analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

QH5804-HEL-140039.vbs

Full analysis: https://app.any.run/tasks/33e5132a-e490-40b0-afde-95114ef37d3e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: March 14, 2019, 16:05:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
evasion
Indicators:
MIME: text/plain
File info: Non-ISO extended-ASCII text, with very long lines
MD5:

AB35F39CA85C2F866251A2FBBE8B9D73

SHA1:

45A7DA529ACA82183B336C1E4CAAF16ED9934082

SHA256:

2CE8E6B82A9270B353757E5F2B36886EE3255A0513EFF843E00A0EFC734976BC

SSDEEP:

3072:sCdSv1/nFxXq9tw6xozhB6GJ20bb5gIi3KBd4AfIG2hfmLzumNAJGU6:sGA1/nvXq9ts1Qwh5P3BV2V1doU6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • x.exe (PID: 2348)
      • x.exe (PID: 2220)
      • x.exe (PID: 2188)

    • Downloads executable files from the Internet

      • WScript.exe (PID: 3008)

    • Stops/Deletes Windows Defender service

      • cmd.exe (PID: 3752)
      • cmd.exe (PID: 3688)
      • cmd.exe (PID: 2304)
      • cmd.exe (PID: 2252)

    • Known privilege escalation attack

      • DllHost.exe (PID: 3180)

    • Loads the Task Scheduler COM API

      • x.exe (PID: 2220)
      • x.exe (PID: 2188)

    • Changes settings of System certificates

      • x.exe (PID: 2188)

  • SUSPICIOUS

    • Creates files in the user directory

      • x.exe (PID: 2348)
      • powershell.exe (PID: 3052)
      • powershell.exe (PID: 3952)
      • x.exe (PID: 2188)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3008)
      • x.exe (PID: 2348)

    • Executes PowerShell scripts

      • cmd.exe (PID: 3836)
      • cmd.exe (PID: 2464)

    • Starts CMD.EXE for commands execution

      • x.exe (PID: 2348)
      • x.exe (PID: 2220)

    • Checks for external IP

      • x.exe (PID: 2188)

    • Adds / modifies Windows certificates

      • x.exe (PID: 2188)

    • Creates files in the program directory

      • x.exe (PID: 2188)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
55
Monitored processes
17
Malicious processes
5
Suspicious processes
4

Behavior graph

Click at the process to see the details
drop and start start wscript.exe x.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs sc.exe no specs powershell.exe no specs CMSTPLUA no specs x.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs sc.exe no specs powershell.exe no specs x.exe

Process information

PID
CMD
Path
Indicators
Parent process
3008"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\QH5804-HEL-140039.vbs"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2348C:\Users\admin\AppData\Local\Temp\x.exeC:\Users\admin\AppData\Local\Temp\x.exe
WScript.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3688/c sc stop WinDefendC:\Windows\system32\cmd.exex.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
5
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3752/c sc delete WinDefendC:\Windows\system32\cmd.exex.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
5
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3836/c powershell Set-MpPreference -DisableRealtimeMonitoring $trueC:\Windows\system32\cmd.exex.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2996sc delete WinDefendC:\Windows\system32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2988sc stop WinDefendC:\Windows\system32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3052powershell Set-MpPreference -DisableRealtimeMonitoring $trueC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3180C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2220"C:\Users\admin\AppData\Roaming\wnetwork\x.exe" C:\Users\admin\AppData\Roaming\wnetwork\x.exeDllHost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Total events
945
Read events
818
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
8
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
3052powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H0HJPVDKQTN9Y1WO7LH5.temp
MD5:
SHA256:
3952powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UDWJBTSWHL28764Q5RT1.temp
MD5:
SHA256:
3952powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1b3620.TMPbinary
MD5:0586DB8FF5249AD980CEC7BF2CBC3708
SHA256:DF93E043BDFAB9E6C36B353985E621A7A276756B52877AACDC5F36517009B4E2
3052powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:0586DB8FF5249AD980CEC7BF2CBC3708
SHA256:DF93E043BDFAB9E6C36B353985E621A7A276756B52877AACDC5F36517009B4E2
3052powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1b0a2e.TMPbinary
MD5:0586DB8FF5249AD980CEC7BF2CBC3708
SHA256:DF93E043BDFAB9E6C36B353985E621A7A276756B52877AACDC5F36517009B4E2
2220x.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2fbinary
MD5:81EAC72C86572C0D87B29F28794762DE
SHA256:D3952066B97F8EBE7E9FB5E9923ED89B1CFF5B4A8CC8EB17C58E7930F6EA3190
2188x.exeC:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_90059c37-1320-41a4-b58d-2b75a9850d2fbinary
MD5:7C7D9BE3576493265BDDF90BA5DA1963
SHA256:ED8E8E411D530BB122DF9A806563B4A4C228893801EFABC603821379C921963B
3952powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:0586DB8FF5249AD980CEC7BF2CBC3708
SHA256:DF93E043BDFAB9E6C36B353985E621A7A276756B52877AACDC5F36517009B4E2
2348x.exeC:\Users\admin\AppData\Roaming\wnetwork\x.exeexecutable
MD5:1B2AA570C6948FBF049CC46F814A4164
SHA256:77AA1C5B69B9514C852DDA17080B2DCEB725B5C9FE7D38D26AEC03BC3A5A99F4
3008WScript.exeC:\Users\admin\AppData\Local\Temp\x.exeexecutable
MD5:1B2AA570C6948FBF049CC46F814A4164
SHA256:77AA1C5B69B9514C852DDA17080B2DCEB725B5C9FE7D38D26AEC03BC3A5A99F4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
4
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3008
WScript.exe
GET
200
185.201.11.230:80
http://ministere-elshaddai.org/99208_929_991.php
DE
executable
521 Kb
suspicious
2188
x.exe
GET
302
216.239.32.21:80
http://ipecho.net/plain
US
text
46 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2188
x.exe
216.239.32.21:80
ipecho.net
Google Inc.
US
whitelisted
2188
x.exe
216.239.32.21:443
ipecho.net
Google Inc.
US
whitelisted
2188
x.exe
195.123.246.121:443
UA
suspicious
3008
WScript.exe
185.201.11.230:80
ministere-elshaddai.org
KVCHOSTING.COM LLC
DE
suspicious

DNS requests

Domain
IP
Reputation
ministere-elshaddai.org
  • 185.201.11.230
suspicious
ipecho.net
  • 216.239.32.21
  • 216.239.34.21
  • 216.239.36.21
  • 216.239.38.21
shared

Threats

PID
Process
Class
Message
3008
WScript.exe
Misc activity
ET INFO Packed Executable Download
3008
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3008
WScript.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2188
x.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup - ipecho.net
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
QH5804-HEL-140039.vbs