| Field | Value |
|---|---|
| File name | file.ps1 |
| Full analysis | https://app.any.run/tasks/a4adf9b2-76fb-437e-a1d4-432c1e949a4b |
| Verdict | Malicious activity |
| Analysis date | May 15, 2019, 17:59:59 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | text/plain |
| File info | ASCII text, with very long lines, with CRLF line terminators |
| MD5 | 15E251DF54AC9FE193642CC2CDDED518 |
| SHA1 | EE6588E680D91A894B6E706C51413EED713BB9B7 |
| SHA256 | C0C39205B4CD5A1CEC172AAF979602FA4F13CBCD0036102E0CBC5FA83E2026D5 |
| SSDEEP | 192:ZbawLYtvt7jktbdtGDHATqtCou7siSUKhqht+t+JL5453:ZbauYtvt7jktbdtGDgutCou71SUKyt+X |
| PID | CMD | Path | Indicators | Parent process | User | Integrity level | Description (Company) | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|
| 2824 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\file.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe | admin | MEDIUM | Windows PowerShell (Microsoft Corporation) | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 1256 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe | SYSTEM | SYSTEM | Microsoft Windows Search Protocol Host (Microsoft Corporation) | 7.00.7600.16385 (win7_rtm.090713-1255) | — |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2824 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5I8B30Z0YBS6U2HN0EZ8.temp | — | — | — |
| 2824 | powershell.exe | C:\Users\Public\Java_qahbxy4_\pp.png | — | — | — |
| 2824 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 5F9A7BF5388376D94C2EDCA422810BEC | 8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C |
| 2824 | powershell.exe | C:\users\public\Java_qahbxy4_\Java_qahbxy4_.LNS | executable | D66208DE7F9C6A6CE07242F96C55EEA8 | 7C2F4D3DB220CA5FABCC746C0867895ACA39F5E4A0EB0606C82C51CC0C4ECC8C |
| 2824 | powershell.exe | C:\users\public\Java_qahbxy4_\Java_qahbxy4_.zip | compressed | 91AD5E72E197373753D193E189C07145 | 27F7C3059FA051DA825EF62599EB9A1889BB71C15EB2C2ED887434C7EFF51363 |
| 2824 | powershell.exe | C:\users\public\c.lnk | lnk | C478C826AE21A9121203CC602DA19084 | CDE24B1BDAFABF74DE28BF82E02EEFE4037322063A163416DFAA75C2FC3EB365 |
| 2824 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java_qahbxy4_.lnk | lnk | 2EDE4D9B596BCBA844E29E61BD7E5A54 | 2D6FF1905DB951DF0610F7BC83940FBCD0D086C8555F24F5C68D69589E8378A1 |
| 2824 | powershell.exe | C:\users\public\Java_qahbxy4_\Java_qahbxy4_.exe | executable | C56B5F0201A3B3DE53E561FE76912BFD | 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D |
| 2824 | powershell.exe | C:\Users\Public\Java_qahbxy4_\ssleay32.dll | executable | CF2C57DDA3766C204C398430DA23693D | 492F045643354C8B9FA11673B6C32CDBB33779826A729CE55DE5901279C1F6D5 |
| 2824 | powershell.exe | C:\Users\Public\Java_qahbxy4_\libeay32.dll | executable | 905ED724736240737EF98E62917A3BC7 | 963B313EB11D5EA78D9D5F4E03DF9265E472DB892A4B406EE73F0216FD4D6F38 |
| PID | Process | Method | HTTP code | IP:port | URL | Country | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2824 | powershell.exe | GET | 200 | 144.202.68.139:80 | http://144.202.68.139/mds25/kk/md.zip | US | compressed | 11.4 MB | malicious |
| PID | Process | IP:port | Domain | ASN | Country | Reputation |
|---|---|---|---|---|---|---|
| 2824 | powershell.exe | 144.202.68.139:80 | — | Baltimore Technology Park, LLC | US | malicious |
PID | Process | Class | Message |
---|---|---|---|
2824 | powershell.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host ZIP Request |
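The tables above describe a short chain: explorer.exe starts powershell.exe with `-file` on a script in %TEMP%, the script fetches `md.zip` over plain HTTP from a bare IPv4 host (which is what the "ET INFO Dotted Quad Host ZIP Request" alert keys on), unpacks an executable plus ssleay32.dll/libeay32.dll (OpenSSL library names) under C:\Users\Public, and writes a .lnk into the user's Startup folder so the payload runs again at logon. The script below is an added example, not part of the ANY.RUN report: it turns those observations into checks that run over event records. The records in `EVENTS` are constructed by hand from the report's process, file and HTTP rows, and the checks (in particular `is_dotted_quad_zip_request`) are this editor's approximation of the idea behind the alert, not the Suricata rule's content match.

```python
"""Triage checks for the behaviour seen in the sandbox report above.

Added example, not the report's or ANY.RUN's own code. EVENTS is constructed
from the report's tables; the checks are approximations of what a hunter
would look for, not the literal ET INFO rule.
"""
import ipaddress
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Constructed from the report's tables (PID 2824 = powershell.exe).
EVENTS = [
    {"kind": "process", "pid": 2824,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\file.ps1"',
     "parent": "explorer.exe"},
    {"kind": "http", "pid": 2824, "method": "GET", "status": 200,
     "url": "http://144.202.68.139/mds25/kk/md.zip"},
    {"kind": "file", "pid": 2824, "path": r"C:\users\public\Java_qahbxy4_\Java_qahbxy4_.zip"},
    {"kind": "file", "pid": 2824, "path": r"C:\users\public\Java_qahbxy4_\Java_qahbxy4_.exe"},
    {"kind": "file", "pid": 2824, "path": r"C:\Users\Public\Java_qahbxy4_\ssleay32.dll"},
    {"kind": "file", "pid": 2824, "path": r"C:\users\public\c.lnk"},
    {"kind": "file", "pid": 2824,
     "path": r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java_qahbxy4_.lnk"},
    # Jump-list write: a normal side effect of running PowerShell, kept here so
    # the triage shows a benign artifact that is NOT flagged.
    {"kind": "file", "pid": 2824,
     "path": r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms"},
]

# Per-user and all-users Startup folders both end in \Start Menu\Programs\Startup\.
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
PUBLIC_RE = re.compile(r"^c:\\users\\public\\", re.IGNORECASE)
# powershell.exe -file <something under %TEMP%>.ps1
TEMP_SCRIPT_RE = re.compile(r"\\appdata\\local\\temp\\[^\"\s]+\.ps1", re.IGNORECASE)
DROPPED_EXT = {".exe", ".dll", ".scr", ".zip"}


def is_dotted_quad_zip_request(url: str) -> bool:
    """True when the URL's host is a bare IPv4 literal and the path ends in .zip.

    Approximates the idea behind "ET INFO Dotted Quad Host ZIP Request":
    legitimate software updates almost always use a hostname, so an archive
    pulled from a raw IP is worth a look. Not the rule's exact content match.
    """
    parts = urlsplit(url)
    try:
        ipaddress.IPv4Address(parts.hostname or "")
    except ValueError:  # hostname, IPv6 literal or empty host
        return False
    return parts.path.lower().endswith(".zip")


def is_startup_persistence(path: str) -> bool:
    """A .lnk written into a Startup folder is executed at the next logon."""
    return bool(STARTUP_RE.search(path)) and path.lower().endswith(".lnk")


def is_public_drop(path: str) -> bool:
    """Executable, DLL or archive dropped under C:\\Users\\Public (writable by
    every local account, so a common staging directory)."""
    suffix = PureWindowsPath(path).suffix.lower()
    return bool(PUBLIC_RE.match(path)) and suffix in DROPPED_EXT


def triage(events):
    """Return (event index, finding) pairs for every event that trips a check."""
    findings = []
    for i, ev in enumerate(events):
        if ev["kind"] == "process":
            if "powershell" in ev["image"].lower() and TEMP_SCRIPT_RE.search(ev["cmdline"]):
                findings.append((i, "powershell -file on a script in %TEMP%"))
        elif ev["kind"] == "http":
            if is_dotted_quad_zip_request(ev["url"]):
                findings.append((i, "zip fetched from a dotted-quad host"))
        elif ev["kind"] == "file":
            if is_startup_persistence(ev["path"]):
                findings.append((i, "lnk written to Startup folder (logon persistence)"))
            elif is_public_drop(ev["path"]):
                findings.append((i, "executable/archive dropped under C:\\Users\\Public"))
    return findings


if __name__ == "__main__":
    for idx, msg in triage(EVENTS):
        print(f"event {idx}: {msg}")
```

Running it flags the %TEMP% script launch, the dotted-quad zip download, the three executables/archives under C:\Users\Public and the Startup-folder .lnk, while leaving the jump-list write and the stray c.lnk alone. The same functions can be pointed at Sysmon event 1/11 and proxy logs after the field names are mapped.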