File name: R000_24531.vbe
Full analysis: https://app.any.run/tasks/b2eb0152-45d3-42c9-b6d8-2cb8445453f3
Verdict: Malicious activity
Analysis date: June 19, 2019, 15:30:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: 762B7643CC3E1B676D9DDBF7AADC10D3
SHA1: 6C1CC7AFBC6DCF01FC4A896D4E609F8481B96990
SHA256: 39EA694ED35A2A1CC6E9CDF37006827A9EAF60199ABF8FE8EE0CFAA19FA9E1F8
SSDEEP: 48:WyMUmw7jawbkAMTMTMTMTMTMTMTMTMTMTMTMTMTMTMTMTMTMTMTMTMTMTMToHoHW:WTY7ObZjvVa4AS7KKeHt8Xre

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes settings of System certificates
      • WScript.exe (PID: 3948)
  • SUSPICIOUS
    • Adds / modifies Windows certificates
      • WScript.exe (PID: 3948)
    • Executed via COM
      • DllHost.exe (PID: 940)
  • INFO
    • Manual execution by user
      • WINWORD.EXE (PID: 1520)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 1520)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 1520)
No Malware configuration.
No data.
Total processes: 36
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph (rendered graph not reproduced; nodes shown): start, wscript.exe, winword.exe (no specs), PhotoViewer.dll (no specs)

Process information

PID: 3948
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\R000_24531.vbe"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385

PID: 1520
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\stepmoving.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 940
CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 808
Read events: 713
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 0
Suspicious files: 0
Text files: 2
Unknown types: 4

Dropped files

PID: 1520
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR7BAB.tmp.cvr
Type:
MD5:
SHA256:

PID: 1520
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{18D980B0-D195-4D45-BFDB-5A393359AFD9}.tmp
Type:
MD5:
SHA256:

PID: 1520
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EFEFE9E5-428B-4056-BE86-56BF44E89CA4}.tmp
Type:
MD5:
SHA256:

PID: 1520
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: 01517419910BD256AB3C31C6F7FF9296
SHA256: BD978BF5CECF2AEE6ED2555CF916AEF55E03CBAED122D42692CA10D9D1C5B002

PID: 1520
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\stepmoving.rtf.LNK
Type: lnk
MD5: DB36391065E12F63427995B384F853D1
SHA256: 0B92EBE39A5B49D2A1A444B6ADAF1E63406F966E606A536D4D568AB485C78F41

PID: 1520
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: text
MD5: CB5B106B51FF82107C3A059442617598
SHA256: 6C753DB35AFFF1D1C50CA93ADA65EC8AC3B29735E9CDDCA69257A93AD28877C4

PID: 1520
Process: WINWORD.EXE
Filename: C:\Users\admin\Desktop\~$epmoving.rtf
Type: pgc
MD5: 0B147BB4CEB983EA42D749BCB1018A58
SHA256: 036E6907973A12B8F7B98BE35AA52BD800FB4B7E153F96F2A432F79EAF601554
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 3948
Process: WScript.exe
IP: 185.101.93.178:443
Domain: lulipcxulci.info
ASN: Mike Kaldig
CN: DE
Reputation: unknown

DNS requests

Domain: lulipcxulci.info
IP: 185.101.93.178
Reputation: unknown

Threats

No threats detected
No debug info