| File name: | Verdacrypt.ps1 |
| Full analysis: | https://app.any.run/tasks/20bf32c2-282f-437c-af83-d12930f2e22f |
| Verdict: | Malicious activity |
| Analysis date: | March 25, 2025, 04:20:12 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Indicators: | |
| MIME: | text/plain |
| File info: | Unicode text, UTF-8 text, with very long lines (606), with CRLF line terminators |
| MD5: | 1D2F8915568FB41D222541A0E4E7ECCC |
| SHA1: | 946EA6430491DFEE483BC29861F75D8CF8739A8F |
| SHA256: | C2488FBD9179BAA92E0597A4486BF0D163A0775C92658D789959111DF60CC138 |
| SSDEEP: | 384:tKSUBSzj5mMEEpi0D04eEMls/11AUfoUHaWPw3+4CFYN2Y:AM5mME00xEbrl6Yq+40o2Y |
MALICIOUS
Bypass execution policy to execute commands
- powershell.exe (PID: 7300)
SUSPICIOUS
Uses WEVTUTIL.EXE to get a list of log names
- powershell.exe (PID: 7300)
CSC.EXE is used to compile C# code
- csc.exe (PID: 7704)
- csc.exe (PID: 812)
Executable content was dropped or overwritten
- csc.exe (PID: 7704)
- csc.exe (PID: 812)
Uses WEVTUTIL.EXE to cleanup log
- powershell.exe (PID: 7300)
INFO
Checks supported languages
- cvtres.exe (PID: 7728)
- csc.exe (PID: 7704)
- csc.exe (PID: 812)
- cvtres.exe (PID: 1660)
Create files in a temporary directory
- csc.exe (PID: 7704)
- cvtres.exe (PID: 7728)
- csc.exe (PID: 812)
- cvtres.exe (PID: 1660)
Reads the machine GUID from the registry
- csc.exe (PID: 7704)
- csc.exe (PID: 812)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 7300)
Checks proxy server information
- slui.exe (PID: 5352)
Reads the software policy settings
- slui.exe (PID: 5352)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .html | | | HyperText Markup Language (100) |
|---|
Total processes
1 359
Monitored processes
1 229
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 300 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-Documents/Performance | C:\Windows\System32\wevtutil.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 300 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-EventListener/Debug | C:\Windows\System32\wevtutil.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 300 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-StoreMgr/Operational | C:\Windows\System32\wevtutil.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 300 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-OfflineFiles/Operational | C:\Windows\System32\wevtutil.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 300 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-Resource-Exhaustion-Detector/Operational | C:\Windows\System32\wevtutil.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 300 | "C:\WINDOWS\system32\wevtutil.exe" cl WMPSetup | C:\Windows\System32\wevtutil.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 516 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-ActionQueue/Analytic | C:\Windows\System32\wevtutil.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 516 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-ClearTypeTextTuner/Diagnostic | C:\Windows\System32\wevtutil.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 516 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-WDC/Analytic | C:\Windows\System32\wevtutil.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 516 | "C:\WINDOWS\system32\wevtutil.exe" cl Microsoft-Windows-Ncasvc/Operational | C:\Windows\System32\wevtutil.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
25 642
Read events
25 642
Write events
0
Delete events
0
Modification events
Executable files
2
Suspicious files
8
Text files
9
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7300 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CFQLETIQCE357WWOVVF6.temp | binary | |
MD5:290169061233E7A0115182E217C50594 | SHA256:1E92989EE32B406211FF88858BF32922937CEFA4A36278B4FF2921FCC25C1687 | |||
| 7704 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC5D40E1BFE2134FCBB77C6DE922A2BD9.TMP | binary | |
MD5:868B3DEC7617515DDEE98EEB0D37265C | SHA256:3FD0632BBBCC71CA3FFC491D1B32FB16245CECBBC644B3D537B3677236FE800C | |||
| 7300 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10c3cf.TMP | binary | |
MD5:D040F64E9E7A2BB91ABCA5613424598E | SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670 | |||
| 7300 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ck1eypl4.3fj.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7704 | csc.exe | C:\Users\admin\AppData\Local\Temp\taxqyaii.dll | executable | |
MD5:23E47EF62BE4F517B141E32210A5088F | SHA256:CE423207089E8F224BF301C1B322654597115C0C484556EDEBA35E9660D4AAFA | |||
| 1660 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES3A08.tmp | binary | |
MD5:82AD73DF7C93B6256E65669362D8E9F0 | SHA256:5D88A1284F8932AD0FC20B99EED3C3B6F60D090329D103E1823F256FBE1F9610 | |||
| 7300 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary | |
MD5:290169061233E7A0115182E217C50594 | SHA256:1E92989EE32B406211FF88858BF32922937CEFA4A36278B4FF2921FCC25C1687 | |||
| 7300 | powershell.exe | C:\Users\admin\AppData\Local\Temp\taxqyaii.cmdline | text | |
MD5:E0E7B748B5DB071528864173DE98AC51 | SHA256:7DBC3CE758074604B02285138A0C53249370D5EDF8B2118BAEC38DC18C058B44 | |||
| 7300 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_f30i2qcf.ibh.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7300 | powershell.exe | C:\Users\admin\AppData\Local\Temp\taxqyaii.0.cs | text | |
MD5:B794645974059BD125405F327C5ACE77 | SHA256:AFD81C914FE8FA7EE32BE6A797F46A2A829908B45D59100C1052A7BAF2A347DA | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
50
DNS requests
20
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2104 | svchost.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
2980 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
2980 | SIHClient.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
— | — | GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | unknown |
2980 | SIHClient.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
2980 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
2980 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 40.126.31.129:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted |
— | — | POST | 200 | 40.126.31.67:443 | https://login.live.com/RST2.srf | unknown | xml | 1.35 Kb | whitelisted |
2980 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3216 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2104 | svchost.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
6544 | svchost.exe | 40.126.31.1:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
7436 | backgroundTaskHost.exe | 20.31.169.57:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
arc.msn.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |