File name: | 5.bat |
Full analysis: | https://app.any.run/tasks/dd4e62bc-8c53-4fca-84b3-bafca7bdcbd7 |
Verdict: | Malicious activity |
Analysis date: | June 16, 2019, 05:17:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/x-msdos-batch |
File info: | DOS batch file, ASCII text, with CRLF line terminators |
MD5: | 8FEC728C50D4775ECB1E6490109052B1 |
SHA1: | 2E1A92A6671AEF7A5268A96FAED6DC191CD02417 |
SHA256: | A5AE9146FB009435A838109A4C9A688CB79601AF4127B84EB163BCEBC5EF0D4C |
SSDEEP: | 48:dJZk7y4qK3TweGaTweGORTeCBrTJWeG5TJe+NGjWF4cf/FHk:dwZqKjkykORTX8llsjGPHk |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3412 | cmd /c ""C:\Users\admin\Desktop\5.bat" " | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3732 | mshta vbscript:createobject("wscript.shell").run("""5.bat"" h",0)(window.close) | C:\Windows\system32\mshta.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3932 | cmd /c ""C:\Users\admin\Desktop\5.bat" h" | C:\Windows\system32\cmd.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1456 | C:\Windows\system32\cmd.exe /c dir h /a-d /b /s *.exe *.jpg *.doc *.rtf | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
856 | C:\Windows\system32\cmd.exe /c "dir /a/s/b/on *.exe *.jpg *.doc *.rtf" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2628 | rar.exe a -hp1qvl3mjaiuva31p9gsaelrpphppjhlf1h9fuc0jx -df lucknum-zl4m9t.rar 4.txt | C:\Users\admin\Desktop\Rar.exe | — | cmd.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: Command line RAR Exit code: 0 Version: 5.60.0 | ||||
1364 | more +1 1.txt | C:\Windows\system32\more.com | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: More Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1456 | more +1 2.txt | C:\Windows\system32\more.com | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: More Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2364 | more +1 3.txt | C:\Windows\system32\more.com | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: More Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2720 | rar.exe a -hpcfujl4bcj "zwdzq2h2e.rar" "C:\Users\admin\Desktop\bestcolumbia.rtf " | C:\Users\admin\Desktop\Rar.exe | — | cmd.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: Command line RAR Exit code: 0 Version: 5.60.0 |
(PID) Process: | (3732) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3732) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3932 | cmd.exe | C:\Users\admin\Desktop\a.tmp | — | |
MD5:— | SHA256:— | |||
3932 | cmd.exe | C:\Users\admin\Desktop\3.txt | text | |
MD5:67AE67681C0654037F06EF7F8196BA81 | SHA256:618A4EE154E4B232C0C7CBDD17C8B8344E37D2FBBBBC08583DE961DD0B8441BA | |||
3932 | cmd.exe | C:\Users\admin\Desktop\1.txt | text | |
MD5:B5ACDF2E620BC22B63BE2023439AF6FA | SHA256:CC9FBF9CA9AC160D82AFB3D0110FC81C10BF27E8EFB5E86610B4FF96E0405B1C | |||
3932 | cmd.exe | C:\Users\admin\Desktop\4.txt | text | |
MD5:395B45F9BDCC52672AAE4522D1A5FB31 | SHA256:DE4C834D86974629DA000561008A1F45620DB85A03DCD69D1F70644486CABBD2 | |||
3932 | cmd.exe | C:\Users\admin\Desktop\2.txt | text | |
MD5:17176EFE82E6F67E0E50A323AF1FE8CD | SHA256:8874ABE0A0E76D6F6210BA7DC19A37489F1C6A25005812900B96B812501DA0F8 | |||
2628 | Rar.exe | C:\Users\admin\Desktop\lucknum-zl4m9t.rar | compressed | |
MD5:D38A97FC233B0DF64B6E1655D9CECCC6 | SHA256:4A47187DEF65DF25551F60A29AE6BBC0235F603283F0C3583C53A074FAB1853F | |||
3932 | cmd.exe | C:\Users\admin\Desktop\5.txt | text | |
MD5:28D57480E75AAA3770FA3C550A41576C | SHA256:83A8F26032DA1DB75B33A482024C6E133E974789E33F3E19267AC00997A80239 | |||
3732 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\error[1] | html | |
MD5:16AA7C3BEBF9C1B84C9EE07666E3207F | SHA256:7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754 | |||
2720 | Rar.exe | C:\Users\admin\Desktop\zwdzq2h2e.rar | compressed | |
MD5:EEBE5641282BF891C46CB93D1A37914A | SHA256:E0CB90F2FF0715B5537F7A06D809977A43B18D4480BA4243CAC2E756D4711ACB | |||
4076 | Rar.exe | C:\Users\admin\Desktop\xk4w9j0k4.rar | compressed | |
MD5:51B60C98822E219522DD7222441F763D | SHA256:2E0BD2B0112EA7A467E5E44769F9EC1B7E7FBFF9CCE92428029B1337DD1A8931 |