analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

temp.vbs

Full analysis: https://app.any.run/tasks/cffc1599-4892-4b13-85a9-7719eb1e24db
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 11, 2019, 14:34:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
netsupport
unwanted
Indicators:
MIME: text/plain
File info: UTF-8 Unicode text, with CRLF line terminators
MD5:

B4A5EDCF8BBD2415F41E412CC72DA63C

SHA1:

63E1419BF665FF621E2C7F149A32CC84DDD71728

SHA256:

590AB0DAE68CE55E1551B1227ADE50B16EAE76059A49B3EEAE05AD4C793AE791

SSDEEP:

192:UsVJ7dgJYI34bNx/gsY49gQm/729g32bjeikHIBkVKokCxo4kIWRkFn7vvvtvrve:5VJ76J734pxTfeikHIBkVKokio4kIWR/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • temp50.exe (PID: 3016)
      • WinSupport.exe (PID: 2596)
      • KB24115436.exe (PID: 2460)
      • client32.exe (PID: 3776)
    • Loads dropped or rewritten executable

      • client32.exe (PID: 3776)
    • Downloads executable files from the Internet

      • WScript.exe (PID: 3028)
    • Downloads executable files from IP

      • WScript.exe (PID: 3028)
    • Writes to a start menu file

      • WinSupport.exe (PID: 2596)
    • Connects to CnC server

      • client32.exe (PID: 3776)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • temp50.exe (PID: 3016)
      • KB24115436.exe (PID: 2460)
      • WScript.exe (PID: 3028)
      • WinSupport.exe (PID: 2596)
    • Uses ATTRIB.EXE to modify file attributes

      • temp50.exe (PID: 3016)
    • Reads Internet Cache Settings

      • client32.exe (PID: 3776)
    • Creates files in the user directory

      • KB24115436.exe (PID: 2460)
      • WinSupport.exe (PID: 2596)
    • Connects to server without host name

      • client32.exe (PID: 3776)
  • INFO

    • Drop NetSupport executable file

      • WinSupport.exe (PID: 2596)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
6
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start wscript.exe temp50.exe attrib.exe no specs kb24115436.exe winsupport.exe client32.exe

Process information

PID
CMD
Path
Indicators
Parent process
3028"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\temp.vbs"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3016"C:\Users\admin\AppData\Local\Temp\temp50.exe" C:\Users\admin\AppData\Local\Temp\temp50.exe
WScript.exe
User:
admin
Company:
Piriform Ltd
Integrity Level:
MEDIUM
Description:
CCleaner
Exit code:
0
Version:
4, 11, 00, 4619
3492attrib +h +s C:\TempC:\Windows\system32\attrib.exetemp50.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2460"C:\Temp\KB24115436.exe"C:\Temp\KB24115436.exe
temp50.exe
User:
admin
Company:
Qihoo 360 Technology Co. Ltd.
Integrity Level:
MEDIUM
Description:
360 Total Security
Exit code:
0
Version:
10,0,0,1160
2596"C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport.exe" -pjf74idDC:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport.exe
KB24115436.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3776"C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.exe" C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.exe
WinSupport.exe
User:
admin
Company:
NetSupport Ltd
Integrity Level:
MEDIUM
Description:
NetSupport Client Application
Version:
V12.10
Total events
2 779
Read events
2 717
Write events
0
Delete events
0

Modification events

No data
Executable files
49
Suspicious files
8
Text files
3
Unknown types
1

Dropped files

PID
Process
Filename
Type
2596WinSupport.exeC:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\clhook4.dllexecutable
MD5:6F787B2A2930EF76C468EE410ADC86A3
SHA256:47E7C7C11B8A8FAB19F4F30C2F023B741E6057190B80A928E48D37AF0E08AD16
3028WScript.exeC:\Users\admin\AppData\Local\Temp\temp50.exeexecutable
MD5:B4C837B395483E5F430D00000B1D4C31
SHA256:3F47F2175F27C02C36E7AA9FD485EF30BB03531E3C0F5D176F727E46B3A80C72
2596WinSupport.exeC:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\gdihook5.sysexecutable
MD5:85ED5E4FA9A8B4776FA82B8BEF5F2791
SHA256:044F4A62B98A132DE1F752FB33D654640D09221E74EBE1C062E6A276D22E5B69
2460KB24115436.exeC:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport.exeexecutable
MD5:94CC7202EE76E7D650414EDE964EBD9B
SHA256:195E3D2424AB364EDCE6F54CCC3D21641CC6B3323CE01358951E98A064D8E85D
2596WinSupport.exeC:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\IPCTL32.DLLexecutable
MD5:67184A4406F5ECB71C21583987038708
SHA256:E70CB83658B4FB9F7266CCF528219C835F0EFBE5E06872D4F5FAD8CD496B71F2
2596WinSupport.exeC:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\CryptPak.dllexecutable
MD5:92FD46BD92D218EE3F1E800C1C5DAEF8
SHA256:7E6616F762AB9F9850090D1C89507D2851222CFA1FF66982F84AC214C6FDE570
3016temp50.exeC:\Temp\KB24115436.exeexecutable
MD5:29B47D1F3D4417B4E50E5B1C0005298B
SHA256:AACADF7B3BFC2AC8A9A342E5372C77218EFA9C67602C3A15441094170A5F52D4
2596WinSupport.exeC:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\gdihook5.dllexecutable
MD5:367A4E8F632F0F1D05B8AB9922DAB331
SHA256:8423C1BE72387638C0143B8BC0EDC91A9F4AD7262AF8BAEC1C2464EC45BE98A0
2596WinSupport.exeC:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.initext
MD5:182318FA51DB5DAA7008F8ED91F3FDA9
SHA256:00C60D416C139F841E1BE8A1F5469C7747A62A78CCAC4AFF82B4B9EE4B2BEF33
2596WinSupport.exeC:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\DBI.EXEexecutable
MD5:5D64121AB6415EC11EFFBD6D6761D46A
SHA256:689FACAF0E03034C42BE4A4473E806BCD5272A40D7CF4E8B09083FFF8744F278
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
22
TCP/UDP connections
6
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3028
WScript.exe
GET
404
45.12.215.157:80
http://45.12.215.157/images/2.jpg
unknown
html
716 b
suspicious
3028
WScript.exe
GET
404
45.12.215.157:80
http://45.12.215.157/images/2.jpg
unknown
html
716 b
suspicious
3028
WScript.exe
GET
404
45.12.215.157:80
http://45.12.215.157/images/4.jpg
unknown
html
716 b
suspicious
3028
WScript.exe
GET
404
45.12.215.157:80
http://45.12.215.157/images/2.jpg
unknown
html
716 b
suspicious
3028
WScript.exe
GET
404
45.12.215.157:80
http://45.12.215.157/images/3.jpg
unknown
html
716 b
suspicious
3028
WScript.exe
GET
200
45.12.215.157:80
http://45.12.215.157/images/1.jpg
unknown
executable
2.64 Mb
suspicious
3028
WScript.exe
GET
404
45.12.215.157:80
http://45.12.215.157/images/3.jpg
unknown
html
716 b
suspicious
3028
WScript.exe
GET
404
45.12.215.157:80
http://45.12.215.157/images/2.jpg
unknown
html
716 b
suspicious
3028
WScript.exe
GET
404
45.12.215.157:80
http://45.12.215.157/images/5.jpg
unknown
html
716 b
suspicious
3028
WScript.exe
GET
404
45.12.215.157:80
http://45.12.215.157/images/4.jpg
unknown
html
716 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3776
client32.exe
195.171.92.116:80
geo.netsupportsoftware.com
British Telecommunications PLC
GB
suspicious
3016
temp50.exe
185.212.130.9:443
avheaven.icu
Virtual Trade Ltd
NL
malicious
3776
client32.exe
5.45.73.63:4151
Serverius Holding B.V.
NL
suspicious
3028
WScript.exe
45.12.215.157:80
suspicious

DNS requests

Domain
IP
Reputation
avheaven.icu
  • 185.212.130.9
malicious
geo.netsupportsoftware.com
  • 195.171.92.116
  • 62.172.138.35
suspicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
3028
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
3028
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
3028
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3028
WScript.exe
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
3028
WScript.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3028
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .icu Domain
3016
temp50.exe
Potentially Bad Traffic
ET INFO Suspicious Domain (*.icu) in TLS SNI
3016
temp50.exe
Potentially Bad Traffic
ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.icu)
3776
client32.exe
A Network Trojan was detected
SUSPICIOUS [PTsecurity] NetSupport Remote Admin
15 ETPRO signatures available at the full report
No debug info