File name:

urus.vbs

Full analysis: https://app.any.run/tasks/eb2481af-3aef-4cd6-832d-484531de89cd
Verdict: Malicious activity
Analysis date: November 15, 2024, 18:29:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (6177), with CRLF line terminators
MD5:

25DE5FE745E57DB4651B5F94E304BDFA

SHA1:

4D9FA4D21D15CC0C03D854231BD70D282372BF8F

SHA256:

407E0C29AFA9D348AE940F3AF63265C1625C48E9A721DB9E8EBF152896747188

SSDEEP:

96:0aEGrT5eQzzLjhYiHsE6lH1CHeWO8gjRNtjOY8GmT:fE2TV/5YiRgHaeN8gjv7mT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Creates a new folder (SCRIPT)

      • wscript.exe (PID: 4060)

    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 4060)

  • SUSPICIOUS

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 4060)

    • Saves data to a binary file (SCRIPT)

      • wscript.exe (PID: 4060)

    • Executable content was dropped or overwritten

      • wscript.exe (PID: 4060)

    • Connects to unusual port

      • veZkNElXSz.exe (PID: 5400)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 4060)

    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • wscript.exe (PID: 4060)

    • Writes binary data to a Stream object (SCRIPT)

      • wscript.exe (PID: 4060)

    • Reads security settings of Internet Explorer

      • veZkNElXSz.exe (PID: 5400)

  • INFO

    • Checks supported languages

      • veZkNElXSz.exe (PID: 5400)

    • Reads the computer name

      • veZkNElXSz.exe (PID: 5400)

    • The process uses the downloaded file

      • wscript.exe (PID: 4060)

    • Checks proxy server information

      • veZkNElXSz.exe (PID: 5400)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
123
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe vezknelxsz.exe

Process information

PID
CMD
Path
Indicators
Parent process
4060"C:\WINDOWS\System32\WScript.exe" C:\Users\admin\Desktop\urus.vbsC:\Windows\System32\wscript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5400"C:\Users\admin\AppData\Local\Temp\radB28EF.tmp\veZkNElXSz.exe" C:\Users\admin\AppData\Local\Temp\radB28EF.tmp\veZkNElXSz.exe
wscript.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\radb28ef.tmp\vezknelxsz.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\wininet.dll
Total events
817
Read events
817
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
4060wscript.exeC:\Users\admin\AppData\Local\Temp\radB28EF.tmp\veZkNElXSz.exeexecutable
MD5:08222BE7ADE4E01FE009AC64B3993A66
SHA256:FE16BC0DF484E6D013469CB08537AAF2B3D873AEFE66262B445C9B8429F73A49
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
37
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5488
MoUsoCoreWorker.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4292
RUXIMICS.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6944
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6944
svchost.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4292
RUXIMICS.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4292
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.204.152:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5400
veZkNElXSz.exe
89.197.154.116:7810
Virtual1 Limited
GB
unknown
5488
MoUsoCoreWorker.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6944
svchost.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4292
RUXIMICS.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
www.bing.com
  • 2.16.204.152
  • 2.16.204.146
  • 2.16.204.134
  • 2.16.204.160
  • 2.16.204.157
  • 2.16.204.158
  • 2.16.204.138
  • 2.16.204.145
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
self.events.data.microsoft.com
  • 20.50.201.201
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
urus.vbs