analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

C:\Users\admin\Desktop\JyjdFUUgTB.vbs

Full analysis: https://app.any.run/tasks/7e8d02c0-244a-48e0-be9b-a8b3c637e7cf
Verdict: Malicious activity
Analysis date: April 25, 2019, 13:43:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5:

7D4B2FA4BE63522710A523705118B042

SHA1:

6388E03AC9F76B20DDF43D92460128208F654A1F

SHA256:

10CB2D3DFF3E21E3F4F7330B504787914DC9C75F3B8ABD09158C15FE89F4E074

SSDEEP:

384:R4sf7L3VIszaZHVhL3V3g4fkV+vLUFiH+JJ4P2ZfjTv6hPxt:Xf33msza5VhLF3g4yQUFiH+YP2Zv6hZt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • WScript.exe (PID: 896)

    • Changes the Startup folder

      • REG.exe (PID: 3536)

    • Application was dropped or rewritten from another process

      • cmualrc.exe (PID: 4068)
      • i8WcTxGboU.exe (PID: 3152)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 896)
      • i8WcTxGboU.exe (PID: 3152)

    • Starts itself from another location

      • i8WcTxGboU.exe (PID: 3152)

    • Creates files in the program directory

      • i8WcTxGboU.exe (PID: 3152)

    • Adds / modifies Windows certificates

      • WScript.exe (PID: 896)

    • Creates files in the user directory

      • WScript.exe (PID: 896)

    • Uses REG.EXE to modify Windows registry

      • cmualrc.exe (PID: 4068)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
4
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start wscript.exe i8wctxgbou.exe cmualrc.exe reg.exe

Process information

PID
CMD
Path
Indicators
Parent process
896"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\JyjdFUUgTB.vbs"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3152C:\Users\admin\Desktop\i8WcTxGboU.exeC:\Users\admin\Desktop\i8WcTxGboU.exe
WmiPrvSE.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
4068c:\programdata\f64a428dfd\cmualrc.exec:\programdata\f64a428dfd\cmualrc.exe
i8WcTxGboU.exe
User:
admin
Integrity Level:
MEDIUM
3536REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\f64a428dfdC:\Windows\system32\REG.exe
cmualrc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
96
Read events
61
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
0
Text files
1
Unknown types
1

Dropped files

PID
Process
Filename
Type
896WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@file[1].txt
MD5:
SHA256:
3152i8WcTxGboU.exeC:\ProgramData\0
MD5:
SHA256:
3152i8WcTxGboU.exeC:\programdata\f64a428dfd\cmualrc.exe:Zone.Identifier
MD5:
SHA256:
4068cmualrc.exeC:\ProgramData\0
MD5:
SHA256:
896WScript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\400801441312-107-0_1.dom2.doc.hidden1[1].exeexecutable
MD5:FBE6D341C1B69975BE74616D01C6D273
SHA256:EC6097C4FDBE0736E416B58BE0A4DD042C46A9CF7EEF997B3EB72384609CBCA9
3152i8WcTxGboU.exeC:\programdata\f64a428dfd\cmualrc.exeexecutable
MD5:FBE6D341C1B69975BE74616D01C6D273
SHA256:EC6097C4FDBE0736E416B58BE0A4DD042C46A9CF7EEF997B3EB72384609CBCA9
896WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@file[2].txttext
MD5:4622976D730F2CC3D79FB9615B99D4C6
SHA256:B3172A6D47D8C87AA2314254E18316E860224E7D2BD7317AECAAFB5840B07D59
896WScript.exeC:\Users\admin\Desktop\i8WcTxGboU.exeexecutable
MD5:FBE6D341C1B69975BE74616D01C6D273
SHA256:EC6097C4FDBE0736E416B58BE0A4DD042C46A9CF7EEF997B3EB72384609CBCA9
896WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
896
WScript.exe
209.43.40.101:443
file.ac
IQuest Internet
US
suspicious
4068
cmualrc.exe
188.254.179.205:80
gohaiendo.com
Bulsatcom EAD
BG
malicious

DNS requests

Domain
IP
Reputation
file.ac
  • 209.43.40.101
whitelisted
gohaiendo.com
  • 188.254.179.205
  • 197.255.246.6
  • 78.40.139.73
  • 87.126.16.141
  • 89.17.225.163
  • 181.39.233.180
  • 151.251.23.210
  • 155.133.93.30
  • 196.20.111.10
  • 37.34.176.37
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
C:\Users\admin\Desktop\JyjdFUUgTB.vbs