analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

XMLPDF0201.cmd

Full analysis: https://app.any.run/tasks/b83b25dc-5e0f-4e74-a1ee-b67b571cff37
Verdict: Malicious activity
Analysis date: June 18, 2019, 17:01:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with CRLF line terminators
MD5:

6730F5DC398EADD78B3133829879391C

SHA1:

1A3EED9908A2295AAEBBC5BC4575708B4EBA5A0A

SHA256:

B509738439B07EC579C4FBD69EAE4BAA41A1EA86C4313834E9E12546483A3EA0

SSDEEP:

96:Lkta78t7os7gF7y7A7Y7LE7k7i76/D7o7Y7K7q57Z797a7qFH7O57m7v7o7K57Ka:LOTFqGAFqlAZJuc+t

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3524)
    • Changes settings of System certificates

      • wscript.exe (PID: 3888)
  • SUSPICIOUS

    • Creates files in the program directory

      • wscript.exe (PID: 3888)
    • Executes scripts

      • cmd.exe (PID: 3524)
    • Adds / modifies Windows certificates

      • wscript.exe (PID: 3888)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe no specs ping.exe no specs wscript.exe

Process information

PID
CMD
Path
Indicators
Parent process
3524cmd /c ""C:\Users\admin\AppData\Local\Temp\XMLPDF0201.cmd" "C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
4048ping 127.0.0.1 -n 1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3888wscript //Nologo "C:\Users\Public\admin\admin.vbs" zPbi3qEG8PbwZeOKFHdo3uiORZK7fvPQLmGdoRyzjrxb C:\Windows\system32\wscript.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Total events
126
Read events
92
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
5
Text files
66
Unknown types
0

Dropped files

PID
Process
Filename
Type
3524cmd.exeC:\Users\Public\admin\admin.vbstext
MD5:3071CB83176532F370C7EEF42734DD75
SHA256:9ACD038A5812E6A37331203F22BF21B703C6A16F790948F055775C884D7D8EDF
3888wscript.exeC:\Users\admin\AppData\Local\Temp\Cab950F.tmp
MD5:
SHA256:
3888wscript.exeC:\Users\admin\AppData\Local\Temp\Tar9510.tmp
MD5:
SHA256:
3888wscript.exeC:\Users\admin\AppData\Local\Temp\Cab9531.tmp
MD5:
SHA256:
3888wscript.exeC:\Users\admin\AppData\Local\Temp\Tar9532.tmp
MD5:
SHA256:
3888wscript.exeC:\Users\admin\AppData\Local\Temp\Tar95DF.tmp
MD5:
SHA256:
3888wscript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\19[1].txt
MD5:
SHA256:
3888wscript.exeC:\Users\admin\AppData\Local\Temp\Cab95DE.tmpcompressed
MD5:41577A5AB6A7D917CDDEEDDC2EF52D53
SHA256:695FCBF6D5B0A83F6671EA2063AA9E2D45D263A108E826F21186B4A7F05925FF
3888wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015compressed
MD5:41577A5AB6A7D917CDDEEDDC2EF52D53
SHA256:695FCBF6D5B0A83F6671EA2063AA9E2D45D263A108E826F21186B4A7F05925FF
3888wscript.exeC:\ProgramData\i.dattext
MD5:1ED3B93137E997BA35F5676F3D24B2D2
SHA256:8F2F1217A8722E0C107B35F76F80F639C9CCD74827C4D1A118CAAC43F2BBE9C2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3888
wscript.exe
GET
200
93.184.221.240:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
56.2 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3888
wscript.exe
34.227.214.181:443
education.asahq.org
Amazon.com, Inc.
US
unknown
3888
wscript.exe
93.184.221.240:80
www.download.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
education.asahq.org
  • 34.227.214.181
  • 52.201.25.217
unknown
www.download.windowsupdate.com
  • 93.184.221.240
whitelisted

Threats

No threats detected
No debug info