File name:	Nuovo documento 2.vbs
Full analysis:	https://app.any.run/tasks/3606bbf1-9f62-42fe-9523-882fb54e395d
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	February 18, 2020, 09:32:34
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	loader opendir
Indicators:
MIME:	text/plain
File info:	ASCII text, with very long lines
MD5:	834F9F8690B3A21D51088A2FD1B04344
SHA1:	762A473B3B05E5B7FE9B2D2D6DCA3B89C70E6517
SHA256:	7867EF48CF88BD6F3EC0F1C811623F90FB272AEF5376BEF616BC1946D3C0DA99
SSDEEP:	49152:pwmMC1UqYRkWPwUzM2rN63RKmhKwlbO9VRZhd4aPxlJlDVMu4JVg/aY/9ItIMQOM:m


(PID) Process:	(876) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0C8E4BF2-7AA8-4798-9BBB-3767F5B9E79A}
Operation:	write	Name:	Path
Value: \JqTsJFBtfxXlXEgXYaZlJqM
(PID) Process:	(876) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0C8E4BF2-7AA8-4798-9BBB-3767F5B9E79A}
Operation:	write	Name:	Hash
Value: CEE3F101B0006DBD26A3BC54FAC7718709E55D54ACCC846D5E188852E087E748
(PID) Process:	(876) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\JqTsJFBtfxXlXEgXYaZlJqM
Operation:	write	Name:	Id
Value: {0C8E4BF2-7AA8-4798-9BBB-3767F5B9E79A}
(PID) Process:	(876) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\JqTsJFBtfxXlXEgXYaZlJqM
Operation:	write	Name:	Index
Value: 3
(PID) Process:	(876) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0C8E4BF2-7AA8-4798-9BBB-3767F5B9E79A}
Operation:	write	Name:	Triggers
Value: 15000000000000000141A00100000000002D39C647E6D5010141A001000000000045465548E6D50178214100484848484659AF35484848480048484848484848004848484848484801000000484848481C00000048484848010500000000000515000000881744E889129CFD800D6733E8030000484848481C0000004848484855005300450052002D00500043005C00610064006D0069006E00000048484848380000004848484858020000100E000080F40300FFFFFFFF07000000000000000000000000000000000000000000000000000000000000000000000000000000DDDD0000000000000141A00100000000002D39C647E6D5010141A001000000000045465548E6D5010000000000000000000000000000000000000000000000002C01000000000000000000000000000000010000010000000000000000000000
(PID) Process:	(876) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0C8E4BF2-7AA8-4798-9BBB-3767F5B9E79A}
Operation:	write	Name:	DynamicInfo
Value: 03000000481F646A3EE6D50100000000000000000000000000000000
(PID) Process:	(3064) rundll32.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 48000000000000009822726D3EE6D501F80B00003C070000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1224) lpremove.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\Settings
Operation:	write	Name:	NextSQMCollection
Value: 00946DB8FF2CD601
(PID) Process:	(3064) rundll32.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 4800000000000000E01CEE6D3EE6D501F80B00003C070000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3064) rundll32.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 480000000000000048A6F76D3EE6D501F80B00003C070000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID	Process	Filename		Type
3064	rundll32.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
372	svchost.exe	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb		—
		MD5:—	SHA256:—
372	svchost.exe	C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb		—
		MD5:—	SHA256:—
372	svchost.exe	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb		—
		MD5:—	SHA256:—
372	svchost.exe	C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb		—
		MD5:—	SHA256:—
372	svchost.exe	C:\Windows\System32\catroot2\edb.log		—
		MD5:—	SHA256:—
372	svchost.exe	C:\Windows\system32\CatRoot2\edb.log		—
		MD5:—	SHA256:—
3064	rundll32.exe	C:\System Volume Information\SPP\SppGroupCache\Temp_{17240B5A-7E57-4A52-A04C-7BE097032B15}_DriverPackageInfo		—
		MD5:—	SHA256:—
3064	rundll32.exe	Volume{4b10993c-02aa-11e8-b4df-806e6f6e6963}\System Volume Information\SPP\SppGroupCache\{17240B5A-7E57-4A52-A04C-7BE097032B15}_DriverPackageInfo		—
		MD5:—	SHA256:—
3064	rundll32.exe	C:\System Volume Information\SPP\SppCbsHiveStore\{cd42efe1-f6f1-427c-b004-033192c625a4}{C95922F0-6297-4045-B573-221ED1AC5D3D}		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2524	WScript.exe	GET	200	193.233.78.26:80	http://tohomeroom.com/pagkit56.php	RU	executable	169 Kb	suspicious
1052	IEXPLORE.EXE	GET	200	205.185.216.10:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f5b9b13270df8749	US	compressed	55.4 Kb	whitelisted
1052	IEXPLORE.EXE	GET	200	205.185.216.10:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0690a4f73acfba96	US	compressed	55.4 Kb	whitelisted
1052	IEXPLORE.EXE	GET	200	192.35.177.64:80	http://apps.identrust.com/roots/dstrootcax3.p7c	US	cat	893 b	shared
1052	IEXPLORE.EXE	GET	200	192.35.177.64:80	http://apps.identrust.com/roots/dstrootcax3.p7c	US	cat	893 b	shared
1052	IEXPLORE.EXE	GET	200	205.185.216.10:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2f5779c724ab95de	US	compressed	55.4 Kb	whitelisted

Domain	IP	Reputation
teredo.ipv6.microsoft.com	—	whitelisted
tohomeroom.com	193.233.78.26	suspicious
dns.msftncsi.com	131.107.255.255	shared
dungdoptiop.xyz	45.140.169.211	unknown
apps.identrust.com	192.35.177.64	shared
api.bing.com	13.107.5.80	whitelisted
www.bing.com	204.79.197.200	whitelisted
ctldl.windowsupdate.com	205.185.216.10	whitelisted
iecvlist.microsoft.com	152.199.19.161	whitelisted
r20swj13mr.microsoft.com	152.199.19.161	whitelisted

Process	Message
mmc.exe	Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn

PID	Process	IP	Domain	ASN	CN	Reputation
2524	WScript.exe	193.233.78.26:80	tohomeroom.com	OOO FREEnet Group	RU	suspicious
1052	IEXPLORE.EXE	192.35.177.64:80	apps.identrust.com	IdenTrust	US	malicious
1052	IEXPLORE.EXE	45.140.169.211:443	dungdoptiop.xyz	—	—	unknown
1764	IEXPLORE.EXE	45.140.169.211:443	dungdoptiop.xyz	—	—	unknown
2188	iexplore.exe	45.140.169.211:443	dungdoptiop.xyz	—	—	unknown
2188	iexplore.exe	152.199.19.161:443	iecvlist.microsoft.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted
2188	iexplore.exe	204.79.197.203:443	www.msn.com	Microsoft Corporation	US	malicious
2188	iexplore.exe	204.79.197.200:443	www.bing.com	Microsoft Corporation	US	whitelisted
1052	IEXPLORE.EXE	205.185.216.10:80	ctldl.windowsupdate.com	Highwinds Network Group, Inc.	US	whitelisted
2188	iexplore.exe	2.22.134.59:443	go.microsoft.com	Akamai Technologies, Inc.	GB	unknown

General Info

Nuovo documento 2.vbs

834F9F8690B3A21D51088A2FD1B04344

762A473B3B05E5B7FE9B2D2D6DCA3B89C70E6517

7867EF48CF88BD6F3EC0F1C811623F90FB272AEF5376BEF616BC1946D3C0DA99

49152:pwmMC1UqYRkWPwUzM2rN63RKmhKwlbO9VRZhd4aPxlJlDVMu4JVg/aY/9ItIMQOM:m

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads the Task Scheduler COM API

Downloads executable files from the Internet

Application was injected by another process

Runs injected code in another process

Application was dropped or rewritten from another process

Changes settings of System certificates

SUSPICIOUS

Reads the machine GUID from the registry

Executed as Windows Service

Creates files in the program directory

Executable content was dropped or overwritten

Searches for installed software

Creates files in the Windows directory

Executed via Task Scheduler

Executed via COM

Uses RUNDLL32.EXE to load library

Removes files from Windows directory

Adds / modifies Windows certificates

INFO

Manual execution by user

Low-level read access rights to disk partition

Reads settings of System Certificates

Reads Internet Cache Settings

Reads the machine GUID from the registry

Changes internet zones settings

Reads internet explorer settings

Creates files in the user directory

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings