File name: script output.txt

Full analysis: https://app.any.run/tasks/722c11b6-ddae-4898-b767-4f6bad284d0c
Verdict: Malicious activity
Threats:

Ransomware

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: October 20, 2020, 13:18:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ransomware

Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: BD186764E800351F0511163CDED6FE3E
SHA1: 763D800002BA8B6E1FCE6AFB08B8CF54B98EC11E
SHA256: DED1D6BDEB2BD09C100A1CD7CC264573325C0542B1B82179E530607D4EC653E3
SSDEEP: 12288:cEgtxczJ38aRlFocpp7KGw+ixGaRBralt:4t4uSfbp7KGacazaH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 3932)
      • cmd.exe (PID: 4072)
      • cmd.exe (PID: 896)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2792)
      • schtasks.exe (PID: 1524)
      • schtasks.exe (PID: 2928)
    • Dropped file may contain instructions of ransomware

      • NOTEPAD.EXE (PID: 444)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 3896)
      • powershell.exe (PID: 3588)
      • powershell.exe (PID: 1776)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 3896)
    • PowerShell script executed

      • powershell.exe (PID: 3588)
    • Executes PowerShell scripts

      • powershell.exe (PID: 3588)
    • Application launched itself

      • powershell.exe (PID: 3588)
  • INFO

    • Manual execution by user

      • powershell.exe (PID: 3588)
      • explorer.exe (PID: 3744)
    • Dropped object may contain Bitcoin addresses

      • NOTEPAD.EXE (PID: 444)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 11
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process chain from the start node (each node is marked "no specs" in the report): notepad.exe, powershell.exe, powershell.exe, powershell.exe, cmd.exe, schtasks.exe, cmd.exe, schtasks.exe, cmd.exe, schtasks.exe, explorer.exe

Process information

PID: 444
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\script output.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3588
CMD: "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
Path: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1776
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ".\script output.ps!"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3896
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .\script.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 896
CMD: "C:\Windows\system32\cmd.exe" /C schtasks /create /xml C:\Windows\SystemApps\Microsoft.Windows.Defender_cw5n1h2txyewy\config.xml /tn "\Microsoft\Windows\Windows Defender\DefenderDefinitionsUpdate" /F
Path: C:\Windows\system32\cmd.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2928
CMD: schtasks /create /xml C:\Windows\SystemApps\Microsoft.Windows.Defender_cw5n1h2txyewy\config.xml /tn "\Microsoft\Windows\Windows Defender\DefenderDefinitionsUpdate" /F
Path: C:\Windows\system32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3932
CMD: "C:\Windows\system32\cmd.exe" /C schtasks /run /tn "\Microsoft\Windows\Windows Defender\DefenderDefinitionsUpdate"
Path: C:\Windows\system32\cmd.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1524
CMD: schtasks /run /tn "\Microsoft\Windows\Windows Defender\DefenderDefinitionsUpdate"
Path: C:\Windows\system32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 4072
CMD: "C:\Windows\system32\cmd.exe" /C schtasks /create /xml C:\Windows\SystemApps\Microsoft.Windows.Defender_cw5n1h2txyewy\config2.xml /tn "\Microsoft\Windows\Windows Defender\ClearOutdatedUpdates" /F
Path: C:\Windows\system32\cmd.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2792
CMD: schtasks /create /xml C:\Windows\SystemApps\Microsoft.Windows.Defender_cw5n1h2txyewy\config2.xml /tn "\Microsoft\Windows\Windows Defender\ClearOutdatedUpdates" /F
Path: C:\Windows\system32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 265
Read events: 1 027
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 6
Text files: 1
Unknown types: 0

Dropped files

PID: 3588
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6AQQ3DYFD0EOLPSDJ0UX.temp
Type: (empty in report)
MD5: (empty in report)
SHA256: (empty in report)

PID: 1776
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SDATN7RHT881ORJ22PWL.temp
Type: (empty in report)
MD5: (empty in report)
SHA256: (empty in report)

PID: 3896
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3QWQYXAHTHJGG8MROUVF.temp
Type: (empty in report)
MD5: (empty in report)
SHA256: (empty in report)

PID: 3588
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: 749E25FBF5466346CFB846A90C7DCEC6
SHA256: 8392FD3B933C6B78F946337D3F4AD08D554943B7B17C089182BD12908A6F796B

PID: 1776
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: F17FB243611FC8D2B382ABB444B83A98
SHA256: B95F5437F7563958532D6FE5A6A4E471D1E48F06445CD5611E0B6BC977C67869

PID: 3896
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: F17FB243611FC8D2B382ABB444B83A98
SHA256: B95F5437F7563958532D6FE5A6A4E471D1E48F06445CD5611E0B6BC977C67869

PID: 444
Process: NOTEPAD.EXE
Filename: C:\Users\admin\Desktop\script output.txt
Type: text
MD5: BD186764E800351F0511163CDED6FE3E
SHA256: DED1D6BDEB2BD09C100A1CD7CC264573325C0542B1B82179E530607D4EC653E3

PID: 3896
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF139657.TMP
Type: binary
MD5: F17FB243611FC8D2B382ABB444B83A98
SHA256: B95F5437F7563958532D6FE5A6A4E471D1E48F06445CD5611E0B6BC977C67869

PID: 3588
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF12fe9c.TMP
Type: binary
MD5: 749E25FBF5466346CFB846A90C7DCEC6
SHA256: 8392FD3B933C6B78F946337D3F4AD08D554943B7B17C089182BD12908A6F796B

PID: 1776
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1332db.TMP
Type: binary
MD5: F17FB243611FC8D2B382ABB444B83A98
SHA256: B95F5437F7563958532D6FE5A6A4E471D1E48F06445CD5611E0B6BC977C67869
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info