File name: 4367890.vbs
Full analysis: https://app.any.run/tasks/09dffa73-6c4e-4e45-8c17-953fd93b13ba
Verdict: Malicious activity
Analysis date: July 17, 2019, 11:33:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: E1C6D573CEBA72B370AF196E1A101C74
SHA1: 22AFE80B7EA144156C6ADF495066A3A8C4177186
SHA256: 309507165C7176DE0C8866B422FC4567EFF8541B9E34B9717EE34C538A31AE08
SSDEEP: 192:2D/+o4XMLoUNF4pfAwb8MSaVN8fItX7P61yOe8ss/tUnh/K2Z4fyO:2LroUNSrSm2md5dQwtK26fyO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executes scripts

      • WScript.exe (PID: 3876)
    • Application launched itself

      • WScript.exe (PID: 3876)
    • Executes application which crashes

      • WScript.exe (PID: 608)
  • INFO

    • Manual execution by user

      • explorer.exe (PID: 3796)
      • ntvdm.exe (PID: 3556)
      • Notepad.exe (PID: 1708)
No Malware configuration.
No data.
Total processes: 47
Monitored processes: 6
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Process nodes shown in the graph, in display order: start, wscript.exe, wscript.exe, ntvdm.exe, explorer.exe, ntvdm.exe, notepad.exe (all but the second wscript.exe are marked "no specs" in the graph).

Process information

PID 3876
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\4367890.vbs"
Path: C:\Windows\System32\WScript.exe
Indicators: none
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID 608
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\salida.vbs"
Path: C:\Windows\System32\WScript.exe
Indicators: none
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID 3016
CMD: "C:\Windows\system32\ntvdm.exe" -i1
Path: C:\Windows\system32\ntvdm.exe
Indicators: none
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: NTVDM.EXE
Exit code: 3221225477
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3796
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Indicators: none
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3556
CMD: "C:\Windows\system32\ntvdm.exe" -i2
Path: C:\Windows\system32\ntvdm.exe
Indicators: none
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: NTVDM.EXE
Exit code: 3221225477
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1708
CMD: "C:\Windows\System32\Notepad.exe" C:\Users\admin\AppData\Local\Temp\salida.vbs
Path: C:\Windows\System32\Notepad.exe
Indicators: none
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: (not recorded)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 497
Read events: 493
Write events: 4
Delete events: 0

Modification events

(PID) Process: (3876) WScript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (3876) WScript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1
Executable files: 0
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID 3016 (ntvdm.exe): C:\Users\admin\AppData\Local\Temp\scsFB0A.tmp
Type: (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

PID 3016 (ntvdm.exe): C:\Users\admin\AppData\Local\Temp\scsFB0B.tmp
Type: (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

PID 3556 (ntvdm.exe): C:\Users\admin\AppData\Local\Temp\scs7F7C.tmp
Type: (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

PID 3556 (ntvdm.exe): C:\Users\admin\AppData\Local\Temp\scs7F7D.tmp
Type: (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

PID 3876 (WScript.exe): C:\Users\admin\AppData\Local\Temp\salida.vbs
Type: text
MD5: C001E502D34EB0059B9EA59923607538
SHA256: F38713A735799DCDA7750B7271FE8C4020700D23766CBA50F4E8B1ED70691C06

PID 608 (WScript.exe): C:\Users\admin\AppData\Local\Temp\ouwrj.exe
Type: html
MD5: 535563F2390BBDEC35A96E3B7E26D327
SHA256: 589FC031A88A92DE318718377A07BD28F86A9FC8D8754CE57C0A9FE50AADBE22
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID: 608
Process: WScript.exe
Method: GET
HTTP Code: 404
IP: 67.23.226.159:80
URL: http://aminvali.ca/FB_counterADC28675BA.php
CN: US
Type: html
Size: 10.3 Kb
Reputation: malicious

Connections

PID: 608
Process: WScript.exe
IP: 67.23.226.159:80
Domain: aminvali.ca
ASN: HostDime.com, Inc.
CN: US
Reputation: suspicious

DNS requests

Domain: aminvali.ca
IP: 67.23.226.159
Reputation: malicious

Threats

1 ETPRO signature matched (signature details not included in this report).

No debug info