File name: DOC0711.vbe
Full analysis: https://app.any.run/tasks/a2c4422f-262f-4d88-9be9-463bde752173
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on the family, a trojan's capabilities range from full remote control of the victim's machine to stealing data and files and dropping other malware, so the main functionality of one family can differ substantially from another's. The most common trojan infection chain starts with a phishing email.

Analysis date: November 08, 2018, 07:20:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, banload
Indicators:
MIME: application/octet-stream
File info: data (a generic result; the format is identified by TRiD below)
MD5: 7223C5D3370D95F55683C1CE90926D06
SHA1: 64EC7747A123106FB074D70410D652A54D40E8C7
SHA256: 01A16A003BF97EAC618856B0372E3F49C2086322C2DA40CF6D114A052157179E
SSDEEP: 96:VHIdii0IJDlrbPtUrSU21xmYUcvvFceWwkx3zso7qJQ6AvgiUlN+VH4at2svjU7D:VokiFJDErixrJPxkxDso2e6CgiKq+ae9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable: SearchProtocolHost.exe (PID: 716), ORCAJ4DHVCLXRS3.exe (PID: 2312)
    • Application was dropped or rewritten from another process: ORCAJ4DHVCLXRS3.exe (PID: 2312)
    • BANLOAD was detected: WScript.exe (PID: 2108)
    • Changes the autorun value in the registry: ORCAJ4DHVCLXRS3.exe (PID: 2312)
    • Connects to CnC server: ORCAJ4DHVCLXRS3.exe (PID: 2312)
  • SUSPICIOUS
    • Executable content was dropped or overwritten: WScript.exe (PID: 2108)
    • Starts CMD.EXE for command execution: WScript.exe (PID: 2108)
    • Disables Form Suggestion in IE: ORCAJ4DHVCLXRS3.exe (PID: 2312)
    • Reads Environment values: ORCAJ4DHVCLXRS3.exe (PID: 2312)
    • Uses TASKKILL.EXE to kill Browsers: ORCAJ4DHVCLXRS3.exe (PID: 2312)
    • Uses TASKKILL.EXE to kill process: ORCAJ4DHVCLXRS3.exe (PID: 2312)
  • INFO
    No info indicators.

Reading the signatures together: WScript.exe (PID 2108) runs the encoded script, downloads and unpacks the payload and launches it through cmd.exe; ORCAJ4DHVCLXRS3.exe (PID 2312) is the payload that sets persistence, kills browsers and checks in with the C2. SearchProtocolHost.exe (PID 716) is the Windows Search indexer's protocol host, started by SearchIndexer.exe as SYSTEM and marked "no specs" in the behavior graph; it appears under "Loads dropped or rewritten executable" because the indexer touched the freshly dropped files, so treat that hit as sandbox noise rather than a further compromised process.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .vbe | VBScript Encoded script (100)
All screenshots are available in the full report
Total processes: 41; monitored processes: 7; malicious processes: 3; suspicious processes: 0

Behavior graph (process tree, reconstructed from the parent-process fields below; "no specs" means no signature fired on that process)

explorer.exe
└─ WScript.exe (PID 2108) #BANLOAD
   └─ cmd.exe (PID 3044, no specs)
      └─ ORCAJ4DHVCLXRS3.exe (PID 2312)
         ├─ TASKKILL.exe (PID 2240, no specs) /F /IM chrome.exe
         ├─ TASKKILL.exe (PID 2016, no specs) /F /IM firefox.exe
         └─ TASKKILL.exe (PID 3224, no specs) /F /IM itauaplicativo.exe
SearchIndexer.exe
└─ SearchProtocolHost.exe (PID 716, no specs)

Process information

PID 2108  WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\DOC0711.vbe"
  Path: C:\Windows\System32\WScript.exe
  Parent process: explorer.exe
  User: admin   Integrity level: MEDIUM   Exit code: 0
  Company: Microsoft Corporation   Description: Microsoft ® Windows Based Script Host   Version: 5.8.7600.16385

PID 716  SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe14_ Global\UsGthrCtrlFltPipeMssGthrPipe14 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  Path: C:\Windows\System32\SearchProtocolHost.exe
  Parent process: SearchIndexer.exe
  User: SYSTEM   Integrity level: SYSTEM   Exit code: not recorded
  Company: Microsoft Corporation   Description: Microsoft Windows Search Protocol Host   Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID 3044  cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c start C:\Users\Public\K8BA9BWJ2L7ERTF\ORCAJ4DHVCLXRS3.exe
  Path: C:\Windows\system32\cmd.exe
  Parent process: WScript.exe
  User: admin   Integrity level: MEDIUM   Exit code: 0
  Company: Microsoft Corporation   Description: Windows Command Processor   Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2312  ORCAJ4DHVCLXRS3.exe
  Command line: C:\Users\Public\K8BA9BWJ2L7ERTF\ORCAJ4DHVCLXRS3.exe
  Path: C:\Users\Public\K8BA9BWJ2L7ERTF\ORCAJ4DHVCLXRS3.exe
  Parent process: cmd.exe
  User: admin   Integrity level: MEDIUM   Exit code: not recorded
  Company: VMware, Inc.   Description: VMware NAT Service   Version: 12.5.6 build-5528349

PID 2240  TASKKILL.exe
  Command line: TASKKILL /F /IM chrome.exe
  Path: C:\Windows\system32\TASKKILL.exe
  Parent process: ORCAJ4DHVCLXRS3.exe
  User: admin   Integrity level: MEDIUM   Exit code: 128
  Company: Microsoft Corporation   Description: Terminates Processes   Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2016  TASKKILL.exe
  Command line: TASKKILL /F /IM firefox.exe
  Path: C:\Windows\system32\TASKKILL.exe
  Parent process: ORCAJ4DHVCLXRS3.exe
  User: admin   Integrity level: MEDIUM   Exit code: 128
  Company: Microsoft Corporation   Description: Terminates Processes   Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3224  TASKKILL.exe
  Command line: TASKKILL /F /IM itauaplicativo.exe
  Path: C:\Windows\system32\TASKKILL.exe
  Parent process: ORCAJ4DHVCLXRS3.exe
  User: admin   Integrity level: MEDIUM   Exit code: 128
  Company: Microsoft Corporation   Description: Terminates Processes   Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Two details in this table matter for triage. The payload's version resource claims "VMware, Inc. / VMware NAT Service 12.5.6 build-5528349", which does not fit a binary living in C:\Users\Public and launched through `cmd /c start`; vendor strings in version info are free text and should be checked against the file's hash and signature rather than trusted. The three TASKKILL runs all exit with code 128, taskkill's result when no process with that image name exists: no browser and no itauaplicativo.exe (the Itaú banking application, consistent with the Spy.Banker.BR alerts below) was running in the sandbox, so the kills show intent but had no effect here.
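The process table above is exactly the kind of lineage a host-based detection should key on: a script host whose descendant is an executable in a user-writable directory, version info that does not match the install location, and taskkill of browsers from that dropped binary. The following Python is an added example, not ANY.RUN's code; its EVENTS list is constructed from the table (PIDs, parents, command lines, version-info company) with an assumed dict schema rather than a real Sysmon or EDR format, and explorer.exe's PID (1234) and SearchIndexer's PID (900) are invented.

```python
"""Process-tree detection for the dropper chain in this report.

Added example, not ANY.RUN's own code. EVENTS is constructed from the
'Process information' table (PIDs, parents, command lines, version-info
company); the dict keys are an assumed schema, not a real Sysmon/EDR
format, and the explorer.exe PID (1234) and SearchIndexer PID (900) are made up.
"""
import re

EVENTS = [
    {"pid": 1234, "ppid": 0, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "company": "Microsoft Corporation"},
    {"pid": 2108, "ppid": 1234, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\DOC0711.vbe"',
     "company": "Microsoft Corporation"},
    {"pid": 3044, "ppid": 2108, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c start C:\Users\Public\K8BA9BWJ2L7ERTF\ORCAJ4DHVCLXRS3.exe',
     "company": "Microsoft Corporation"},
    {"pid": 2312, "ppid": 3044, "image": r"C:\Users\Public\K8BA9BWJ2L7ERTF\ORCAJ4DHVCLXRS3.exe",
     "cmdline": r"C:\Users\Public\K8BA9BWJ2L7ERTF\ORCAJ4DHVCLXRS3.exe", "company": "VMware, Inc."},
    {"pid": 2240, "ppid": 2312, "image": r"C:\Windows\system32\TASKKILL.exe",
     "cmdline": "TASKKILL /F /IM chrome.exe", "company": "Microsoft Corporation"},
    {"pid": 2016, "ppid": 2312, "image": r"C:\Windows\system32\TASKKILL.exe",
     "cmdline": "TASKKILL /F /IM firefox.exe", "company": "Microsoft Corporation"},
    {"pid": 3224, "ppid": 2312, "image": r"C:\Windows\system32\TASKKILL.exe",
     "cmdline": "TASKKILL /F /IM itauaplicativo.exe", "company": "Microsoft Corporation"},
    # Indexer noise from the report: SYSTEM process whose parent is not in the data.
    {"pid": 716, "ppid": 900, "image": r"C:\Windows\System32\SearchProtocolHost.exe",
     "cmdline": '"C:\\Windows\\system32\\SearchProtocolHost.exe" (arguments omitted)',
     "company": "Microsoft Corporation"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Directories an unprivileged user can both write to and execute from.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\public|users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.I)
TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.I)
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, pid):
    """Return [self, parent, grandparent, ...] as far as the dataset allows."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (pid, rule, detail) tuples for every event that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        image = e["image"]
        lineage = ancestors(by_pid, e["pid"])
        upstream = {basename(a["image"]) for a in lineage[1:]}
        parent = lineage[1] if len(lineage) > 1 else None
        # Rule 1: an .exe in a user-writable path with a script host in its lineage
        # (WScript.exe -> cmd.exe -> ORCAJ4DHVCLXRS3.exe in this report).
        if USER_WRITABLE.match(image) and image.lower().endswith(".exe") and upstream & SCRIPT_HOSTS:
            hits.append((e["pid"], "dropped_exe_from_script_host", image))
        # Rule 2: vendor metadata that does not fit the install location
        # (the payload claims "VMware, Inc." while living in C:\Users\Public).
        if USER_WRITABLE.match(image) and e["company"]:
            hits.append((e["pid"], "vendor_mismatch", e["company"]))
        # Rule 3: taskkill /IM launched by a binary in a user-writable path
        # (browser and banking-client kills, Banload-style).
        m = TASKKILL_RE.search(e["cmdline"])
        if m and parent and USER_WRITABLE.match(parent["image"]):
            target = m.group(1).lower()
            kind = "browser" if target in BROWSERS else "process"
            hits.append((e["pid"], "taskkill_by_dropped_binary", f"{kind}:{target}"))
    return hits


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"PID {pid:<5} {rule:<28} {detail}")
```

Run against the constructed events, the payload (PID 2312) trips rules 1 and 2 and each of the three TASKKILL children trips rule 3, while SearchProtocolHost.exe (PID 716) stays clean because it is neither in a user-writable path nor descended from a script host. Rule 1 deliberately walks the whole lineage rather than checking only the direct parent, because the `cmd /c start` hop in this sample would otherwise hide the script host.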
Total events: 514 (read: 490, write: 24, delete: 0)

Modification events (10 of the 24 write events; all by PID 2108, WScript.exe)

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
  EnableFileTracing = 0
  EnableConsoleTracing = 0
  FileTracingMask = 4294901760
  ConsoleTracingMask = 4294901760
  MaxFileSize = 1048576
  FileDirectory = %windir%\tracing
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
  EnableFileTracing = 0
  EnableConsoleTracing = 0
  FileTracingMask = 4294901760
  ConsoleTracingMask = 4294901760

Every write listed is a RAS tracing default. Windows creates the <image>_RASAPI32 and <image>_RASMANCS keys the first time a process pulls in the RAS libraries, which happens as a side effect of WinINet-based HTTP, so these entries are a tell that WScript.exe made its own network connection (the nv0711.zip download), not a persistence mechanism. The autorun change that the signatures attribute to PID 2312 is not among the events shown here; the remaining write events are in the full report.
Executable files: 4; suspicious files: 2; text files: 0; unknown types: 0

Dropped files (all written by PID 2108, WScript.exe)

C:\Users\Public\K8BA9BWJ2L7ERTF\verbo.zip (compressed)
  MD5: CB45EDED7A3C087B951066C8B13AD6EE
  SHA256: EE0FBB67D54C967A09A7FE735196F8B88B4C92104658973D1E787F6B18D70D71
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\nv0711[1].zip (compressed)
  MD5: CB45EDED7A3C087B951066C8B13AD6EE
  SHA256: EE0FBB67D54C967A09A7FE735196F8B88B4C92104658973D1E787F6B18D70D71
C:\Users\Public\K8BA9BWJ2L7ERTF\shfolder.dll (executable)
  MD5: A8B90653B7E646F71A16D05BE060A041
  SHA256: B00103DF9854D08C4A566593C121B8E04F373874F521CEAE4F0FF399DE69EE55
C:\Users\Public\K8BA9BWJ2L7ERTF\LWF3KP6HFGV37RYFEXQSD5CKZ08V (executable)
  MD5: A8B90653B7E646F71A16D05BE060A041
  SHA256: B00103DF9854D08C4A566593C121B8E04F373874F521CEAE4F0FF399DE69EE55
C:\Users\Public\K8BA9BWJ2L7ERTF\SJIZ84IJKCGX558YVDE14SS1O41RQLCF2FM8 (executable)
  MD5: B2218DF5C3373A9A1B619E53281E9806
  SHA256: 681CCC9E5BAB3A23B3CE31FDC1EB8DB268E79E1521E748D8F8C951D10A3A096C
C:\Users\Public\K8BA9BWJ2L7ERTF\ORCAJ4DHVCLXRS3.exe (executable)
  MD5: B2218DF5C3373A9A1B619E53281E9806
  SHA256: 681CCC9E5BAB3A23B3CE31FDC1EB8DB268E79E1521E748D8F8C951D10A3A096C

The repeated hashes give away the write sequence: the archive fetched over HTTP landed in the IE cache as nv0711[1].zip and was copied to verbo.zip, and its two members were first extracted under random names and then copied to shfolder.dll and ORCAJ4DHVCLXRS3.exe, so there are only three distinct files here. A DLL carrying the name of a legitimate Windows shell library (shfolder.dll) dropped beside the executable is the usual setup for DLL side-loading; the full report's module list for PID 2312 shows whether the dropped copy is what it loads.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2; TCP/UDP connections: 2; DNS requests: 1; threats: 0

HTTP requests

2108  WScript.exe          GET   200  13.77.75.153:80    http://13.77.75.153/sites/default/files/feeds/nv0711.zip
      CN: US   Type: compressed   Size: 3.28 Mb   Reputation: whitelisted
2312  ORCAJ4DHVCLXRS3.exe  POST  200  37.187.238.223:80  http://reorienta45plus.com/wp-content/plugins/hello_dolly/ct/jov45.php
      CN: FR   Type: text   Size: 10 b   Reputation: malicious

The GET is "whitelisted" only because 13.77.75.153 sits in Microsoft's address space (see Connections); the 3.28 Mb file it returns is the malware's own archive, the same content later dropped as verbo.zip (MD5 CB45EDED7A3C087B951066C8B13AD6EE), served from a Drupal upload directory (/sites/default/files/). The check-in POST goes to a PHP script placed under a WordPress install's bundled Hello Dolly plugin directory, and the 10-byte text response is all the C2 returned during the task. Reputation by IP owner says nothing about the content, so the URL path and the downloaded hash are the indicators worth keeping.

Connections

2312  ORCAJ4DHVCLXRS3.exe  37.187.238.223:80  Domain: reorienta45plus.com  ASN: OVH SAS  CN: FR  Reputation: suspicious
2108  WScript.exe          13.77.75.153:80    Domain: (none)               ASN: Microsoft Corporation  CN: US  Reputation: whitelisted

DNS requests

reorienta45plus.com -> 37.187.238.223 (malicious)

Only the C2 domain was resolved; the first-stage download went straight to an IP address, so DNS-based detection alone would have missed the payload fetch and only caught the check-in.

Threats

2108  WScript.exe          A Network Trojan was detected          MALWARE [PTsecurity] Banload.WRI (Trojan.Agent.DDSA) Requesting Zip Archive
2312  ORCAJ4DHVCLXRS3.exe  Potential Corporate Privacy Violation  ET POLICY Unsupported/Fake Windows NT Version 5.0
2312  ORCAJ4DHVCLXRS3.exe  A Network Trojan was detected          MALWARE [PTsecurity] Spy.Banker.BR HTTP POST Check-in v1
2312  ORCAJ4DHVCLXRS3.exe  A Network Trojan was detected          MALWARE [PTsecurity] Spy.Banker.BR HTTP POST Check-in v2
2 ETPRO signatures available at the full report

The first alert fires on the script host's zip download; the two Spy.Banker.BR rules fire on the POST to jov45.php. The ET POLICY hit is a weak but useful corroborating signal: the payload sends a User-Agent claiming Windows NT 5.0 (Windows 2000), which the Windows 7 sandbox host cannot legitimately produce, so the header is hard-coded in the binary and is a usable network fingerprint for this sample.
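The HTTP, DNS and threat tables give three independent handles on this traffic: known hosts, known URL paths, and the impossible User-Agent that the ET POLICY rule keys on. The following Python shows how they combine over proxy logs, including the first-stage download that reputation alone marked whitelisted. It is an added example, not ANY.RUN's code: the IOC values come from the tables above, but PROXY_LOG is constructed, its line layout (timestamp, client, method, URL, quoted User-Agent) is an assumed format, the internal client addresses are invented, and the User-Agent strings are illustrative since the report does not print the full headers.

```python
"""Network IOC matcher for the traffic in this report.

Added example, not ANY.RUN's own code. IOCS is taken from the report's
HTTP, Connections and DNS tables. PROXY_LOG is constructed: the line format
(timestamp client method url "user-agent") is assumed, the 10.0.0.x clients
are invented, and the User-Agent strings are illustrative.
"""
import re
from urllib.parse import urlsplit

IOCS = {
    "hosts": {"reorienta45plus.com", "37.187.238.223"},
    "paths": {
        "/sites/default/files/feeds/nv0711.zip",
        "/wp-content/plugins/hello_dolly/ct/jov45.php",
    },
}
# Windows 2000 is NT 5.0; that is what "Unsupported/Fake Windows NT Version 5.0"
# keys on, and no Windows 7 host sends it legitimately.
FAKE_NT5 = re.compile(r"Windows NT 5\.0\b", re.I)

LINE_RE = re.compile(r'^(\S+) (\S+) ([A-Z]+) (\S+) "([^"]*)"$')

PROXY_LOG = """\
2018-11-08T07:21:02Z 10.0.0.15 GET http://13.77.75.153/sites/default/files/feeds/nv0711.zip "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
2018-11-08T07:21:09Z 10.0.0.15 POST http://reorienta45plus.com/wp-content/plugins/hello_dolly/ct/jov45.php "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
2018-11-08T07:22:30Z 10.0.0.22 GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2018-11-08T07:23:11Z 10.0.0.31 GET http://37.187.238.223/ "curl/7.61.0"
"""


def classify(line):
    """Return the reasons one proxy line matches the IOCs; [] when clean."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsable"]
    _ts, _client, method, url, ua = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in IOCS["hosts"]:
        reasons.append(f"ioc_host:{host}")
    # Path match catches the payload fetch even though its IP is "whitelisted".
    if parts.path in IOCS["paths"]:
        reasons.append(f"ioc_path:{parts.path}")
    if FAKE_NT5.search(ua):
        reasons.append("fake_nt5_user_agent")
    if method == "POST" and reasons:
        reasons.append("post_to_ioc")  # a check-in rather than a download
    return reasons


def scan(log_text):
    """Map 1-based line numbers to reasons; clean lines are omitted."""
    findings = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            findings[lineno] = reasons
    return findings


if __name__ == "__main__":
    for lineno, reasons in scan(PROXY_LOG).items():
        print(f"line {lineno}: {', '.join(reasons)}")
```

On the constructed log the download from the Microsoft-owned IP is caught by its path alone, the check-in is caught three ways (host, path, User-Agent) and tagged as a POST, a later bare connection to 37.187.238.223 is caught by IP, and the unrelated browsing line produces nothing. Matching the path rather than the full URL is deliberate: the same PHP endpoint could be reached through another compromised host.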
Debug output strings

ORCAJ4DHVCLXRS3.exe: CodeSet_Init: no ICU