File name: | 5.bat |
Full analysis: | https://app.any.run/tasks/cba1602a-e179-457d-90ff-ec5142d73ce9 |
Verdict: | Malicious activity |
Analysis date: | June 16, 2019, 05:11:36 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/x-msdos-batch |
File info: | DOS batch file, ASCII text, with CRLF line terminators |
MD5: | 0CA94AB4D9D1911BFAA7EEFC5446788F |
SHA1: | 98650B9AF5DC7979BE07FBFA375ADD6369DF73BC |
SHA256: | 3BA12887AAD56642A691CC434E6432E2638F9DA8E77543EC8A24277E1BE73C4D |
SSDEEP: | 48:dJZk7y4qK9TweGaTweGOveCBrTJWeG5TJe+NGjWF4cf/FHk:dwZqKZkykOvX8llsjGPHk |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1252 | cmd /c ""C:\Users\admin\AppData\Local\Temp\5.bat" " | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2748 | mshta vbscript:createobject("wscript.shell").run("""5.bat"" h",0)(window.close) | C:\Windows\system32\mshta.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2976 | cmd /c ""C:\Users\admin\AppData\Local\Temp\5.bat" h" | C:\Windows\system32\cmd.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3560 | C:\Windows\system32\cmd.exe /c dir h /a-d /b /s *.exe *.jpg | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3620 | C:\Windows\system32\cmd.exe /c "dir /a/s/b/on *.exe *.jpg" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2296 | rar.exe a -hpten72qr111fwm8j528osy7j6zpzmpf9m1rt7oyax -df lucknum-iaq3f2.rar 4.txt | C:\Users\admin\AppData\Local\Temp\Rar.exe | — | cmd.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: Command line RAR Exit code: 0 Version: 5.60.0 | ||||
3644 | more +1 1.txt | C:\Windows\system32\more.com | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: More Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3676 | more +1 2.txt | C:\Windows\system32\more.com | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: More Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3216 | more +1 3.txt | C:\Windows\system32\more.com | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: More Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2908 | rar.exe a -hpbgjt5adsv "rfzuiy241.rar" "C:\Users\admin\AppData\Local\Temp\Rar.exe " | C:\Users\admin\AppData\Local\Temp\Rar.exe | — | cmd.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 |
(PID) Process: | (2748) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2748) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2976 | cmd.exe | C:\Users\admin\AppData\Local\Temp\5.txt | text | |
MD5:85ECB7D6A87B61039AC13C1FB7E480AC | SHA256:28217B2ACC31324B4AE89041C921474B5E92E4EFE1935B5D9025E8A215D798B0 | |||
2976 | cmd.exe | C:\Users\admin\AppData\Local\Temp\4.txt | text | |
MD5:567EA775166A5E6430609CD153D5D3C1 | SHA256:68979778C035E27C77A9C4AD92FBCAEC5873E406E6B762156FE5A8735602ED98 | |||
2296 | Rar.exe | C:\Users\admin\AppData\Local\Temp\lucknum-iaq3f2.rar | compressed | |
MD5:47AA02E7B3B7CE7F1A34A3B638662B6F | SHA256:0A354E5E6C16CC0DA9D42EDD2ADCEDCC012031C60FBB779595220C4B2DD74F13 | |||
2976 | cmd.exe | C:\Users\admin\AppData\Local\Temp\1.txt | text | |
MD5:306634B0172F81CD1B2A85FEAC1DF349 | SHA256:353029B161883850507C72B6A0841E7EA88C50032471EAB2DB1C39103AD31E39 | |||
2976 | cmd.exe | C:\Users\admin\AppData\Local\Temp\2.txt | text | |
MD5:A0A990E9842937A5A3FFF94A122B5549 | SHA256:7E0CA693E7545F34CEA0B3BE3E331BA7DF649ECDA9590A0D19FC659D2DA55B85 | |||
2976 | cmd.exe | C:\Users\admin\AppData\Local\Temp\3.txt | text | |
MD5:F543E4C2BECABAC24C0A0D2CF5873EEA | SHA256:6B0E5C20D4D0D69574C1BD64BA02C7B212A8BA6D2457E917D9114E98600A8253 | |||
2908 | Rar.exe | C:\Users\admin\AppData\Local\Temp\rfzuiy241.rar | compressed | |
MD5:D4099DAB54321D1F232156DC019E8B1D | SHA256:BFCC6552D87B0FABF8BEF9247DFAE54144481406E2B6B1CEE69F0DAC5110AFE6 | |||
2748 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\error[1] | html | |
MD5:16AA7C3BEBF9C1B84C9EE07666E3207F | SHA256:7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754 | |||
2976 | cmd.exe | C:\Users\admin\AppData\Local\Temp\Rar.exe | executable | |
MD5:FD5EFD73394BA1B411C356FA849BF3F1 | SHA256:8014C516D154A6E17FDF3C40806B775F75B21E18E4047BF1D898A072EE4E3311 |