File name: 1.bat

Full analysis: https://app.any.run/tasks/6b2eba81-92b8-41b9-a272-7109b3cdfd07
Verdict: Malicious activity
Analysis date: June 16, 2019, 16:21:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ISO-8859 text, with CRLF line terminators
MD5: F65D2D9F5063DF04193D11182C21D53B
SHA1: BB93F26FC4ECDE755F68FFDB12959ABF4EC72B80
SHA256: FAB0F8423BB4B64DB0526E9B4D356CB705AE84DAA2428C714FCE877DAF43FB53
SSDEEP: 48:dJZk7y4GaDvK9TweGaTweGOveCBrTJWeG5TJe+NGjxyfviocf/jJZOkpoVVYDNvC:dwZGajKZkykOvX8llsjxACHoAJC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Rar.exe (PID: 3272)
      • Rar.exe (PID: 3280)
      • Rar.exe (PID: 4048)
      • Rar.exe (PID: 2700)
      • Rar.exe (PID: 2940)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 2928)
    • Starts MSHTA.EXE for opening HTA or HTML files

      • cmd.exe (PID: 3088)
    • Starts CMD.EXE for command execution

      • mshta.exe (PID: 3820)
      • cmd.exe (PID: 2928)
    • Starts application with an unusual extension

      • cmd.exe (PID: 2928)
    • Application launched itself

      • cmd.exe (PID: 2928)
    • Executes scripts

      • cmd.exe (PID: 2928)
  • INFO

    • Reads internet explorer settings

      • mshta.exe (PID: 3820)
    • Manual execution by user

      • NOTEPAD.EXE (PID: 2688)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 62
Monitored processes: 27
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes shown in the interactive graph, in graph order: cmd.exe, mshta.exe, cmd.exe, more.com, more.com, cmd.exe, cmd.exe, rar.exe, wscript.exe, more.com (x4), rar.exe, more.com (x3), rar.exe, more.com (x3), rar.exe, more.com (x3), rar.exe, notepad.exe. The graph marks one plain start edge and five "drop and start" edges.

Process information

Each entry lists PID, CMD, Path, Indicators and Parent process. The Indicators column is empty for every process listed in this report.

PID: 328
CMD: more +1 2.txt
Path: C:\Windows\system32\more.com
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
More Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\more.com
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
PID: 488
CMD: more +1 3.txt
Path: C:\Windows\system32\more.com
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
More Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\more.com
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
PID: 2608
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\1.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 2628
CMD: C:\Windows\system32\cmd.exe /c dir h /a-d /b /s *.exe *.jpg
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2688
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\解压lucknum运行0bat解密.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2700
CMD: rar.exe a -hpue0k5qqkm "8gmrag4ge.rar" "C:\Users\admin\Desktop\outsideseveral.jpg "
Path: C:\Users\admin\Desktop\Rar.exe
Parent process: cmd.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
Command line RAR
Exit code:
0
Version:
5.60.0
Modules
Images
c:\users\admin\desktop\rar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2736
CMD: more +1 3.txt
Path: C:\Windows\system32\more.com
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
More Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\more.com
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
PID: 2756
CMD: more +1 5.txt
Path: C:\Windows\system32\more.com
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
More Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\more.com
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
PID: 2796
CMD: more +1 3.txt
Path: C:\Windows\system32\more.com
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
More Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\more.com
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
PID: 2800
CMD: more +1 1.txt
Path: C:\Windows\system32\more.com
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
More Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\more.com
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
Total events: 322
Read events: 310
Write events: 12
Delete events: 0

Modification events

Process: (3820) mshta.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

Process: (3820) mshta.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

Process: (2928) cmd.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

Process: (2928) cmd.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

Process: (2688) NOTEPAD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Notepad
Operation: write
Name: iWindowPosX
Value: 66

Process: (2688) NOTEPAD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Notepad
Operation: write
Name: iWindowPosY
Value: 66

Process: (2688) NOTEPAD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Notepad
Operation: write
Name: iWindowPosDX
Value: 960

Process: (2688) NOTEPAD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Notepad
Operation: write
Name: iWindowPosDY
Value: 501
Executable files: 1
Suspicious files: 5
Text files: 38
Unknown types: 0

Dropped files

Each entry lists PID, Process, Filename and Type. No MD5 or SHA256 values are given for the dropped files in this summary.

PID: 2928
Process: cmd.exe
Filename: C:\Users\admin\Desktop\a.tmp
Type: (not identified)

PID: 2928
Process: cmd.exe
Filename: C:\Users\admin\Desktop\5.txt
Type: text

PID: 2928
Process: cmd.exe
Filename: C:\Users\admin\Desktop\0.txt
Type: text

PID: 2928
Process: cmd.exe
Filename: C:\Users\admin\Desktop\0.bat
Type: text

PID: 2928
Process: cmd.exe
Filename: C:\Users\admin\Desktop\4.txt
Type: text

PID: 2928
Process: cmd.exe
Filename: C:\Users\admin\Desktop\2.txt
Type: text

PID: 2928
Process: cmd.exe
Filename: C:\Users\admin\Desktop\3.txt
Type: text

PID: 2928
Process: cmd.exe
Filename: C:\Users\admin\Desktop\1.txt
Type: text

PID: 3272
Process: Rar.exe
Filename: C:\Users\admin\Desktop\解密lucknum-ftjgdp.rar
Type: compressed

PID: 2928
Process: cmd.exe
Filename: C:\Users\admin\Desktop\commentsmethod.jpg
Type: image
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info