analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

FD5384-XPZ-467103.vbs

Full analysis: https://app.any.run/tasks/735ffd20-7bc2-4169-8d20-241c0c6afc76
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: March 14, 2019, 15:59:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: text/plain
File info: Non-ISO extended-ASCII text, with very long lines
MD5:

A16A4117B54EFDD71B5B798759E0EBE5

SHA1:

822BE7C8D3939300251F1D33CC472DBE7CC9F77C

SHA256:

C66B09682692C30439BF481BB9175E456471DBB0236B4F5CCC862A183D419CD8

SSDEEP:

3072:sCdSv1/nFxXq9tw6xozhB6GJ200BmEv8Dk9aIwxgRw4bgYHHZgUUJjNoD9Ly:sGA1/nvXq9ts1Qwu8DkEBx2wDYHHGUUj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • x.exe (PID: 2356)
      • x.exe (PID: 2420)

    • Downloads executable files from the Internet

      • WScript.exe (PID: 3004)

    • Stops/Deletes Windows Defender service

      • cmd.exe (PID: 3764)
      • cmd.exe (PID: 3700)
      • cmd.exe (PID: 2412)
      • cmd.exe (PID: 2364)

    • Known privilege escalation attack

      • DllHost.exe (PID: 2924)

    • Loads the Task Scheduler COM API

      • x.exe (PID: 2420)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3004)
      • x.exe (PID: 2356)

    • Starts CMD.EXE for commands execution

      • x.exe (PID: 2356)
      • x.exe (PID: 2420)

    • Creates files in the user directory

      • x.exe (PID: 2356)
      • powershell.exe (PID: 3192)
      • powershell.exe (PID: 4052)

    • Executes PowerShell scripts

      • cmd.exe (PID: 3848)
      • cmd.exe (PID: 2600)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
53
Monitored processes
16
Malicious processes
6
Suspicious processes
3

Behavior graph

Click at the process to see the details
drop and start start wscript.exe x.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs sc.exe no specs powershell.exe no specs CMSTPLUA no specs x.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs sc.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3004"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\FD5384-XPZ-467103.vbs"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2356C:\Users\admin\AppData\Local\Temp\x.exeC:\Users\admin\AppData\Local\Temp\x.exe
WScript.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3700/c sc stop WinDefendC:\Windows\system32\cmd.exex.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
5
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3764/c sc delete WinDefendC:\Windows\system32\cmd.exex.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
5
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3848/c powershell Set-MpPreference -DisableRealtimeMonitoring $trueC:\Windows\system32\cmd.exex.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2924sc stop WinDefendC:\Windows\system32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3116sc delete WinDefendC:\Windows\system32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3192powershell Set-MpPreference -DisableRealtimeMonitoring $trueC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2924C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2420"C:\Users\admin\AppData\Roaming\wnetwork\x.exe" C:\Users\admin\AppData\Roaming\wnetwork\x.exeDllHost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Total events
912
Read events
796
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
6
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3192powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AOFH7153VHPN08R28S41.temp
MD5:
SHA256:
4052powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YV2KM9Z593E52KFY9Y9C.temp
MD5:
SHA256:
4052powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8
SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3
4052powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF21394f.TMPbinary
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8
SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3
2356x.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2fbinary
MD5:AFFDB1E7CE8327F6B028F695E544C8DD
SHA256:3DAFED18A16D301018509039B0AA4AA0886DCCF5472DECA945B6594AE5DE6819
2420x.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2fbinary
MD5:6E7EB915AD17E2E6DE77DD0D91DD98F2
SHA256:9C4C35EB029054BD7C3A79B9AFA9DE73530DC9E5D79E6AF1878B70839CF6F11B
3192powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8
SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3
3192powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF210e67.TMPbinary
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8
SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3
3004WScript.exeC:\Users\admin\AppData\Local\Temp\x.exeexecutable
MD5:D9A5761FE60ED5A2D01CF6C6E1A84CBA
SHA256:F04B25C3587FF783DF76D4964BC2E7209FBC37602BD29A71CDE49F2538983FEB
2356x.exeC:\Users\admin\AppData\Roaming\wnetwork\x.exeexecutable
MD5:D9A5761FE60ED5A2D01CF6C6E1A84CBA
SHA256:F04B25C3587FF783DF76D4964BC2E7209FBC37602BD29A71CDE49F2538983FEB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3004
WScript.exe
GET
200
185.201.11.230:80
http://ministere-elshaddai.org/99208_929_991.php
DE
executable
495 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3004
WScript.exe
185.201.11.230:80
ministere-elshaddai.org
KVCHOSTING.COM LLC
DE
suspicious

DNS requests

Domain
IP
Reputation
ministere-elshaddai.org
  • 185.201.11.230
suspicious

Threats

PID
Process
Class
Message
3004
WScript.exe
Misc activity
ET INFO Packed Executable Download
3004
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3004
WScript.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3004
WScript.exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
FD5384-XPZ-467103.vbs