File name: | 5.bat |
Full analysis: | https://app.any.run/tasks/cb31ce97-3bc8-4519-86a4-22480fec4174 |
Verdict: | Malicious activity |
Analysis date: | June 16, 2019, 05:23:05 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/x-msdos-batch |
File info: | DOS batch file, ASCII text, with CRLF line terminators |
MD5: | 8FEC728C50D4775ECB1E6490109052B1 |
SHA1: | 2E1A92A6671AEF7A5268A96FAED6DC191CD02417 |
SHA256: | A5AE9146FB009435A838109A4C9A688CB79601AF4127B84EB163BCEBC5EF0D4C |
SSDEEP: | 48:dJZk7y4qK3TweGaTweGORTeCBrTJWeG5TJe+NGjWF4cf/FHk:dwZqKjkykORTX8llsjGPHk |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
900 | cmd /c ""C:\Users\admin\Desktop\5.bat" " | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
932 | mshta vbscript:createobject("wscript.shell").run("""5.bat"" h",0)(window.close) | C:\Windows\system32\mshta.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2128 | cmd /c ""C:\Users\admin\Desktop\5.bat" h" | C:\Windows\system32\cmd.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1976 | C:\Windows\system32\cmd.exe /c dir h /a-d /b /s *.exe *.jpg *.doc *.rtf | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2384 | C:\Windows\system32\cmd.exe /c "dir /a/s/b/on *.exe *.jpg *.doc *.rtf" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3580 | rar.exe a -hppg7sww5yx1olfxg4gzjk8bvrymkaxr6bkqaklbww -df lucknum-zapr2q.rar 4.txt | C:\Users\admin\Desktop\Rar.exe | — | cmd.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: Command line RAR Exit code: 0 Version: 5.60.0 | ||||
2044 | more +1 1.txt | C:\Windows\system32\more.com | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: More Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1732 | more +1 2.txt | C:\Windows\system32\more.com | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: More Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1304 | more +1 3.txt | C:\Windows\system32\more.com | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: More Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
676 | rar.exe a -hptslgfbkj8 "hi7f0ies4.rar" "C:\Users\admin\Desktop\createjohn.jpg " | C:\Users\admin\Desktop\Rar.exe | — | cmd.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: Command line RAR Exit code: 0 Version: 5.60.0 |
(PID) Process: | (932) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (932) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2128 | cmd.exe | C:\Users\admin\Desktop\a.tmp | — | |
MD5:— | SHA256:— | |||
2128 | cmd.exe | C:\Users\admin\Desktop\4.txt | text | |
MD5:006E8D0C34E0D13A4CEB4D0575C9D696 | SHA256:976FC555211438FA405A8945CE5D7535A82C3827EA543C3F240120C5103EE90A | |||
2128 | cmd.exe | C:\Users\admin\Desktop\1.txt | text | |
MD5:C2A1D900422F1C4ADFEE8D6F293DED08 | SHA256:859453FB0BF7C19EBE0C9CB5EF663AF952CCA7428F02C37DB8335B1083A9840B | |||
2128 | cmd.exe | C:\Users\admin\Desktop\2.txt | text | |
MD5:9D103A042A8F2EDF1AED7A8959DBE651 | SHA256:F654E5DA0862A6B3159666F4238559313FAA45507BCEC1F9A53C30C003708170 | |||
2128 | cmd.exe | C:\Users\admin\Desktop\3.txt | text | |
MD5:6E52363A5EDC72D156AD1290B620AD7F | SHA256:34EEBCC81B27AB98276A8B8D4FDC3A7FA6B98BB068D37D186F6DA87805F40FDC | |||
676 | Rar.exe | C:\Users\admin\Desktop\hi7f0ies4.rar | compressed | |
MD5:B7FED3290D48605F8838408157D53CD0 | SHA256:D206718658BE16AB9440512BA2FCF668E3F3226B3B90DF7A6E4AF4E6096CB9D8 | |||
2128 | cmd.exe | C:\Users\admin\Desktop\5.txt | text | |
MD5:AECB1A396910FDF0993B309FD2BB1121 | SHA256:A659D78C9A1C2E37238D0E3C02488595A2DC00E36966C32401362873BBCA4E17 | |||
3580 | Rar.exe | C:\Users\admin\Desktop\lucknum-zapr2q.rar | compressed | |
MD5:F72D398E2576BCF156F5E97183C828CE | SHA256:315B6BF88193CE0D42BDAC6A7235845E7CAB3CCBE95E8C6B6E8E9301534AF1BB | |||
3972 | Rar.exe | C:\Users\admin\Desktop\6ppspwpvq.rar | compressed | |
MD5:93E7D9FE0C38D3E94F6CBCFA0A77C1FD | SHA256:A5F4ABBE4738DCD1258FE41379D05875AD004F56805D6086139B5DB528470E06 | |||
3584 | Rar.exe | C:\Users\admin\Desktop\ocfhlqebf.rar | compressed | |
MD5:C32A71E9D2FF21321A025A81B096716E | SHA256:477510BEE328D3B8D9CC4D4BCFBA78E74C19394E249E44FE6A4A0EE941B1F406 |