File name: | 29.vbs |
Full analysis: | https://app.any.run/tasks/f96f3882-3464-4739-ae0e-587174e4e294 |
Verdict: | Malicious activity |
Analysis date: | August 08, 2020, 18:55:56 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | text/plain |
File info: | ASCII text, with CRLF line terminators |
MD5: | E93D7D9C3D8CB6063EAC1C26E186CBAD |
SHA1: | B3158D7B33FA91E669E38DAE943BEFBBA72F362B |
SHA256: | D1E1F9B21C8A423E86D51830AAE9D9EE67265BB7821A58A1E219AADA2C5822F7 |
SSDEEP: | 6:dPtGT6RpbQN08HKQHcCCASsr6RpqFFN08HdHcCCASr:dPt1pbrMKQHzC5Q6Rpq2MdHzC5r |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2712 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\29.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
928 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\29.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2712 | WScript.exe | C:\Users\admin\AppData\Local\Temp\Cab37E4.tmp | — | |
MD5:— | SHA256:— | |||
2712 | WScript.exe | C:\Users\admin\AppData\Local\Temp\Tar37E5.tmp | — | |
MD5:— | SHA256:— | |||
2712 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\HK5YVYY9.txt | — | |
MD5:— | SHA256:— | |||
928 | WScript.exe | C:\Users\admin\AppData\Local\Temp\CabC129.tmp | — | |
MD5:— | SHA256:— | |||
928 | WScript.exe | C:\Users\admin\AppData\Local\Temp\TarC12A.tmp | — | |
MD5:— | SHA256:— | |||
928 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\YKIHZ49U.txt | text | |
MD5:0937FCBDFED3B10476E3AB4C06441629 | SHA256:152E83BA85996E8895AD1EAA3782881E1D85DE3D3EFE40FC3E3C692BF6E92509 | |||
928 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\5VVI1CCV.txt | text | |
MD5:FBEFC94F5E2A92292BCC278824EEF506 | SHA256:4BBB9E12FF3CA320A9A27596A4C5F3CB59F1ADFC08324AB26BBE47283C41FD9E | |||
2712 | WScript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 | binary | |
MD5:2114B01B87E47B11BCF9F84A2CAE34B9 | SHA256:052A130B3F4DA51C84B71CD741ED9CDC2D85AEC2D87E0C0E185B641FA2AC02D6 | |||
2712 | WScript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C954CE05407CAD0B91F1461CBC854DCE | der | |
MD5:C774544D4141DB33740F292EB1CE1DEE | SHA256:88A48AF71537B2785C9503470D96854C9601910BD7D1BF0243D12DB1BF36DABD | |||
2712 | WScript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 | der | |
MD5:9E1EB3DDA03ED5B39D68CB26399E3C2E | SHA256:161399C3C4D0942A0AFE35D59B26D984D24C6E502253CDBDAECCDD9A0B53380E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2712 | WScript.exe | GET | 200 | 2.16.107.114:80 | http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgObfHHgHlsa0R7fVL2Sj72S7g%3D%3D | unknown | der | 527 b | whitelisted |
2712 | WScript.exe | GET | 200 | 2.16.107.80:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2712 | WScript.exe | 88.99.66.31:443 | iplogger.org | Hetzner Online GmbH | DE | malicious |
2712 | WScript.exe | 2.16.107.80:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | — | suspicious |
2712 | WScript.exe | 2.16.107.114:80 | ocsp.int-x3.letsencrypt.org | Akamai International B.V. | — | suspicious |
928 | WScript.exe | 88.99.66.31:443 | iplogger.org | Hetzner Online GmbH | DE | malicious |
Domain | IP | Reputation |
---|---|---|
iplogger.org |
| shared |
isrg.trustid.ocsp.identrust.com |
| whitelisted |
ocsp.int-x3.letsencrypt.org |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2712 | WScript.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] IP Check Domain SSL certificate |
2712 | WScript.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] IP Check Domain SSL certificate |
928 | WScript.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] IP Check Domain SSL certificate |
928 | WScript.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] IP Check Domain SSL certificate |