analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

AE5748-PCT-201144.vbs

Full analysis: https://app.any.run/tasks/29073a4d-add6-4d2c-b098-5a2489f3ee4d
Verdict: Malicious activity
Analysis date: March 14, 2019, 16:19:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5:

4A4664EC6A78A1525B5484A52142FB4E

SHA1:

ECE2BC1E7FFA0F224D49E3849E534861A4F85FF7

SHA256:

10C56D774B9F2346890A01EEFE17F2A1DB2651BDE7CFF4B4F054A9AC204936C8

SSDEEP:

1536:WEO3NAx6oeWHCZfvoJs0+3E5CYoY8YgY0YpYNYBYlYbYWYEYAYDYUY6YpYaYJYLP:9qysqJD2gXfcYolcneFDCdDZvNObJK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 1792)
      • regsvr32.exe (PID: 3032)
    • Registers / Runs the DLL via REGSVR32.EXE

      • WScript.exe (PID: 2988)
  • SUSPICIOUS

    • Uses RUNDLL32.EXE to load library

      • regsvr32.exe (PID: 3032)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2988)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
32
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe regsvr32.exe no specs rundll32.exe

Process information

PID
CMD
Path
Indicators
Parent process
2988"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\AE5748-PCT-201144.vbs"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3032"C:\Windows\System32\regsvr32.exe" -s C:\Users\admin\AppData\Local\Temp/jtLsgYy.dllC:\Windows\System32\regsvr32.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
4
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1792C:\Windows\system32\\rundll32.exe C:\Users\admin\AppData\Local\Temp\jtLsgYy.dll,f0C:\Windows\system32\rundll32.exe
regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
89
Read events
85
Write events
4
Delete events
0

Modification events

(PID) Process:(2988) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2988) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
Executable files
1
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2988WScript.exeC:\Users\admin\AppData\Local\Temp\jtLsgYy.dllexecutable
MD5:9FD6B233E5BB053CE1213ABC33290C86
SHA256:E9CD6CC176F680917BF3651A0BA0F5E9DCF2856AD6DE87774F41740ED5B9366A
2988WScript.exeC:\Users\admin\AppData\Local\Temp\tempsbinary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
9
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1792
rundll32.exe
101.192.225.55:443
CN
suspicious
1792
rundll32.exe
202.195.217.62:443
China Education and Research Network Center
CN
malicious
1792
rundll32.exe
185.92.222.238:443
Choopa, LLC
NL
malicious
1792
rundll32.exe
71.168.174.7:443
MCI Communications Services, Inc. d/b/a Verizon Business
US
malicious
1792
rundll32.exe
1.112.55.23:443
Ymobile Corporation
JP
malicious
1792
rundll32.exe
126.39.235.151:443
Softbank BB Corp.
JP
malicious
1792
rundll32.exe
223.53.145.180:443
SK Telecom
KR
malicious
1792
rundll32.exe
158.174.67.20:443
Bahnhof Internet AB
SE
malicious
1792
rundll32.exe
89.144.25.104:443
GHOSTnet GmbH
DE
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
1792
rundll32.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 4
1792
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
1792
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
1792
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
1792
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
1792
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
1792
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
1792
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
1792
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
1792
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
No debug info