analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

C:\Users\admin\Downloads\COMPARENDO ELECTRONICO.vbs

Full analysis: https://app.any.run/tasks/6e3461d0-3286-469d-a5b5-96348c73828e
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: March 21, 2019, 15:55:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines
MD5:

52F462EBE87FE66B16D98E6AA4A791D5

SHA1:

F589BD1BDA76FC5110383C887387BF9CB06EABEB

SHA256:

B411D03C4AB1E5E899D595F9306670A88D2DBE27E045DD4293FE6BFD0784A61C

SSDEEP:

1536:aj/kbjcrn8y5VUNNvOXF9lauRAqLev1WW:czr8MUPSbOlWW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • WScript.exe (PID: 3516)
      • wscript.exe (PID: 3116)
      • wscript.exe (PID: 2668)

    • Writes to a start menu file

      • WScript.exe (PID: 3516)
      • wscript.exe (PID: 2668)
      • wscript.exe (PID: 3116)

    • Connects to CnC server

      • wscript.exe (PID: 2668)

  • SUSPICIOUS

    • Application launched itself

      • WScript.exe (PID: 3516)
      • wscript.exe (PID: 2668)

    • Creates files in the user directory

      • wscript.exe (PID: 3116)
      • WScript.exe (PID: 3516)

    • Executes scripts

      • WScript.exe (PID: 3516)
      • wscript.exe (PID: 2668)

    • Connects to unusual port

      • wscript.exe (PID: 3116)
      • wscript.exe (PID: 2668)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3388)

    • Creates files in the user directory

      • iexplore.exe (PID: 3704)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3388)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3388)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3704)

    • Changes settings of System certificates

      • iexplore.exe (PID: 3388)

    • Changes internet zones settings

      • iexplore.exe (PID: 3388)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3704)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe wscript.exe wscript.exe wscript.exe no specs iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3516"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\COMPARENDO ELECTRONICO.vbs"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3116"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\GVvCQaDzCC.vbs"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
2668"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Local\Temp\COMPARENDO ELECTRONICO.vbs"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
3932"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\GVvCQaDzCC.vbs"C:\Windows\System32\wscript.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
1
Version:
5.8.7600.16385
3388"C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3704"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3388 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
1 303
Read events
1 139
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
6
Text files
22
Unknown types
4

Dropped files

PID
Process
Filename
Type
3388iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
3388iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3704iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\751G98IA\old-browsers[1].txt
MD5:
SHA256:
3116wscript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GVvCQaDzCC.vbstext
MD5:FDCBD4C5E1FF6458597B0A70C6017AE8
SHA256:255C281730A6B9AA18543DD4E09CB6F4FE4D353C2EC81A248AB4FB1572D2B5D6
3516WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COMPARENDO ELECTRONICO.vbstext
MD5:52F462EBE87FE66B16D98E6AA4A791D5
SHA256:B411D03C4AB1E5E899D595F9306670A88D2DBE27E045DD4293FE6BFD0784A61C
2668wscript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COMPARENDO ELECTRONICO.vbstext
MD5:52F462EBE87FE66B16D98E6AA4A791D5
SHA256:B411D03C4AB1E5E899D595F9306670A88D2DBE27E045DD4293FE6BFD0784A61C
2668wscript.exeC:\Users\admin\AppData\Roaming\GVvCQaDzCC.vbstext
MD5:FDCBD4C5E1FF6458597B0A70C6017AE8
SHA256:255C281730A6B9AA18543DD4E09CB6F4FE4D353C2EC81A248AB4FB1572D2B5D6
3516WScript.exeC:\Users\admin\AppData\Local\Temp\COMPARENDO ELECTRONICO.vbstext
MD5:52F462EBE87FE66B16D98E6AA4A791D5
SHA256:B411D03C4AB1E5E899D595F9306670A88D2DBE27E045DD4293FE6BFD0784A61C
3704iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\751G98IA\old-browsers[1].htmhtml
MD5:61C0713BCB0EA6B4BBF6CE88C4CD5A62
SHA256:47284C65F75D64F275BB108D724385FB786D6DE7FF2B90959050623CF640FE7F
3388iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].png
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
34
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3704
iexplore.exe
GET
302
216.239.38.21:80
http://virustotal.com/
US
whitelisted
2668
wscript.exe
POST
181.58.133.70:8376
http://mozillamaintenanceservice.duckdns.org:8376/is-ready
CO
malicious
3388
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
2668
wscript.exe
POST
200
181.58.133.70:8376
http://mozillamaintenanceservice.duckdns.org:8376/is-ready
CO
text
4 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2668
wscript.exe
181.58.133.70:8376
mozillamaintenanceservice.duckdns.org
Telmex Colombia S.A.
CO
malicious
3388
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3116
wscript.exe
194.5.98.150:7789
brothersjoy.nl
FR
malicious
3704
iexplore.exe
216.239.38.21:443
virustotal.com
Google Inc.
US
whitelisted
3704
iexplore.exe
216.239.38.21:80
virustotal.com
Google Inc.
US
whitelisted
3704
iexplore.exe
74.125.34.46:443
www.virustotal.com
Google Inc.
US
whitelisted
3388
iexplore.exe
74.125.34.46:443
www.virustotal.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
brothersjoy.nl
  • 194.5.98.150
unknown
mozillamaintenanceservice.duckdns.org
  • 181.58.133.70
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
virustotal.com
  • 216.239.38.21
  • 216.239.34.21
  • 216.239.32.21
  • 216.239.36.21
whitelisted
www.virustotal.com
  • 74.125.34.46
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2668
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
C:\Users\admin\Downloads\COMPARENDO ELECTRONICO.vbs