Windows Analysis Report
Installer.bat

Overview

General Information

Sample name: Installer.bat
Analysis ID: 1428662
MD5: 17033b44988e812ebade9022cba3584f
SHA1: 3c98c9f36212cfeec679057cabb1ea5d4bffb1a1
SHA256: deda21bef6613c01484a7c219070f1c510d96a31373a9561e31a8e45b3c94473
Infos:

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses cacls to modify the permissions of files

Classification

Source: classification engine Classification label: clean2.winBAT@4/1@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_03
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Installer.bat" "
Source: C:\Windows\System32\cacls.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Installer.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cacls.exe "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cacls.exe "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system" Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: ndfapi.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wdi.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: duser.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\cacls.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\cacls.exe Section loaded: ntmarta.dll Jump to behavior
Uses cacls to modify the permissions of files
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cacls.exe "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cacls.exe "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1428662 Sample: Installer.bat Startdate: 19/04/2024 Architecture: WINDOWS Score: 2 5 cmd.exe 1 1 2->5         started        process3 7 conhost.exe 5->7         started        9 cacls.exe 1 5->9         started       
No contacted IP infos