analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://www.gvgdevelopers.com/K2DevGuide/zip/cs-script.zip

Full analysis: https://app.any.run/tasks/b222d3c9-9a7e-431b-a2a2-eeac69b3e969
Verdict: Malicious activity
Analysis date: July 18, 2019, 08:33:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MD5:

587B2FF20BBFBEE13DDEAB371785D95C

SHA1:

2ED87FA523363EC16DF8DD25A816B808003E9243

SHA256:

FB0CE07C9AA96695B6722E2CBCAB644932957236C819CBDD96FB37200E6F8128

SSDEEP:

3:N1KJS4XaqGyGM2iQMtUo+V:Cc4qqGySCq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • cswscript.exe (PID: 3548)
      • csws.exe (PID: 932)

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 2564)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1072)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3760)

    • Changes internet zones settings

      • iexplore.exe (PID: 3760)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3760)
      • iexplore.exe (PID: 3452)

    • Manual execution by user

      • cswscript.exe (PID: 3548)
      • csws.exe (PID: 932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe winrar.exe searchprotocolhost.exe no specs cswscript.exe no specs csws.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3760"C:\Program Files\Internet Explorer\iexplore.exe" "http://www.gvgdevelopers.com/K2DevGuide/zip/cs-script.zip"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3452"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3760 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1072"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8BW8CI0Y\cs-script[1].zip"C:\Program Files\WinRAR\WinRAR.exe
iexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2564"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
3548"C:\Users\admin\Desktop\cs-script\cswscript.exe" C:\Users\admin\Desktop\cs-script\cswscript.exeexplorer.exe
User:
admin
Company:
Galos
Integrity Level:
MEDIUM
Description:
cswscript.exe
Exit code:
0
Version:
2.1.0.0
932"C:\Users\admin\Desktop\cs-script\csws.exe" C:\Users\admin\Desktop\cs-script\csws.exeexplorer.exe
User:
admin
Company:
Galos
Integrity Level:
MEDIUM
Description:
cswscript.exe
Exit code:
0
Version:
2.1.0.0
Total events
1 433
Read events
1 350
Write events
0
Delete events
0

Modification events

No data
Executable files
25
Suspicious files
6
Text files
213
Unknown types
3

Dropped files

PID
Process
Filename
Type
3760iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico
MD5:
SHA256:
3760iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3760iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF2333FB7900400E52.TMP
MD5:
SHA256:
3760iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF363219F1B756E699.TMP
MD5:
SHA256:
3760iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{C2E1C0B9-A936-11E9-95C0-5254004A04AF}.dat
MD5:
SHA256:
3760iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019071820190719\index.datdat
MD5:3D29C5F4771C193CC722D134FB859FEF
SHA256:30F55E1718C8B9273AEE52B7896E32072E3C349F5D62014F731647827FC53D09
3452iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8BW8CI0Y\cs-script[1].zipcompressed
MD5:87B20420F394C093E04B2788BB16DDAF
SHA256:59BB7EB8AC8197C63522ED11865CE8F474D6AEECEFEC5C4A50BF85604F9F541E
3452iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:7E7145E388C6C94C81EFEF74FC28C028
SHA256:1D406949B7BE0B4E23DE8765F8F3C0692904CBDCA36112D42FAC549D8197EEDA
1072WinRAR.exeC:\Users\admin\Desktop\cs-script\Lib\asAdmin.cstext
MD5:D78B986FC1B55E477328B636F708B9C1
SHA256:97548CE3901867F619534D4CBA303818CD8BCB0CB738A84A9DF77918FE124363
3760iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{C2E1C0BA-A936-11E9-95C0-5254004A04AF}.datbinary
MD5:76B24DC328D727E75481B89AE4FB5C31
SHA256:2D5D0330E6DAE6CA547DBD404778982780F1421438FC60CDB6C7832EDFD2A63C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3452
iexplore.exe
GET
200
69.30.23.135:80
http://www.gvgdevelopers.com/K2DevGuide/zip/cs-script.zip
US
compressed
954 Kb
unknown
3760
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3452
iexplore.exe
69.30.23.135:80
www.gvgdevelopers.com
EasyStreet Online Services, Inc.
US
unknown
3760
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
www.gvgdevelopers.com
  • 69.30.23.135
unknown
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://www.gvgdevelopers.com/K2DevGuide/zip/cs-script.zip