Property | Value
---|---
File name: | PO21784.vbs
Full analysis: | https://app.any.run/tasks/5f2bc175-9822-47a6-ba11-69bc84966fcf
Verdict: | Malicious activity
Analysis date: | April 01, 2023, 07:34:57
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators: |
MIME: | text/plain
File info: | ASCII text, with very long lines, with CRLF line terminators
MD5: | F6102E107CE1871B1CF37ADE3F5462E0
SHA1: | FEB7B5A6689F667D3F6177DB11AB1B87FD8939A8
SHA256: | 644BA0805C354CC940CAF1AA3EC0B62A1D9328FC214F84199ECB619093FCCE1F
SSDEEP: | 12288:mcWIjpvyMr/Rp2YGRchrMNLXFvvfwyQNJzsQ9xmhqJJrotcXeVB:R93/aCZM3AVDsC+CJ2cXqB

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
1588 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\PO21784.vbs" | C:\Windows\System32\wscript.exe | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
2040 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\WindowsServices\EIMBC.cmd" " | C:\Windows\System32\cmd.exe | — | wscript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1740 | PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\admin\AppData\Roaming\WindowsServices\VKLHV.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
1072 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: jsc.exe; Exit code: 0; Version: 14.7.2558.0 built by: NET471REL1
892 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Framework CAS Policy Manager; Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400)
2160 | "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" | C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe | | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: MSBuild.exe; Version: 3.5.30729.4926 built by: NetFXw7
2492 | dw20.exe -x -s 380 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | — | CasPol.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Error Reporting Shim; Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400)
2500 | dw20.exe -x -s 380 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | — | MSBuild.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Error Reporting Shim; Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400)
2704 | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\5yac03qr.cmdline" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Visual C# Command Line Compiler; Exit code: 0; Version: 4.7.2558.0 built by: NET471REL1
2904 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES8C72.tmp" "c:\Users\admin\AppData\Local\Temp\CSC587C20BF347C44E9B8243518F58493AE.TMP" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | — | csc.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft® Resource File To COFF Object Conversion Utility; Exit code: 0; Version: 12.00.52519.0 built by: VSWINSERVICING

PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
1588 | wscript.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\14C\52C64B7E | write | LanguageList | en-US
1588 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
1588 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
1588 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
1588 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
1588 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | write | ProxyEnable | 0
1588 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | write | SavedLegacySettings | 460000008B000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1588 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
1588 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
1072 | jsc.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1588 | wscript.exe | C:\Users\admin\AppData\Roaming\WindowsServices\VKLHV.ps1 | text | 99B8AAB394401AEA0C8D90340710BF39 | F55B7FC6D6E63C57997B1AF93367C53C5361A60170E67856EE945EBEB5B12511
1588 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary | 24ACB4B63C9EECB9CDB00D1A9F78ADFC | 20A96E98DA6FFBE0371131DB64BF62AA70BB54A4EABFC2CAD78688D5CAEB4A92
1588 | wscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsServices.lnk | lnk | 14F8C0E14F513A638111505D0016CEED | D4363F7FCF4435F48FF297EB91C65F5F0C2852BBF332D8ACBDD031F2166CD8BF
1588 | wscript.exe | C:\Users\admin\AppData\Roaming\WindowsServices\EIMBC.cmd | text | 4214EA0816E30F2A51D9A0D68AACF5F0 | 3DA6C92FE8B1A0A0051CB6B5820DA5C7DD60DC0F18A4FDF7AE1337AE6E80B432
2704 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC587C20BF347C44E9B8243518F58493AE.TMP | res | 3C736D84433C655425ED974F4F34F25C | D2E2620854C3C471E3146C7550401913A29DB3505389EC334AC803AD613C3665
1740 | powershell.exe | C:\Users\admin\AppData\Local\Temp\5yac03qr.0.cs | text | D05DB7CA65C16470A87F4C4007E9E026 | C1412A0D2269B59DF9D6B003B2F82F9479040DAE4C4E12629DB5845A6AC4C960
1588 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A | binary | 177BABB8173ABF1F9E3C774997794E5A | 48CA1DF8836B3B02128CC0CFBD3310D1B0C061C80D78EE768AE38FDFE3185F7D
2904 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES8C72.tmp | o | 68ECAC8B547D78318665D616872D5EA7 | 4156B0973EBF4AFFBF447B0AB85C25133557E162B805A6F75F358EF43652BDFC
1740 | powershell.exe | C:\Users\admin\AppData\Local\Temp\5yac03qr.cmdline | text | 88C4CDD032B404BAC31E1C3A8A380F70 | 7D005A05B6C1EB8125F7862647E07E991FCCDD6861D2EBB9612E95671856BCE3
2704 | csc.exe | C:\Users\admin\AppData\Local\Temp\5yac03qr.out | text | 7DD88C35B6455625A47C01F93D64C612 | 267D73991DC9E4049DC6B0AF42A3E2C6F4B2DA37A769BF5A16CA67B22DD985C3

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1588 | wscript.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635CB039D4329A5E8.crt?7baa789e3f6f1095 | US | der | 1.36 Kb | whitelisted |
1588 | wscript.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9dbee7135befa074 | US | compressed | 61.1 Kb | whitelisted |
1588 | wscript.exe | GET | 200 | 2.16.186.27:80 | http://apps.identrust.com/roots/dstrootcax3.p7c | unknown | cat | 893 b | shared

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1588 | wscript.exe | 2.16.186.27:80 | apps.identrust.com | Akamai International B.V. | DE | whitelisted |
2544 | jsc.exe | 149.154.167.220:443 | api.telegram.org | Telegram Messenger Inc | GB | malicious |
1588 | wscript.exe | 185.157.81.233:443 | pastebin.pl | S-NET Sp. z o.o. | PL | unknown |
2544 | jsc.exe | 212.193.30.230:3363 | — | Delis LLC | CZ | malicious |
1588 | wscript.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted

Domain | IP | Reputation
---|---|---
ctldl.windowsupdate.com | | whitelisted
pastebin.pl | | malicious
apps.identrust.com | | shared
api.telegram.org | | shared

PID | Process | Class | Message |
---|---|---|---|
1588 | wscript.exe | Unknown Traffic | ET JA3 Hash - [Abuse.ch] Possible Tofsee |
— | — | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup |
2544 | jsc.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) |
2544 | jsc.exe | Misc activity | ET HUNTING Telegram API Certificate Observed |