File name: | 4367890.vbs |
Full analysis: | https://app.any.run/tasks/09dffa73-6c4e-4e45-8c17-953fd93b13ba |
Verdict: | Malicious activity |
Analysis date: | July 17, 2019, 11:33:08 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF line terminators |
MD5: | E1C6D573CEBA72B370AF196E1A101C74 |
SHA1: | 22AFE80B7EA144156C6ADF495066A3A8C4177186 |
SHA256: | 309507165C7176DE0C8866B422FC4567EFF8541B9E34B9717EE34C538A31AE08 |
SSDEEP: | 192:2D/+o4XMLoUNF4pfAwb8MSaVN8fItX7P61yOe8ss/tUnh/K2Z4fyO:2LroUNSrSm2md5dQwtK26fyO |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3876 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\4367890.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
608 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\salida.vbs" | C:\Windows\System32\WScript.exe | WScript.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3016 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 3221225477 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3796 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3556 | "C:\Windows\system32\ntvdm.exe" -i2 | C:\Windows\system32\ntvdm.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 3221225477 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1708 | "C:\Windows\System32\Notepad.exe" C:\Users\admin\AppData\Local\Temp\salida.vbs | C:\Windows\System32\Notepad.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3876) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3876) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3016 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsFB0A.tmp | — | |
MD5:— | SHA256:— | |||
3016 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsFB0B.tmp | — | |
MD5:— | SHA256:— | |||
3556 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs7F7C.tmp | — | |
MD5:— | SHA256:— | |||
3556 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs7F7D.tmp | — | |
MD5:— | SHA256:— | |||
3876 | WScript.exe | C:\Users\admin\AppData\Local\Temp\salida.vbs | text | |
MD5:C001E502D34EB0059B9EA59923607538 | SHA256:F38713A735799DCDA7750B7271FE8C4020700D23766CBA50F4E8B1ED70691C06 | |||
608 | WScript.exe | C:\Users\admin\AppData\Local\Temp\ouwrj.exe | html | |
MD5:535563F2390BBDEC35A96E3B7E26D327 | SHA256:589FC031A88A92DE318718377A07BD28F86A9FC8D8754CE57C0A9FE50AADBE22 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
608 | WScript.exe | GET | 404 | 67.23.226.159:80 | http://aminvali.ca/FB_counterADC28675BA.php | US | html | 10.3 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
608 | WScript.exe | 67.23.226.159:80 | aminvali.ca | HostDime.com, Inc. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
aminvali.ca |
| malicious |