File name:

vss.exe

Full analysis: https://app.any.run/tasks/792d4254-d59c-4cdd-bbf4-02f5581dc03f
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: September 08, 2024, 12:37:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

53A26C5BBCE6F21CA769B19B29F27DB7

SHA1:

96F063F12B0259A79BBD353A656EBA7820679F78

SHA256:

949C4D643819C553DC0BAF604AB0C3104ADBF46B5AB1A92380089E054F4DAC02

SSDEEP:

96:Sq1qZNor3pD+XI/d6BMteraKTvVpwpaudk5q8/L8qN1PxyZ4cG/idhtp1XKE25QO:PpyIe/QpgdDPLqjF2eJdFne55tfl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Using BCDEDIT.EXE to modify recovery options

      • cmd.exe (PID: 5700)
      • cmd.exe (PID: 5344)

    • Actions looks like stealing of personal data

      • cmd.exe (PID: 7116)
      • cmd.exe (PID: 2520)

    • Deletes shadow copies

      • cmd.exe (PID: 3316)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • vss.exe (PID: 7052)

    • Application launched itself

      • vss.exe (PID: 7052)

    • Reads the date of Windows installation

      • vss.exe (PID: 7052)

    • Starts CMD.EXE for commands execution

      • vss.exe (PID: 4880)

    • Uses WEVTUTIL.EXE to cleanup log

      • cmd.exe (PID: 3268)

    • Executes as Windows Service

      • VSSVC.exe (PID: 508)

  • INFO

    • Checks supported languages

      • vss.exe (PID: 7052)
      • vss.exe (PID: 4880)

    • Reads the computer name

      • vss.exe (PID: 7052)

    • The process uses the downloaded file

      • vss.exe (PID: 7052)

    • Process checks computer location settings

      • vss.exe (PID: 7052)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:09:08 12:37:25+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 4096
InitializedDataSize: 6144
UninitializedDataSize: -
EntryPoint: 0x153c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
143
Monitored processes
21
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start vss.exe no specs vss.exe cmd.exe no specs conhost.exe no specs bcdedit.exe no specs cmd.exe no specs conhost.exe no specs bcdedit.exe no specs cmd.exe conhost.exe no specs cmd.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs wevtutil.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs vssadmin.exe no specs vssvc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
508C:\WINDOWS\system32\vssvc.exeC:\Windows\System32\VSSVC.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
2096vssadmin delete shadows /all /quietC:\Windows\System32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
2520cmd.exe /C del /s /f /q C:\*.bakC:\Windows\System32\cmd.exe
vss.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
2820\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
2892wevtutil cl SystemC:\Windows\System32\wevtutil.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Eventing Command Line Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
3112wevtutil cl Application C:\Windows\System32\wevtutil.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Eventing Command Line Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
3268cmd.exe /C wevtutil cl Application && wevtutil cl Security && wevtutil cl SystemC:\Windows\System32\cmd.exevss.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
3316cmd.exe /C vssadmin delete shadows /all /quietC:\Windows\System32\cmd.exevss.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
3584\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3852bcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\System32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cryptsp.dll
Total events
604
Read events
570
Write events
16
Delete events
18

Modification events

(PID) Process:(5164) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:delete keyName:(default)
Value:
(PID) Process:(5164) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:writeName:Element
Value:
0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
(PID) Process:(5164) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:delete keyName:(default)
Value:
(PID) Process:(5164) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:writeName:Element
Value:
\EFI\Microsoft\Boot\bootmgfw.efi
(PID) Process:(5164) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation:delete keyName:(default)
Value:
(PID) Process:(5164) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation:writeName:Element
Value:
0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
(PID) Process:(5164) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\12000002
Operation:delete keyName:(default)
Value:
(PID) Process:(5164) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\12000002
Operation:writeName:Element
Value:
\EFI\Boot\Loader.efi
(PID) Process:(5164) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Description
Operation:delete keyName:(default)
Value:
(PID) Process:(5164) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Elements\24000001
Operation:delete keyName:(default)
Value:
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
18
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6652
svchost.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2120
MoUsoCoreWorker.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6412
RUXIMICS.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6652
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6412
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6652
svchost.exe
23.218.209.163:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2120
MoUsoCoreWorker.exe
23.218.209.163:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6412
RUXIMICS.exe
23.218.209.163:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6652
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 172.217.16.206
whitelisted
www.microsoft.com
  • 23.218.209.163
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
vss.exe