File name: 5.bat

Full analysis: https://app.any.run/tasks/cb31ce97-3bc8-4519-86a4-22480fec4174
Verdict: Malicious activity
Analysis date: June 16, 2019, 05:23:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with CRLF line terminators
MD5: 8FEC728C50D4775ECB1E6490109052B1
SHA1: 2E1A92A6671AEF7A5268A96FAED6DC191CD02417
SHA256: A5AE9146FB009435A838109A4C9A688CB79601AF4127B84EB163BCEBC5EF0D4C
SSDEEP: 48:dJZk7y4qK3TweGaTweGORTeCBrTJWeG5TJe+NGjWF4cf/FHk:dwZqKjkykORTX8llsjGPHk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Rar.exe (PID: 676)
      • Rar.exe (PID: 3580)
      • Rar.exe (PID: 3972)
      • Rar.exe (PID: 3584)
      • Rar.exe (PID: 3396)
      • Rar.exe (PID: 3456)
      • Rar.exe (PID: 2812)
      • Rar.exe (PID: 3940)
      • Rar.exe (PID: 3420)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • cmd.exe (PID: 2128)
    • Application launched itself
      • cmd.exe (PID: 2128)
    • Starts CMD.EXE for commands execution
      • mshta.exe (PID: 932)
      • cmd.exe (PID: 2128)
    • Starts MSHTA.EXE for opening HTA or HTMLS files
      • cmd.exe (PID: 900)
    • Starts application with an unusual extension
      • cmd.exe (PID: 2128)
  • INFO
    • Reads internet explorer settings
      • mshta.exe (PID: 932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 75
Monitored processes: 41
Malicious processes: 3
Suspicious processes: 0

Behavior graph

(Interactive process graph, available in the full report: cmd.exe starts mshta.exe, which starts cmd.exe; that cmd.exe drops and starts rar.exe and more.com instances.)

Process information

PID: 900
CMD: cmd /c ""C:\Users\admin\Desktop\5.bat" "
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 932
CMD: mshta vbscript:createobject("wscript.shell").run("""5.bat"" h",0)(window.close)
Path: C:\Windows\system32\mshta.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2128
CMD: cmd /c ""C:\Users\admin\Desktop\5.bat" h"
Path: C:\Windows\system32\cmd.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1976
CMD: C:\Windows\system32\cmd.exe /c dir h /a-d /b /s *.exe *.jpg *.doc *.rtf
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2384
CMD: C:\Windows\system32\cmd.exe /c "dir /a/s/b/on *.exe *.jpg *.doc *.rtf"
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3580
CMD: rar.exe a -hppg7sww5yx1olfxg4gzjk8bvrymkaxr6bkqaklbww -df lucknum-zapr2q.rar 4.txt
Path: C:\Users\admin\Desktop\Rar.exe
Parent process: cmd.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: Command line RAR
Exit code: 0
Version: 5.60.0

PID: 2044
CMD: more +1 1.txt
Path: C:\Windows\system32\more.com
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: More Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1732
CMD: more +1 2.txt
Path: C:\Windows\system32\more.com
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: More Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1304
CMD: more +1 3.txt
Path: C:\Windows\system32\more.com
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: More Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 676
CMD: rar.exe a -hptslgfbkj8 "hi7f0ies4.rar" "C:\Users\admin\Desktop\createjohn.jpg "
Path: C:\Users\admin\Desktop\Rar.exe
Parent process: cmd.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: Command line RAR
Exit code: 0
Version: 5.60.0
Total events: 342
Read events: 338
Write events: 4
Delete events: 0

Modification events

(PID) Process: (932) mshta.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (932) mshta.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

Executable files: 1
Suspicious files: 9
Text files: 50
Unknown types: 0

Dropped files

PID: 2128
Process: cmd.exe
Filename: C:\Users\admin\Desktop\a.tmp
Type: (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

PID: 2128
Process: cmd.exe
Filename: C:\Users\admin\Desktop\4.txt
Type: text
MD5: 006E8D0C34E0D13A4CEB4D0575C9D696
SHA256: 976FC555211438FA405A8945CE5D7535A82C3827EA543C3F240120C5103EE90A

PID: 2128
Process: cmd.exe
Filename: C:\Users\admin\Desktop\1.txt
Type: text
MD5: C2A1D900422F1C4ADFEE8D6F293DED08
SHA256: 859453FB0BF7C19EBE0C9CB5EF663AF952CCA7428F02C37DB8335B1083A9840B

PID: 2128
Process: cmd.exe
Filename: C:\Users\admin\Desktop\2.txt
Type: text
MD5: 9D103A042A8F2EDF1AED7A8959DBE651
SHA256: F654E5DA0862A6B3159666F4238559313FAA45507BCEC1F9A53C30C003708170

PID: 2128
Process: cmd.exe
Filename: C:\Users\admin\Desktop\3.txt
Type: text
MD5: 6E52363A5EDC72D156AD1290B620AD7F
SHA256: 34EEBCC81B27AB98276A8B8D4FDC3A7FA6B98BB068D37D186F6DA87805F40FDC

PID: 676
Process: Rar.exe
Filename: C:\Users\admin\Desktop\hi7f0ies4.rar
Type: compressed
MD5: B7FED3290D48605F8838408157D53CD0
SHA256: D206718658BE16AB9440512BA2FCF668E3F3226B3B90DF7A6E4AF4E6096CB9D8

PID: 2128
Process: cmd.exe
Filename: C:\Users\admin\Desktop\5.txt
Type: text
MD5: AECB1A396910FDF0993B309FD2BB1121
SHA256: A659D78C9A1C2E37238D0E3C02488595A2DC00E36966C32401362873BBCA4E17

PID: 3580
Process: Rar.exe
Filename: C:\Users\admin\Desktop\lucknum-zapr2q.rar
Type: compressed
MD5: F72D398E2576BCF156F5E97183C828CE
SHA256: 315B6BF88193CE0D42BDAC6A7235845E7CAB3CCBE95E8C6B6E8E9301534AF1BB

PID: 3972
Process: Rar.exe
Filename: C:\Users\admin\Desktop\6ppspwpvq.rar
Type: compressed
MD5: 93E7D9FE0C38D3E94F6CBCFA0A77C1FD
SHA256: A5F4ABBE4738DCD1258FE41379D05875AD004F56805D6086139B5DB528470E06

PID: 3584
Process: Rar.exe
Filename: C:\Users\admin\Desktop\ocfhlqebf.rar
Type: compressed
MD5: C32A71E9D2FF21321A025A81B096716E
SHA256: 477510BEE328D3B8D9CC4D4BCFBA78E74C19394E249E44FE6A4A0EE941B1F406
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected

No debug info