File name: | Microsoft.86.36.vbs |
Full analysis: | https://app.any.run/tasks/37a84a95-8233-41dd-9ea5-0f12150a24ed |
Verdict: | Malicious activity |
Analysis date: | October 04, 2022, 20:24:51 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with CRLF line terminators |
MD5: | 989A436F3AB3C1BBA76674CF8180E7F8 |
SHA1: | 84668AC1149F325718D040CEA23805715021529A |
SHA256: | 037EDC9946D21B6DA0985C3E5F4743CDD54A38AEEFDB6938762233B0167CCA97 |
SSDEEP: | 24:wUFHZAg/SmJ22oF/i4bHZSgaacYwWglwjCa4Yw1G1HZmgn1glQgfkdCAfASnAHZD:ZRI9xNI26GL1jw/MuLyDY |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
868 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Microsoft.86.36.vbs" | C:\Windows\System32\WScript.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
3604 | "C:\Windows\system32\cmd.exe" /c copy "C:\Users\admin/Documents\Microsoft.86.36.vbs" "C:\Users\admin/AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.86.36.vbs" /Y | C:\Windows\system32\cmd.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2276 | "C:\Windows\System32\WScript.exe" "C:\Users\Public\run.vbs" | C:\Windows\System32\WScript.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
3492 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\pp.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
1664 | "C:\Windows\System32\WScript.exe" "C:\Users\Public\new.vbs" | C:\Windows\System32\WScript.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
892 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\upload.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WScript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
3296 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\update.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 4294770688 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
868 | WScript.exe | C:\Users\Public\pp.ps1 | text | |
MD5:EDE0A8EA93C52AC8970F7E29C1EB4AD6 | SHA256:C0ACC584A8621B09FC40C284DDC49F097D48D9BF3427B29A9146E53E26B38297 | |||
868 | WScript.exe | C:\Users\Public\new.vbs | text | |
MD5:D1C5764590A26C8AE9A8587E9410278D | SHA256:152CF191981404C078EA923AAA94E3D06467E09F66539D68D2367B7E0CA71547 | |||
868 | WScript.exe | C:\Users\Public\run.vbs | text | |
MD5:CFC5D7E83FB8546B3204AD03DEE063D3 | SHA256:6463055E8626D0CA6F21CA14E4D22F920BC6C706BF1E4F80C700CFCD574CE25B | |||
868 | WScript.exe | C:\Users\Public\upload.ps1 | text | |
MD5:098DDF8FA469EEAF8726C279C4B9BC16 | SHA256:699A4D44B7882E2D32AFBD8FAB46D938AC289CBE2118BD81DB78F9B43FECD72A | |||
892 | powershell.exe | C:\Users\Public\update.ps1 | html | |
MD5:D1CA9714621CA077D4BCFD3F78AA00A2 | SHA256:E86B78A2C59D53DCDB2D1762C67ECCDF7C2E4EA7766A17B7A97DBF771E1DFFA0 | |||
3492 | powershell.exe | C:\Users\admin\AppData\Local\Temp\uztpvpep.pjw.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
892 | powershell.exe | C:\Users\admin\AppData\Local\Temp\eau4cbzw.22y.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
892 | powershell.exe | C:\Users\admin\AppData\Local\Temp\lezlc4ro.yyx.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
3492 | powershell.exe | C:\Users\admin\AppData\Local\Temp\idha5kg5.glt.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
3296 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | dbf | |
MD5:446DD1CF97EABA21CF14D03AEBC79F27 | SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
892 | powershell.exe | GET | 200 | 38.79.142.66:80 | http://onedrive.linkpc.net/Ahmad/255Ah.jpg | US | html | 2.11 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
892 | powershell.exe | 38.79.142.66:80 | onedrive.linkpc.net | UTL-42-36113 | US | malicious |
Domain | IP | Reputation |
---|---|---|
onedrive.linkpc.net |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to DynDNS Domain (linkpc .net) |