File name: | ffabcdef-2015-0630-1821-aaa040384214.vbs |
Full analysis: | https://app.any.run/tasks/cfb322a7-cde0-492a-8638-2fd7f99a5725 |
Verdict: | Malicious activity |
Analysis date: | October 14, 2019, 03:22:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ISO-8859 text, with very long lines |
MD5: | C07CC77EF2C07594542F77069E12702E |
SHA1: | C0B53A9288F51C89AA14DD052AA2472E856E29DC |
SHA256: | 64C6959B89FE7A76815026DD592081FCBBE328CB61CCDF427F6B0C429CEAB860 |
SSDEEP: | 768:+j2uG5pYwaKkLLVE1X2XixekYdk8r0tu/xgYM471iWXWM1i2XqHnV:+j2w8V |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2108 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\ffabcdef-2015-0630-1821-aaa040384214.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
3008 | "C:\Windows\System32\cmd.exe" /c secedit /export /cfg C:\Users\admin\AppData\Local\Temp\sec.log | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 740 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
792 | secedit /export /cfg C:\Users\admin\AppData\Local\Temp\sec.log | C:\Windows\system32\SecEdit.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Security Configuration Editor Command Tool Exit code: 740 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1784 | "C:\Windows\System32\cmd.exe" /c wmic computersystem get domainrole | find /i /v "domainrole" > C:\Users\admin\AppData\Local\Temp\domainrole.txt | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2612 | wmic computersystem get domainrole | C:\Windows\System32\Wbem\WMIC.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2760 | find /i /v "domainrole" | C:\Windows\system32\find.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (grep) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1708 | "C:\Windows\System32\cmd.exe" /c echo SCNameSpace = "" > C:\Users\admin\AppData\Local\Temp\wmiav.vbs | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3132 | "C:\Windows\System32\cmd.exe" /c echo Set objWMIServiceOS = GetObject("winmgmts:\\.\root\CIMV2") >> C:\Users\admin\AppData\Local\Temp\wmiav.vbs | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1012 | "C:\Windows\System32\cmd.exe" /c echo Set colItemsOS = objWMIServiceOS.ExecQuery("SELECT * FROM Win32_OperatingSystem",,48) >> C:\Users\admin\AppData\Local\Temp\wmiav.vbs | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
940 | "C:\Windows\System32\cmd.exe" /c echo For Each objItem in colItemsOS >> C:\Users\admin\AppData\Local\Temp\wmiav.vbs | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
(PID) Process: | (2108) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2108) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2504 | cmd.exe | C:\Users\admin\AppData\Local\Temp\wmiav.vbs | text | |
MD5:A12EB9AE0DFFD31ADAC7C3B49882AC5E | SHA256:689C5B4E9396FC6731AFE6129148C18F814F758909624EF8CD59BCFD8B064673 | |||
1024 | cmd.exe | C:\Users\admin\AppData\Local\Temp\wmiav.vbs | text | |
MD5:9288F94687E10BFC091FD833D73614CE | SHA256:E7E1EA7FF34B023C9F7B944DECE5F1A671F6ABFD9DCDAFFF5E325AE1974EDB39 | |||
3132 | cmd.exe | C:\Users\admin\AppData\Local\Temp\wmiav.vbs | text | |
MD5:9288F94687E10BFC091FD833D73614CE | SHA256:E7E1EA7FF34B023C9F7B944DECE5F1A671F6ABFD9DCDAFFF5E325AE1974EDB39 | |||
3816 | cmd.exe | C:\Users\admin\AppData\Local\Temp\wmiav.vbs | text | |
MD5:26590A6336C144342C603A9C6A082E1D | SHA256:00841D9142B3E73D25C4ED2422B43DA5A6F5BA42DFE7A1CC87E1DEB98B0C3477 | |||
2880 | cmd.exe | C:\Users\admin\AppData\Local\Temp\wmiav.vbs | text | |
MD5:A12EB9AE0DFFD31ADAC7C3B49882AC5E | SHA256:689C5B4E9396FC6731AFE6129148C18F814F758909624EF8CD59BCFD8B064673 | |||
1956 | cmd.exe | C:\Users\admin\AppData\Local\Temp\wmiav.vbs | text | |
MD5:26590A6336C144342C603A9C6A082E1D | SHA256:00841D9142B3E73D25C4ED2422B43DA5A6F5BA42DFE7A1CC87E1DEB98B0C3477 | |||
2760 | find.exe | C:\Users\admin\AppData\Local\Temp\domainrole.txt | text | |
MD5:B2E89836C8C89FFFFB14C1CB86559A26 | SHA256:47F28FF4DA1895129C5EF6524BE86395D37A969DEF23C656B67B975616BE8A8A | |||
3408 | cmd.exe | C:\Users\admin\AppData\Local\Temp\wmiav.vbs | text | |
MD5:A12EB9AE0DFFD31ADAC7C3B49882AC5E | SHA256:689C5B4E9396FC6731AFE6129148C18F814F758909624EF8CD59BCFD8B064673 | |||
328 | cmd.exe | C:\Users\admin\AppData\Local\Temp\wmiav.vbs | text | |
MD5:A12EB9AE0DFFD31ADAC7C3B49882AC5E | SHA256:689C5B4E9396FC6731AFE6129148C18F814F758909624EF8CD59BCFD8B064673 | |||
3748 | cmd.exe | C:\Users\admin\AppData\Local\Temp\wmiav.vbs | text | |
MD5:A12EB9AE0DFFD31ADAC7C3B49882AC5E | SHA256:689C5B4E9396FC6731AFE6129148C18F814F758909624EF8CD59BCFD8B064673 |