File name: | DOC0711.vbe |
Full analysis: | https://app.any.run/tasks/a2c4422f-262f-4d88-9be9-463bde752173 |
Verdict: | Malicious activity |
Threats: | Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. |
Analysis date: | November 08, 2018, 07:20:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/octet-stream |
File info: | data |
MD5: | 7223C5D3370D95F55683C1CE90926D06 |
SHA1: | 64EC7747A123106FB074D70410D652A54D40E8C7 |
SHA256: | 01A16A003BF97EAC618856B0372E3F49C2086322C2DA40CF6D114A052157179E |
SSDEEP: | 96:VHIdii0IJDlrbPtUrSU21xmYUcvvFceWwkx3zso7qJQ6AvgiUlN+VH4at2svjU7D:VokiFJDErixrJPxkxDso2e6CgiKq+ae9 |
.vbe | | | VBScript Encoded script (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2108 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\DOC0711.vbe" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
716 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe14_ Global\UsGthrCtrlFltPipeMssGthrPipe14 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
3044 | "C:\Windows\system32\cmd.exe" /c start C:\Users\Public\K8BA9BWJ2L7ERTF\ORCAJ4DHVCLXRS3.exe | C:\Windows\system32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2312 | C:\Users\Public\K8BA9BWJ2L7ERTF\ORCAJ4DHVCLXRS3.exe | C:\Users\Public\K8BA9BWJ2L7ERTF\ORCAJ4DHVCLXRS3.exe | cmd.exe | |
User: admin Company: VMware, Inc. Integrity Level: MEDIUM Description: VMware NAT Service Version: 12.5.6 build-5528349 | ||||
2240 | TASKKILL /F /IM chrome.exe | C:\Windows\system32\TASKKILL.exe | — | ORCAJ4DHVCLXRS3.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2016 | TASKKILL /F /IM firefox.exe | C:\Windows\system32\TASKKILL.exe | — | ORCAJ4DHVCLXRS3.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3224 | TASKKILL /F /IM itauaplicativo.exe | C:\Windows\system32\TASKKILL.exe | — | ORCAJ4DHVCLXRS3.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2108) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (2108) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (2108) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (2108) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 | |||
(PID) Process: | (2108) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
(PID) Process: | (2108) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
(PID) Process: | (2108) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (2108) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (2108) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (2108) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2108 | WScript.exe | C:\Users\Public\K8BA9BWJ2L7ERTFverbo.zip | compressed | |
MD5:CB45EDED7A3C087B951066C8B13AD6EE | SHA256:EE0FBB67D54C967A09A7FE735196F8B88B4C92104658973D1E787F6B18D70D71 | |||
2108 | WScript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\nv0711[1].zip | compressed | |
MD5:CB45EDED7A3C087B951066C8B13AD6EE | SHA256:EE0FBB67D54C967A09A7FE735196F8B88B4C92104658973D1E787F6B18D70D71 | |||
2108 | WScript.exe | C:\Users\Public\K8BA9BWJ2L7ERTF\shfolder.dll | executable | |
MD5:A8B90653B7E646F71A16D05BE060A041 | SHA256:B00103DF9854D08C4A566593C121B8E04F373874F521CEAE4F0FF399DE69EE55 | |||
2108 | WScript.exe | C:\Users\Public\K8BA9BWJ2L7ERTF\LWF3KP6HFGV37RYFEXQSD5CKZ08V | executable | |
MD5:A8B90653B7E646F71A16D05BE060A041 | SHA256:B00103DF9854D08C4A566593C121B8E04F373874F521CEAE4F0FF399DE69EE55 | |||
2108 | WScript.exe | C:\Users\Public\K8BA9BWJ2L7ERTF\SJIZ84IJKCGX558YVDE14SS1O41RQLCF2FM8 | executable | |
MD5:B2218DF5C3373A9A1B619E53281E9806 | SHA256:681CCC9E5BAB3A23B3CE31FDC1EB8DB268E79E1521E748D8F8C951D10A3A096C | |||
2108 | WScript.exe | C:\Users\Public\K8BA9BWJ2L7ERTF\ORCAJ4DHVCLXRS3.exe | executable | |
MD5:B2218DF5C3373A9A1B619E53281E9806 | SHA256:681CCC9E5BAB3A23B3CE31FDC1EB8DB268E79E1521E748D8F8C951D10A3A096C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2108 | WScript.exe | GET | 200 | 13.77.75.153:80 | http://13.77.75.153/sites/default/files/feeds/nv0711.zip | US | compressed | 3.28 Mb | whitelisted |
2312 | ORCAJ4DHVCLXRS3.exe | POST | 200 | 37.187.238.223:80 | http://reorienta45plus.com/wp-content/plugins/hello_dolly/ct/jov45.php | FR | text | 10 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2312 | ORCAJ4DHVCLXRS3.exe | 37.187.238.223:80 | reorienta45plus.com | OVH SAS | FR | suspicious |
2108 | WScript.exe | 13.77.75.153:80 | — | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
reorienta45plus.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2108 | WScript.exe | A Network Trojan was detected | MALWARE [PTsecurity] Banload.WRI (Trojan.Agent.DDSA) Requesting Zip Archive |
2312 | ORCAJ4DHVCLXRS3.exe | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Windows NT Version 5.0 |
2312 | ORCAJ4DHVCLXRS3.exe | A Network Trojan was detected | MALWARE [PTsecurity] Spy.Banker.BR HTTP POST Check-in v1 |
2312 | ORCAJ4DHVCLXRS3.exe | A Network Trojan was detected | MALWARE [PTsecurity] Spy.Banker.BR HTTP POST Check-in v2 |
Process | Message |
---|---|
ORCAJ4DHVCLXRS3.exe | CodeSet_Init: no ICU
|