Field | Value
---|---
download | uc
Full analysis | https://app.any.run/tasks/c88fdc8d-89f3-4561-81eb-4f50b08496a9
Verdict | Malicious activity
Analysis date | March 22, 2019, 00:39:36
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators |
MIME | application/x-rar
File info | RAR archive data, v4, os: Win32
MD5 | 2565909D41ADF56BC2DFF3451C08288E
SHA1 | 7673C90BEB9E3FD65B53EC4765AE8190BEBCAD57
SHA256 | 51E51CF41E417516B4CEB1E55B26A1AD5CD5B49BC208952E72E036DBD27A5500
SSDEEP | 384:GzoPH2BuMRbBqg3dtQsH+wWX9PJbvCH5MkMMn6zkCEbv8p+E3p9RYu822n1:GzcI3QOQi3BmRwGEr8pTZ9l8221
Extension | Description
---|---
.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)
Archive field | Value
---|---
ArchivedFileName | ESTADO NUMERO 014 DEL 21 DE MARZO DE 2019.vbs
PackingMethod | Normal
ModifyDate | 2019:03:21 09:36:11
OperatingSystem | Win32
UncompressedSize | 56996
CompressedSize | 23338
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
916 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\uc.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
1760 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa916.20916\ESTADO NUMERO 014 DEL 21 DE MARZO DE 2019.vbs" | C:\Windows\System32\WScript.exe | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
3444 | "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\VtfLNmeEIR.vbs" | C:\Windows\System32\wscript.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385
2804 | "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Local\Temp\ESTADO NUMERO 014 DEL 21 DE MARZO DE 2019.vbs" | C:\Windows\System32\wscript.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385
4040 | "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\VtfLNmeEIR.vbs" | C:\Windows\System32\wscript.exe | — | wscript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 1; Version: 5.8.7600.16385
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1760 | WScript.exe | C:\Users\admin\AppData\Local\Temp\ESTADO NUMERO 014 DEL 21 DE MARZO DE 2019.vbs | text | E7594B8AE800382A6FEFA8D6EE121F31 | C3F25D2FAD4FFD23C8782A08B9FFEAF6127C57F10B2EAF2D1B4EBB49F9353D21
3444 | wscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VtfLNmeEIR.vbs | text | 67261E98D431847536482B6F5F773C5D | 2A36DCB7BDDE8A2C2684D96292244CF17EB6FC4BD0034111A14D0216D65A9946
2804 | wscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ESTADO NUMERO 014 DEL 21 DE MARZO DE 2019.vbs | text | E7594B8AE800382A6FEFA8D6EE121F31 | C3F25D2FAD4FFD23C8782A08B9FFEAF6127C57F10B2EAF2D1B4EBB49F9353D21
1760 | WScript.exe | C:\Users\admin\AppData\Roaming\VtfLNmeEIR.vbs | text | 67261E98D431847536482B6F5F773C5D | 2A36DCB7BDDE8A2C2684D96292244CF17EB6FC4BD0034111A14D0216D65A9946
916 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa916.20916\ESTADO NUMERO 014 DEL 21 DE MARZO DE 2019.vbs | text | E7594B8AE800382A6FEFA8D6EE121F31 | C3F25D2FAD4FFD23C8782A08B9FFEAF6127C57F10B2EAF2D1B4EBB49F9353D21
2804 | wscript.exe | C:\Users\admin\AppData\Roaming\VtfLNmeEIR.vbs | text | 67261E98D431847536482B6F5F773C5D | 2A36DCB7BDDE8A2C2684D96292244CF17EB6FC4BD0034111A14D0216D65A9946
1760 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ESTADO NUMERO 014 DEL 21 DE MARZO DE 2019.vbs | text | E7594B8AE800382A6FEFA8D6EE121F31 | C3F25D2FAD4FFD23C8782A08B9FFEAF6127C57F10B2EAF2D1B4EBB49F9353D21
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3444 | wscript.exe | 194.5.98.150:7789 | brothersjoy.nl | — | FR | malicious |
2804 | wscript.exe | 186.85.86.77:6161 | houdini2019.duckdns.org | Telmex Colombia S.A. | CO | malicious |
Domain | IP | Reputation
---|---|---
houdini2019.duckdns.org | | malicious
brothersjoy.nl | | unknown
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |