analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | 1.bat |
| Full analysis: | https://app.any.run/tasks/a3c4e4b8-4d77-48f1-8be9-690bb93e5980 |
| Verdict: | Malicious activity |
| Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
| Analysis date: | October 22, 2019, 18:27:55 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/x-msdos-batch |
| File info: | DOS batch file, ISO-8859 text, with CRLF line terminators |
| MD5: | 7D108D936DFD3B74B9EC8C9FDDF7586E |
| SHA1: | 5B24191F619AD83BAA9676E11047693E36EDA394 |
| SHA256: | 65F16463298085AAF9B69C70409AEC763148107E76492E65B1ABE53539570E4A |
| SSDEEP: | 49152:ZvW0Ic0kzeWKnCBKgtDuv7zTfLVkr+CwdeBNTp7T3jHKRBkU2FF4nj8XRbsYii0J:ZjzeVCm |
MALICIOUS
Renames files like Ransomware
- cmd.exe (PID: 3964)
Actions looks like stealing of personal data
- cmd.exe (PID: 3964)
Writes file to Word startup folder
- cmd.exe (PID: 3964)
Writes to a start menu file
- cmd.exe (PID: 3964)
Modifies files in Chrome extension folder
- cmd.exe (PID: 3964)
SUSPICIOUS
Starts CMD.EXE for commands execution
- mshta.exe (PID: 856)
Starts MSHTA.EXE for opening HTA or HTMLS files
- cmd.exe (PID: 3288)
Creates files like Ransomware instruction
- certutil.exe (PID: 2204)
Executable content was dropped or overwritten
- certutil.exe (PID: 2204)
- cmd.exe (PID: 3964)
Creates files in the program directory
- cmd.exe (PID: 3964)
Starts CertUtil for decode files
- cmd.exe (PID: 3964)
Executes scripts
- cmd.exe (PID: 3964)
Uses REG.EXE to modify Windows registry
- cmd.exe (PID: 3964)
Creates files in the user directory
- cscript.exe (PID: 3980)
- vlc.exe (PID: 3140)
- cmd.exe (PID: 3964)
Creates files in the Windows directory
- cmd.exe (PID: 3964)
Changes the desktop background image
- reg.exe (PID: 2456)
Uses RUNDLL32.EXE to load library
- cmd.exe (PID: 3964)
INFO
Manual execution by user
- cmd.exe (PID: 3288)
Reads internet explorer settings
- mshta.exe (PID: 856)
Dropped object may contain Bitcoin addresses
- cmd.exe (PID: 3964)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .bib/bibtex/txt | | | BibTeX references (100) |
|---|
Total processes
66
Monitored processes
23
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3868 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\1.bat.bib | C:\Windows\system32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 3288 | cmd /c ""C:\Users\admin\Desktop\1.bat" " | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 856 | mshta vbscript:createobject("wscript.shell").run("""1.bat"" h",0)(window.close) | C:\Windows\system32\mshta.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
| 3964 | cmd /c ""C:\Users\admin\Desktop\1.bat" h" | C:\Windows\system32\cmd.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 2692 | certutil -encode "billartists.png.cxkdata" "billartists.png.cxkdata.cxk_nmsl" | C:\Windows\system32\certutil.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 1876 | certutil -encode "calledpublic.rtf.cxkdata" "calledpublic.rtf.cxkdata.cxk_nmsl" | C:\Windows\system32\certutil.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2700 | certutil -encode "carejob.jpg.cxkdata" "carejob.jpg.cxkdata.cxk_nmsl" | C:\Windows\system32\certutil.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2092 | certutil -encode "connectjanuary.png.cxkdata" "connectjanuary.png.cxkdata.cxk_nmsl" | C:\Windows\system32\certutil.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 3028 | certutil -encode "exchangecity.rtf.cxkdata" "exchangecity.rtf.cxkdata.cxk_nmsl" | C:\Windows\system32\certutil.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 1096 | certutil -encode "lgeorge.jpg.cxkdata" "lgeorge.jpg.cxkdata.cxk_nmsl" | C:\Windows\system32\certutil.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
Total events
943
Read events
932
Write events
11
Delete events
0
Modification events
| (PID) Process: | (856) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (856) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (3980) cscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (3980) cscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (3980) cscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum |
| Operation: | write | Name: | Implementing |
Value: 1C00000001000000E3070A000200160012001E001000250300000000 | |||
| (PID) Process: | (2456) reg.exe | Key: | HKEY_CURRENT_USER\Control Panel\Desktop |
| Operation: | write | Name: | Wallpaper |
Value: C:\Users\admin\AppData\Roaming\wallpaper.jpg | |||
Executable files
1 088
Suspicious files
1
Text files
469
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3964 | cmd.exe | C:\Users\admin\Desktop\1.bat.cxkdata | — | |
MD5:— | SHA256:— | |||
| 3964 | cmd.exe | C:\Users\admin\Desktop\1.bat | — | |
MD5:— | SHA256:— | |||
| 3964 | cmd.exe | C:\Users\admin\Desktop\connectjanuary.png.cxkdata | image | |
MD5:A9C60496B7C5BF9E4BE9A696B7466382 | SHA256:836B55474B47EC50AA455AFBF573F0760F89F40733AB8E0D7E580360CB9D0C36 | |||
| 2092 | certutil.exe | C:\Users\admin\Desktop\connectjanuary.png.cxkdata.cxk_nmsl | text | |
MD5:2700FC73C91A52B4CBE49F9DA4D1FEFC | SHA256:F83ECEC67236C0ED1DD0FE6F4A604EEF9825A49F1339A2F4ED0437F6FE4CF92F | |||
| 3964 | cmd.exe | C:\Users\admin\Desktop\longprevious.rtf.cxkdata | text | |
MD5:88B58130D32A44D5F22D978A250688D3 | SHA256:8F14D33C4D608751EAD89D397EE9231EE488AAA136F0C9759E4BF6B614E16B91 | |||
| 3964 | cmd.exe | C:\Users\admin\Desktop\minichild.rtf.cxkdata | text | |
MD5:1116E9E7EF409733E25F15473692B635 | SHA256:507B3EBB473666A223314BAC0BFB12A5E20EE68F158AEDD10975EB2C76C54E67 | |||
| 1876 | certutil.exe | C:\Users\admin\Desktop\calledpublic.rtf.cxkdata.cxk_nmsl | text | |
MD5:39526B00D3E0BE91BFC8AE3F817F07AD | SHA256:0FD96999E460F35F6BFB9DF119AC281F1A15348345D98E6A38B396B013C45D5C | |||
| 3964 | cmd.exe | C:\Users\admin\Desktop\calledpublic.rtf.cxkdata | text | |
MD5:528EEC40AD4537094610239D8154BC4E | SHA256:4BBA7B74CD579BEAB622A5A4D4A8F214BA681A1CBD2C7409557D80A9FED19437 | |||
| 2700 | certutil.exe | C:\Users\admin\Desktop\carejob.jpg.cxkdata.cxk_nmsl | text | |
MD5:CD856182BCA7F7F1D75D69CAA8DCC510 | SHA256:428D39FEE61B016A21C3383D51F623495E0CA3C5ACE040471B01F5075206D1D9 | |||
| 3964 | cmd.exe | C:\Users\admin\Desktop\locatedtexas.jpg.cxkdata | image | |
MD5:DE2134E5B075AAACB8EBD0DCA6F1281F | SHA256:D66440C8BF817C295C3ADF1BE1A33EF17EACBAC32370F9A2F83E84B40C0A5B98 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
DNS requests
Threats
Process | Message |
|---|---|
vlc.exe | core libvlc: one instance mode ENABLED
|
vlc.exe | core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
|
vlc.exe | core stream error: cannot pre fill buffer
|
vlc.exe | core input error: ES_OUT_SET_(GROUP_)PCR is called too late (pts_delay increased to 300 ms)
|
vlc.exe | core input error: ES_OUT_RESET_PCR called
|
vlc.exe | mpgatofixed32 audio converter error: libmad error: bad main_data_begin pointer
|