Field | Value
---|---
File name | BankTransfer.vbs
Full analysis | https://app.any.run/tasks/f4eb26c7-6562-4e9f-b2ea-c1bcf324b5ef
Verdict | Malicious activity
Analysis date | March 21, 2019, 10:35:06
OS | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators | —
MIME | text/plain
File info | Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
MD5 | 396B648B675B4276E99E5EF2DB674040
SHA1 | D9FB7C4320A04364E25F617B788E4D6B78BDE9E7
SHA256 | 50E6851BE4E55DF13ED58115A66EDBF385ECE7EEF08D1CA154DBC0F81884C4C9
SSDEEP | 768:Lo/0G9ijh9asoER0wCZjuO8Oh6nNmAOg1pWJXc3zEzeqeP77qxZPiwbIqxZPMtxD:G0VnJh
Extension | Detected type (probability)
---|---
.txt | Text - UTF-16 (LE) encoded (66.6)
.mp3 | MP3 audio (33.3)
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2872 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\BankTransfer.vbs" | C:\Windows\System32\WScript.exe | | explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | | | |
2300 | "C:\Windows\System32\cmd.exe" /c ipconfig /release&C:\Users\admin\AppData\Local\Temp\kfvbn.js&ipconfig /renew | C:\Windows\System32\cmd.exe | — | WScript.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
2768 | "C:\Windows\System32\cmd.exe" /c ipconfig /release&C:\Users\admin\AppData\Local\Temp\qmK46746A2.vbs&ipconfig /renew | C:\Windows\System32\cmd.exe | — | WScript.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
296 | ipconfig /release | C:\Windows\system32\ipconfig.exe | — | cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: IP Configuration Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
2328 | ipconfig /release | C:\Windows\system32\ipconfig.exe | — | cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: IP Configuration Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
2672 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\kfvbn.js" | C:\Windows\System32\WScript.exe | | cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | | | |
2716 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\qmK46746A2.vbs" | C:\Windows\System32\WScript.exe | | cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | | | |
2000 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\BankTransfer.vbs" | C:\Program Files\Notepad++\notepad++.exe | | explorer.exe
User: admin Company: Don HO Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Exit code: 0 Version: 7.51 | | | |
1232 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 -px64 | C:\Program Files\Notepad++\updater\gup.exe | | notepad++.exe
User: admin Company: Don HO Integrity Level: MEDIUM Description: GUP : a free (LGPL) Generic Updater Exit code: 4294967295 Version: 4.1 | | | |
2840 | "C:\Windows\System32\control.exe" "C:\Windows\system32\timedate.cpl", | C:\Windows\System32\control.exe | — | explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Control Panel Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
PID | Process | Filename | Type | |
---|---|---|---|---|
2716 | WScript.exe | C:\Users\admin\Pictures\ROOT2.VBS | text | |
MD5:F6E6E9883BAF9D9DB657CE9C51D7CE8F | SHA256:EF83C5E45F340DE085729A44694AA2FF80B3D57F70806BD7D1ED2961D358FEE5 | |||
2872 | WScript.exe | C:\Users\admin\AppData\Local\Temp\kfvbn.js | text | |
MD5:E0B68C337349B5AD2EDEBA38CE0A1CD6 | SHA256:F5448738B75A62C489C1FD6D4FCB1B54C757871D8F82EE85C22FE5962BB4CEFA | |||
2716 | WScript.exe | C:\Users\admin\Downloads\ROOT2.VBS | text | |
MD5:F6E6E9883BAF9D9DB657CE9C51D7CE8F | SHA256:EF83C5E45F340DE085729A44694AA2FF80B3D57F70806BD7D1ED2961D358FEE5 | |||
2872 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BankTransfer.vbs | text | |
MD5:396B648B675B4276E99E5EF2DB674040 | SHA256:50E6851BE4E55DF13ED58115A66EDBF385ECE7EEF08D1CA154DBC0F81884C4C9 | |||
2716 | WScript.exe | C:\Users\admin\AppData\Roaming\ROOT1.VBS | text | |
MD5:F6E6E9883BAF9D9DB657CE9C51D7CE8F | SHA256:EF83C5E45F340DE085729A44694AA2FF80B3D57F70806BD7D1ED2961D358FEE5 | |||
2872 | WScript.exe | C:\Users\admin\AppData\Local\Temp\qmK46746A2.vbs | text | |
MD5:F6E6E9883BAF9D9DB657CE9C51D7CE8F | SHA256:EF83C5E45F340DE085729A44694AA2FF80B3D57F70806BD7D1ED2961D358FEE5 | |||
2716 | WScript.exe | C:\Users\admin\Music\ROOT2.VBS | text | |
MD5:F6E6E9883BAF9D9DB657CE9C51D7CE8F | SHA256:EF83C5E45F340DE085729A44694AA2FF80B3D57F70806BD7D1ED2961D358FEE5 | |||
2716 | WScript.exe | C:\Users\admin\Videos\ROOT2.VBS | text | |
MD5:F6E6E9883BAF9D9DB657CE9C51D7CE8F | SHA256:EF83C5E45F340DE085729A44694AA2FF80B3D57F70806BD7D1ED2961D358FEE5 | |||
2716 | WScript.exe | C:\Users\admin\Pictures\ROOT1.VBS | text | |
MD5:F6E6E9883BAF9D9DB657CE9C51D7CE8F | SHA256:EF83C5E45F340DE085729A44694AA2FF80B3D57F70806BD7D1ED2961D358FEE5 | |||
2672 | WScript.exe | C:\Users\admin\AppData\Roaming\kfvbn.js | text | |
MD5:E0B68C337349B5AD2EDEBA38CE0A1CD6 | SHA256:F5448738B75A62C489C1FD6D4FCB1B54C757871D8F82EE85C22FE5962BB4CEFA | |||
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a709ef12e4d2d407 | US | compressed | 6.41 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1232 | gup.exe | 37.59.28.236:443 | notepad-plus-plus.org | OVH SAS | FR | whitelisted |
2672 | WScript.exe | 103.1.184.108:8897 | — | TPG Telecom Limited | AU | malicious |
— | — | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2716 | WScript.exe | 103.1.184.108:4448 | — | TPG Telecom Limited | AU | malicious |
Domain | IP | Reputation
---|---|---
notepad-plus-plus.org | 37.59.28.236 | whitelisted
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
Process | Message |
---|---|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093