File name:

1U1BU_Donotrunme.bat

Full analysis: https://app.any.run/tasks/6c940876-a34a-47c7-b44a-8ba336aa90d7
Verdict: Malicious activity
Analysis date: December 13, 2024, 21:55:31
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with CRLF line terminators
MD5:

A4E4B7B3C75C041658836CE71010E43C

SHA1:

3B71D1E219BDE2F97D131592FE6CB3364850FB0A

SHA256:

92B6A564FDF9E056D3EA53E7FFAB933A3E2610CC4B0F5F5BD72A345908C0C3DF

SSDEEP:

48:2Im3l9/LDwU/JIDnmfj8OJY+37B2TlC3RrqjZFFUxdi0bYDXMwuv7wrPxxAmGS:aLEUJIDK8OYG74Ikj1qTw1uS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Deletes shadow copies

      • cmd.exe (PID: 3612)

    • Create files in the Startup directory

      • cmd.exe (PID: 3612)

  • SUSPICIOUS

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3612)

    • Uses NETSH.EXE to change the status of the firewall

      • cmd.exe (PID: 3612)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3612)

    • Application launched itself

      • cmd.exe (PID: 3612)

    • The system shut down or reboot

      • cmd.exe (PID: 3612)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 3612)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
164
Monitored processes
46
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs notepad.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs conhost.exe no specs vssadmin.exe no specs netsh.exe no specs cmd.exe no specs cmd.exe no specs attrib.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs cipher.exe no specs attrib.exe no specs shutdown.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3612C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\1U1BU_Donotrunme.bat" "C:\Windows\System32\cmd.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
3608\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5712cmd.exe /c "exit"C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
5008\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5604notepad.exe C:\Windows\System32\notepad.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
1073807364
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
2676reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
5320reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
5740cmd.exe C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225786
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\wldp.dll
2440reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MaliciousProgram" /t REG_SZ /d "C:\Users\admin\AppData\Roaming\hidden_process.bat" /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
5576\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
1 375
Read events
1 374
Write events
1
Delete events
0

Modification events

(PID) Process:(2440) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:MaliciousProgram
Value:
C:\Users\admin\AppData\Roaming\hidden_process.bat
Executable files
1
Suspicious files
0
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
3612cmd.exeC:\Users\admin\Desktop\Fake_Shortcut.urltext
MD5:6B2ACB5DA930B408E1ADD6D7B794EAD7
SHA256:98A1D62E94AEDDCF26A30D0B356B0B48DFDFF0A09FFF298E716F789070BE2479
3612cmd.exeC:\Users\admin\AppData\Roaming\hidden_process.battext
MD5:73BF5980F27931716AFD01764EBDE901
SHA256:57D3A94BAAB67674EAD66C967EE24BD2F6C0435E541CBE2955F69700B9138597
3612cmd.exeC:\Users\admin\Documents\Harmful_File.vbstext
MD5:8777F010746D4DF021E355EF9C68B651
SHA256:0F8B8991AD0AA4030619A349B0BC48D1DB802C9B6091A5F403B379B4C7BB49D0
3612cmd.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malicious_script.battext
MD5:A4E4B7B3C75C041658836CE71010E43C
SHA256:92B6A564FDF9E056D3EA53E7FFAB933A3E2610CC4B0F5F5BD72A345908C0C3DF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
22
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.32.238.153:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.215.121.133:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2624
svchost.exe
GET
200
23.32.238.153:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2624
svchost.exe
GET
200
23.215.121.133:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
204
2.19.80.27:443
https://www.bing.com/threshold/xls.aspx
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2624
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2624
svchost.exe
23.32.238.153:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.32.238.153:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2624
svchost.exe
23.215.121.133:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.215.121.133:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3976
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 23.32.238.153
  • 2.19.198.75
  • 2.19.198.43
  • 23.32.238.90
  • 23.32.238.97
  • 23.32.238.115
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
www.microsoft.com
  • 23.215.121.133
whitelisted
www.bing.com
  • 2.23.209.133
  • 2.23.209.130
  • 2.23.209.182
  • 2.23.209.140
  • 2.23.209.149
whitelisted
self.events.data.microsoft.com
  • 20.42.73.25
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
1U1BU_Donotrunme.bat