File name:

Manuel.doc

Full analysis: https://app.any.run/tasks/5906d458-d473-44b9-b613-e5424ae3098d
Verdict: Malicious activity
Analysis date: March 18, 2024, 11:27:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/octet-stream
File info: data
MD5:

CC2DB35F43B4A12700C431811A463439

SHA1:

D838AAF8D656B7D8D0F48D13646E677EAAD35F20

SHA256:

FE9C78249937D57AAED2792238CAEEA298E715D9CF261ADD1FBFBAEEAB084D40

SSDEEP:

192:YoVivS9W9c1+YqNAmzCFFVCcVXowajgUWPeks8B4+0gXoOAcwLP3OUy8y40DXKl8:YK1U9tYHmzCFucVXdOgXPekXBD0wodcP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 1692)
      • wscript.exe (PID: 2408)

    • Changes appearance of the Explorer extensions

      • wscript.exe (PID: 1692)
      • wscript.exe (PID: 2408)

    • Creates a new registry key or changes the value of an existing one (SCRIPT)

      • wscript.exe (PID: 1692)
      • wscript.exe (PID: 2408)

    • Modifies registry startup key (SCRIPT)

      • wscript.exe (PID: 1692)
      • wscript.exe (PID: 2408)

    • Gets a file object corresponding to the file in a specified path (SCRIPT)

      • wscript.exe (PID: 1692)
      • wscript.exe (PID: 2408)

    • Gets TEMP folder path (SCRIPT)

      • wscript.exe (PID: 2408)
      • wscript.exe (PID: 1692)

    • Accesses environment variables (SCRIPT)

      • wscript.exe (PID: 1692)
      • wscript.exe (PID: 2408)

    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 2408)

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 2408)

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 2408)

  • SUSPICIOUS

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 1692)
      • wscript.exe (PID: 2408)

    • Reads data from a file (SCRIPT)

      • wscript.exe (PID: 1692)
      • wscript.exe (PID: 2408)

    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • wscript.exe (PID: 1692)
      • wscript.exe (PID: 2408)

    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 1692)
      • wscript.exe (PID: 2408)

    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • wscript.exe (PID: 1692)
      • wscript.exe (PID: 2408)

    • Checks whether a specific file exists (SCRIPT)

      • wscript.exe (PID: 1692)
      • wscript.exe (PID: 2408)

    • Gets a collection of all available drive names (SCRIPT)

      • wscript.exe (PID: 2408)

    • Executes WMI query (SCRIPT)

      • wscript.exe (PID: 2408)

    • Reads the Internet Settings

      • wscript.exe (PID: 1692)

    • Saves data to a binary file (SCRIPT)

      • wscript.exe (PID: 1692)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 1692)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 1692)

    • Checks whether the drive is ready (SCRIPT)

      • wscript.exe (PID: 2408)

    • Gets the drive type (SCRIPT)

      • wscript.exe (PID: 2408)

  • INFO

    • Manual execution by a user

      • explorer.exe (PID: 2168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.vbe | VBScript Encoded script (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe no specs cmd.exe no specs wscript.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1692"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Manuel.doc.vbe"C:\Windows\System32\wscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2168"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2408wscript /e:VBScript.Encode C:\Users\admin\AppData\Local\Temp\SysinfY2X.dbC:\Windows\System32\wscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
4004"C:\Windows\System32\cmd.exe" /c start wscript /e:VBScript.Encode C:\Users\admin\AppData\Local\Temp\SysinfY2X.dbC:\Windows\System32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
1 593
Read events
1 490
Write events
72
Delete events
31

Modification events

(PID) Process:(1692) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:SysinfY2X
Value:
C:\WINDOWS\system32\cmd.exe /c start wscript /e:VBScript.Encode %temp%\SysinfY2X.db
(PID) Process:(1692) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Operation:writeName:Hidden
Value:
2
(PID) Process:(1692) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1692) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1692) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1692) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2408) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:SysinfY2X
Value:
C:\WINDOWS\system32\cmd.exe /c start wscript /e:VBScript.Encode %temp%\SysinfY2X.db
(PID) Process:(2408) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Operation:writeName:Hidden
Value:
2
(PID) Process:(2408) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:SysinfYhX
Value:
Executable files
0
Suspicious files
0
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
1692wscript.exeC:\Users\admin\AppData\Local\Temp\SysinfY2X.dbvbe
MD5:CC2DB35F43B4A12700C431811A463439
SHA256:FE9C78249937D57AAED2792238CAEEA298E715D9CF261ADD1FBFBAEEAB084D40
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
1

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
unknown

DNS requests

No data

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Manuel.doc