| File name: | 1.bat |
| Full analysis: | https://app.any.run/tasks/795c3031-1964-4684-babf-d6d89ca80e2e |
| Verdict: | Malicious activity |
| Analysis date: | July 19, 2023, 07:05:05 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | text/plain |
| File info: | Little-endian UTF-16 Unicode text, with very long lines, with no line terminators |
| MD5: | 4B2794840B114BE5011DA81AD4C462D8 |
| SHA1: | 66CF9461EFA6FB1E55AF037515121D2A856670AC |
| SHA256: | 60DBAED2358A02ED2102CC2158C05FCE9BBA87674D68F1114198423BD8460A93 |
| SSDEEP: | 192:JhSy/Ogy0+OPN3b9h5gIZpiuhHA9waK+FJYY9gUeYzUEo1UfUu:JhSy/Ogy0+OPN3b1gBuRAzKEJD6G |
MALICIOUS
No malicious indicators.SUSPICIOUS
Starts CMD.EXE for commands execution
- cmd.exe (PID: 3296)
Application launched itself
- cmd.exe (PID: 3296)
Executing commands from a ".bat" file
- cmd.exe (PID: 3296)
INFO
The process checks LSA protection
- notepad++.exe (PID: 2096)
Creates files in the program directory
- cmd.exe (PID: 3296)
Manual execution by a user
- notepad++.exe (PID: 2096)
- notepad.exe (PID: 3016)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .txt | | | Text - UTF-16 (LE) encoded (66.6) |
|---|---|---|
| .mp3 | | | MP3 audio (33.3) |
Total processes
46
Monitored processes
7
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2096 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\1.bat" | C:\Program Files\Notepad++\notepad++.exe | explorer.exe | ||||||||||||
User: admin Company: Don HO don.h@free.fr Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Exit code: 0 Version: 7.91 Modules
| |||||||||||||||
| 3016 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\1.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3296 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\1.bat" " | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3480 | cmd.exe /c C:\ProgramData\2.bat" | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3596 | cmd.exe /c C:\ProgramData\2.bat" | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3856 | cmd.exe /c C:\ProgramData\sett.bat" | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3932 | cmd.exe /c C:\ProgramData\7z.bat" | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
866
Read events
824
Write events
41
Delete events
1
Modification events
| (PID) Process: | (2096) notepad++.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2096) notepad++.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | NodeSlots |
Value: 0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202 | |||
| (PID) Process: | (2096) notepad++.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | MRUListEx |
Value: 07000000020000000C000000000000000B000000010000000D000000060000000A0000000900000008000000030000000500000004000000FFFFFFFF | |||
| (PID) Process: | (2096) notepad++.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy |
| Operation: | write | Name: | MRUListEx |
Value: 0100000000000000FFFFFFFF | |||
| (PID) Process: | (2096) notepad++.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\* |
| Operation: | write | Name: | MRUListEx |
Value: 06000000050000000400000003000000020000000100000000000000FFFFFFFF | |||
| (PID) Process: | (2096) notepad++.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU |
| Operation: | delete value | Name: | 4 |
Value: 6E006F00740065007000610064002B002B002E006500780065000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000D010000A3000000400300003F02000000000000000000000000000000000000000000000000000000000000000000000100000000000000 | |||
| (PID) Process: | (2096) notepad++.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU |
| Operation: | write | Name: | MRUListEx |
Value: 00000000030000000200000001000000FFFFFFFF | |||
| (PID) Process: | (2096) notepad++.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} |
| Operation: | write | Name: | Mode |
Value: 6 | |||
| (PID) Process: | (2096) notepad++.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} |
| Operation: | write | Name: | LogicalViewMode |
Value: 2 | |||
| (PID) Process: | (2096) notepad++.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} |
| Operation: | write | Name: | FFlags |
Value: 1 | |||
Executable files
0
Suspicious files
0
Text files
9
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3296 | cmd.exe | C:\ProgramData\sett.bat | text | |
MD5:FAB8A5386FCBD88D6DBF18910A809D45 | SHA256:17A225F29D266A241915590A9556C66E923E48473836CA69B6A28F21DB7A19C2 | |||
| 3296 | cmd.exe | C:\ProgramData\2.bat | text | |
MD5:531BCB4DB878A3C7D1F573319BAE9354 | SHA256:B0008D65A2522F3E9DF20F08DCBC898B67C60752FB52054494B3A07125551EB0 | |||
| 3296 | cmd.exe | C:\Users\admin\AppData\Local\Temp\b3.vbs | text | |
MD5:A883AA8226B7A6328633EB161B7EFB85 | SHA256:EE218F8B91B270886DC87064F014AC734E0E80EC87214DCF149B436CCFA8B9DA | |||
| 3296 | cmd.exe | C:\ProgramData\7z.bat | text | |
MD5:7063F82F4E6D276C0B637974F321DF67 | SHA256:4A89DF9CD6D795717F9A1D5D41D28AC8A524F67F7B0FFF9587665702F2505F7C | |||
| 3296 | cmd.exe | C:\Users\admin\AppData\Local\Temp\b1.vbs | text | |
MD5:A883AA8226B7A6328633EB161B7EFB85 | SHA256:EE218F8B91B270886DC87064F014AC734E0E80EC87214DCF149B436CCFA8B9DA | |||
| 3296 | cmd.exe | C:\Users\admin\AppData\Local\Temp\b2.vbs | text | |
MD5:A883AA8226B7A6328633EB161B7EFB85 | SHA256:EE218F8B91B270886DC87064F014AC734E0E80EC87214DCF149B436CCFA8B9DA | |||
| 2096 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\config.xml | xml | |
MD5:640F164B8C71B030F9EEFD5BAD98B146 | SHA256:A514644C103445C5C54C3E7A3ED53EE3AD3213E0EF2F047E8C07A6C334C3BF6D | |||
| 2096 | notepad++.exe | C:\Users\admin\Desktop\1.txt | text | |
MD5:75D4E4DDDF8C6CD65DA27B9A0E7BF1BA | SHA256:678F6087F0E973457051BB13184EAC791C68F32203D121E5256325DF83600AF1 | |||
| 2096 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\session.xml | text | |
MD5:5AF19D067228E5E4E0D91E1D7DEAF3F4 | SHA256:C1A215D27FFB0FB49CB1490D6CD1B47922C3ED519F1F1AE2C3695937FCC3A2EC | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2640 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
DNS requests
Threats
Process | Message |
|---|---|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
|