analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

29.vbs

Full analysis: https://app.any.run/tasks/f96f3882-3464-4739-ae0e-587174e4e294
Verdict: Malicious activity
Analysis date: August 08, 2020, 18:55:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

E93D7D9C3D8CB6063EAC1C26E186CBAD

SHA1:

B3158D7B33FA91E669E38DAE943BEFBBA72F362B

SHA256:

D1E1F9B21C8A423E86D51830AAE9D9EE67265BB7821A58A1E219AADA2C5822F7

SSDEEP:

6:dPtGT6RpbQN08HKQHcCCASsr6RpqFFN08HdHcCCASr:dPt1pbrMKQHzC5Q6Rpq2MdHzC5r

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • WScript.exe (PID: 2712)
      • WScript.exe (PID: 928)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • WScript.exe (PID: 928)
      • WScript.exe (PID: 2712)
    • Adds / modifies Windows certificates

      • WScript.exe (PID: 928)
      • WScript.exe (PID: 2712)
    • Creates files in the user directory

      • WScript.exe (PID: 2712)
      • WScript.exe (PID: 928)
  • INFO

    • Manual execution by user

      • WScript.exe (PID: 928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
2
Malicious processes
0
Suspicious processes
2

Behavior graph

Click at the process to see the details
start wscript.exe wscript.exe

Process information

PID
CMD
Path
Indicators
Parent process
2712"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\29.vbs"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
928"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\29.vbs" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Total events
139
Read events
90
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
3
Unknown types
2

Dropped files

PID
Process
Filename
Type
2712WScript.exeC:\Users\admin\AppData\Local\Temp\Cab37E4.tmp
MD5:
SHA256:
2712WScript.exeC:\Users\admin\AppData\Local\Temp\Tar37E5.tmp
MD5:
SHA256:
2712WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\HK5YVYY9.txt
MD5:
SHA256:
928WScript.exeC:\Users\admin\AppData\Local\Temp\CabC129.tmp
MD5:
SHA256:
928WScript.exeC:\Users\admin\AppData\Local\Temp\TarC12A.tmp
MD5:
SHA256:
928WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\YKIHZ49U.txttext
MD5:0937FCBDFED3B10476E3AB4C06441629
SHA256:152E83BA85996E8895AD1EAA3782881E1D85DE3D3EFE40FC3E3C692BF6E92509
928WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\5VVI1CCV.txttext
MD5:FBEFC94F5E2A92292BCC278824EEF506
SHA256:4BBB9E12FF3CA320A9A27596A4C5F3CB59F1ADFC08324AB26BBE47283C41FD9E
2712WScript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08binary
MD5:2114B01B87E47B11BCF9F84A2CAE34B9
SHA256:052A130B3F4DA51C84B71CD741ED9CDC2D85AEC2D87E0C0E185B641FA2AC02D6
2712WScript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C954CE05407CAD0B91F1461CBC854DCEder
MD5:C774544D4141DB33740F292EB1CE1DEE
SHA256:88A48AF71537B2785C9503470D96854C9601910BD7D1BF0243D12DB1BF36DABD
2712WScript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08der
MD5:9E1EB3DDA03ED5B39D68CB26399E3C2E
SHA256:161399C3C4D0942A0AFE35D59B26D984D24C6E502253CDBDAECCDD9A0B53380E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
4
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2712
WScript.exe
GET
200
2.16.107.114:80
http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgObfHHgHlsa0R7fVL2Sj72S7g%3D%3D
unknown
der
527 b
whitelisted
2712
WScript.exe
GET
200
2.16.107.80:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
unknown
der
1.37 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2712
WScript.exe
88.99.66.31:443
iplogger.org
Hetzner Online GmbH
DE
malicious
2712
WScript.exe
2.16.107.80:80
isrg.trustid.ocsp.identrust.com
Akamai International B.V.
suspicious
2712
WScript.exe
2.16.107.114:80
ocsp.int-x3.letsencrypt.org
Akamai International B.V.
suspicious
928
WScript.exe
88.99.66.31:443
iplogger.org
Hetzner Online GmbH
DE
malicious

DNS requests

Domain
IP
Reputation
iplogger.org
  • 88.99.66.31
shared
isrg.trustid.ocsp.identrust.com
  • 2.16.107.80
  • 2.16.107.73
whitelisted
ocsp.int-x3.letsencrypt.org
  • 2.16.107.114
  • 2.16.107.43
whitelisted

Threats

PID
Process
Class
Message
2712
WScript.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] IP Check Domain SSL certificate
2712
WScript.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] IP Check Domain SSL certificate
928
WScript.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] IP Check Domain SSL certificate
928
WScript.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] IP Check Domain SSL certificate
5 ETPRO signatures available at the full report
No debug info