Field | Value
---|---
File name | cmd_20052019.cmd
Full analysis | https://app.any.run/tasks/0c371eb9-2599-4b2d-b4aa-9b602714ca99
Verdict | Malicious activity
Analysis date | May 20, 2019, 22:15:37
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | text/x-msdos-batch
File info | DOS batch file, ISO-8859 text, with very long lines, with CRLF line terminators
MD5 | B71D0C26BFE1A83DCEFD1A1966DCDBC3
SHA1 | 1210083A8A2269687ECAD88B1137B3A0389DCAA4
SHA256 | AE1AE9983BC936DA18586E3726FEBF7F66101A8BDC9CBD81CBB51F4D295DDA7B
SSDEEP | 192:xbHzAH3vDWXkIu9QneOFrojCbQAmj8xp1JoDk2HUuX3P9mtyGfk4HDuX3P9mtycW:9ToekwrogKbaOzOqrBr710G968t
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---
3632 | cmd /c ""C:\Users\admin\AppData\Local\Temp\cmd_20052019.cmd" " | C:\Windows\system32\cmd.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2524 | C:\Windows\system32\cmd.exe /c chcp | C:\Windows\system32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
4092 | chcp | C:\Windows\system32\chcp.com | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Change CodePage Utility | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
2068 | chcp 708 | C:\Windows\system32\chcp.com | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Change CodePage Utility | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
1372 | cmd /c ""C:\Users\admin\AppData\Local\Temp\cmd_20052019.cmd" " | C:\Windows\system32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3308 | ping 127.0.0.1 -n 1 | C:\Windows\system32\PING.EXE | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | TCP/IP Ping Command | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
4040 | wscript //Nologo "C:\Users\admin\admin.vbs" F9EI5GbqVZMSmMuw2UZx2G8kbZzaiukDgvOTGbQvb2r4irhiMCDAz2ae | C:\Windows\system32\wscript.exe | | cmd.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 0 | 5.8.7600.16385
588 | chcp 437 | C:\Windows\system32\chcp.com | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Change CodePage Utility | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
2920 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe | SYSTEM | Microsoft Corporation | SYSTEM | Microsoft Windows Search Protocol Host | | 7.00.7600.16385 (win7_rtm.090713-1255)
804 | "C:\Windows\system32\cmd.exe" /c start C:\Users\admin\admin\gmzgvD_06947.exe C:\Users\admin\admin\hPUAgxu_787676 C:\Users\admin\admin\icvBDyjv_7888612 | C:\Windows\system32\cmd.exe | — | wscript.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1372 | cmd.exe | C:\Users\admin\admin.vbs | text | 78ACFCA309614394F972C6F68B93C2F4 | FE21165229C17E94C2D6A6BF37D8C1CC999D736CF8B5E6A16DD7F609003CC96A
4040 | wscript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\y209[1].zip | compressed | A98AD3DFDF160DFFD00ACF6D756501AD | B935B3AF04336B507BAC05FB8329A4A8E57D5F929638A0A9E05EB420A0978175
4040 | wscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tAflMiVzG3D8NJ8G81M8735AAHHMJ502DK79EA.LNK | lnk | EC9D0FAE4F3CC503FEB9B36C8D0FA68A | EFD2E92D7A20B0A0732CB9AA92394BB8E05045653091E47BF07F0451D16B4002
4040 | wscript.exe | C:\Users\admin\admin\X20HYY0D9NNKI2MR7JKN8AAXKAM | executable | 380FB8AB224DA3333BFEA49B38ACC079 | 61331263D7CC4181724F81F1889495DE8D477BC6D3EDB01BF351CE39F2447CE4
4040 | wscript.exe | C:\Users\admin\admin\hPUAgxu_787676 | a3x | F8B0C382B3EF0A7D1C20253714271400 | CF1C80A78060F03B66D880B2EEAB987D79915DB956FD15B05068B022FD9DDA1E
4040 | wscript.exe | C:\Users\admin\admin\T1XCVX6JUN4CFY1M5TBN6SS3NPP1HDNV2U8ORC | a3x | F8B0C382B3EF0A7D1C20253714271400 | CF1C80A78060F03B66D880B2EEAB987D79915DB956FD15B05068B022FD9DDA1E
4040 | wscript.exe | C:\Users\admin\fhfj5nriop.zip | compressed | A98AD3DFDF160DFFD00ACF6D756501AD | B935B3AF04336B507BAC05FB8329A4A8E57D5F929638A0A9E05EB420A0978175
4040 | wscript.exe | C:\Users\admin\admin\icvBDyjv_7888612.dll | executable | 380FB8AB224DA3333BFEA49B38ACC079 | 61331263D7CC4181724F81F1889495DE8D477BC6D3EDB01BF351CE39F2447CE4
4040 | wscript.exe | C:\Users\admin\admin\FPPUVGT42YB80TB918HYWB4J9D4MI12I5A3 | executable | B06E67F9767E5023892D9698703AD098 | 8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
4040 | wscript.exe | C:\Users\admin\admin\gmzgvD_06947.exe | executable | B06E67F9767E5023892D9698703AD098 | 8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4040 | wscript.exe | POST | 200 | 192.99.34.204:80 | http://docseguridads.com/y209/bEFjUKUA01B95JNM6A419LB0KDF2LF9D5ECMC0.txt | CA | text | 519 b | malicious |
4040 | wscript.exe | GET | 200 | 192.99.34.204:80 | http://docseguridads.com/y209/y209.zip | CA | compressed | 8.14 Mb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4040 | wscript.exe | 192.99.34.204:80 | docseguridads.com | OVH SAS | CA | malicious |
Domain | IP | Reputation
---|---|---
docseguridads.com | | malicious
PID | Process | Class | Message |
---|---|---|---|
4040 | wscript.exe | A Network Trojan was detected | MALWARE [PTsecurity] Virus.vbs.qexvmc (N40/KLBanker) |