File name: sample1.ps1
Full analysis: https://app.any.run/tasks/087a303e-754d-43ff-a93b-9f2ae9d6cca6
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: April 15, 2019, 07:14:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: F34B72471A205C4EEE5221AB9A349C55
SHA1: E8B58B9DB83B4902A607559301F6985763D2647A
SHA256: A1F06D69BD6379E310B10A364D689F21499953FA1118EC699A25072779DE5D9B
SSDEEP: 384:B3pTvqF5z3lliRK4OuS7KMLeIMY3wDZo6qIflUsNYrqObYlUGmpI0fQ8sir2KLRW:B3pOfzHTvhhqIMY3yaIG72ObqmpI07r8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Uses WHOAMI.EXE to obtain logged-on user information

      • cmd.exe (PID: 620)
    • Starts CMD.EXE for command execution

      • powershell.exe (PID: 3864)
    • Creates files in the Windows directory

      • powershell.exe (PID: 3864)
    • Uses TASKLIST.EXE to query information about running processes

      • powershell.exe (PID: 3864)
    • Creates files in the user directory

      • powershell.exe (PID: 3864)
  • INFO

    No info indicators.
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 6
Malicious processes: 0
Suspicious processes: 1

Behavior graph

start → powershell.exe → tasklist.exe
                      → cmd.exe → whoami.exe
                                → findstr.exe
                                → findstr.exe

Process information

PID: 3864
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\sample1.ps1"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3524
CMD: "C:\Windows\system32\tasklist.exe"
Path: C:\Windows\system32\tasklist.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 620
CMD: "C:\Windows\system32\cmd.exe" /c "whoami /groups | findstr /c:"S-1-5-32-544" | findstr /c:"Enabled group" && goto:isadministrator"
Path: C:\Windows\system32\cmd.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1636
CMD: whoami /groups
Path: C:\Windows\system32\whoami.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: whoami - displays logged on user information
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2188
CMD: findstr /c:"S-1-5-32-544"
Path: C:\Windows\system32\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3384
CMD: findstr /c:"Enabled group"
Path: C:\Windows\system32\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 240
Read events: 169
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 2
Text files: 6
Unknown types: 0

Dropped files

PID: 3864
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M71WGEE9U9A1QDA9VOAC.temp
Type:
MD5:
SHA256:

PID: 3864
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF112911.TMP
Type: binary
MD5: 33B4C42BAF9E3CA295E3BDCD51C02EAF
SHA256: B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5

PID: 3864
Process: powershell.exe
Filename: C:\windows\temp\tmp0914.tmp
Type: text
MD5: BA3D56043B68F9C199E693C3F86491BD
SHA256: 2CC22BBDDE56F4E94F99852BC4DDEDDDC62664ED8D3272FC66CFB93DB683C2AA

PID: 3864
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: 33B4C42BAF9E3CA295E3BDCD51C02EAF
SHA256: B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 3864
Process: powershell.exe
IP: 104.227.146.249:443
Domain: ecombox.store
ASN: B2 Net Solutions Inc.
CN: CA
Reputation: unknown

DNS requests

Domain: ecombox.store
IP: 104.227.146.249
Reputation: malicious

Threats

PID:
Process:
Class: A Network Trojan was detected
Message: ET TROJAN PS/PowerRatankba CnC DNS Lookup

No debug info