File name: | Quickbooks-52598NOV.wsf |
Full analysis: | https://app.any.run/tasks/9ce5148e-531b-415b-9cf4-a047c493ab06 |
Verdict: | Malicious activity |
Analysis date: | November 29, 2020, 12:22:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/html |
File info: | HTML document, ASCII text |
MD5: | 6BB5B8C68F8EDEE7CD10058D215364B2 |
SHA1: | 3DFC007972AF1E6F4D295844B071C5F0EEFFE475 |
SHA256: | 49895428F1A30131308022DD3AA56EAB6A1AA49B08A978EBC1520E289D3D6744 |
SSDEEP: | 192:wjmmU1717+a60d5qzhRTMpSqKOR1Z6tDA39V3jsBCFpb3BM3XTdkSN/TWyOqEH2V:N517+q8H+b6tUtV8sb3BMxbU3fYJCaB |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2820 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Quickbooks-52598NOV.wsf" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2700 | C:\Users\admin\AppData\Local\Temp\Realtek_Update.exe | C:\Users\admin\AppData\Local\Temp\Realtek_Update.exe | — | taskeng.exe |
User: admin Integrity Level: MEDIUM Description: ElectronB10 Version: 1.0.0.1 |
(PID) Process: | (2820) WScript.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2820) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 |
Operation: | write | Name: | Blob |
Value: 040000000100000010000000410352DC0FF7501B16F0028EBA6F45C50F00000001000000140000005BCAA1C2780F0BCB5A90770451D96F38963F012D030000000100000014000000DAC9024F54D8F6DF94935FB1732638CA6AD77C131D00000001000000100000004558D512EECB27464920897DE7B66053140000000100000014000000C4A7B1A47B2C71FADBE14B9075FFC415608589100B000000010000001E000000440053005400200052006F006F00740020004300410020005800330000006200000001000000200000000687260331A72403D909F105E69BCF0D32E1BD2493FFC6D9206D11BCD6770739090000000100000042000000304006082B0601050507030406082B0601050507030106082B0601050507030206082B06010505070308060A2B0601040182370A0304060A2B0601040182370A030C1900000001000000100000006CF252FEC3E8F20996DE5D4DD9AEF42420000000010000004E0300003082034A30820232A003020102021044AFB080D6A327BA893039862EF8406B300D06092A864886F70D0101050500303F31243022060355040A131B4469676974616C205369676E617475726520547275737420436F2E311730150603550403130E44535420526F6F74204341205833301E170D3030303933303231313231395A170D3231303933303134303131355A303F31243022060355040A131B4469676974616C205369676E617475726520547275737420436F2E311730150603550403130E44535420526F6F7420434120583330820122300D06092A864886F70D01010105000382010F003082010A0282010100DFAFE99750088357B4CC6265F69082ECC7D32C6B30CA5BECD9C37DC740C118148BE0E83376492AE33F214993AC4E0EAF3E48CB65EEFCD3210F65D22AD9328F8CE5F777B0127BB595C089A3A9BAED732E7A0C063283A27E8A1430CD11A0E12A38B9790A31FD50BD8065DFB7516383C8E28861EA4B6181EC526BB9A2E24B1A289F48A39E0CDA098E3E172E1EDD20DF5BC62A8AAB2EBD70ADC50B1A25907472C57B6AAB34D63089FFE568137B540BC8D6AEEC5A9C921E3D64B38CC6DFBFC94170EC1672D526EC38553943D0FCFD185C40F197EBD59A9B8D1DBADA25B9C6D8DFC115023AABDA6EF13E2EF55C089C3CD68369E4109B192AB62957E3E53D9B9FF0025D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E04160414C4A7B1A47B2C71FADBE14B9075FFC41560858910300D06092A864886F70D01010505000382010100A31A2C9B17005CA91EEE2866373ABF83C73F4BC309A095205DE3D95944D23E0D3EBD8A4BA0741FCE10829C741A1D7E981ADDCB134BB32044E491E9CCFC7DA5DB6AE5FEE6FDE04EDDB7003AB57049AFF2E5EB02F1D1028B19CB943A5E48C4181E58195F1E025AF00CF1B1ADA9DC59868B6EE991F586CAFAB96633AA595BCEE2A7167347CB2BCC99B03748CFE3564BF5CF0F0C723287C6F044BB53726D43F526489A5267B758ABFE67767178DB0DA256141339243185A2A8025A3047E1DD5007BC02099000EB6463609B16BC88C912E6D27D918BF93D328D65B4E97CB15776EAC5B62839BF15651CC8F677966A0A8D770BD8910B048E07DB29B60AEE9D82353510 | |||
(PID) Process: | (2820) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 |
Operation: | delete key | Name: | (default) |
Value: |
PID | Process | Filename | Type | |
---|---|---|---|---|
2820 | WScript.exe | C:\Users\admin\AppData\Local\Temp\Realtek_Update.exe | executable | |
MD5:1E6BC9562395790226B8FB3EBEDE6BF2 | SHA256:2DF508247A4E739B086C9DE47D91A26EA7AEE4D5CF9BC5CC70B5AD2DC7F102C6 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2820 | WScript.exe | 209.141.42.71:443 | sdidrichsen.com | FranTech Solutions | US | unknown |
Domain | IP | Reputation |
---|---|---|
sdidrichsen.com |
| unknown |