analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

phish_malware.ps1

Full analysis: https://app.any.run/tasks/1bd6d953-49f8-4380-b39f-b52fea5d8e2c
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: May 20, 2019, 22:42:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

7BE97544D635A98FD54E82E542564BDD

SHA1:

D94C61D6D787FE97C00329F76DB3697CE3376AFB

SHA256:

EA002750B213DB2B6EE7BD1C8D57BACC6E2478694AE4C0B316B83613330A2A30

SSDEEP:

96:QPX/9MX/9YX/9rUxVdrPX/BJdX/B5X/Bk1gdFkiPX/KlX/KnX/KkTvckku:aqaMbrR/D0w7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • PowerShell script executed

      • powershell.exe (PID: 3160)

    • Creates files in the user directory

      • powershell.exe (PID: 3160)

    • Executed as Windows Service

      • PresentationFontCache.exe (PID: 3264)

  • INFO

    • Manual execution by user

      • powershell_ise.exe (PID: 1680)
      • explorer.exe (PID: 3128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
4
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe explorer.exe no specs powershell_ise.exe presentationfontcache.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3160"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\phish_malware.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3128"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1680"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\admin\Desktop\phish_malware.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell ISE
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3264C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exeC:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exeservices.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
PresentationFontCache.exe
Version:
3.0.6920.4902 built by: NetFXw7
Total events
333
Read events
245
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3160powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YY9HMXW0SMP8WJNL31E9.temp
MD5:
SHA256:
1680powershell_ise.exeC:\Users\admin\Desktop\phish_malware.ps1text
MD5:066B3A566FB127301A42826A1D25F125
SHA256:465E35A74565354A9D2B646D90B66F28995B9EAC1D7093CE5CE1C7828A677F2F
3160powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:131DC75F6D4142CA9244945A91A71E8D
SHA256:F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
3160powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF11f6f0.TMPbinary
MD5:131DC75F6D4142CA9244945A91A71E8D
SHA256:F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
1680powershell_ise.exeC:\Users\admin\AppData\Local\microsoft\powershell_ise\S-1-5-5-0-65741\PowerShellISEPipeName_0_de2842eb-fab4-4973-a271-8e76367cc3b1text
MD5:A5EA0AD9260B1550A14CC58D2C39B03D
SHA256:F1B2F662800122BED0FF255693DF89C4487FBDCF453D3524A42D4EC20C3D9C04
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
14
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3160
powershell.exe
GET
200
192.185.41.190:80
http://angels.tastywienersonwheels.com/stigma.png
US
malicious
3160
powershell.exe
GET
200
192.186.224.8:80
http://qwerty.tastywieners.com/acrimony.png?bg=sp41&os=TWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWwgDQ0KDQ0KDQ0KDQ0K&av=
US
malicious
HEAD
200
192.185.41.190:80
http://diesel.nhgreenscapes.com/brogue.png
US
malicious
3160
powershell.exe
GET
200
192.185.41.190:80
http://angels.tastywienersonwheels.com/stigma.png?bg=sp41&os=TWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWwgDQ0KDQ0KDQ0KDQ0K&av=
US
malicious
HEAD
200
192.186.224.8:80
http://qwerty.tastywieners.com/acrimony.png
US
malicious
3160
powershell.exe
GET
200
192.186.224.8:80
http://qwerty.tastywieners.com/acrimony.png
US
malicious
HEAD
200
192.185.41.190:80
http://angels.tastywienersonwheels.com/stigma.png?bg=sp41&os=TWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWwgDQ0KDQ0KDQ0KDQ0K&av=
US
malicious
HEAD
200
192.186.224.8:80
http://qwerty.tastywieners.com/acrimony.png?bg=sp41&os=TWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWwgDQ0KDQ0KDQ0KDQ0K&av=
US
malicious
HEAD
200
192.185.41.190:80
http://angels.tastywienersonwheels.com/stigma.png
US
malicious
HEAD
200
192.185.41.190:80
http://diesel.nhgreenscapes.com/brogue.png?bg=sp41&os=TWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWwgDQ0KDQ0KDQ0KDQ0K&av=
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.186.224.8:80
qwerty.tastywieners.com
GoDaddy.com, LLC
US
malicious
3160
powershell.exe
192.185.41.190:80
diesel.nhgreenscapes.com
CyrusOne LLC
US
suspicious
3160
powershell.exe
192.186.224.8:80
qwerty.tastywieners.com
GoDaddy.com, LLC
US
malicious
192.185.41.190:80
diesel.nhgreenscapes.com
CyrusOne LLC
US
suspicious
1680
powershell_ise.exe
192.186.224.8:80
qwerty.tastywieners.com
GoDaddy.com, LLC
US
malicious
1680
powershell_ise.exe
192.185.41.190:80
diesel.nhgreenscapes.com
CyrusOne LLC
US
suspicious

DNS requests

Domain
IP
Reputation
qwerty.tastywieners.com
  • 192.186.224.8
malicious
diesel.nhgreenscapes.com
  • 192.185.41.190
malicious
angels.tastywienersonwheels.com
  • 192.185.41.190
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
A Network Trojan was detected
MALWARE [PTsecurity] Trojan-Downloader.VBS.SLoad.gen
A Network Trojan was detected
MALWARE [PTsecurity] Trojan-Downloader.VBS.SLoad.gen
A Network Trojan was detected
MALWARE [PTsecurity] Trojan-Downloader.VBS.SLoad.gen
A Network Trojan was detected
MALWARE [PTsecurity] Trojan-Downloader.VBS.SLoad.gen
A Network Trojan was detected
MALWARE [PTsecurity] Trojan-Downloader.VBS.SLoad.gen
A Network Trojan was detected
MALWARE [PTsecurity] Trojan-Downloader.VBS.SLoad.gen
12 ETPRO signatures available at the full report
Process
Message
powershell_ise.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
powershell_ise.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
powershell_ise.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
powershell_ise.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
powershell_ise.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
powershell_ise.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
powershell_ise.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
powershell_ise.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
powershell_ise.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
powershell_ise.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
phish_malware.ps1