File name:	Listofrequireditemsandservicespdf.vbs
Full analysis:	https://app.any.run/tasks/0ad318d2-7890-4994-bded-2da034e460ce
Verdict:	Malicious activity
Analysis date:	December 09, 2024, 12:51:16
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	text/plain
File info:	ASCII text, with very long lines (2809), with CRLF line terminators
MD5:	6A1532E54AB9FEDB82542F991006757B
SHA1:	65DA5DF89D4AB96B3CF60FB672AB95457D820F76
SHA256:	69B5E12BF204755BCA90DDD93646D41111E90C6FFC1E3B2F84D6070FA780C4AC
SSDEEP:	48:Ehw0jDA4iPqN4I4QdqFAg444dXAcOdu4d/Cku2OiQl:0IJQ42vRopsv


(PID) Process:	(3984) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:	write	Name:	VBSFile
Value:
(PID) Process:	(3984) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsx\OpenWithProgids
Operation:	write	Name:	Excel.Sheet.12
Value:
(PID) Process:	(3984) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:	write	Name:	{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF
Value: 0100000000000000C2D9C71B394ADB01
(PID) Process:	(1596) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	1
Value: 01D014000000001000B24E9A3E02000000000000000600000000000000
(PID) Process:	(1596) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\1596
Operation:	write	Name:	0
Value: 0B0E10688B4C6DA7C4504B875400E102FE75B9230046D4B3F0FE91C7D2ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511BC0CD2120965007800630065006C002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:	(1596) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 2
(PID) Process:	(1596) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	de-de
Value: 2
(PID) Process:	(1596) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	fr-fr
Value: 2
(PID) Process:	(1596) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	es-es
Value: 2
(PID) Process:	(1596) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	it-it
Value: 2

PID	Process	Filename		Type
5752	powershell.exe	C:\Users\admin\AppData\Roaming\Pharmacists201.Str		text
		MD5:DBC57B25AD339954CEB6C4FED816E2A1	SHA256:5F7AD2BAFBD491F7CD57D84B036CFA1A4DC1875FF66904FABB6DEE7FCD99A7A8
5752	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_y1yullb0.vza.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3984	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uvowpgov.jqc.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3984	powershell.exe	C:\Users\Public\o3mg9qzu.vbs		text
		MD5:8B310411B49580AE8D67A2ED916BAD17	SHA256:3CF4BCB55CD5A352B25C180ACCE977E652863D8ED09D07335AED81DBC56520F2
3984	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lay2l3g3.ynm.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1596	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\82EC0184-6B51-4F1D-9BFD-2997B36B3A07		xml
		MD5:4EDAD0FE264DFF95851824E3266DCCDA	SHA256:7DE1854ACC89E8835CC7D9F7F10DB7A0667638F4C313E5FAF7B25C729727686B
1596	EXCEL.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\vp2cdieg91bq58j.xlsx.LNK		binary
		MD5:35E1029FE6A783308A779D396386DD27	SHA256:4E0B3FA725C04E4247635B9C1055F3F9EEB2371598DE70CC105DF4EBB9A390D3
1596	EXCEL.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		text
		MD5:8576C475F70564BF47A4E964C1028C4F	SHA256:D86F23D0DB736C01DD3658C3ACA6B4A275E1661E85E05FEE784E634C3C197451
1596	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres		binary
		MD5:0A9DA8DEE916C714E76C011A6710BBE1	SHA256:FAFE9303E819236C47E4D02D2E50A48F6B03489BC8C4B02840C405DBF51893E7
1596	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStoreV3\Excel\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.S		binary
		MD5:1E9F98CD8DA537DB507684D8C3F8BC17	SHA256:39C203D7B1AEA8CC6FA3E636A011BA26297AEEA2369D72636ED5723F619962EE

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	POST	200	13.89.179.11:443	https://self.events.data.microsoft.com/OneCollector/1.0/	US	—	—	whitelisted
—	—	GET	200	52.123.243.209:443	https://ecs.office.com/config/v2/Office/excel/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=excel.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b6D4C8B68-C4A7-4B50-8754-00E102FE75B9%7d&LabMachine=false	US	binary	370 Kb	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	1.01 Kb	whitelisted
4308	svchost.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	1.01 Kb	whitelisted
—	—	GET	200	107.161.23.150:443	https://www.astenterprises.com.pk/it/it.vbs	US	—	—	unknown
—	—	POST	200	20.42.73.30:443	https://self.events.data.microsoft.com/OneCollector/1.0/	US	binary	10 b	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.19.217.218:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	NL	binary	973 b	whitelisted
—	—	GET	200	52.109.28.46:443	https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3	GB	xml	177 Kb	whitelisted
4308	svchost.exe	GET	200	2.19.217.218:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	NL	binary	973 b	whitelisted
—	—	GET	200	209.124.66.28:443	https://www.puneet.ae/it/Kontrastrigt.mso	US	text	429 Kb	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4308	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4308	svchost.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	2.19.217.218:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4308	svchost.exe	2.19.217.218:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
3984	powershell.exe	107.161.23.150:443	www.astenterprises.com.pk	RAMNODE	US	unknown

Domain	IP	Reputation
google.com	142.250.185.110	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	2.19.217.218	whitelisted
www.astenterprises.com.pk	107.161.23.150	unknown
settings-win.data.microsoft.com	20.73.194.208	whitelisted
www.puneet.ae	209.124.66.28	unknown
www.fornid.com	93.95.216.175	unknown
officeclient.microsoft.com	52.109.28.46	whitelisted
ecs.office.com	52.123.243.202 52.123.224.66 52.123.243.209	whitelisted
messaging.lifecycle.office.com	52.111.236.4	whitelisted

General Info

Listofrequireditemsandservicespdf.vbs

6A1532E54AB9FEDB82542F991006757B

65DA5DF89D4AB96B3CF60FB672AB95457D820F76

69B5E12BF204755BCA90DDD93646D41111E90C6FFC1E3B2F84D6070FA780C4AC

48:Ehw0jDA4iPqN4I4QdqFAg444dXAcOdu4d/Cku2OiQl:0IJQ42vRopsv

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executes malicious content triggered by hijacked COM objects (POWERSHELL)

SUSPICIOUS

Runs shell command (SCRIPT)

Uses WMIC.EXE to obtain physical disk drive information

Likely accesses (executes) a file from the Public directory

The process executes VB scripts

Downloads file from URI via Powershell

Reads data from a binary Stream object (SCRIPT)

Starts POWERSHELL.EXE for commands execution

Gets or sets the security protocol (POWERSHELL)

Starts process via Powershell

Uses base64 encoding (POWERSHELL)

Uses sleep to delay execution (POWERSHELL)

Converts a specified value to a byte (POWERSHELL)

INFO

The process uses the downloaded file

Reads security settings of Internet Explorer

Disables trace logs

Creates or changes the value of an item property via Powershell

Uses string split method (POWERSHELL)

Checks proxy server information

Converts byte array into ASCII string (POWERSHELL)

Script raised an exception (POWERSHELL)

Gets data length (POWERSHELL)

Manual execution by a user

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings