File name: MAS_AIO.cmd

Full analysis: https://app.any.run/tasks/0e8327a3-4f58-4b00-94b2-b348e6ffc742
Verdict: Malicious activity
Analysis date: October 19, 2023, 07:08:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with very long lines, with CRLF line terminators
MD5: 39FDABF84EDBDA37412FE76E8167376B
SHA1: 401EA2A62CBED59C2A2D992B97822C388233931F
SHA256: 08838F181A502B6738C8776F71FBC47512E46F401C1F02DA7C9C5737D9432211
SSDEEP: 3072:c1j34REl7N/VPyueR/iNiYDdYd3MPfsavJbJuAMTVFp6zGDNSCE2K0xOuW7EOGJ9:gvFQueR6TudUbJu9p6zGDNS0KgOu6m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the Internet Settings

      • powershell.exe (PID: 1824)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 2100)
      • cmd.exe (PID: 1432)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 1432)
      • cmd.exe (PID: 2100)
    • Application launched itself

      • cmd.exe (PID: 1432)
      • cmd.exe (PID: 2100)
    • Executing commands from ".cmd" file

      • cmd.exe (PID: 1432)
      • powershell.exe (PID: 1824)
      • cmd.exe (PID: 2100)
    • Powershell version downgrade attack

      • powershell.exe (PID: 1824)
      • powershell.exe (PID: 2696)
      • powershell.exe (PID: 1248)
      • powershell.exe (PID: 3188)
      • powershell.exe (PID: 3372)
      • powershell.exe (PID: 328)
      • powershell.exe (PID: 3940)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1432)
      • cmd.exe (PID: 2100)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2100)
      • powershell.exe (PID: 1824)
      • cmd.exe (PID: 1432)
  • INFO

    • Manual execution by a user

      • wmpnscfg.exe (PID: 3160)
      • cmd.exe (PID: 1432)
      • explorer.exe (PID: 3596)
    • Reads the computer name

      • wmpnscfg.exe (PID: 3160)
    • Checks supported languages

      • wmpnscfg.exe (PID: 3160)
      • mode.com (PID: 2200)
      • mode.com (PID: 3632)
      • mode.com (PID: 3424)
      • mode.com (PID: 1140)
    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 3160)
    • Checks operating system version

      • cmd.exe (PID: 2100)
      • cmd.exe (PID: 1432)
No Malware configuration.

TRiD

.bib/bibtex/txt | BibTeX references (100)
No data.
All screenshots are available in the full report
Total processes: 103
Monitored processes: 61
Malicious processes: 9
Suspicious processes: 0

Behavior graph

(Interactive process graph, not reproduced here. Processes shown: rundll32.exe, wmpnscfg.exe, cmd.exe, sc.exe, find.exe, findstr.exe, fltmc.exe, powershell.exe, reg.exe, ping.exe, mode.com, choice.exe, explorer.exe.)

Process information

(Columns: PID, CMD, Path, Indicators, Parent process)
PID: 120
CMD: find "127.69.2.3"
Path: C:\Windows\System32\find.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (grep) Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\ulib.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
PID: 328
CMD: powershell.exe write-host -back '"Red"' -fore '"white"' '"==== ERROR ===="'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 852
CMD: C:\Windows\system32\cmd.exe /c ver
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\cmd.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
PID: 1044
CMD: C:\Windows\system32\cmd.exe /c ver
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1140
CMD: find /i "/"
Path: C:\Windows\System32\find.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (grep) Utility
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\ulib.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1140
CMD: mode 76, 30
Path: C:\Windows\System32\mode.com
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: DOS Device MODE Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\mode.com
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
PID: 1248
CMD: powershell.exe write-host -back '"Red"' -fore '"white"' '"==== ERROR ===="'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 1432
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\MAS_AIO.cmd" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\winbrand.dll
PID: 1432
CMD: C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\winbrand.dll
PID: 1480
CMD: C:\Windows\system32\cmd.exe /c ver
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
Total events: 9 258
Read events: 8 869
Write events: 386
Delete events: 3

Modification events

Process: wmpnscfg.exe (PID 3160)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{8465B67A-2289-41DA-915B-FD0873E77922}\{7D0EC15D-73D5-4D6A-8623-3BA4A7343382}
Operation: delete key
Name: (default)
Value:

Process: wmpnscfg.exe (PID 3160)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{8465B67A-2289-41DA-915B-FD0873E77922}
Operation: delete key
Name: (default)
Value:

Process: wmpnscfg.exe (PID 3160)
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{BF8CE93F-19E2-4D7C-9D14-992E6A75265C}
Operation: delete key
Name: (default)
Value:

Process: powershell.exe (PID 1824)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: powershell.exe (PID 1824)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: powershell.exe (PID 1824)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: powershell.exe (PID 1824)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: powershell.exe (PID 1824)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: powershell.exe (PID 2696)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: powershell.exe (PID 3372)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
Executable files: 0
Suspicious files: 22
Text files: 1
Unknown types: 0

Dropped files

(Columns: PID, Process, Filename, Type)
PID 2100, cmd.exe: C:\Windows\Temp\`.txt (text)
MD5: C48DE30A6D93DE10929A00F17D725A24
SHA256: 96BA30BF853B79CD26E5399DB76DEF0F6BE3C936FC1263232937FBC8A0C8C5B5

PID 1824, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (binary)
MD5: CAEA3B1F09925DA2A47C2B8B890AB890
SHA256: 66F29B00CBB7B1DED878F96AAC6F52907C088DE194A1FD0CD6E1FF1916047549

PID 1824, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1f1db2.TMP (binary)
MD5: CAEA3B1F09925DA2A47C2B8B890AB890
SHA256: 66F29B00CBB7B1DED878F96AAC6F52907C088DE194A1FD0CD6E1FF1916047549

PID 3372, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZGVB3VQCTIQ3K1TGZ8BF.temp (binary)
MD5: CAEA3B1F09925DA2A47C2B8B890AB890
SHA256: 66F29B00CBB7B1DED878F96AAC6F52907C088DE194A1FD0CD6E1FF1916047549

PID 2696, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (binary)
MD5: CAEA3B1F09925DA2A47C2B8B890AB890
SHA256: 66F29B00CBB7B1DED878F96AAC6F52907C088DE194A1FD0CD6E1FF1916047549

PID 2100, cmd.exe: C:\Windows\Temp\' (binary)
MD5: 5058F1AF8388633F609CADB75A75DC9D
SHA256:

PID 2696, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1f503c.TMP (binary)
MD5: CAEA3B1F09925DA2A47C2B8B890AB890
SHA256: 66F29B00CBB7B1DED878F96AAC6F52907C088DE194A1FD0CD6E1FF1916047549

PID 2696, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UE5AJJM3PP2IYTRWG4IE.temp (binary)
MD5: CAEA3B1F09925DA2A47C2B8B890AB890
SHA256: 66F29B00CBB7B1DED878F96AAC6F52907C088DE194A1FD0CD6E1FF1916047549

PID 1248, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1f7ece.TMP (binary)
MD5: CAEA3B1F09925DA2A47C2B8B890AB890
SHA256: 66F29B00CBB7B1DED878F96AAC6F52907C088DE194A1FD0CD6E1FF1916047549

PID 1824, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GSRY4XY74CMOOE55Y12V.temp (binary)
MD5: CAEA3B1F09925DA2A47C2B8B890AB890
SHA256: 66F29B00CBB7B1DED878F96AAC6F52907C088DE194A1FD0CD6E1FF1916047549
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted

DNS requests

Domain | IP | Reputation
updatecheck.massgrave.dev | 127.69.2.3 | unknown

Threats

No threats detected
No debug info