Sample: uc
Full analysis: https://app.any.run/tasks/c88fdc8d-89f3-4561-81eb-4f50b08496a9
Verdict: Malicious activity
Analysis date: March 22, 2019, 00:39:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 2565909D41ADF56BC2DFF3451C08288E
SHA1: 7673C90BEB9E3FD65B53EC4765AE8190BEBCAD57
SHA256: 51E51CF41E417516B4CEB1E55B26A1AD5CD5B49BC208952E72E036DBD27A5500
SSDEEP: 384:GzoPH2BuMRbBqg3dtQsH+wWX9PJbvCH5MkMMn6zkCEbv8p+E3p9RYu822n1:GzcI3QOQi3BmRwGEr8pTZ9l8221

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • WScript.exe (PID: 1760)
      • wscript.exe (PID: 3444)
      • wscript.exe (PID: 2804)
    • Writes to a start menu file

      • WScript.exe (PID: 1760)
      • wscript.exe (PID: 3444)
      • wscript.exe (PID: 2804)
  • SUSPICIOUS

    • Creates files in the user directory

      • WScript.exe (PID: 1760)
      • wscript.exe (PID: 3444)
    • Executes scripts

      • WinRAR.exe (PID: 916)
      • WScript.exe (PID: 1760)
      • wscript.exe (PID: 2804)
    • Application launched itself

      • WScript.exe (PID: 1760)
    • Connects to unusual port

      • wscript.exe (PID: 2804)
      • wscript.exe (PID: 3444)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF (ZIP)

ArchivedFileName: ESTADO NUMERO 014 DEL 21 DE MARZO DE 2019.vbs
PackingMethod: Normal
ModifyDate: 2019:03:21 09:36:11
OperatingSystem: Win32
UncompressedSize: 56996
CompressedSize: 23338
Total processes: 34
Monitored processes: 5
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start -> winrar.exe (no specs) -> wscript.exe -> wscript.exe -> wscript.exe -> wscript.exe (no specs)

Process information

PID: 916
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\uc.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 1760
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa916.20916\ESTADO NUMERO 014 DEL 21 DE MARZO DE 2019.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 3444
CMD: "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\VtfLNmeEIR.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385

PID: 2804
CMD: "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Local\Temp\ESTADO NUMERO 014 DEL 21 DE MARZO DE 2019.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385

PID: 4040
CMD: "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\VtfLNmeEIR.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 1
Version: 5.8.7600.16385
Total events: 895
Read events: 827
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 9
Unknown types: 0

Dropped files

PID: 1760 | Process: WScript.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\ESTADO NUMERO 014 DEL 21 DE MARZO DE 2019.vbs
MD5: E7594B8AE800382A6FEFA8D6EE121F31
SHA256: C3F25D2FAD4FFD23C8782A08B9FFEAF6127C57F10B2EAF2D1B4EBB49F9353D21

PID: 3444 | Process: wscript.exe | Type: text
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VtfLNmeEIR.vbs
MD5: 67261E98D431847536482B6F5F773C5D
SHA256: 2A36DCB7BDDE8A2C2684D96292244CF17EB6FC4BD0034111A14D0216D65A9946

PID: 2804 | Process: wscript.exe | Type: text
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ESTADO NUMERO 014 DEL 21 DE MARZO DE 2019.vbs
MD5: E7594B8AE800382A6FEFA8D6EE121F31
SHA256: C3F25D2FAD4FFD23C8782A08B9FFEAF6127C57F10B2EAF2D1B4EBB49F9353D21

PID: 1760 | Process: WScript.exe | Type: text
Filename: C:\Users\admin\AppData\Roaming\VtfLNmeEIR.vbs
MD5: 67261E98D431847536482B6F5F773C5D
SHA256: 2A36DCB7BDDE8A2C2684D96292244CF17EB6FC4BD0034111A14D0216D65A9946

PID: 916 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa916.20916\ESTADO NUMERO 014 DEL 21 DE MARZO DE 2019.vbs
MD5: E7594B8AE800382A6FEFA8D6EE121F31
SHA256: C3F25D2FAD4FFD23C8782A08B9FFEAF6127C57F10B2EAF2D1B4EBB49F9353D21

PID: 2804 | Process: wscript.exe | Type: text
Filename: C:\Users\admin\AppData\Roaming\VtfLNmeEIR.vbs
MD5: 67261E98D431847536482B6F5F773C5D
SHA256: 2A36DCB7BDDE8A2C2684D96292244CF17EB6FC4BD0034111A14D0216D65A9946

PID: 1760 | Process: WScript.exe | Type: text
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ESTADO NUMERO 014 DEL 21 DE MARZO DE 2019.vbs
MD5: E7594B8AE800382A6FEFA8D6EE121F31
SHA256: C3F25D2FAD4FFD23C8782A08B9FFEAF6127C57F10B2EAF2D1B4EBB49F9353D21
HTTP(S) requests: 0
TCP/UDP connections: 9
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 3444 | Process: wscript.exe
IP: 194.5.98.150:7789
Domain: brothersjoy.nl
ASN: (not listed)
CN: FR
Reputation: malicious

PID: 2804 | Process: wscript.exe
IP: 186.85.86.77:6161
Domain: houdini2019.duckdns.org
ASN: Telmex Colombia S.A.
CN: CO
Reputation: malicious

DNS requests

Domain: houdini2019.duckdns.org
IP: 186.85.86.77
Reputation: malicious

Domain: brothersjoy.nl
IP: 194.5.98.150
Reputation: unknown

Threats

PID: (not listed) | Process: (not listed)
Class: Misc activity
Message: ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

No debug info