analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Unhide Files.bat

Full analysis: https://app.any.run/tasks/9048e73a-d904-44ff-8e06-85f4dad38fbb
Verdict: Malicious activity
Analysis date: November 16, 2019, 21:30:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/octet-stream
File info: data
MD5:

ED321251DC3B4F175E68BE78E694474D

SHA1:

9E72DA35F476589E57754A6768E9914D7717F2E0

SHA256:

F335F7098DE9B44F3849B8ADA84FCCA1AC09ED00F8936D60CB3CF8D085EEA2E5

SSDEEP:

12288:wnVHDWx5jouKbs3wPDdI3N4Pgq9vJvSuuqngHAJ:wnc/YsgrgN45

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2712)

    • Application was dropped or rewritten from another process

      • eng.exe (PID: 784)
      • rf.exe (PID: 2232)
      • cmd.exe (PID: 2712)
      • svcnosts.exe (PID: 2252)
      • cmd.exe (PID: 1252)
      • cmd.exe (PID: 1560)
      • cmd.exe (PID: 3844)
      • cmd.exe (PID: 2912)
      • cmd.exe (PID: 3012)
      • cmd.exe (PID: 2368)
      • cmd.exe (PID: 1916)
      • cmd.exe (PID: 2300)
      • cmd.exe (PID: 788)
      • cmd.exe (PID: 2548)
      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 4028)
      • cmd.exe (PID: 928)
      • cmd.exe (PID: 3196)
      • cmd.exe (PID: 4076)
      • cmd.exe (PID: 996)
      • cmd.exe (PID: 2740)
      • cmd.exe (PID: 2524)
      • cmd.exe (PID: 1648)
      • svcnost.exe (PID: 3784)
      • cmd.exe (PID: 1400)

    • Changes the autorun value in the registry

      • rf.exe (PID: 2232)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 2712)
      • eng.exe (PID: 784)
      • rf.exe (PID: 2232)

    • Application launched itself

      • cmd.exe (PID: 2712)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 2712)
      • cmd.exe (PID: 4028)
      • cmd.exe (PID: 2300)
      • cmd.exe (PID: 2740)
      • cmd.exe (PID: 928)
      • cmd.exe (PID: 2864)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2712)
      • rf.exe (PID: 2232)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 1560)
      • cmd.exe (PID: 2712)

    • Creates executable files which already exist in Windows

      • rf.exe (PID: 2232)

    • Modifies the open verb of a shell class

      • rf.exe (PID: 2232)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • rf.exe (PID: 2232)

  • INFO

    • Manual execution by user

      • explorer.exe (PID: 2816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.bib/bibtex/txt | BibTeX references (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
107
Monitored processes
52
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start cmd.exe eng.exe attrib.exe no specs attrib.exe no specs attrib.exe no specs cmd.exe no specs reg.exe no specs ping.exe no specs rf.exe ping.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs reg.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs svcnosts.exe no specs svcnost.exe explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2712cmd /c ""C:\Users\admin\Desktop\Unhide Files.bat" "C:\Windows\system32\cmd.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
784"C:\Users\admin\AppData\Local\Temp\rlgms574\eng.exe" "C:\Users\admin\AppData\Local\Temp\rlgms574\sk.js"C:\Users\admin\AppData\Local\Temp\rlgms574\eng.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1648attrib * -s /d C:\Windows\system32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2456attrib * -h /d C:\Windows\system32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3804attrib * -h -s /d C:\Windows\system32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1560C:\Windows\system32\cmd.exe /c REG QUERY HKCU\SOFTWARE\btC:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2080REG QUERY HKCU\SOFTWARE\btC:\Windows\system32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2820ping 127.0.0.1 -n 2 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2232"C:\Users\admin\AppData\Local\Temp\rlgms574\rf.exe" rlcC:\Users\admin\AppData\Local\Temp\rlgms574\rf.exe
eng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
1.0.0.0
3944ping 127.0.0.1 -n 2 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
687
Read events
653
Write events
34
Delete events
0

Modification events

(PID) Process:(784) eng.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(784) eng.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2232) rf.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2232) rf.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:Key:HKEY_CURRENT_USER\Software\bt
Operation:writeName:gp
Value:
21:3
(PID) Process:(2232) rf.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Microsoft
Operation:writeName:STR
Value:
C|juhoxa|serouuc|svcnost|svcnosts
(PID) Process:(2232) rf.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Explorers
Value:
C:\Windows\explorer.exe /root c:\windows\system32\rundll32.exe ..\windows\system32\user32.dll.ShellExecute(%s), C:\System_VoIume_lnformation\Jnt\serouuc\bmz\explorer.exe, 0xff3leca
(PID) Process:(2232) rf.exeKey:HKEY_CLASSES_ROOT\.exe
Operation:writeName:
Value:
exefiles
(PID) Process:(2232) rf.exeKey:HKEY_CLASSES_ROOT\exefiles\shell\open\command
Operation:writeName:
Value:
"C:\System_VoIume_lnformation\Jnt\serouuc\explorers.exe" rts "%1"
(PID) Process:(2232) rf.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Microsoft
Operation:writeName:SLK
Value:
0
Executable files
6
Suspicious files
2
Text files
3
Unknown types
1

Dropped files

PID
Process
Filename
Type
784eng.exeC:\Users\admin\AppData\Local\Temp\rlgms574\rf.exeexecutable
MD5:43935A2B61416385736FDF2D0D4BDFCC
SHA256:C5F21CBEAA15988A6E0887A1FD3B652DA9E8FFECC60D207E9513930CFF2CD965
2232rf.exeC:\sefera\Jnt\juhoxa\gotera.bmpbinary
MD5:CAC17D4A6C7489D29F523FB4D9A7EA25
SHA256:AC1D3CDA8A70C5FFDAA00C5B770BDA2660569B3B270F9775337C8E8C9B3BFE5B
2232rf.exeC:\System_VoIume_lnformation\Jnt\serouuc\explorers.exeexecutable
MD5:C94D686FB13A835355299C992EE8E594
SHA256:BEEF68C9C19D5E0A2A7EBEB97C10373EEAA88F87741573B9D1027F523C98076E
2232rf.exeC:\sefera\Jnt\juhoxa\svcnost.exeexecutable
MD5:C94D686FB13A835355299C992EE8E594
SHA256:BEEF68C9C19D5E0A2A7EBEB97C10373EEAA88F87741573B9D1027F523C98076E
2712cmd.exeC:\Users\admin\AppData\Local\Temp\rlgms574\unrf.dllbib
MD5:ED321251DC3B4F175E68BE78E694474D
SHA256:F335F7098DE9B44F3849B8ADA84FCCA1AC09ED00F8936D60CB3CF8D085EEA2E5
2232rf.exeC:\sefera\Jnt\juhoxa\svcnosts.exeexecutable
MD5:C94D686FB13A835355299C992EE8E594
SHA256:BEEF68C9C19D5E0A2A7EBEB97C10373EEAA88F87741573B9D1027F523C98076E
2712cmd.exeC:\Users\admin\AppData\Local\Temp\rlgms574\sk.jstext
MD5:3ABAFFE780DACFD3C83A6D79D3456CD1
SHA256:1D16BCFDCC3ACBD37D4E39E07DF2FA6F496FB4B9998D6F1D83C5E076860AFC6B
2232rf.exeC:\System_VoIume_lnformation\Jnt\serouuc\gotera.bmpbinary
MD5:CAC17D4A6C7489D29F523FB4D9A7EA25
SHA256:AC1D3CDA8A70C5FFDAA00C5B770BDA2660569B3B270F9775337C8E8C9B3BFE5B
2232rf.exeC:\System_VoIume_lnformation\Jnt\serouuc\bmz\explorer.exeexecutable
MD5:AD7B9C14083B52BC532FBA5948342B98
SHA256:17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE
2712cmd.exeC:\Users\admin\AppData\Local\Temp\rlgms574\eng.exeexecutable
MD5:D1AB72DB2BEDD2F255D35DA3DA0D4B16
SHA256:047F3C5A7AB0EA05F35B2CA8037BF62DD4228786D07707064DBD0D46569305D0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3784
svcnost.exe
151.101.1.195:443
clear-march.firebaseapp.com
Fastly
US
malicious

DNS requests

Domain
IP
Reputation
clear-march.firebaseapp.com
  • 151.101.1.195
  • 151.101.65.195
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Unhide Files.bat