Windows Analysis Report
d.bat

Overview

General Information

Sample name: d.bat
Analysis ID: 1431649
MD5: ff72478478ffdc769b1e68ebcae78ce7
SHA1: de0dcdc73c62b379b197f85665d0f79ffd503e8c
SHA256: 37078a400954db8edd7717afb95f22d7fe119efedc4691bff4e7ca2470ece1c8
Tags: bat
Infos:

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Creates a process in suspended mode (likely to inject code)
Drops files with a non-matching file extension (content does not match file extension)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory

Classification

Source: https://www.irs.gov/pub/irs-pdf/f1040.pdf HTTP Parser: No favicon
Source: file:///C:/Users/user/Downloads/downloaded.pdf HTTP Parser: No favicon
Source: unknown HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49725 version: TLS 1.2
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=mS8f1Gbn84nXFYB&MD=Pu3PAxcs HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=mS8f1Gbn84nXFYB&MD=Pu3PAxcs HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic DNS traffic detected: DNS query: www.irs.gov
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: chromecache_65.5.dr, downloaded.pdf.crdownload.2.dr String found in binary or memory: http://www.aiim.org/pdfua/ns/id/
Source: d.bat String found in binary or memory: https://www.irs.gov/pub/irs-pdf/f1040.pdf
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: classification engine Classification label: clean3.winBAT@22/14@6/3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\e016da71-7c2d-48ea-b712-49cde78c4486.tmp Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4308:120:WilError_03
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\d.bat" "
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\d.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.irs.gov/pub/irs-pdf/f1040.pdf
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2020,i,8690622242313858414,1291820735043739184,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.irs.gov/pub/irs-pdf/f1040.pdf Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2020,i,8690622242313858414,1291820735043739184,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: windows.shell.servicehostbuilder.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: sfc_os.dll Jump to behavior
Source: Google Drive.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: Chrome Cache Entry: 65
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: Chrome Cache Entry: 65 Jump to dropped file
Stores files to the Windows start menu directory
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.irs.gov/pub/irs-pdf/f1040.pdf Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1431649 Sample: d.bat Startdate: 25/04/2024 Architecture: WINDOWS Score: 3 6 cmd.exe 13 2->6         started        process3 8 chrome.exe 20 6->8         started        11 conhost.exe 6->11         started        dnsIp4 16 192.168.2.5, 443, 49703, 49717 unknown unknown 8->16 18 239.255.255.250 unknown Reserved 8->18 13 chrome.exe 8->13         started        process5 dnsIp6 20 www.google.com 142.250.9.104, 443, 49717, 49726 GOOGLEUS United States 13->20 22 www.irs.gov 13->22
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
239.255.255.250
 unknown Reserved
unknown unknown false
142.250.9.104
 www.google.com United States
15169 GOOGLEUS false

Private

IP
192.168.2.5

Contacted Domains

Name IP Active
www.google.com 142.250.9.104 true
www.irs.gov unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://www.irs.gov/pub/irs-pdf/f1040.pdf false
    		high
    file:///C:/Users/user/Downloads/downloaded.pdf false
    • Avira URL Cloud: safe
    		 low