File name: | beacon.ps1 |
Full analysis: | https://app.any.run/tasks/09d834d3-cf40-4e82-8b0b-3f6d0859747d |
Verdict: | Malicious activity |
Analysis date: | November 29, 2020, 15:05:00 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines |
MD5: | ED9D08107E4D236C9DF74D8EA56B19C3 |
SHA1: | 15ADEE8B275A71327364F09CF4210F69FE9FCC37 |
SHA256: | A444D5B737747C9F5F5CDAEFFE5F2B139D99A742B54F231A72E9BFE8B2705CE8 |
SSDEEP: | 6144:RPfDAJeqCzqdF13o5MpDjUTd/L7rz5BonMr/W+XskRH1mDr:RPfDnqCz4FdXFUxT/V2nw5Xe |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2580 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\beacon.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2580 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LUL4GQKBT24NLO97NO31.temp | — | |
MD5:— | SHA256:— | |||
2580 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:A4A2A9FD05FAE4B5A98AF9A593F981AE | SHA256:47ED91B1B78B086262ADF1016099190E42C0B622002E04E72F8CFE50AE18DB4A | |||
2580 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFfc990.TMP | binary | |
MD5:A4A2A9FD05FAE4B5A98AF9A593F981AE | SHA256:47ED91B1B78B086262ADF1016099190E42C0B622002E04E72F8CFE50AE18DB4A |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2580 | powershell.exe | 52.14.18.129:14635 | 2.tcp.ngrok.io | Amazon.com, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
2.tcp.ngrok.io |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY DNS Query to a *.ngrok domain (ngrok.io) |