File name: | o115115293.PDF.vbs |
Full analysis: | https://app.any.run/tasks/8c886e0b-3240-40bf-b721-a56a6e2f789e |
Verdict: | Malicious activity |
Analysis date: | October 14, 2019, 18:13:50 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/octet-stream |
File info: | data |
MD5: | AA0B2033519A191434F4758B93B67B0F |
SHA1: | D1DD3AA0C27EAA130F3F386B60E4966097943FFD |
SHA256: | D43005DEFB5C89AB606BA78B1504BEB6AD673612A4AC5C0C8F2D3D4F55B5643B |
SSDEEP: | 3072:wClllllc2UKHx4/iqJ+jorSjwHghNvqrBiRmiH3eWh68qkSEc2NSt9Epnv4REjl9:eIGZhZm9PJ4Jy |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2176 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\o115115293.PDF.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
532 | "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\o115115293.PDF.vbs" | C:\Windows\System32\wscript.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.8.7600.16385 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2176 | WScript.exe | C:\Users\admin\AppData\Roaming\o115115293.PDF.vbs | binary | |
MD5:AA0B2033519A191434F4758B93B67B0F | SHA256:D43005DEFB5C89AB606BA78B1504BEB6AD673612A4AC5C0C8F2D3D4F55B5643B | |||
2176 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o115115293.PDF.vbs | binary | |
MD5:AA0B2033519A191434F4758B93B67B0F | SHA256:D43005DEFB5C89AB606BA78B1504BEB6AD673612A4AC5C0C8F2D3D4F55B5643B | |||
2176 | WScript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\json[1] | text | |
MD5:2C7F8E90B51D15304A8718840CF8D97A | SHA256:498BC88D738D2BD3413B87E26D5091B2F82CB44171EF2DD0BCA90D03E3C8957C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2176 | WScript.exe | GET | 200 | 185.194.141.58:80 | http://ip-api.com/json/ | DE | text | 347 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2176 | WScript.exe | 105.112.16.207:2014 | akconsult.linkpc.net | Celtel Nigeria Limited t.a ZAIN | NG | unknown |
2176 | WScript.exe | 185.194.141.58:80 | ip-api.com | netcup GmbH | DE | unknown |
Domain | IP | Reputation |
---|---|---|
ip-api.com |
| shared |
akconsult.linkpc.net |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2176 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
2176 | WScript.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |