A9B28FD07481B21E3505C06B27AC8CAB3927CC4 |
| SSDEEP: | 3072:6cqJS3oczTJprA9HerK88t2VRsl4NgRPtrwMIfQ8XKB2US1nkvaeyEKGRRjvnfyr:XuK |
MALICIOUS
Starts Visual C# compiler
- powershell.exe (PID: 2640)
- powershell.exe (PID: 3816)
- powershell.exe (PID: 1832)
Drops the executable file immediately after the start
- csc.exe (PID: 2692)
- csc.exe (PID: 3480)
- csc.exe (PID: 3556)
Bypass execution policy to execute commands
- powershell.exe (PID: 3816)
UAC/LUA settings modification
- powershell.exe (PID: 1832)
Steals credentials from Web Browsers
- RegSvcs.exe (PID: 1556)
Actions looks like stealing of personal data
- RegSvcs.exe (PID: 1556)
SUSPICIOUS
Using PowerShell to operate with local accounts
- powershell.exe (PID: 2640)
Reads the Internet Settings
- powershell.exe (PID: 2640)
- powershell.exe (PID: 1380)
- RegSvcs.exe (PID: 1556)
Uses .NET C# to load dll
- powershell.exe (PID: 2640)
- powershell.exe (PID: 3816)
- powershell.exe (PID: 1832)
Executable content was dropped or overwritten
- csc.exe (PID: 2692)
- csc.exe (PID: 3480)
- csc.exe (PID: 3556)
Uses NETSH.EXE to change the status of the firewall
- powershell.exe (PID: 2640)
- powershell.exe (PID: 3816)
- powershell.exe (PID: 1832)
The process executes Powershell scripts
- powershell.exe (PID: 1380)
Application launched itself
- powershell.exe (PID: 1380)
Starts POWERSHELL.EXE for commands execution
- powershell.exe (PID: 1380)
Checks for external IP
- RegSvcs.exe (PID: 1556)
Accesses Microsoft Outlook profiles
- RegSvcs.exe (PID: 1556)
Process communicates with Telegram (possibly using it as an attacker's C2 server)
- RegSvcs.exe (PID: 1556)
Reads browser cookies
- RegSvcs.exe (PID: 1556)
Reads settings of System Certificates
- RegSvcs.exe (PID: 1556)
INFO
Creates files in the program directory
- powershell.exe (PID: 2640)
- dw20.exe (PID: 2760)
- dw20.exe (PID: 2756)
Checks supported languages
- csc.exe (PID: 2692)
- cvtres.exe (PID: 2592)
- csc.exe (PID: 3480)
- cvtres.exe (PID: 2136)
- csc.exe (PID: 3556)
- cvtres.exe (PID: 3504)
- RegSvcs.exe (PID: 1556)
- RegSvcs.exe (PID: 2292)
- dw20.exe (PID: 2756)
- dw20.exe (PID: 2760)
- MSBuild.exe (PID: 2256)
Reads the machine GUID from the registry
- csc.exe (PID: 2692)
- cvtres.exe (PID: 2592)
- cvtres.exe (PID: 2136)
- csc.exe (PID: 3556)
- csc.exe (PID: 3480)
- RegSvcs.exe (PID: 1556)
- cvtres.exe (PID: 3504)
- dw20.exe (PID: 2760)
- dw20.exe (PID: 2756)
Create files in a temporary directory
- csc.exe (PID: 2692)
- cvtres.exe (PID: 2592)
- csc.exe (PID: 3480)
- cvtres.exe (PID: 2136)
- csc.exe (PID: 3556)
- cvtres.exe (PID: 3504)
Manual execution by a user
- explorer.exe (PID: 2112)
- powershell.exe (PID: 3816)
- powershell.exe (PID: 3536)
- powershell.exe (PID: 1380)
Reads the computer name
- RegSvcs.exe (PID: 1556)
- dw20.exe (PID: 2756)
- dw20.exe (PID: 2760)
Reads Environment values
- RegSvcs.exe (PID: 1556)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
67
Monitored processes
20
Malicious processes
4
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1380 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 3221225786 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 1556 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET Services Installation Utility Exit code: 0 Version: 4.8.3761.0 built by: NET48REL1 Modules
| |||||||||||||||
| 1832 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\file.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 2024 | "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue | C:\Windows\System32\netsh.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2112 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES3949.tmp" "c:\Users\admin\AppData\Local\Temp\CSCE5BEE6CB13FD447F92B7B69403CCE79.TMP" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | — | csc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 14.10.25028.0 built by: VCTOOLSD15RTM Modules
| |||||||||||||||
| 2256 | "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" | C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: MSBuild.exe Exit code: 3762507597 Version: 3.5.30729.4926 built by: NetFXw7 Modules
| |||||||||||||||
| 2292 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET Services Installation Utility Exit code: 3762507597 Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400) Modules
| |||||||||||||||
| 2592 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES9E32.tmp" "c:\Users\admin\AppData\Local\Temp\CSCFF36895D73184E979C603E17736183C7.TMP" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | — | csc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 14.10.25028.0 built by: VCTOOLSD15RTM Modules
| |||||||||||||||
| 2640 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\file.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 3221225786 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
Total events
15 338
Read events
14 890
Write events
444
Delete events
4
Modification events
| (PID) Process: | (2640) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2640) powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2640) powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2640) powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2640) powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (2724) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3816) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3816) powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
| Operation: | write | Name: | ExecutionPolicy |
Value: Bypass | |||
| (PID) Process: | (3816) powershell.exe | Key: | HKEY_CLASSES_ROOT\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3816) powershell.exe | Key: | HKEY_CLASSES_ROOT\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
3
Suspicious files
34
Text files
10
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2640 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YDS2S4K09OBIHCGAYODW.temp | binary | |
MD5:42E3956892291F5EE35E1B989213EF05 | SHA256:D4E6947871B5FD00AD32F8707479DD6EC92AB65D8C6D157B1C0C3D99D575E468 | |||
| 2592 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES9E32.tmp | binary | |
MD5:803B32B0EC3501311015F49B68E514DA | SHA256:0F2CF4B46F7CADC50373ACAA74EF484E5AE537E7EAA43F6A4A773CEBEE48F781 | |||
| 2640 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:42E3956892291F5EE35E1B989213EF05 | SHA256:D4E6947871B5FD00AD32F8707479DD6EC92AB65D8C6D157B1C0C3D99D575E468 | |||
| 2640 | powershell.exe | C:\Users\admin\AppData\Local\Temp\i0qlzatn.3ih.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 2640 | powershell.exe | C:\Users\admin\AppData\Local\Temp\wfrhb32y.raw.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 2640 | powershell.exe | C:\ProgramData\MINGALIES\KAMASUTRAKIM.~!!@#!!!!!!!!!!!!!!!~ | text | |
MD5:421EA184D3C314B6BDBA4227D3F4830A | SHA256:B54F77F4C37E2DC38811FAE1F6BCB8D4978A0CBAA92621910E6FCD46F00B4A22 | |||
| 2640 | powershell.exe | C:\Users\admin\AppData\Local\Temp\lzlgbigr.cmdline | text | |
MD5:3270C917762081E9BFE7469424A9BDC1 | SHA256:3E1736DEEB3AE73F3309A9D55DCECA5018DC4AA486C2A8684DE8BB55B02C9CD7 | |||
| 2692 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCFF36895D73184E979C603E17736183C7.TMP | binary | |
MD5:071DE31C06C08FCBFB45112A07480EC4 | SHA256:4DB7E80503B58F57F51A44515E57045377EE1B22935324245C1F131CD5ECF074 | |||
| 2692 | csc.exe | C:\Users\admin\AppData\Local\Temp\lzlgbigr.dll | executable | |
MD5:FC8768063589054498BD0C5D39E787B4 | SHA256:F03E29C0625FC20F36E219F602911EA1002E82D6E88BB9F3303A2FA553B47484 | |||
| 2640 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary | |
MD5:DE3E389E155C6845D43C07185A11ACF1 | SHA256:6761E2D1F087BBAA8A8DB8B1294E66088FDBE0B9B7FC6E43476D8B2ABDB79E56 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
7
DNS requests
3
Threats
9
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1556 | RegSvcs.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | text | 6 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1556 | RegSvcs.exe | 173.231.16.75:443 | api.ipify.org | WEBNX | US | unknown |
1556 | RegSvcs.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | unknown |
1556 | RegSvcs.exe | 149.154.167.220:443 | api.telegram.org | Telegram Messenger Inc | GB | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
api.ipify.org |
| shared |
ip-api.com |
| shared |
api.telegram.org |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1080 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup |
1556 | RegSvcs.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI |
1556 | RegSvcs.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
1556 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com |
1556 | RegSvcs.exe | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External Hosting Lookup by ip-api |
1080 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup |
1556 | RegSvcs.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) |
1556 | RegSvcs.exe | Misc activity | ET HUNTING Telegram API Certificate Observed |
1556 | RegSvcs.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Attempt to exfiltrate via Telegram |