File name: PO21784.vbs
Full analysis: https://app.any.run/tasks/5f2bc175-9822-47a6-ba11-69bc84966fcf
Verdict: Malicious activity
Analysis date: April 01, 2023, 07:34:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: F6102E107CE1871B1CF37ADE3F5462E0
SHA1: FEB7B5A6689F667D3F6177DB11AB1B87FD8939A8
SHA256: 644BA0805C354CC940CAF1AA3EC0B62A1D9328FC214F84199ECB619093FCCE1F
SSDEEP: 12288:mcWIjpvyMr/Rp2YGRchrMNLXFvvfwyQNJzsQ9xmhqJJrotcXeVB:R93/aCZM3AVDsC+CJ2cXqB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • wscript.exe (PID: 1588)
    • Unusual connection from system programs

      • wscript.exe (PID: 1588)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1740)
    • Uses Task Scheduler to run other applications

      • jsc.exe (PID: 1072)
    • Application was dropped or rewritten from another process

      • jsc.exe (PID: 1072)
      • jsc.exe (PID: 2520)
      • jsc.exe (PID: 2544)
  • SUSPICIOUS

    • Reads the Internet Settings

      • wscript.exe (PID: 1588)
      • jsc.exe (PID: 1072)
      • jsc.exe (PID: 2544)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2040)
    • Executing commands from ".cmd" file

      • wscript.exe (PID: 1588)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 1588)
    • The process executes Powershell scripts

      • cmd.exe (PID: 2040)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 2704)
      • jsc.exe (PID: 1072)
    • Application launched itself

      • jsc.exe (PID: 1072)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • jsc.exe (PID: 2544)
    • Reads settings of System Certificates

      • jsc.exe (PID: 2544)
    • Connects to unusual port

      • jsc.exe (PID: 2544)
  • INFO

    • Checks proxy server information

      • wscript.exe (PID: 1588)
    • Create files in a temporary directory

      • wscript.exe (PID: 1588)
      • powershell.exe (PID: 1740)
      • cvtres.exe (PID: 2904)
      • csc.exe (PID: 2704)
      • jsc.exe (PID: 1072)
    • The process checks LSA protection

      • powershell.exe (PID: 1740)
      • csc.exe (PID: 2704)
      • cvtres.exe (PID: 2904)
      • jsc.exe (PID: 1072)
      • jsc.exe (PID: 2544)
    • Checks supported languages

      • dw20.exe (PID: 2500)
      • jsc.exe (PID: 1072)
      • CasPol.exe (PID: 892)
      • MSBuild.exe (PID: 2160)
      • csc.exe (PID: 2704)
      • dw20.exe (PID: 2492)
      • cvtres.exe (PID: 2904)
      • jsc.exe (PID: 2544)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 1740)
    • Reads the computer name

      • jsc.exe (PID: 1072)
      • dw20.exe (PID: 2500)
      • dw20.exe (PID: 2492)
      • jsc.exe (PID: 2544)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 2704)
      • cvtres.exe (PID: 2904)
      • jsc.exe (PID: 1072)
      • jsc.exe (PID: 2544)
    • Creates files or folders in the user directory

      • jsc.exe (PID: 1072)
    • Reads Environment values

      • jsc.exe (PID: 2544)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 13
Malicious processes: 6
Suspicious processes: 0

Behavior graph (interactive graph available in the full report)

Nodes: wscript.exe, cmd.exe (no specs), powershell.exe (no specs), jsc.exe, caspol.exe, msbuild.exe, dw20.exe (no specs), dw20.exe (no specs), csc.exe, cvtres.exe (no specs), schtasks.exe (no specs), jsc.exe (no specs), jsc.exe
Edge labels: start, drop and start

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 1588
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\PO21784.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (images):
c:\windows\system32\wscript.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 2040
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\WindowsServices\EIMBC.cmd" "
Path: C:\Windows\System32\cmd.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
PID: 1740
CMD: PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\admin\AppData\Roaming\WindowsServices\VKLHV.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 1072
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: jsc.exe
Exit code: 0
Version: 14.7.2558.0 built by: NET471REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\jsc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\sspicli.dll
PID: 892
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Framework CAS Policy Manager
Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400)
Modules (images):
c:\windows\microsoft.net\framework\v2.0.50727\caspol.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 2160
CMD: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
Path: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: MSBuild.exe
Version: 3.5.30729.4926 built by: NetFXw7
Modules (images):
c:\windows\microsoft.net\framework\v3.5\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\mscoree.dll
PID: 2492
CMD: dw20.exe -x -s 380
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Parent process: CasPol.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Error Reporting Shim
Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400)
Modules (images):
c:\windows\microsoft.net\framework\v2.0.50727\dw20.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 2500
CMD: dw20.exe -x -s 380
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Parent process: MSBuild.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Error Reporting Shim
Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400)
Modules (images):
c:\windows\microsoft.net\framework\v2.0.50727\dw20.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 2704
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\5yac03qr.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 4.7.2558.0 built by: NET471REL1
Modules (images):
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2904
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES8C72.tmp" "c:\Users\admin\AppData\Local\Temp\CSC587C20BF347C44E9B8243518F58493AE.TMP"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process: csc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 12.00.52519.0 built by: VSWINSERVICING
Modules (images):
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\cryptsp.dll
Total events: 9 206
Read events: 9 128
Write events: 78
Delete events: 0

Modification events

Process: (1588) wscript.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\14C\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (1588) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (1588) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (1588) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (1588) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (1588) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

Process: (1588) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000008B000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (1588) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (1588) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (1072) jsc.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files: 4
Suspicious files: 12
Text files: 14
Unknown types: 12

Dropped files

PID | Process | Filename | Type

1588 | wscript.exe | C:\Users\admin\AppData\Roaming\WindowsServices\VKLHV.ps1 | text
MD5: 99B8AAB394401AEA0C8D90340710BF39
SHA256: F55B7FC6D6E63C57997B1AF93367C53C5361A60170E67856EE945EBEB5B12511

1588 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary
MD5: 24ACB4B63C9EECB9CDB00D1A9F78ADFC
SHA256: 20A96E98DA6FFBE0371131DB64BF62AA70BB54A4EABFC2CAD78688D5CAEB4A92

1588 | wscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsServices.lnk | lnk
MD5: 14F8C0E14F513A638111505D0016CEED
SHA256: D4363F7FCF4435F48FF297EB91C65F5F0C2852BBF332D8ACBDD031F2166CD8BF

1588 | wscript.exe | C:\Users\admin\AppData\Roaming\WindowsServices\EIMBC.cmd | text
MD5: 4214EA0816E30F2A51D9A0D68AACF5F0
SHA256: 3DA6C92FE8B1A0A0051CB6B5820DA5C7DD60DC0F18A4FDF7AE1337AE6E80B432

2704 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC587C20BF347C44E9B8243518F58493AE.TMP | res
MD5: 3C736D84433C655425ED974F4F34F25C
SHA256: D2E2620854C3C471E3146C7550401913A29DB3505389EC334AC803AD613C3665

1740 | powershell.exe | C:\Users\admin\AppData\Local\Temp\5yac03qr.0.cs | text
MD5: D05DB7CA65C16470A87F4C4007E9E026
SHA256: C1412A0D2269B59DF9D6B003B2F82F9479040DAE4C4E12629DB5845A6AC4C960

1588 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A | binary
MD5: 177BABB8173ABF1F9E3C774997794E5A
SHA256: 48CA1DF8836B3B02128CC0CFBD3310D1B0C061C80D78EE768AE38FDFE3185F7D

2904 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES8C72.tmp | o
MD5: 68ECAC8B547D78318665D616872D5EA7
SHA256: 4156B0973EBF4AFFBF447B0AB85C25133557E162B805A6F75F358EF43652BDFC

1740 | powershell.exe | C:\Users\admin\AppData\Local\Temp\5yac03qr.cmdline | text
MD5: 88C4CDD032B404BAC31E1C3A8A380F70
SHA256: 7D005A05B6C1EB8125F7862647E07E991FCCDD6861D2EBB9612E95671856BCE3

2704 | csc.exe | C:\Users\admin\AppData\Local\Temp\5yac03qr.out | text
MD5: 7DD88C35B6455625A47C01F93D64C612
SHA256: 267D73991DC9E4049DC6B0AF42A3E2C6F4B2DA37A769BF5A16CA67B22DD985C3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 5
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1588 | wscript.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635CB039D4329A5E8.crt?7baa789e3f6f1095 | US | der | 1.36 Kb | whitelisted
1588 | wscript.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9dbee7135befa074 | US | compressed | 61.1 Kb | whitelisted
1588 | wscript.exe | GET | 200 | 2.16.186.27:80 | http://apps.identrust.com/roots/dstrootcax3.p7c | unknown | cat | 893 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1588 | wscript.exe | 2.16.186.27:80 | apps.identrust.com | Akamai International B.V. | DE | whitelisted
2544 | jsc.exe | 149.154.167.220:443 | api.telegram.org | Telegram Messenger Inc | GB | malicious
1588 | wscript.exe | 185.157.81.233:443 | pastebin.pl | S-NET Sp. z o.o. | PL | unknown
2544 | jsc.exe | 212.193.30.230:3363 | | Delis LLC | CZ | malicious
1588 | wscript.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted

DNS requests

Domain | IP | Reputation
ctldl.windowsupdate.com | 209.197.3.8 | whitelisted
pastebin.pl | 185.157.81.233 | malicious
apps.identrust.com | 2.16.186.27, 2.16.186.10 | shared
api.telegram.org | 149.154.167.220 | shared

Threats

PID | Process | Class | Message
1588 | wscript.exe | Unknown Traffic | ET JA3 Hash - [Abuse.ch] Possible Tofsee
| | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup
2544 | jsc.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
2544 | jsc.exe | Misc activity | ET HUNTING Telegram API Certificate Observed
No debug info