| Field | Value |
|---|---|
| File name | 10f6e38224c4ee39501fa379cfbdd68067c37c6c731fbe78ad03a24cc6b42e31.vbs |
| Full analysis | https://app.any.run/tasks/2890985d-3f1e-4b34-a9da-18247cec0e6a |
| Verdict | Malicious activity |
| Analysis date | May 20, 2019, 16:27:09 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| MIME | text/plain |
| File info | ASCII text, with CRLF line terminators |
| MD5 | FD8C2477FB5E107414364E5AA07408B7 |
| SHA1 | 28307D7BB128DE103ABAA606B5BB346B8CA03386 |
| SHA256 | BCEBF674B3F0515C8DD2E0F23D48B2A9B3E125EF277DF52EF14AAF9F5F35073F |
| SSDEEP | 12:rChQq4vKQbJaMzHVHYQenBnct9oVsE8yzcRhXdd+REBaGdpVmr/hIbv:rCHiKQbwqynZKE8yzcRhtd+EBfmbhIL |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3144 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\10f6e38224c4ee39501fa379cfbdd68067c37c6c731fbe78ad03a24cc6b42e31.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe |

Process details: User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3144 | WScript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\NCiPkXve[1].txt | — | — | — |
| 3144 | WScript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\understandknow_info[1].txt | — | — | — |
| 3144 | WScript.exe | C:\Users\admin\124x | text | 17DAF2B82DB5FF5DD240C31C7424A95E | 1D69B23BE923220FE79154E8498393E58B777184F286372EFDACDEC1200FB677 |
| 3144 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@pastebin[1].txt | text | 577B932E225069FC7C9D778C2F031E07 | CCB83123AAAF83CB1E993145C3714D424BCC6D00DC070E62CA20606CF4749957 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3144 | WScript.exe | POST | 200 | 107.180.28.146:80 | http://understandknow.info/?tgow=shuraty3&6cJOngr3ZLNNt2CBaeqqTtf2X | US | text | 3.56 Kb | malicious |
3144 | WScript.exe | POST | 200 | 104.20.208.21:80 | http://pastebin.com/raw/NCiPkXve?6cJOngr3ZLNNt2CBaeqqTtf2X | US | text | 221 b | shared |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3144 | WScript.exe | 104.20.208.21:80 | pastebin.com | Cloudflare Inc | US | shared |
3144 | WScript.exe | 107.180.28.146:80 | understandknow.info | GoDaddy.com, LLC | US | suspicious |
| Domain | IP | Reputation |
|---|---|---|
| pastebin.com | — | shared |
| understandknow.info | — | malicious |
| PID | Process | Class | Message |
|---|---|---|---|
3144 | WScript.exe | A Network Trojan was detected | MALWARE [PTsecurity] Download Obfuscated Malicious Script (cmd.exe/WScript.Shell) |
3144 | WScript.exe | Potentially Bad Traffic | ET WEB_CLIENT Obfuscated Javascript // ptth |