Windows Analysis Report
DelTempDM.cmd

Overview

General Information

Sample name:DelTempDM.cmd
Analysis ID:1416960
MD5:2de2f3a97d02661f773f9e775a7e62e9
SHA1:fd43304c94512c614493fe6cda4590d6306a7349
SHA256:3283227468242e06cc192223ef39817d1cff5546471d782e3c72872f36c07096
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs

Classification

  • System is w10x64
  • cmd.exe (PID: 7644 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\DelTempDM.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: DelTempDM.cmd | Virustotal: Detection: 13%
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: classification engine | Classification label: mal48.winCMD@2/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\DelTempDM.cmd" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
ATT&CK matrix (techniques with a matched signature count are marked in parentheses):

  • Reconnaissance: Gather Victim Identity Information; Credentials
  • Resource Development: Acquire Infrastructure; Domains
  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts
  • Privilege Escalation: Process Injection (1); DLL Side-Loading (1)
  • Defense Evasion: Process Injection (1); DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: System Information Discovery (1); Application Window Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Command and Control: Data Obfuscation; Junk Data
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Impact: Abuse Accessibility Features; Network Denial of Service

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1416960; Sample: DelTempDM.cmd; Start date: 28/03/2024; Architecture: WINDOWS; Score: 48
  • Start -> cmd.exe (started) -> conhost.exe (started)
  • Signature attached to the sample node: Multi AV Scanner detection for submitted file

Source: DelTempDM.cmd | Detection: 13% | Scanner: Virustotal
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1416960
Start date and time:2024-03-28 10:52:37 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 31s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:DelTempDM.cmd
Detection:MAL
Classification:mal48.winCMD@2/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .cmd
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Not all processes were analyzed, report is missing behavior information
No simulations
No context
No created / dropped files found
File type:DOS batch file, ASCII text, with CRLF line terminators
Entropy (8bit):4.79807782593531
TrID:
    File name:DelTempDM.cmd
    File size:341 bytes
    MD5:2de2f3a97d02661f773f9e775a7e62e9
    SHA1:fd43304c94512c614493fe6cda4590d6306a7349
    SHA256:3283227468242e06cc192223ef39817d1cff5546471d782e3c72872f36c07096
    SHA512:4f1f9a27fc205b67821bfb32781d1cb649201c5af199beaec10b79f346f185d202bbaba1acf1affb7c05dea445c6f8a2ae795e169b39f3e8e616e86671ea7bf4
    SSDEEP:6:hcnqAqW093WFT18DyEARm5B6GA2AY5718DyEARm5B6GA2AY5cqOWk8DyEARm5Blj:m7qW09mN1SrjRft1SrjRfhkSrj3QjSN
    TLSH:35E04F451B0F65DC624D2021B04AD9831A73044B7A70456C241E81A74984BD75BF77E7
    File Content Preview:@echo off..# Replace ???? with the users logon name..c:..cd\temp..Del *.* /f /s /q..cd\Documents and Settings\moodyd\Local Settings\Temp..Del *.* /f /s /q..cd\Documents and Settings\moodyd\Local Settings\Temporary Internet Files..Del *.* /f /s /q..cd\Docu
    Icon Hash:9686878b929a9886
    No network behavior found

    Target ID:0
    Start time:10:53:23
    Start date:28/03/2024
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\DelTempDM.cmd" "
    Imagebase:0x7ff7728f0000
    File size:289'792 bytes
    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:1
    Start time:10:53:23
    Start date:28/03/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6ee680000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    No disassembly