| Field | Value |
|---|---|
| File name | OpenMe.bat |
| Full analysis | https://app.any.run/tasks/183040bc-f348-47f9-99a2-f1b8106bbc52 |
| Verdict | Malicious activity |
| Analysis date | November 29, 2020, 21:33:51 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | — |
| MIME | text/x-msdos-batch |
| File info | DOS batch file, ASCII text, with very long lines |
| MD5 | 90912A048F7442FDF29C4D8F13076A72 |
| SHA1 | 6D99CD120AC38D6CF4042A84E09E35151F3B36CA |
| SHA256 | CE2A1B1E42E096F9C23A9D3B72DE39E1607C909D1281BA68E912D29AF4521ABD |
| SSDEEP | 24:JotrlyRYdH7grM8OQzMzYizoVUD+V2MZK7iu+l+V2MZKHLFk9LQ9gu+lyJmkdu/o:n+mrOrzFzo9p0Wep0HP9gCI1mprMq |
| PID | CMD | Path | Parent process | Indicators | User | Company | Integrity Level | Exit code | Description | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 2804 | cmd /c ""C:\Users\admin\Downloads\OpenMe.bat" " | C:\Windows\system32\cmd.exe | explorer.exe | — | admin | Microsoft Corporation | MEDIUM | 0 | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 4080 | fsutil dirty query C: | C:\Windows\system32\fsutil.exe | cmd.exe | — | admin | Microsoft Corporation | MEDIUM | 1 | fsutil.exe | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2788 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\getadmin.vbs" | C:\Windows\System32\WScript.exe | cmd.exe | — | admin | Microsoft Corporation | MEDIUM | 0 | Microsoft ® Windows Based Script Host | 5.8.7600.16385 |
| 2660 | "C:\Windows\System32\cmd.exe" /k cd "C:\Users\admin\DOWNLO~1\" && C:\Users\admin\DOWNLO~1\OpenMe.bat | C:\Windows\System32\cmd.exe | WScript.exe | — | admin | Microsoft Corporation | HIGH | — | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 876 | fsutil dirty query C: | C:\Windows\system32\fsutil.exe | cmd.exe | — | admin | Microsoft Corporation | HIGH | 0 | fsutil.exe | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1016 | REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v R | C:\Windows\system32\reg.exe | cmd.exe | — | admin | Microsoft Corporation | HIGH | 0 | Registry Console Tool | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1980 | REG ADD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit /t REG_SZ /d "C:\Users\admin\DOWNLO~1\OpenMe.bat" /f | C:\Windows\system32\reg.exe | cmd.exe | — | admin | Microsoft Corporation | HIGH | 1 | Registry Console Tool | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3412 | REG ADD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon /t REG_SZ /d 1 /f | C:\Windows\system32\reg.exe | cmd.exe | — | admin | Microsoft Corporation | HIGH | 1 | Registry Console Tool | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1512 | REG ADD HKLM\SOFTWARE\Classes\batfile\shell\edit\command /v (Default) /t REG_EXPAND_SZ /d "C:\Users\admin\DOWNLO~1\OpenMe.bat" /f | C:\Windows\system32\reg.exe | cmd.exe | — | admin | Microsoft Corporation | HIGH | 0 | Registry Console Tool | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2216 | taskkill /im svchost.exe /f | C:\Windows\system32\taskkill.exe | cmd.exe | — | admin | Microsoft Corporation | HIGH | 1 | Terminates Processes | 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 2804 | cmd.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
| 2804 | cmd.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
| 2788 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
| 2788 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
| 1016 | reg.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | R | |
| — | — | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\edit\command | write | (Default) | C:\Users\admin\DOWNLO~1\OpenMe.bat |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2660 | cmd.exe | C:\Users\admin\Downloads\4ever.txt | — | — | — |
| 2660 | cmd.exe | C:\Users\admin\AppData\Local\Temp\BOOT.txt | text | FE786F61C6940666961641C80085F6D1 | 57EC0A83D1E5A64C3BD636C2EC946C3B7A1731E632CE840E332CDA1276C60BE3 |
| 2660 | cmd.exe | C:\Users\admin\Downloads\bcd.bat | text | 59111A42DCCD1D7F144DE4EF00D9EEC7 | D5B157DC4E799D4F72A3F451DF5EECA85FD6D87492339EF78ACBE7755E44CBB1 |
| 2804 | cmd.exe | C:\Users\admin\AppData\Local\Temp\getadmin.vbs | text | AC7BF566115CA4C7D3F4D44E001B5EEB | 57258F7AF5CAD4D186E13B0EDBF3DDB400E5C40A3B9D0D94E1FFDC56B915CE5F |
| 2660 | cmd.exe | C:\Users\admin\DOWNLO~1\738115911188829032739410750125423029125799137649903.txt | text | 353034951203C929EBEE2983D9672D29 | 5921E328BF10D4DBD905AAF4DCB05C21077ADB215C09A1D3BE8F8DC9A3CA6320 |
| 2660 | cmd.exe | C:\Users\admin\DOWNLO~1\32506189962870415679225699661697724385267951175729463.txt | text | 353034951203C929EBEE2983D9672D29 | 5921E328BF10D4DBD905AAF4DCB05C21077ADB215C09A1D3BE8F8DC9A3CA6320 |
| 2660 | cmd.exe | C:\Users\admin\DOWNLO~1\12682191641264728011043467121805623342157201213325569.txt | text | 353034951203C929EBEE2983D9672D29 | 5921E328BF10D4DBD905AAF4DCB05C21077ADB215C09A1D3BE8F8DC9A3CA6320 |
| 2660 | cmd.exe | C:\Users\admin\DOWNLO~1\1895411946172012012224790778450721854220100269182177.txt | text | 353034951203C929EBEE2983D9672D29 | 5921E328BF10D4DBD905AAF4DCB05C21077ADB215C09A1D3BE8F8DC9A3CA6320 |
| 2660 | cmd.exe | C:\Users\admin\DOWNLO~1\225354518250226909406814679243432182349891275623052.txt | text | 353034951203C929EBEE2983D9672D29 | 5921E328BF10D4DBD905AAF4DCB05C21077ADB215C09A1D3BE8F8DC9A3CA6320 |
| 2660 | cmd.exe | C:\Users\admin\DOWNLO~1\1259421082573815569302803035060635791231092243310649.txt | text | 353034951203C929EBEE2983D9672D29 | 5921E328BF10D4DBD905AAF4DCB05C21077ADB215C09A1D3BE8F8DC9A3CA6320 |