analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Virus.bat

Full analysis: https://app.any.run/tasks/a81e45c8-7c33-4167-bf80-90f8688c63a0
Verdict: Malicious activity
Analysis date: May 21, 2022, 09:05:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

94FD61CE02CADE547895C5C9D0A0BAC0

SHA1:

313DED429034FBFC4567935BB91CC9A409066375

SHA256:

B3A13CDC76DEA743146238DE8432E0C8E5A8C8B7FB43793077AC92F8A1E1771B

SSDEEP:

12:IOfkVAvCestzPNHSuVM1t2GOestzF+r1Xjat2B8LSfDQg7BiZM7r9LpUOsyyzxMK:I4ABdtbwuVMtOdtBs1h1f37BOQjUOhyP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Writes to a start menu file

      • cmd.exe (PID: 2968)
  • SUSPICIOUS

    • Checks supported languages

      • cmd.exe (PID: 2968)
      • format.com (PID: 2500)
      • format.com (PID: 912)
      • format.com (PID: 4084)
      • format.com (PID: 1988)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2968)
    • Creates files in the user directory

      • cmd.exe (PID: 2968)
    • Reads the computer name

      • cmd.exe (PID: 2968)
    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 2968)
    • Starts Internet Explorer

      • cmd.exe (PID: 2968)
    • Starts application with an unusual extension

      • cmd.exe (PID: 2968)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2972)
      • iexplore.exe (PID: 188)
    • Removes files from Windows directory

      • cmd.exe (PID: 2968)
  • INFO

    • Checks supported languages

      • msg.exe (PID: 3044)
      • rundll32.exe (PID: 3948)
      • taskkill.exe (PID: 1004)
      • iexplore.exe (PID: 3516)
      • iexplore.exe (PID: 4068)
      • iexplore.exe (PID: 2972)
      • iexplore.exe (PID: 188)
    • Reads the computer name

      • msg.exe (PID: 3044)
      • taskkill.exe (PID: 1004)
      • iexplore.exe (PID: 4068)
      • iexplore.exe (PID: 3516)
      • iexplore.exe (PID: 2972)
      • iexplore.exe (PID: 188)
    • Changes internet zones settings

      • iexplore.exe (PID: 3516)
      • iexplore.exe (PID: 4068)
    • Application launched itself

      • iexplore.exe (PID: 4068)
      • iexplore.exe (PID: 3516)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2972)
      • iexplore.exe (PID: 188)
    • Creates files in the user directory

      • iexplore.exe (PID: 188)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 4068)
      • iexplore.exe (PID: 188)
      • iexplore.exe (PID: 3516)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 188)
      • iexplore.exe (PID: 3516)
      • iexplore.exe (PID: 4068)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • iexplore.exe (PID: 4068)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
12
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe msg.exe no specs taskkill.exe no specs rundll32.exe no specs iexplore.exe iexplore.exe format.com no specs format.com no specs format.com no specs format.com no specs iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2968C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Virus.bat" "C:\Windows\system32\cmd.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3044msg * (Muhahaha)C:\Windows\system32\msg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Message Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1004taskkill /IM explorer.exe /fC:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3948Rundll32 user32, SwapMouseButtonC:\Windows\system32\rundll32.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3516"C:\Program Files\Internet Explorer\iexplore.exe" http://www.evil-shit.de/C:\Program Files\Internet Explorer\iexplore.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
4068"C:\Program Files\Internet Explorer\iexplore.exe" http://www.akk.li/pics/anne/jpgC:\Program Files\Internet Explorer\iexplore.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2500format D:\ /FC:\Windows\system32\format.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Disk Format Utility
Exit code:
4
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
912format E:\ /FC:\Windows\system32\format.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Disk Format Utility
Exit code:
4
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4084format F:\ /FC:\Windows\system32\format.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Disk Format Utility
Exit code:
4
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1988format G:\ /FC:\Windows\system32\format.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Disk Format Utility
Exit code:
4
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
20 658
Read events
20 456
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
13
Text files
17
Unknown types
11

Dropped files

PID
Process
Filename
Type
4068iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:0C01AD1C07F53ED1800743912B04D81A
SHA256:AFA786AAD42ACB61430DCC3801B6D2974511F809C60AC521C152B8F56BD66691
4068iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:AC4726FEE26B5D7F5BC731F03E7D7E34
SHA256:990F044CAB696ED00BBC2CB11C62BA52EE6D61F33AAFD5F78CD35EA3513D9C01
188iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\646C991C2A28825F3CC56E0A1D1E3FA9der
MD5:3523BFA7B3ACACA361AC9814166709AD
SHA256:CE82F93FDB091E30497236D7F04BB67F7008E8E4133D2A8445B531C16D13AA67
188iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_72BF6A27377E65244ED5348D2E81C743der
MD5:0D3D5D73E90D0F4349F5DD3436CF7552
SHA256:46B9C4EEF9EB565AC4F655647A36462A84C31D7F8F6BA415B8DDF3B24AAEE9B3
188iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:3125F06B0098B6B1E22A7274222B4FA7
SHA256:81500AE2010908B4122D44B628A7062F7849153F0A16D81EF186462E64C683A2
2968cmd.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virus.battext
MD5:94FD61CE02CADE547895C5C9D0A0BAC0
SHA256:B3A13CDC76DEA743146238DE8432E0C8E5A8C8B7FB43793077AC92F8A1E1771B
4068iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776der
MD5:FA526918A211E850A6078FB1D00B2045
SHA256:396B94C667643AFA59D155EF4D812DA6F4D67DD50CEC97194E1CA3A1B3ECE3FE
188iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\jpg[1].htmhtml
MD5:CF4E529FEF1956DB6D128515AE7F0E63
SHA256:EFEDEDAFCFF7BADBEF47409136A30304DB6EE9B910D632D6C5D2FC2355B89816
188iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\DTMWROUK.txttext
MD5:862CFB5EB276780CE61F13960102190E
SHA256:0347A565468FF2C96DA89BA4A22805526971C13ADCF36B2FD56A2B154A339B5A
188iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\6QB1NSOR.txttext
MD5:9D69D3072D172891BD71F09E2CDC7CCB
SHA256:D7ED0941E9CE6E06E8E8A1E12AEF65EECCF14265DCA20A6768ED3B19C0750915
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
31
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2972
iexplore.exe
GET
62.143.36.236:80
http://www.evil-shit.de/
DE
unknown
4068
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
188
iexplore.exe
POST
200
199.59.243.200:80
http://www.akk.li/_fd
US
text
2.30 Kb
malicious
188
iexplore.exe
GET
200
199.59.243.200:80
http://www.akk.li/pics/anne/jpg
US
html
979 b
malicious
4068
iexplore.exe
GET
200
199.59.243.200:80
http://www.akk.li/favicon.ico
US
malicious
188
iexplore.exe
GET
200
199.59.243.200:80
http://www.akk.li/js/parking.2.88.1.js
US
html
21.6 Kb
malicious
188
iexplore.exe
GET
200
199.59.243.200:80
http://www.akk.li/px.gif?ch=2&rn=7.611487305465162
US
image
42 b
malicious
188
iexplore.exe
GET
200
172.217.16.131:80
http://crl.pki.goog/gsr1/gsr1.crl
US
der
1.61 Kb
whitelisted
188
iexplore.exe
GET
200
142.250.181.227:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
4068
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
188
iexplore.exe
209.197.3.8:80
ctldl.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted
2972
iexplore.exe
62.143.36.236:80
www.evil-shit.de
Liberty Global Operations B.V.
DE
unknown
188
iexplore.exe
142.250.186.36:443
www.google.com
Google Inc.
US
whitelisted
188
iexplore.exe
142.250.181.227:80
ocsp.pki.goog
Google Inc.
US
whitelisted
3516
iexplore.exe
13.107.21.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
188
iexplore.exe
199.59.243.200:80
www.akk.li
US
malicious
4068
iexplore.exe
13.107.21.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
188
iexplore.exe
142.250.186.130:443
partner.googleadservices.com
Google Inc.
US
whitelisted
4068
iexplore.exe
199.59.243.200:80
www.akk.li
US
malicious
4068
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
www.evil-shit.de
  • 62.143.36.236
unknown
www.akk.li
  • 199.59.243.200
malicious
parking.bodiscdn.com
  • 104.22.41.120
  • 172.67.5.15
  • 104.22.40.120
whitelisted
fonts.googleapis.com
  • 142.250.185.234
whitelisted
www.google.com
  • 142.250.186.36
whitelisted
ctldl.windowsupdate.com
  • 209.197.3.8
whitelisted
ocsp.pki.goog
  • 142.250.181.227
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

No threats detected
No debug info