analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

DRAGON_TWEAKER_V3.bat

Full analysis: https://app.any.run/tasks/a950d11c-6f3b-4c7b-b9ef-1e2d379b04c2
Verdict: Malicious activity
Analysis date: July 12, 2020, 22:11:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

7DF696BC3706FBD34309ED52D82A643B

SHA1:

9D189F4B672C344B78CF0EAD3A1DDA1A0E0FD50E

SHA256:

65BE96447511DDFA660B92344161E404186392532617A35529980A292DD560D2

SSDEEP:

192:Zsqc7g760hOU5Mpcm2+QAPideBYpqV4/cOnM/oqSg2GtZjFqA1CXsoh:OJ7wpEcm2+QA2x0PotRNXsoh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3268)
    • Turns off the firewall via NETSH.EXE

      • cmd.exe (PID: 3268)
  • SUSPICIOUS

    • Uses IPCONFIG.EXE to discover IP address

      • cmd.exe (PID: 3268)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3268)
    • Application launched itself

      • cmd.exe (PID: 3268)
    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 3268)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3268)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
238
Monitored processes
205
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe mode.com no specs cmd.exe no specs ping.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs ipconfig.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs ping.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3268cmd /c ""C:\Users\admin\AppData\Local\Temp\DRAGON_TWEAKER_V3.bat" "C:\Windows\system32\cmd.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1380mode con cols=110 lines=25C:\Windows\system32\mode.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
DOS Device MODE Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2644C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2840ping 127.0.0.1 -n 3 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3468findstr /v /a:0b /R "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; " [" nulC:\Windows\system32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4064findstr /v /a:04 /R "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; "D" nulC:\Windows\system32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2184findstr /v /a:0b /R "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; "] " nulC:\Windows\system32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
888findstr /v /a:0b /R "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; " [" nulC:\Windows\system32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2828findstr /v /a:04 /R "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; "R" nulC:\Windows\system32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3204findstr /v /a:0b /R "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; "] " nulC:\Windows\system32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 731
Read events
104
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
9
Unknown types
0

Dropped files

PID
Process
Filename
Type
3268cmd.exeC:\Users\admin\AppData\Local\Temp\ [
MD5:
SHA256:
3268cmd.exeC:\Users\admin\AppData\Local\Temp\D
MD5:
SHA256:
3268cmd.exeC:\Users\admin\AppData\Local\Temp\]
MD5:
SHA256:
3268cmd.exeC:\Users\admin\AppData\Local\Temp\ [
MD5:
SHA256:
3268cmd.exeC:\Users\admin\AppData\Local\Temp\R
MD5:
SHA256:
3268cmd.exeC:\Users\admin\AppData\Local\Temp\A
MD5:
SHA256:
3268cmd.exeC:\Users\admin\AppData\Local\Temp\G
MD5:
SHA256:
3268cmd.exeC:\Users\admin\AppData\Local\Temp\O
MD5:
SHA256:
3268cmd.exeC:\Users\admin\AppData\Local\Temp\N
MD5:
SHA256:
3268cmd.exeC:\Users\admin\AppData\Local\Temp\ [
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
Process
Message
cmd.exe
Invalid parameter passed to C runtime function.