File name: ffb6ee6635710ed30075e61311ecb73e.js
Full analysis: https://app.any.run/tasks/88d8b60b-3597-48cc-9b44-01cb3244d1cb
Verdict: Malicious activity
Analysis date: February 18, 2019, 18:39:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir, evasion
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: FFB6EE6635710ED30075E61311ECB73E
SHA1: A49AA6158EA68E1F352CCE7A3CB21A487E03DB43
SHA256: 6564DE7C3594DBD54C4178BF3804FF052C4B35F133E11F56FCF318237BCB6BA7
SSDEEP: 768:9r+ec4Ws9hvkQHT401iqRfxIuG+JslmtbqpbJp5rdsQ2OJGpjm0rIB:tHrW+v380EWfxIgWotWplLlQxaB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads the Task Scheduler COM API

      • powershell.exe (PID: 3844)
    • Writes to a start menu file

      • powershell.exe (PID: 3844)
    • Loads dropped or rewritten executable

      • wmplayer.exe (PID: 2316)
      • nvsmartmaxapp.exe (PID: 2836)
      • iexplore.exe (PID: 280)
      • gup.exe (PID: 3652)
    • Application was dropped or rewritten from another process

      • nvsmartmaxapp.exe (PID: 2836)
      • gup.exe (PID: 3652)
  • SUSPICIOUS

    • Executes PowerShell scripts

      • WScript.exe (PID: 2800)
    • Creates files in the user directory

      • powershell.exe (PID: 3844)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3844)
    • Checks for external IP

      • wmplayer.exe (PID: 2316)
    • Starts Internet Explorer

      • gup.exe (PID: 3652)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • powershell.exe (PID: 3844)
No Malware configuration.
No data.
Total processes: 37
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 3

Behavior graph (processes shown in the graph, in order): wscript.exe (no specs), powershell.exe, nvsmartmaxapp.exe (no specs), wmplayer.exe, gup.exe (no specs), iexplore.exe

Process information

PID: 2800
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\ffb6ee6635710ed30075e61311ecb73e.js"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 3844
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\admin\AppData\Local\Temp\admin.ps1" -WindowStyle Hidden
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2836
CMD: "C:\Users\admin\AppData\Roaming\iZVXYbP\nvsmartmaxapp.exe"
Path: C:\Users\admin\AppData\Roaming\iZVXYbP\nvsmartmaxapp.exe
Parent process: powershell.exe
User: admin
Integrity Level: MEDIUM
Description: NVIDIA Smart Maximise Helper Host
Exit code: 0
Version: 6.14.10.100.03

PID: 2316
CMD: "C:\Program Files\Windows Media Player\wmplayer.exe"
Path: C:\Program Files\Windows Media Player\wmplayer.exe
Parent process: nvsmartmaxapp.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)

PID: 3652
CMD: C:\Users\admin\AppData\Roaming\iZVXYbP\gup.exe
Path: C:\Users\admin\AppData\Roaming\iZVXYbP\gup.exe
Parent process: taskeng.exe
User: admin
Company: (none reported)
Integrity Level: MEDIUM
Description: WinGup for Notepad++
Exit code: 0
Version: 5.04

PID: 280
CMD: "C:\Program Files\Internet Explorer\iexplore.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: gup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 688
Read events: 611
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 4
Suspicious files: 5
Text files: 2
Unknown types: 1

Dropped files

PID 3844, powershell.exe
  File: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5BX2V28SEXJKGTHK7RTQ.temp
  Type: (none reported)
  MD5: (none reported)
  SHA256: (none reported)

PID 3844, powershell.exe
  File: C:\Users\admin\AppData\Roaming\iZVXYbP\NvSmartMax
  Type: (none reported)
  MD5: (none reported)
  SHA256: (none reported)

PID 2800, WScript.exe
  File: C:\Users\admin\AppData\Local\Temp\admin.ps1
  Type: text
  MD5: 9A362DD5FB8679B63CA3996098A903FF
  SHA256: 30CC11279F166A46236EB838391DF9D0D93FDA8E818755A6FBE6168D13C7E8FC

PID 3844, powershell.exe
  File: C:\Users\admin\AppData\Roaming\zc.zip
  Type: compressed
  MD5: 921E32B176FDD14257174A7CF4305811
  SHA256: 0C450F4586D7EE35ECD86659823415BA9401ED34ED5CADCB58BF306FBCFE2F88

PID 3844, powershell.exe
  File: C:\Users\admin\AppData\Roaming\iZVXYbP\NvSmartMax.dll
  Type: executable
  MD5: 5B861438E716D7C47632C4922BE36795
  SHA256: EB3514C05E4AD10610A1B2D5BB25565B01A577291B96C1D6122DEC1ACABC59C4

PID 3844, powershell.exe
  File: C:\Users\admin\AppData\Roaming\iZVXYbP\libcurl
  Type: binary
  MD5: B4AD244FF08CA0A4413BEAD51FD9BB2C
  SHA256: B150BC468E1DF07540255450DF863F5E309F7142F12EDD5ED2D847EF8B05AB04

PID 3844, powershell.exe
  File: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1990ec.TMP
  Type: binary
  MD5: 901ECDF767744E6BB59CB023757886E3
  SHA256: 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1

PID 3844, powershell.exe
  File: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Type: binary
  MD5: 901ECDF767744E6BB59CB023757886E3
  SHA256: 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1

PID 3844, powershell.exe
  File: C:\Users\admin\AppData\Roaming\iZVXYbP\libcurl.dll
  Type: executable
  MD5: E880C09454A68B4714C6F184F7968070
  SHA256: C9CF8E159809CFA97971A0B84801C6AEAD32E03A423A2FD0CA1C402032B16A82

PID 3844, powershell.exe
  File: C:\Users\admin\AppData\Roaming\zc.txt
  Type: compressed
  MD5: 921E32B176FDD14257174A7CF4305811
  SHA256: 0C450F4586D7EE35ECD86659823415BA9401ED34ED5CADCB58BF306FBCFE2F88
HTTP(S) requests: 3
TCP/UDP connections: 3
DNS requests: 2
Threats: 0

HTTP requests

PID 280, iexplore.exe
  Method: GET
  HTTP code: 200
  IP: 144.217.210.54:80
  URL: http://144.217.210.54/inites.php
  CN: CA
  Reputation: unknown

PID 3844, powershell.exe
  Method: GET
  HTTP code: 200
  IP: 187.45.195.28:80
  URL: http://barbosaoextra.com.br/dados/noticia/7/imagem/laeVzgltmLq.bmp
  CN: BR
  Type: compressed
  Size: 8.87 Mb
  Reputation: unknown

PID 2316, wmplayer.exe
  Method: GET
  HTTP code: 200
  IP: 185.194.141.58:80
  URL: http://ip-api.com/json/
  CN: DE
  Type: text
  Size: 325 b
  Reputation: shared

Connections

PID 3844, powershell.exe
  IP: 187.45.195.28:80
  Domain: barbosaoextra.com.br
  ASN: Locaweb Serviços de Internet S/A
  CN: BR
  Reputation: unknown

PID 280, iexplore.exe
  IP: 144.217.210.54:80
  Domain: (none, direct IP)
  ASN: OVH SAS
  CN: CA
  Reputation: unknown

PID 2316, wmplayer.exe
  IP: 185.194.141.58:80
  Domain: ip-api.com
  ASN: netcup GmbH
  CN: DE
  Reputation: unknown

DNS requests

barbosaoextra.com.br
  IP: 187.45.195.28
  Reputation: unknown

ip-api.com
  IP: 185.194.141.58
  Reputation: shared

Threats

PID 2316, wmplayer.exe
  Class: Potential Corporate Privacy Violation
  Message: ET POLICY External IP Lookup ip-api.com
No debug info