File name: | formulario.vbs |
Full analysis: | https://app.any.run/tasks/692de6e5-b365-41fa-ae73-4d2d4fe65cb2 |
Verdict: | Malicious activity |
Analysis date: | July 17, 2019, 12:19:54 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF line terminators |
MD5: | 9666AE84E0388999E2DD0E5840AFB842 |
SHA1: | AD17346FE052CE2291A6405085457D01827B57A1 |
SHA256: | 2A41A1B251F51061CEE75D74F520159E29FD9A90663F1E8090CC7674542BDCC5 |
SSDEEP: | 48:UFES+lEX+0lIf5RC+0lIfp/+fnw+ChjjDpIllEf1DjZ0SKlfziVVVyfCjQddlIEo:Kuva3qyg |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3028 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\formulario.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
1692 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2528 | "C:\Windows\System32\Notepad.exe" C:\Users\admin\AppData\Local\Temp\salida.vbs | C:\Windows\System32\Notepad.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3960 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\salida.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
4076 | "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\salida.vbs" | C:\Windows\System32\wscript.exe | WScript.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 |
(PID) Process: | (2528) Notepad.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Notepad |
Operation: | write | Name: | iWindowPosX |
Value: 66 | |||
(PID) Process: | (2528) Notepad.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Notepad |
Operation: | write | Name: | iWindowPosY |
Value: 66 | |||
(PID) Process: | (2528) Notepad.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Notepad |
Operation: | write | Name: | iWindowPosDX |
Value: 960 | |||
(PID) Process: | (2528) Notepad.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Notepad |
Operation: | write | Name: | iWindowPosDY |
Value: 501 | |||
(PID) Process: | (3960) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\salida |
Operation: | write | Name: | |
Value: false - 7/17/2019 | |||
(PID) Process: | (3960) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | salida |
Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\salida.vbs" | |||
(PID) Process: | (3960) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | salida |
Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\salida.vbs" | |||
(PID) Process: | (3960) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3960) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (4076) wscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | salida |
Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\salida.vbs" |
PID | Process | Filename | Type | |
---|---|---|---|---|
3028 | WScript.exe | C:\Users\admin\AppData\Local\Temp\salida.vbs | text | |
MD5:6F98E56A4E9113F1517FFBE04FB50A25 | SHA256:690B082D7951715C491BA9FF10AE1C6953AE9615BD1478CA2CDD55093C005238 | |||
3960 | WScript.exe | C:\Users\admin\AppData\Roaming\salida.vbs | text | |
MD5:6F98E56A4E9113F1517FFBE04FB50A25 | SHA256:690B082D7951715C491BA9FF10AE1C6953AE9615BD1478CA2CDD55093C005238 | |||
4076 | wscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\salida.vbs | text | |
MD5:6F98E56A4E9113F1517FFBE04FB50A25 | SHA256:690B082D7951715C491BA9FF10AE1C6953AE9615BD1478CA2CDD55093C005238 | |||
3960 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\salida.vbs | text | |
MD5:6F98E56A4E9113F1517FFBE04FB50A25 | SHA256:690B082D7951715C491BA9FF10AE1C6953AE9615BD1478CA2CDD55093C005238 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4076 | wscript.exe | POST | — | 159.147.61.52:6444 | http://hiddenmyftp.duckdns.org:6444/is-ready | ES | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4076 | wscript.exe | 159.147.61.52:6444 | hiddenmyftp.duckdns.org | Vodafone Spain | ES | malicious |
Domain | IP | Reputation |
---|---|---|
hiddenmyftp.duckdns.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |