Field | Value
---|---
File name | AE5748-PCT-201144.vbs
Full analysis | https://app.any.run/tasks/29073a4d-add6-4d2c-b098-5a2489f3ee4d
Verdict | Malicious activity
Analysis date | March 14, 2019, 16:19:44
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | text/plain
File info | ASCII text, with very long lines, with CRLF line terminators
MD5 | 4A4664EC6A78A1525B5484A52142FB4E
SHA1 | ECE2BC1E7FFA0F224D49E3849E534861A4F85FF7
SHA256 | 10C56D774B9F2346890A01EEFE17F2A1DB2651BDE7CFF4B4F054A9AC204936C8
SSDEEP | 1536:WEO3NAx6oeWHCZfvoJs0+3E5CYoY8YgY0YpYNYBYlYbYWYEYAYDYUY6YpYaYJYLP:9qysqJD2gXfcYolcneFDCdDZvNObJK

PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2988 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\AE5748-PCT-201144.vbs" | C:\Windows\System32\WScript.exe | | explorer.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 | | |
3032 | "C:\Windows\System32\regsvr32.exe" -s C:\Users\admin\AppData\Local\Temp/jtLsgYy.dll | C:\Windows\System32\regsvr32.exe | — | WScript.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft(C) Register Server; Exit code: 4; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | |
1792 | C:\Windows\system32\\rundll32.exe C:\Users\admin\AppData\Local\Temp\jtLsgYy.dll,f0 | C:\Windows\system32\rundll32.exe | | regsvr32.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | |

(PID) Process | Key | Operation | Name | Value
---|---|---|---|---
(2988) WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
(2988) WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1

PID | Process | Filename | Type | Hashes
---|---|---|---|---
2988 | WScript.exe | C:\Users\admin\AppData\Local\Temp\jtLsgYy.dll | executable | MD5: 9FD6B233E5BB053CE1213ABC33290C86; SHA256: E9CD6CC176F680917BF3651A0BA0F5E9DCF2856AD6DE87774F41740ED5B9366A
2988 | WScript.exe | C:\Users\admin\AppData\Local\Temp\temps | binary | MD5: C4CA4238A0B923820DCC509A6F75849B; SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1792 | rundll32.exe | 101.192.225.55:443 | — | — | CN | suspicious |
1792 | rundll32.exe | 202.195.217.62:443 | — | China Education and Research Network Center | CN | malicious |
1792 | rundll32.exe | 185.92.222.238:443 | — | Choopa, LLC | NL | malicious |
1792 | rundll32.exe | 71.168.174.7:443 | — | MCI Communications Services, Inc. d/b/a Verizon Business | US | malicious |
1792 | rundll32.exe | 1.112.55.23:443 | — | Ymobile Corporation | JP | malicious |
1792 | rundll32.exe | 126.39.235.151:443 | — | Softbank BB Corp. | JP | malicious |
1792 | rundll32.exe | 223.53.145.180:443 | — | SK Telecom | KR | malicious |
1792 | rundll32.exe | 158.174.67.20:443 | — | Bahnhof Internet AB | SE | malicious |
1792 | rundll32.exe | 89.144.25.104:443 | — | GHOSTnet GmbH | DE | malicious |
PID | Process | Class | Message |
---|---|---|---|
1792 | rundll32.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 4 |
1792 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
1792 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
1792 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
1792 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
1792 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
1792 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
1792 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
1792 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
1792 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |