| File name: | Verdacrypt.ps1 |
| Full analysis: | https://app.any.run/tasks/20bf32c2-282f-437c-af83-d12930f2e22f |
| Verdict: | Malicious activity |
| Analysis date: | March 25, 2025, 04:20:12 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Indicators: | |
| MIME: | text/plain |
| File info: | Unicode text, UTF-8 text, with very long lines (606), with CRLF line terminators |
| MD5: | 1D2F8915568FB41D222541A0E4E7ECCC |
| SHA1: | 946EA6430491DFEE483BC29861F75D8CF8739A8F |
| SHA256: | C2488FBD9179BAA92E0597A4486BF0D163A0775C92658D789959111DF60CC138 |
| SSDEEP: | 384:tKSUBSzj5mMEEpi0D04eEMls/11AUfoUHaWPw3+4CFYN2Y:AM5mME00xEbrl6Yq+40o2Y |
MALICIOUS
Bypass execution policy to execute commands
- powershell.exe (PID: 7300)
SUSPICIOUS
CSC.EXE is used to compile C# code
- csc.exe (PID: 7704)
- csc.exe (PID: 812)
Executable content was dropped or overwritten
- csc.exe (PID: 7704)
- csc.exe (PID: 812)
Uses WEVTUTIL.EXE to get a list of log names
- powershell.exe (PID: 7300)
Uses WEVTUTIL.EXE to cleanup log
- powershell.exe (PID: 7300)
INFO
Create files in a temporary directory
- csc.exe (PID: 7704)
- cvtres.exe (PID: 7728)
- csc.exe (PID: 812)
- cvtres.exe (PID: 1660)
Checks supported languages
- csc.exe (PID: 7704)
- cvtres.exe (PID: 7728)
- cvtres.exe (PID: 1660)
- csc.exe (PID: 812)
Reads the machine GUID from the registry
- csc.exe (PID: 7704)
- csc.exe (PID: 812)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 7300)
Checks proxy server information
- slui.exe (PID: 5352)
Reads the software policy settings
- slui.exe (PID: 5352)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .html | | | HyperText Markup Language (100) |
|---|
Total processes
1 359
Monitored processes
1 229
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 300 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-Documents/Performance | C:\Windows\System32\wevtutil.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 300 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-EventListener/Debug | C:\Windows\System32\wevtutil.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 300 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-StoreMgr/Operational | C:\Windows\System32\wevtutil.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 300 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-OfflineFiles/Operational | C:\Windows\System32\wevtutil.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 300 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-Resource-Exhaustion-Detector/Operational | C:\Windows\System32\wevtutil.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 300 | "C:\WINDOWS\system32\wevtutil.exe" cl WMPSetup | C:\Windows\System32\wevtutil.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 516 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-ActionQueue/Analytic | C:\Windows\System32\wevtutil.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 516 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-ClearTypeTextTuner/Diagnostic | C:\Windows\System32\wevtutil.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 516 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-WDC/Analytic | C:\Windows\System32\wevtutil.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 516 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-Ncasvc/Operational | C:\Windows\System32\wevtutil.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
25 642
Read events
25 642
Write events
0
Delete events
0
Modification events
Executable files
2
Suspicious files
8
Text files
9
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7300 | powershell.exe | C:\Users\admin\AppData\Local\Temp\2hd0t012.cmdline | text | |
MD5:7FFF2CDE370BAAE5008EA33A6E254B55 | SHA256:4554DB89FACE649A1F77F92320BE86AD216E898BA16D70D3822AD86F1FB8A637 | |||
| 7704 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC5D40E1BFE2134FCBB77C6DE922A2BD9.TMP | binary | |
MD5:868B3DEC7617515DDEE98EEB0D37265C | SHA256:3FD0632BBBCC71CA3FFC491D1B32FB16245CECBBC644B3D537B3677236FE800C | |||
| 7300 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_f30i2qcf.ibh.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 812 | csc.exe | C:\Users\admin\AppData\Local\Temp\2hd0t012.out | text | |
MD5:5D4A6530C1C95012FBAB05C088A4C0F8 | SHA256:309BBAC831E30DF24D7CD223C17BABA84849917E13286A51CD06F1E474930B35 | |||
| 7300 | powershell.exe | C:\Users\admin\Desktop\ChaosLog.txt | text | |
MD5:B9154DCB38CCC90FCE3C02E237450D01 | SHA256:— | |||
| 7704 | csc.exe | C:\Users\admin\AppData\Local\Temp\taxqyaii.out | text | |
MD5:305D54BFEB9EE33BAEA57042BE315792 | SHA256:93F478655C5535B1DB4A538D1BB5E61C921334390E8BB4FF3D51EC4C674BA078 | |||
| 7300 | powershell.exe | C:\Users\admin\AppData\Local\Temp\taxqyaii.0.cs | text | |
MD5:B794645974059BD125405F327C5ACE77 | SHA256:AFD81C914FE8FA7EE32BE6A797F46A2A829908B45D59100C1052A7BAF2A347DA | |||
| 7728 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESCEBC.tmp | binary | |
MD5:A014BB10C5B1EFB2EA4D1B8907A89117 | SHA256:FC48E1EDCF1460595B08516F64357A274833BE701004DDB731E07AC29C41CB04 | |||
| 7300 | powershell.exe | C:\Users\admin\AppData\Local\Temp\2hd0t012.0.cs | text | |
MD5:7DF2964601813E20EA90BC7ECA64B00B | SHA256:DAF8A1AE523190EF51054E143909966E01C3B6F531C72B9524D91254EACD6084 | |||
| 1660 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES3A08.tmp | binary | |
MD5:82AD73DF7C93B6256E65669362D8E9F0 | SHA256:5D88A1284F8932AD0FC20B99EED3C3B6F60D090329D103E1823F256FBE1F9610 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
50
DNS requests
20
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2104 | svchost.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
2980 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
2980 | SIHClient.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
2980 | SIHClient.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
2980 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
2980 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 20.31.169.57:443 | https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250325T042023Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=1573710259e9461e8ed1d19b9bbb6224&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3968419&metered=false&nettype=ethernet&npid=sc-280815&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1358949&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2 | unknown | binary | 2.95 Kb | whitelisted |
2980 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 40.126.31.129:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3216 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2104 | svchost.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
6544 | svchost.exe | 40.126.31.1:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
7436 | backgroundTaskHost.exe | 20.31.169.57:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
arc.msn.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |