analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

삼성_앱_스토어.js

Full analysis: https://app.any.run/tasks/15faeaac-186b-49d0-86fa-56cffc91c6e4
Verdict: Malicious activity
Threats:

GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.

Analysis date: December 18, 2018, 14:36:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
gandcrab
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5:

E5C3CCAF61D0E1D1232F2A511AFD91E0

SHA1:

9686C2A1E066CA2DA50F6F33D359F835D6D74C6B

SHA256:

73C52E33F3B5674AADBFF7ECDA954DA2BE358B003D0F49A83ABA84C16AF561F9

SSDEEP:

24576:a0Ew/XgLpnH7hIYEoluDWV/m2ja6R/WrPUyaytRMInw76ARzO89EePW5Qp40Pgar:g

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • powershell.exe (PID: 2364)
    • GandCrab keys found

      • powershell.exe (PID: 2364)
    • Renames files like Ransomware

      • powershell.exe (PID: 2364)
    • Writes file to Word startup folder

      • powershell.exe (PID: 2364)
    • Deletes shadow copies

      • powershell.exe (PID: 2364)
    • Dropped file may contain instructions of ransomware

      • powershell.exe (PID: 2364)
  • SUSPICIOUS

    • Creates files in the user directory

      • WScript.exe (PID: 2996)
      • powershell.exe (PID: 2364)
    • Executes PowerShell scripts

      • WScript.exe (PID: 2996)
    • Creates files like Ransomware instruction

      • powershell.exe (PID: 2364)
    • Reads the cookies of Mozilla Firefox

      • powershell.exe (PID: 2364)
  • INFO

    • Dropped object may contain TOR URL's

      • powershell.exe (PID: 2364)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe no specs #GANDCRAB powershell.exe wmic.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2996"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\삼성_앱_스토어.js"C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2364"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "IEX (([System.IO.File]::ReadAllText('C:\Users\admin\AppData\Roaming\tnqalxuybs.log')).Replace('?',''));"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3984"C:\Windows\system32\wbem\wmic.exe" shadowcopy deleteC:\Windows\system32\wbem\wmic.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
2147749908
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
328
Read events
262
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
279
Text files
206
Unknown types
8

Dropped files

PID
Process
Filename
Type
2364powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AJHNWDVQXY3P9QK8Q0Y9.temp
MD5:
SHA256:
2364powershell.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
MD5:
SHA256:
2364powershell.exeC:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData
MD5:
SHA256:
2364powershell.exeC:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings
MD5:
SHA256:
2364powershell.exeC:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata
MD5:
SHA256:
2996WScript.exeC:\Users\admin\AppData\Roaming\tnqalxuybs.logtext
MD5:F82FA95AF7C7711B7EB03038A3D7B92F
SHA256:E8A87BB31665AADBEDAAE5C3A0B3DB6346ABFEF5DE8ED8C9E9A04F708D398E61
2364powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:6073B6FC66D2E68644893344F6904E4A
SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
2364powershell.exeC:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl
MD5:
SHA256:
2364powershell.exeC:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl
MD5:
SHA256:
2364powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF247e87.TMPbinary
MD5:6073B6FC66D2E68644893344F6904E4A
SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
172.217.21.238:80
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info