Analyze Malicious Powershell Scripts by Running Malware in ANY.RUN Sandbox

Hackers exploit PowerShell, a built-in scripting tool on Windows (and sometimes Linux), to launch various attacks. PowerShell scripts can download malware, bypass antivirus, steal data, and grant remote access.  

The scripts are attractive to attackers because they are easy to write, difficult to detect due to obfuscation techniques (like partial name matching), and leverage legitimate system resources for malicious actions (“living off the land”) but some tools can analyze these PowerShell scripts for safe detonation and step-by-step tracing. 

PowerShell scripts are a type of automation tool used on Windows systems that can be used for legitimate purposes like configuration management or for malicious purposes like installing malware.  

The new PowerShell Script Tracer helps analysts understand what a PowerShell script does by providing a detailed breakdown of the script’s functions and how they connect to each other, which can help analysts identify malicious behaviour in the script more easily. 

Hackers often use it to perform a variety of malicious actions, such as: 

• Download and execute malicious binaries from a separate source.
• Bypass antivirus software by executing the script in memory.
• Execute malicious scripts.
• Collect and exfiltrate system data.
• Remotely control the infected system.

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

• Real-time Detection
• Interactive Malware Analysis
• Easy to Learn by New Security Team members
• Get detailed reports with maximum data
• Set Up Virtual Machine in Linux & all Windows OS Versions
• Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

Try ANY.RUN for FREE

ANY.RUN’s Script Tracer helps analyze PowerShell scripts used in malware and to access it, locate the process tree on the right side of the interface, which shows processes launched, including PowerShell commands.

For further investigation where you can see how this tracer works, click on the specific PowerShell process in the tree, which will display a process details tab at the bottom and within this tab, click “More Info” to access the Script Tracer and gain detailed insights into the deobfuscated script’s activities.  

The Advanced Details window replaces the general process information with a detailed view of what it is doing.

The Script Tracer tab focuses on PowerShell executions and shows the functions called by the process in order, from top to bottom.

This allows you to determine how the process is acting by examining the function calls and how they are executed.

A malicious program downloads data from a URL using the System.Net.WebClient class. The downloaded data are binary and encoded in Base64.

The program then decodes the data using the FromBase64String method and converts it to a Unicode string using System. Text.UnicodeEncoding.GetString. 

The MZ signature in the trace indicates that the string is the actual PowerShell command that the program wants to execute, which is most likely an encoded executable file. 

The provided PowerShell code exhibits several indicators of malicious intent and executes hidden, bypassing security measures (-windowstyle hidden, -executionpolicy bypass) by downloading data from image URLs ($links) and extracting a Base64-encoded command hidden within the downloaded content ($imageText.Substring). 

This retrieved command is then loaded directly into memory as a.NET assembly for execution ([System.Reflection.Assembly]::Load), bypassing traditional file-based detection methods suggesting the code aims to download and execute a hidden malicious payload (hidden) within an image. 

Analysis revealed the script’s malicious nature, where extracted URLs, https://uploaddeimagens[.]com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469 and https://uploaddeimagens[.]com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500, can be used as Indicators of Compromise (IOCs) for further investigation.

Analyze PowerShell Scripts in Malware in ANY.RUN - Register for Free

What is ANY RUN?

ANY.RUN is a renowned ally for over 400,000 cybersecurity experts globally. This interactive sandbox platform streamlines the malware analysis process for threats aimed at both Windows and Linux systems, equipping analysts with a sophisticated tool for their investigative work.

Additionally, ANY.RUN’s threat intelligence offerings, namely Lookup and Feeds, deliver precise indicators of compromise and contextual insights that enable users to detect threats and manage incident responses swiftly.

ANY.RUN enhances the speed and accuracy of threat analysis. The platform is adept at identifying common malware families using YARA and Suricata rules and can pinpoint malware behaviors through signatures when specific family detection is unfeasible.

Key Features of ANY.RUN:

• Rapid Malware Detection: ANY.RUN can detect malware in approximately 40 seconds following a file upload. It utilizes YARA and Suricata rules to recognize well-known malware families and employs behavioral signatures to identify malicious activities in new threats.
• Real-Time Interaction with Samples: Powered by VNC, ANY.RUN’s interactive cloud sandbox allows users to perform real-system activities such as browsing web pages, navigating through installers, and accessing password-protected archives.
• Cost-Effective and Maintenance-Free: As a cloud-based solution, ANY.RUN eliminates the need for initial setup or ongoing maintenance, saving time and resources for businesses.
• Comprehensive Malware Behavior Analysis: ANY.RUN offers an in-depth examination of malware behavior, tracking network traffic, system calls, and file system modifications.
• Enhanced Team Collaboration: The platform facilitates easy sharing of analysis results among team members. Senior analysts can also review the work of junior colleagues by accessing recordings of their analysis sessions.
• Scalability: ANY.RUN’s cloud service model allows for easy scaling of security operations by simply adding more licenses.

For a closer look at how ANY.RUN can benefit your security team, contact ANY.RUN for a personalized guided tour of the platform.