analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

$RBQBPOU.bat

Full analysis: https://app.any.run/tasks/983d672d-1e61-4c60-aca3-7bcc411f684b
Verdict: Malicious activity
Analysis date: January 21, 2024, 18:08:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text
MD5:

A490C94DCE1E2FBFA50DBE459CC6F4B7

SHA1:

192D83A6AD0C432523E071453F0DD14EA113E861

SHA256:

AA6D26A7A6404C6FDA8166117201021A3A52DD656E183C0058FEB895292173EF

SSDEEP:

6144:qxSr9NbUCOte2Gx5eesnb1KzBONfYrGPfFy2ChiqSHMzqL/rFcpvn980oL0:lR+f+7YnEVyeyy/Ub5cfAL0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • csc.exe (PID: 548)

    • Starts Visual C# compiler

      • powershell.exe (PID: 2088)

  • SUSPICIOUS

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 2040)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 2040)
      • cmd.exe (PID: 1588)
      • cmd.exe (PID: 1636)
      • cmd.exe (PID: 664)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 2040)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 548)
      • expand.exe (PID: 480)
      • xcopy.exe (PID: 1632)

    • Process drops legitimate windows executable

      • expand.exe (PID: 480)
      • xcopy.exe (PID: 1632)

    • Uses .NET C# to load dll

      • powershell.exe (PID: 2088)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2040)
      • cmd.exe (PID: 1588)
      • cmd.exe (PID: 1636)
      • cmd.exe (PID: 664)

    • Executing commands from a ".bat" file

      • cmd.exe (PID: 2040)
      • powershell.exe (PID: 1836)

    • Reads the Internet Settings

      • powershell.exe (PID: 1836)
      • cmd.exe (PID: 1636)
      • wscript.exe (PID: 2592)

    • Powershell scripting: start process

      • cmd.exe (PID: 1588)

    • Application launched itself

      • cmd.exe (PID: 2040)
      • cmd.exe (PID: 1636)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2040)
      • powershell.exe (PID: 1836)
      • cmd.exe (PID: 1636)

    • The executable file from the user directory is run by the CMD process

      • center.exe (PID: 1924)

    • The process executes VB scripts

      • cmd.exe (PID: 1636)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 2592)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2592)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 1636)

  • INFO

    • Checks supported languages

      • csc.exe (PID: 548)
      • mode.com (PID: 324)
      • cvtres.exe (PID: 532)
      • mode.com (PID: 2056)
      • mode.com (PID: 2668)
      • center.exe (PID: 1924)
      • DisableX.exe (PID: 2464)
      • mode.com (PID: 2688)
      • mode.com (PID: 2536)

    • Reads the machine GUID from the registry

      • cvtres.exe (PID: 532)
      • csc.exe (PID: 548)

    • Drops the executable file immediately after the start

      • expand.exe (PID: 480)
      • xcopy.exe (PID: 1632)

    • Create files in a temporary directory

      • csc.exe (PID: 548)
      • cvtres.exe (PID: 532)
      • expand.exe (PID: 480)
      • xcopy.exe (PID: 1632)

    • Checks operating system version

      • cmd.exe (PID: 1636)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
77
Monitored processes
39
Malicious processes
4
Suspicious processes
2

Behavior graph

Click at the process to see the details
start cmd.exe no specs net.exe no specs net1.exe no specs mode.com no specs powershell.exe no specs csc.exe cvtres.exe no specs expand.exe xcopy.exe cmd.exe no specs reg.exe no specs powershell.exe no specs cmd.exe mode.com no specs powershell.exe no specs cmd.exe no specs mode.com no specs center.exe no specs wscript.exe no specs disablex.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs powershell.exe no specs mode.com no specs cmd.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs choice.exe no specs reg.exe no specs mode.com no specs cmd.exe no specs wscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2040C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\$RBQBPOU.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
255
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1432net session C:\Windows\System32\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
1356C:\Windows\system32\net1 session C:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
324mode con cols=78 lines=6C:\Windows\System32\mode.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
DOS Device MODE Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mode.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2088powershell -nop -c $f=[IO.File]::ReadAllText($env:0)-split':KMSSuite\:.*';iex($f[1]); X(1) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
548"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\c440ejs0.cmdline"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.3761.0 built by: NET48REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
532C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESF889.tmp" "c:\Users\admin\AppData\Local\Temp\CSC315E6F0E38D84CDDBFF72310F25499D4.TMP"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.10.25028.0 built by: VCTOOLSD15RTM
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
480"C:\Windows\system32\expand.exe" -R 1 -F:* .C:\Windows\System32\expand.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
LZ Expansion Utility
Exit code:
0
Version:
6.1.7601.24535 (win7sp1_ldr_escrow.191105-1059)
Modules
Images
c:\windows\system32\expand.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\cabinet.dll
1632xcopy /s /h KMS_Suite 29854 C:\Windows\System32\xcopy.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extended Copy Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
1588cmd.exe /c KMS_Suite.batC:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
5 259
Read events
5 227
Write events
32
Delete events
0

Modification events

(PID) Process:(1836) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1836) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1836) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1836) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1636) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1636) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1636) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1636) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2592) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2592) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
28
Suspicious files
12
Text files
46
Unknown types
0

Dropped files

PID
Process
Filename
Type
2088powershell.exeC:\Users\admin\AppData\Local\Temp\c440ejs0.0.cstext
MD5:2619C2087E535BD9EF20A732A58BFA84
SHA256:85835D9BE283D806347DB25628B7E5108A11F46F9EF540656DF28F09F66CA0FB
548csc.exeC:\Users\admin\AppData\Local\Temp\c440ejs0.dllexecutable
MD5:4D3AF4752943F4B217421220B032FCB8
SHA256:3C14FC51CFFCED29AAF69E7338922C8B4A7933D71B54257EF78405DD9C748F20
2088powershell.exeC:\Users\admin\AppData\Local\Temp\1compressed
MD5:436D8D09DC86C53BE0486371400BD951
SHA256:586AA43770695B63537A434AD7835FD5B10C8D513EB1743255CF5B68CB5586B2
548csc.exeC:\Users\admin\AppData\Local\Temp\CSC315E6F0E38D84CDDBFF72310F25499D4.TMPbinary
MD5:03C5F2D99A3C6BC027FF772E80BAA5AA
SHA256:D7C42EBC0D8F51BB2EA13B5041A31D759BC26532A693FA63F31D462E0D7DB60B
480expand.exeC:\Users\admin\AppData\Local\Temp\KMS_Suite\bin\center.exeexecutable
MD5:0A847EAFDDC4529388E1A1B291354CF8
SHA256:69533D9B66B840B4764F901CD6A502D12453B604617A841F4C2C602FC87DF255
2088powershell.exeC:\Users\admin\AppData\Local\Temp\svqdxepn.ls2.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
480expand.exeC:\Users\admin\AppData\Local\Temp\KMS_Suite\bin\DisableX.vbstext
MD5:C2206C9C9B0C97F7C5DB4F473E96E9A3
SHA256:F1CEC878CD1DB36CA4CCB68296CD47CE039054E2ECE4CD22D9933B90C8625C1F
480expand.exeC:\Users\admin\AppData\Local\Temp\KMS_Suite\bin\Digital\bin\gatherosstate.exeexecutable
MD5:15CE0753A16DD4F9B9F0F9926DD37C4E
SHA256:028C8FBE58F14753B946475DE9F09A9C7A05FD62E81A1339614C9E138FC2A21D
548csc.exeC:\Users\admin\AppData\Local\Temp\c440ejs0.outtext
MD5:908A385B3B711A14F1F6A67126A836E4
SHA256:283AFE4BE153E206164F988D3713BC826A81B908128C64A0F49BD8FA39B287F4
480expand.exeC:\Users\admin\AppData\Local\Temp\KMS_Suite\KMS_Suite.battext
MD5:F825DCC537D39BEFD3A38D3558AF19EC
SHA256:2A6A60CC19BDE03D9EF004B0413CE9C73B1ABB71BB21A7A14EBAA41636CB561B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
$RBQBPOU.bat