
Windows Analysis Report
Installer.bat

Overview

General Information

Sample name:Installer.bat
Analysis ID:1428662
MD5:17033b44988e812ebade9022cba3584f
SHA1:3c98c9f36212cfeec679057cabb1ea5d4bffb1a1
SHA256:deda21bef6613c01484a7c219070f1c510d96a31373a9561e31a8e45b3c94473
Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses cacls to modify the permissions of files

Classification

  • System is w10x64
  • cmd.exe (PID: 6520 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Installer.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cacls.exe (PID: 6596 cmdline: "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system" MD5: A353590E06C976809F14906746109758)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: classification engine; Classification label: clean2.winBAT@4/1@0/0
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_03
Source: unknown; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Installer.bat" "
Source: C:\Windows\System32\cacls.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\cacls.exe "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
Source: C:\Windows\System32\cmd.exe; Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe; Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe; Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe; Section loaded: ndfapi.dll
Source: C:\Windows\System32\cmd.exe; Section loaded: wdi.dll
Source: C:\Windows\System32\cmd.exe; Section loaded: iphlpapi.dll
Source: C:\Windows\System32\cmd.exe; Section loaded: duser.dll
Source: C:\Windows\System32\cmd.exe; Section loaded: xmllite.dll
Source: C:\Windows\System32\cmd.exe; Section loaded: atlthunk.dll
Source: C:\Windows\System32\cmd.exe; Section loaded: textshaping.dll
Source: C:\Windows\System32\cmd.exe; Section loaded: textinputframework.dll
Source: C:\Windows\System32\cmd.exe; Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\cmd.exe; Section loaded: coremessaging.dll
Source: C:\Windows\System32\cmd.exe; Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmd.exe; Section loaded: wintypes.dll
Source: C:\Windows\System32\cacls.exe; Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmd.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe; Queries volume information: C:\ VolumeInformation
MITRE ATT&CK matrix (one line per tactic; the numbers in front of a technique are the report's match counters, kept as extracted):

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
  • Resource Development: 1 Scripting; Domains; DNS Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At
  • Persistence: 1 Services File Permissions Weakness; 1 Scripting; 1 DLL Side-Loading
  • Privilege Escalation: 1 Services File Permissions Weakness; 11 Process Injection; 1 DLL Side-Loading
  • Defense Evasion: 1 Services File Permissions Weakness; 11 Process Injection; 1 DLL Side-Loading
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: 11 System Information Discovery; Application Window Discovery; Query Registry
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Command and Control: Data Obfuscation; Junk Data; Steganography
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Behavior Graph (ID: 1428662, Sample: Installer.bat, Startdate: 19/04/2024, Architecture: WINDOWS, Score: 2): cmd.exe started conhost.exe and cacls.exe.

Source | Detection | Scanner | Label | Link
Installer.bat | 0% | Virustotal | | Browse
Installer.bat | 0% | ReversingLabs | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1428662
Start date and time:2024-04-19 11:27:43 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 9s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Installer.bat
Detection:CLEAN
Classification:clean2.winBAT@4/1@0/0
Cookbook Comments:
  • Found application associated with file extension: .bat
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 52.159.126.152
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, wns.notify.trafficmanager.net
  • Not all processes were analyzed, report is missing behavior information
No simulations
No context
Process:C:\Windows\System32\cacls.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):121
Entropy (8bit):4.323081947925383
Encrypted:false
SSDEEP:3:ohAIQDMCZArMsxo2xRSvFFwIFMW3Gtvn:ohYD+82xmwIyHtv
MD5:43B1EC1407EA9C0219A563FFFEEAE780
SHA1:C42041802E99A95E6CBAE13E3E20EBFBA3237BB2
SHA-256:7E5146BF6F0B6AA61AFD4E3A6031D6DEF0F37523A22D75086B8E0E21D22E4B16
SHA-512:5307D7E089BEA4DAC250D0B606C80DF13CCA0A7ECB622BF61B37AD736FFC44EA68F9B993E4743F2AB220FF950E9D9B423524D4E10C0B2D1CE280A7D9B5095DE0
Malicious:false
Reputation:moderate, very likely benign file
Preview:C:\Windows\system32\config\SYSTEM NT AUTHORITY\SYSTEM:F .. BUILTIN\Administrators:F ....
File type:DOS batch file, ASCII text, with CRLF line terminators
Entropy (8bit):5.150691798368533
TrID:
    File name:Installer.bat
    File size:544 bytes
    MD5:17033b44988e812ebade9022cba3584f
    SHA1:3c98c9f36212cfeec679057cabb1ea5d4bffb1a1
    SHA256:deda21bef6613c01484a7c219070f1c510d96a31373a9561e31a8e45b3c94473
    SHA512:9f54c72cafeedb4b332e8c4d438e88475d1757ea4ffdf23d13d0f1bae55806b3fe58cf48002085f5a867c5d8906c4b7674584c4070288e35026037cdc33eb282
    SSDEEP:12:wpzHipHmMSI88dfKLerEtm0yy5No9kj2rxvbHVZz:wpzHOeI8sfJ0yb20BHVx
    TLSH:95F04C14004F861322A698B0C7013149E569F2473D188460F52260D0DE7F246DEEEDED
    File Content Preview:@echo off....>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"....if '%errorlevel%' NEQ '0' (.. goto UACPrompt..) else ( goto gotAdmin )....:UACPrompt.. echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\get
    Icon Hash:9686878b929a9886
    No network behavior found


    Target ID:1
    Start time:11:29:03
    Start date:19/04/2024
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Installer.bat" "
    Imagebase:0x7ff71b400000
    File size:289'792 bytes
    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:2
    Start time:11:29:03
    Start date:19/04/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff704000000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:3
    Start time:11:29:03
    Start date:19/04/2024
    Path:C:\Windows\System32\cacls.exe
    Wow64 process (32bit):false
    Commandline:"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    Imagebase:0x7ff6884b0000
    File size:34'304 bytes
    MD5 hash:A353590E06C976809F14906746109758
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    No disassembly