| Field | Value |
|---|---|
| File name | nouvyop.txt |
| Full analysis | https://app.any.run/tasks/6270ca52-6e7c-4669-930e-1a5d9f4bacca |
| Verdict | Malicious activity |
| Analysis date | August 12, 2022, 16:33:38 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | text/x-msdos-batch |
| File info | DOS batch file, ISO-8859 text, with very long lines, with CRLF line terminators |
| MD5 | FB35AADED9F509F54D2FBD9422774913 |
| SHA1 | 1BBD7DE58F80924CBD5827D52AA705951B381EED |
| SHA256 | 6F2FAD7E98D8DDF3D2D4AEC65913FF6C3D286FA82268C8AE38B78818ABD7DB42 |
| SSDEEP | 384:szp0ObZfwfLBC9nMjKOQxw1+9Sv6J3c3d3jrWIqnk5O:szp0ObZfwfLBC9nMjKOQxwU9w6JYdzKf |

| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 1420 | "C:\Windows\system32\NOTEPAD.EXE" "C:\Users\admin\AppData\Local\Temp\nouvyop.txt" | C:\Windows\system32\NOTEPAD.EXE | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Notepad; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3764 | "C:\Windows\System32\cmd.exe" /C "C:\Users\admin\Desktop\juif.bat" | C:\Windows\System32\cmd.exe | | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 480 | takeown /f C:\*.* | C:\Windows\system32\takeown.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Takes ownership of a file; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2316 | Icacls C:\*.* /C /G admin:F | C:\Windows\system32\icacls.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Exit code: 87; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1964 | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableTaskMgr /t REG_DWORD /d 1 /f | C:\Windows\system32\reg.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Registry Console Tool; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 484 | reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f | C:\Windows\system32\reg.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Registry Console Tool; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 688 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\21616.vbs" | C:\Windows\System32\WScript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385 |
| 2932 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\4561.vbs" | C:\Windows\System32\WScript.exe | | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| 3184 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\15976.vbs" 7002.bat | C:\Windows\System32\WScript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| 3472 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\8361.vbs" | C:\Windows\System32\WScript.exe | | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385 |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1420 | NOTEPAD.EXE | C:\Users\admin\Desktop\juif.bat | text | FB35AADED9F509F54D2FBD9422774913 | 6F2FAD7E98D8DDF3D2D4AEC65913FF6C3D286FA82268C8AE38B78818ABD7DB42 |
| 3764 | cmd.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat | text | D0260EF86DD3C37A5BA023320DE22D98 | 3F54F3E33EE249305F79A9980468B685F1CE59E976616F199066914038548181 |
| 2500 | WScript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der | 953BBBF2C62EB6DFC48AAC1AA78AA47F | FB2030E7F3083D281DA52246BD5AD19971B1A2A7B9FA91F8ACDD1C4E0F43AF3C |
| 2500 | WScript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | 2FFDB881A786D5E63F3C3FCD2E2B6955 | 525927F6790B1BAB1950724C9C1DC0017DAABBE5F3D21DD0C1E104A3EF1EE68D |
| 2500 | WScript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed | F7DCB24540769805E5BB30D193944DCE | 6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA |
| 3764 | cmd.exe | C:\Users\admin\AppData\Local\Temp\23083.bat | text | BC949EA893A9384070C31F083CCEFD26 | 6BDF66B5BF2A44E658BEA2EE86695AB150A06E600BF67CD5CCE245AD54962C61 |
| 2500 | WScript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\lachancla[1].mp3 | — | — | — |
| 3764 | cmd.exe | C:\Users\admin\AppData\Local\Temp\21616.vbs | text | 86651BC7504417E7EF5AA1FC46B5A111 | 2C3A7E0025A743BB10E97EBB7B2E1FF27530D007646ACA6FD3B06A31FD4F0652 |
| 3764 | cmd.exe | C:\Users\admin\AppData\Local\Temp\4947.vbs | text | DB07B3C9C42DF80BC7F2DA2984A61716 | 3A0BFDED5CC4679468764AF6E5D8E0457547F93C9BFF8911ABE02CA05E03134E |
| 460 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_7AA54AA41F3847BB90B1B420E2264D1E.dat | binary | C34FA1C94889A9AFE3B43C4DDAB7A187 | 925387F7C1BD1CF475927E4219E2DCB31C86AC189F1955775498F6839AD8B369 |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2500 | WScript.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
| 2500 | WScript.exe | GET | 200 | 67.26.139.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a314ee569637a8bd | US | compressed | 4.70 Kb | whitelisted |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2500 | WScript.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
| 2500 | WScript.exe | 67.26.139.254:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | suspicious |
| 3472 | WScript.exe | 193.36.45.15:443 | image.noelshack.com | L'Odyssee Interactive Jeuxvideo.com, SAS | FR | unknown |
| 2932 | WScript.exe | 162.159.135.232:443 | discord.com | Cloudflare Inc | — | malicious |
| 3472 | WScript.exe | 217.65.97.74:443 | ddl8.data.hu | Magyar Telekom plc. | HU | suspicious |
| 2500 | WScript.exe | 162.159.134.233:443 | cdn.discordapp.com | Cloudflare Inc | — | shared |

| Domain | IP | Reputation |
|---|---|---|
| discord.com | | whitelisted |
| image.noelshack.com | | suspicious |
| ddl8.data.hu | | suspicious |
| cdn.discordapp.com | | shared |
| ctldl.windowsupdate.com | | whitelisted |
| ocsp.digicert.com | | whitelisted |
| theshitposter78.github.io | | malicious |

| PID | Process | Class | Message |
|---|---|---|---|
| — | — | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com) |
| 2932 | WScript.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
| — | — | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) |
| 2500 | WScript.exe | Misc activity | ET INFO Observed Discord Domain (discordapp .com in TLS SNI) |
| 2500 | WScript.exe | Misc activity | ET INFO Observed Discord Domain (discordapp .com in TLS SNI) |