File name: sport tv.vbs

Full analysis: https://app.any.run/tasks/f233a7e2-21d2-441f-ac03-c7f475b1fe62
Verdict: Malicious activity
Analysis date: March 02, 2024, 13:38:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
sinkhole
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (65511), with CRLF line terminators
MD5: 85BB69BA630BF3416C244A292BCF4907
SHA1: 606A41597CC53B667D9AA603CE530A9B6FD6146C
SHA256: 2A5F2DE11A35132A654DA679E517F7A777C49A8BD28D6C3608659F6BC4950611
SSDEEP: 1536:AtsUipjDz+s5oTHecYKNSj87Ny1O7g7QcSeru4cliglPog7Sz24lw0UIvWA6Kr/n:SRvOsRq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Accesses environment variables (SCRIPT)

      • wscript.exe (PID: 2472)
      • wscript.exe (PID: 3348)
    • Create files in the Startup directory

      • wscript.exe (PID: 2472)
    • Copies file to a new location (SCRIPT)

      • wscript.exe (PID: 2472)
      • wscript.exe (PID: 3348)
    • Gets path to any of the special folders (SCRIPT)

      • wscript.exe (PID: 2472)
      • wscript.exe (PID: 3348)
    • Gets TEMP folder path (SCRIPT)

      • wscript.exe (PID: 2472)
      • wscript.exe (PID: 3348)
    • Gets a file object corresponding to the file in a specified path (SCRIPT)

      • wscript.exe (PID: 2472)
      • wscript.exe (PID: 3348)
    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 2472)
      • wscript.exe (PID: 3348)
    • Gets startup folder path (SCRIPT)

      • wscript.exe (PID: 3348)
      • wscript.exe (PID: 2472)
    • Reads the value of a key from the registry (SCRIPT)

      • wscript.exe (PID: 2472)
      • wscript.exe (PID: 3348)
    • Modifies registry startup key (SCRIPT)

      • wscript.exe (PID: 2472)
      • wscript.exe (PID: 3348)
    • Checks whether a specified folder exists (SCRIPT)

      • wscript.exe (PID: 2472)
      • wscript.exe (PID: 3348)
    • Creates a new registry key or changes the value of an existing one (SCRIPT)

      • wscript.exe (PID: 2472)
      • wscript.exe (PID: 3348)
    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 3348)
    • Opens a text file (SCRIPT)

      • wscript.exe (PID: 3348)
    • Gets username (SCRIPT)

      • wscript.exe (PID: 3348)
    • Accesses information about the status of the installed antivirus (Win32_AntivirusProduct) via WMI (SCRIPT)

      • wscript.exe (PID: 3348)
    • Unusual connection from system programs

      • wscript.exe (PID: 3348)
    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 3348)
    • Connects to the CnC server

      • wscript.exe (PID: 3348)
    • Uses sleep, probably for detection evasion (SCRIPT)

      • wscript.exe (PID: 3348)
  • SUSPICIOUS

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 2472)
      • wscript.exe (PID: 3348)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 2472)
      • wscript.exe (PID: 3348)
    • Reads the Internet Settings

      • wscript.exe (PID: 2472)
      • wscript.exe (PID: 3348)
    • Application launched itself

      • wscript.exe (PID: 2472)
    • The process executes VB scripts

      • wscript.exe (PID: 2472)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2472)
    • Gets a collection of all available drive names (SCRIPT)

      • wscript.exe (PID: 3348)
    • Gets the drive type (SCRIPT)

      • wscript.exe (PID: 3348)
    • Checks whether the drive is ready (SCRIPT)

      • wscript.exe (PID: 3348)
    • Executes WMI query (SCRIPT)

      • wscript.exe (PID: 3348)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • wscript.exe (PID: 3348)
    • Gets disk free space (SCRIPT)

      • wscript.exe (PID: 3348)
    • Accesses operating system name via WMI (SCRIPT)

      • wscript.exe (PID: 3348)
    • Connects to unusual port

      • wscript.exe (PID: 3348)
    • Accesses local storage devices (Win32_LogicalDisk) via WMI (SCRIPT)

      • wscript.exe (PID: 3348)
    • Accesses OperatingSystem (Win32_OperatingSystem) via WMI (SCRIPT)

      • wscript.exe (PID: 3348)
    • Accesses current user name via WMI (SCRIPT)

      • wscript.exe (PID: 3348)
    • Accesses computer name via WMI (SCRIPT)

      • wscript.exe (PID: 3348)
    • Gets computer name (SCRIPT)

      • wscript.exe (PID: 3348)
    • Accesses WMI object caption (SCRIPT)

      • wscript.exe (PID: 3348)
    • Adds, changes, or deletes HTTP request header (SCRIPT)

      • wscript.exe (PID: 3348)
  • INFO

    • Checks proxy server information

      • wscript.exe (PID: 3348)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> wscript.exe (PID: 2472) -> wscript.exe (PID: 3348)

Process information

PID: 2472
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\sport tv.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (Images):
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 3348
CMD: "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Local\Temp\sport tv.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (Images):
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 2 774
Read events: 2 732
Write events: 36
Delete events: 6

Modification events

Process: wscript.exe (PID: 2472)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: sport tv
Value: wscript.exe //B "C:\Users\admin\AppData\Local\Temp\sport tv.vbs"

Process: wscript.exe (PID: 2472)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: sport tv
Value: wscript.exe //B "C:\Users\admin\AppData\Local\Temp\sport tv.vbs"

Process: wscript.exe (PID: 2472)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: wscript.exe (PID: 2472)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: wscript.exe (PID: 2472)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: wscript.exe (PID: 2472)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: wscript.exe (PID: 3348)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: sport tv
Value: wscript.exe //B "C:\Users\admin\AppData\Local\Temp\sport tv.vbs"

Process: wscript.exe (PID: 3348)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: sport tv
Value: wscript.exe //B "C:\Users\admin\AppData\Local\Temp\sport tv.vbs"

Process: wscript.exe (PID: 3348)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: wscript.exe (PID: 3348)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1
Executable files: 0
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID: 2472
Process: wscript.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sport tv.vbs
Type: text
MD5: 85BB69BA630BF3416C244A292BCF4907
SHA256: 2A5F2DE11A35132A654DA679E517F7A777C49A8BD28D6C3608659F6BC4950611

PID: 2472
Process: wscript.exe
Filename: C:\Users\admin\AppData\Local\Temp\sport tv.vbs
Type: text
MD5: 85BB69BA630BF3416C244A292BCF4907
SHA256: 2A5F2DE11A35132A654DA679E517F7A777C49A8BD28D6C3608659F6BC4950611
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 6
DNS requests: 2
Threats: 6

HTTP requests

PID: 3348
Process: wscript.exe
Method: POST
IP: 204.95.99.86:4442
URL: http://microsoftsystem.sytes.net:4442/is-ready
CN: US
Reputation: unknown

PID: 3348
Process: wscript.exe
Method: POST
IP: 204.95.99.86:4442
URL: http://microsoftsystem.sytes.net:4442/is-ready
CN: US
Reputation: unknown

Connections

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 1080
Process: svchost.exe
IP: 224.0.0.252:5355
Reputation: unknown

PID: 3348
Process: wscript.exe
IP: 204.95.99.86:4442
Domain: microsoftsystem.sytes.net
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

DNS requests

Domain: microsoftsystem.sytes.net
IP: 204.95.99.86
Reputation: unknown

Domain: dns.msftncsi.com
IP: 131.107.255.255
Reputation: shared

Threats

PID: 1080
Process: svchost.exe
Class: Potentially Bad Traffic
Message: ET INFO DYNAMIC_DNS Query to a *.sytes.net Domain

PID: 1080
Process: svchost.exe
Class: A Network Trojan was detected
Message: ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain

PID: 3348
Process: wscript.exe
Class: Potentially Bad Traffic
Message: ET INFO DYNAMIC_DNS HTTP Request to a *.sytes.net Domain

PID: 3348
Process: wscript.exe
Class: Malware Command and Control Activity Detected
Message: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1

PID: 3348
Process: wscript.exe
Class: Malware Command and Control Activity Detected
Message: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
1 ETPRO signatures available at the full report
No debug info