analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

10f6e38224c4ee39501fa379cfbdd68067c37c6c731fbe78ad03a24cc6b42e31.vbs

Full analysis: https://app.any.run/tasks/2890985d-3f1e-4b34-a9da-18247cec0e6a
Verdict: Malicious activity
Analysis date: May 20, 2019, 16:27:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

FD8C2477FB5E107414364E5AA07408B7

SHA1:

28307D7BB128DE103ABAA606B5BB346B8CA03386

SHA256:

BCEBF674B3F0515C8DD2E0F23D48B2A9B3E125EF277DF52EF14AAF9F5F35073F

SSDEEP:

12:rChQq4vKQbJaMzHVHYQenBnct9oVsE8yzcRhXdd+REBaGdpVmr/hIbv:rCHiKQbwqynZKE8yzcRhtd+EBfmbhIL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Creates files in the user directory

      • WScript.exe (PID: 3144)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
32
Monitored processes
1
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe

Process information

PID
CMD
Path
Indicators
Parent process
3144"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\10f6e38224c4ee39501fa379cfbdd68067c37c6c731fbe78ad03a24cc6b42e31.vbs"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
Total events
58
Read events
40
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3144WScript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\NCiPkXve[1].txt
MD5:
SHA256:
3144WScript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\understandknow_info[1].txt
MD5:
SHA256:
3144WScript.exeC:\Users\admin\124xtext
MD5:17DAF2B82DB5FF5DD240C31C7424A95E
SHA256:1D69B23BE923220FE79154E8498393E58B777184F286372EFDACDEC1200FB677
3144WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@pastebin[1].txttext
MD5:577B932E225069FC7C9D778C2F031E07
SHA256:CCB83123AAAF83CB1E993145C3714D424BCC6D00DC070E62CA20606CF4749957
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3144
WScript.exe
POST
200
107.180.28.146:80
http://understandknow.info/?tgow=shuraty3&6cJOngr3ZLNNt2CBaeqqTtf2X
US
text
3.56 Kb
malicious
3144
WScript.exe
POST
200
104.20.208.21:80
http://pastebin.com/raw/NCiPkXve?6cJOngr3ZLNNt2CBaeqqTtf2X
US
text
221 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3144
WScript.exe
104.20.208.21:80
pastebin.com
Cloudflare Inc
US
shared
3144
WScript.exe
107.180.28.146:80
understandknow.info
GoDaddy.com, LLC
US
suspicious

DNS requests

Domain
IP
Reputation
pastebin.com
  • 104.20.208.21
  • 104.20.209.21
shared
understandknow.info
  • 107.180.28.146
malicious

Threats

PID
Process
Class
Message
3144
WScript.exe
A Network Trojan was detected
MALWARE [PTsecurity] Download Obfuscated Malicious Script (cmd.exe/WScript.Shell)
3144
WScript.exe
Potentially Bad Traffic
ET WEB_CLIENT Obfuscated Javascript // ptth
No debug info