analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | toto.txt |
| Full analysis: | https://app.any.run/tasks/172eee8c-e532-4bbd-a682-2de2f79859ed |
| Verdict: | Malicious activity |
| Analysis date: | January 11, 2025 at 14:31:51 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with CRLF line terminators |
| MD5: | A54ADA657EFBBE1395598AAE1BDAC1F9 |
| SHA1: | A7887658EEBBA20BD97E43010AC5FFD5B972A273 |
| SHA256: | FA9CF901BD2C9359D2EFC09F8ADB1BAA12AE56B841BA06DD057CEFD58C778316 |
| SSDEEP: | 12:qrz69RqrrSuzlGp5BzGLp2AzG3PCt4K/oMntX:mz6Xqzzlf12A63PCtz/l |
MALICIOUS
Bypass execution policy to execute commands
- powershell.exe (PID: 776)
SUSPICIOUS
Executable content was dropped or overwritten
- gezulik.exe (PID: 5872)
Process drops legitimate windows executable
- gezulik.exe (PID: 5872)
The process creates files with name similar to system file names
- gezulik.exe (PID: 5872)
Checks for external IP
- svchost.exe (PID: 2192)
- powershell.exe (PID: 776)
Potential Corporate Privacy Violation
- svchost.exe (PID: 2192)
- powershell.exe (PID: 776)
INFO
Creates files in the program directory
- powershell.exe (PID: 776)
Disables trace logs
- powershell.exe (PID: 776)
Reads the computer name
- gezulik.exe (PID: 5872)
Uses string replace method (POWERSHELL)
- powershell.exe (PID: 776)
Manual execution by a user
- gezulik.exe (PID: 5872)
Checks proxy server information
- powershell.exe (PID: 776)
Checks supported languages
- gezulik.exe (PID: 5872)
Gets or sets the time when the file was last written to (POWERSHELL)
- powershell.exe (PID: 776)
The sample compiled with czech language support
- gezulik.exe (PID: 5872)
The sample compiled with english language support
- gezulik.exe (PID: 5872)
The sample compiled with german language support
- gezulik.exe (PID: 5872)
The sample compiled with spanish language support
- gezulik.exe (PID: 5872)
Create files in a temporary directory
- gezulik.exe (PID: 5872)
The sample compiled with french language support
- gezulik.exe (PID: 5872)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
119
Monitored processes
4
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 776 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\toto.txt.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4724 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5872 | "C:\Users\admin\Desktop\gezulik.exe" | C:\Users\admin\Desktop\gezulik.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 2192 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
5 409
Read events
5 409
Write events
0
Delete events
0
Modification events
Executable files
55
Suspicious files
4
Text files
74
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5872 | gezulik.exe | C:\Users\admin\AppData\Local\Temp\snippingTool\authsspi.dll | executable | |
MD5:591A2C2DC7A2B4E95C92A0F71889E18E | SHA256:90E5C82F24AC0E0B7A1722E08823F5D645D0709E6273179CC83EA5CFC8BC97E6 | |||
| 5872 | gezulik.exe | C:\Users\admin\AppData\Local\Temp\snippingTool\Asp.Net Core Module\V2\17.0.22116\aspnetcorev2_outofprocess.dll | executable | |
MD5:AF6F62F19D015485A11FE4074EBD15C8 | SHA256:E28A89660326DCB55D2C39BDC0B160B183BE4533E896891EA5A110A74E8AB565 | |||
| 776 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jjvlq5kk.ysm.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5872 | gezulik.exe | C:\Users\admin\AppData\Local\Temp\snippingTool\aspnetcore.dll | executable | |
MD5:0C05B2C489B4C497114E39B9F6FFB8A8 | SHA256:452E8B9FC6069EDFDF47017BD523F2475BBA0AE3FAF60A00624B590514E55BED | |||
| 5872 | gezulik.exe | C:\Users\admin\AppData\Local\Temp\snippingTool\browscap.dll | executable | |
MD5:70E8DB29AD129AE6005577FE5D5B18D0 | SHA256:34868CBB8EEDF3B21A24480A73699E83C3F11F1F6E9ACA876DDDCC22D9AC9DE7 | |||
| 5872 | gezulik.exe | C:\Users\admin\AppData\Local\Temp\snippingTool\authbas.dll | executable | |
MD5:2E090136C1119E0B3A6994F57CD70702 | SHA256:7D0EA7A51175016616A15002F703FE23924DFC0D09A7CCC070C32E0DEEE791EA | |||
| 776 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vra3sqy4.54p.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5872 | gezulik.exe | C:\Users\admin\AppData\Local\Temp\snippingTool\AppServer\applicationhost.config | xml | |
MD5:8D9BFB79F035D60F99CFD97C5425CB2B | SHA256:96BF370EAB41CE4042C6151F747B6B1C3A04278976E6E5F4FB18E6F83A7B9840 | |||
| 776 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1361ea.TMP | binary | |
MD5:D040F64E9E7A2BB91ABCA5613424598E | SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670 | |||
| 5872 | gezulik.exe | C:\Users\admin\AppData\Local\Temp\snippingTool\authmap.dll | executable | |
MD5:D79648E5A92A1889A4D287672B3446C7 | SHA256:4CD4904E0DCD92E0A0E5BAC8789D5582B2E1D577756CCAC427123F9D6D51D089 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
26
DNS requests
8
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1460 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1460 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 147.45.47.123:443 | https://human-cldf.com/gamdos.zip | unknown | compressed | 14.5 Mb | — |
— | — | GET | 200 | 172.67.167.249:443 | https://iplogger.co/1EwuL4 | unknown | image | 116 b | shared |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1460 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 92.123.104.31:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 92.123.104.34:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
1460 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1460 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
human-cldf.com |
| unknown |
iplogger.co |
| shared |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 23 |
2 ETPRO signatures available at the full report