Windows Analysis Report
body.msg.bat.exe

Overview

General Information

Sample name: body.msg.bat.exe
Analysis ID: 1581289
MD5: 191d90ba8ed8b74590a812bebe8117a0
SHA1: 5b787d4687cbbb9be414b7c109da0b9479815dcf
SHA256: 49bf50560f43e88fdb63f3ebbde7d008cd7d6e880e9275538903d9678a6e4967
Tags: exe, user-TeamDreier

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to inject threads in other processes
Creates an undocumented autostart registry key
Detected PE file pumping (to bypass AV & sandboxing)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • body.msg.bat.exe (PID: 7376 cmdline: "C:\Users\user\Desktop\body.msg.bat.exe" MD5: 191D90BA8ED8B74590A812BEBE8117A0)
    • tserv.exe (PID: 7456 cmdline: C:\Windows\tserv.exe s MD5: 191D90BA8ED8B74590A812BEBE8117A0)
    • notepad.exe (PID: 7480 cmdline: C:\Windows\System32\notepad.exe C:\Users\user\Desktop\2631.tmp MD5: E92D3A824A0578A50D2DD81B5060145F)
  • tserv.exe (PID: 7876 cmdline: "C:\Windows\tserv.exe" s MD5: 191D90BA8ED8B74590A812BEBE8117A0)
  • cleanup
No configs have been found
No yara matches
Sigma: Suspicious Outbound SMTP Connections | Source: Network Connection | Author: frack113 | Data: DestinationIp: 98.136.96.76, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\tserv.exe, Initiated: true, ProcessId: 7456, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49706
Sigma: Wow6432Node CurrentVersion Autorun Keys Modification | Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\tserv.exe s, EventID: 13, EventType: SetValue, Image: C:\Windows\tserv.exe, ProcessId: 7456, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tserv
Sigma: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification | Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: msji449c14b7.dll, EventID: 13, EventType: SetValue, Image: C:\Windows\tserv.exe, ProcessId: 7456, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Note: the raw report renders the first event's fields as "DesusertionIp" and "DesusertionPort"; that is the sandbox's username scrubbing replacing the substring "tina" inside "Destination" with "user", not a real Sysmon field name. The field names above are the genuine Sysmon EventID 3 names.
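The three Sigma matches above reduce to simple field tests on Sysmon events. The following is an added example (not Joe Sandbox or Sigma project code) that re-implements them in Python over a handful of constructed Sysmon-style events copied from the matched events listed above, plus two benign controls. The SMTP port set, the mail-client allow-list and the subset of Windows NT autorun value names are assumptions, not the full logic of the published rules.

```python
"""Plain-Python re-implementation of the three Sigma rules that fired in this report,
run over Sysmon-style events. Added example; not Joe Sandbox or Sigma project code.
Field names follow the Sysmon schema (EventID 3 = network connection,
EventID 13 = registry value set); the allow-list and port set are assumptions."""
import ntpath
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Constructed sample: the three matched events from the report plus two benign controls.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 3, "Image": r"C:\Windows\tserv.exe", "ProcessId": 7456, "Initiated": True,
     "Protocol": "tcp", "SourceIp": "192.168.2.9", "SourcePort": 49706,
     "DestinationIp": "98.136.96.76", "DestinationPort": 25},
    {"EventID": 13, "Image": r"C:\Windows\tserv.exe", "ProcessId": 7456, "EventType": "SetValue",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tserv",
     "Details": r"C:\Windows\tserv.exe s"},
    {"EventID": 13, "Image": r"C:\Windows\tserv.exe", "ProcessId": 7456, "EventType": "SetValue",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": "msji449c14b7.dll"},
    # Benign controls (constructed): a mail client submitting mail, and a harmless HKCU write.
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ProcessId": 4242, "Initiated": True, "Protocol": "tcp", "SourceIp": "192.168.2.9",
     "SourcePort": 50001, "DestinationIp": "203.0.113.10", "DestinationPort": 587},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "ProcessId": 1234, "EventType": "SetValue",
     "TargetObject": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

SMTP_PORTS = {25, 465, 587}                        # assumption: ports a mail submission uses
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumption: images allowed to speak SMTP
RUN_KEY = "\\microsoft\\windows\\currentversion\\run\\"
WINNT_WINDOWS_KEY = "\\microsoft\\windows nt\\currentversion\\windows\\"
WINNT_AUTORUN_VALUES = {"appinit_dlls", "load", "run"}  # assumed subset of the Sigma rule's list


def suspicious_outbound_smtp(ev: Event) -> bool:
    """EventID 3, outbound, SMTP port, from an image that is not a known mail client."""
    if ev.get("EventID") != 3 or not ev.get("Initiated"):
        return False
    if ev.get("DestinationPort") not in SMTP_PORTS:
        return False
    return ntpath.basename(str(ev.get("Image", ""))).lower() not in MAIL_CLIENTS


def wow6432_run_key_modification(ev: Event) -> bool:
    """EventID 13 SetValue under HKLM\\SOFTWARE\\WOW6432Node\\...\\CurrentVersion\\Run\\<name>."""
    target = str(ev.get("TargetObject", "")).lower()
    return (ev.get("EventID") == 13 and ev.get("EventType") == "SetValue"
            and "\\wow6432node\\" in target and RUN_KEY in target)


def wow6432_winnt_autorun_modification(ev: Event) -> bool:
    """EventID 13 SetValue on AppInit_DLLs / Load / Run under the WOW6432Node Windows NT key."""
    target = str(ev.get("TargetObject", "")).lower()
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return False
    if "\\wow6432node\\" not in target or WINNT_WINDOWS_KEY not in target:
        return False
    return target.rsplit("\\", 1)[-1] in WINNT_AUTORUN_VALUES


RULES = [
    ("Suspicious Outbound SMTP Connections", suspicious_outbound_smtp),
    ("Wow6432Node CurrentVersion Autorun Keys Modification", wow6432_run_key_modification),
    ("Wow6432Node Windows NT CurrentVersion Autorun Keys Modification", wow6432_winnt_autorun_modification),
]


def run_rules(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule title, event index) for every rule/event pair that matches."""
    hits = []
    for idx, ev in enumerate(events):
        for title, rule in RULES:
            if rule(ev):
                hits.append((title, idx))
    return hits


if __name__ == "__main__":
    for title, idx in run_rules(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{title}: {ev['Image']} (PID {ev['ProcessId']})")
```

Matching is case-insensitive on the registry path because Sysmon reports the case the writer used; the Outlook control shows why the SMTP rule needs an image allow-list rather than a bare port test.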
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T10:29:31.716846+0100 | 2016998 | 1 | A Network Trojan was detected | 192.168.2.9 | 49708 | 193.166.255.171 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T10:29:53.764767+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49708 | 193.166.255.171 | 80 | TCP
2024-12-27T10:30:15.561931+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49712 | 193.166.255.171 | 80 | TCP
2024-12-27T10:30:15.961830+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49713 | 193.166.255.171 | 80 | TCP
2024-12-27T10:30:37.844580+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49717 | 193.166.255.171 | 80 | TCP
2024-12-27T10:30:38.291189+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49718 | 193.166.255.171 | 80 | TCP
2024-12-27T10:31:00.166826+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49722 | 193.166.255.171 | 80 | TCP
2024-12-27T10:31:00.463550+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49723 | 193.166.255.171 | 80 | TCP
2024-12-27T10:31:22.282599+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49727 | 193.166.255.171 | 80 | TCP
2024-12-27T10:31:22.579898+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49728 | 193.166.255.171 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T10:29:53.764767+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49708 | 193.166.255.171 | 80 | TCP
2024-12-27T10:30:15.561931+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49712 | 193.166.255.171 | 80 | TCP
2024-12-27T10:30:15.961830+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49713 | 193.166.255.171 | 80 | TCP
2024-12-27T10:30:37.844580+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49717 | 193.166.255.171 | 80 | TCP
2024-12-27T10:30:38.291189+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49718 | 193.166.255.171 | 80 | TCP
2024-12-27T10:31:00.166826+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49722 | 193.166.255.171 | 80 | TCP
2024-12-27T10:31:00.463550+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49723 | 193.166.255.171 | 80 | TCP
2024-12-27T10:31:22.282599+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49727 | 193.166.255.171 | 80 | TCP
2024-12-27T10:31:22.579898+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49728 | 193.166.255.171 | 80 | TCP

AV Detection

Source: body.msg.bat.exe | Avira: detected
Source: C:\Windows\tserv.exe | Avira: detection malicious, Label: WORM/Stration.C
Source: C:\Windows\tserv.exe | ReversingLabs: Detection: 94%
Source: C:\Windows\tserv.exe | Virustotal: Detection: 86%
Source: body.msg.bat.exe | Virustotal: Detection: 86%
Source: body.msg.bat.exe | ReversingLabs: Detection: 94%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 95.1% probability
Source: C:\Windows\tserv.exe | Joe Sandbox ML: detected
Source: body.msg.bat.exe | Joe Sandbox ML: detected
Source: body.msg.bat.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose
Source: global traffic | HTTP traffic detected (9 identical requests, one per TCP connection): GET /chr/wtb/lt.exe HTTP/1.1 | Host: www4.cedesunjerinkas.com
Source: Joe Sandbox View | IP Address: 67.195.204.79
Source: Joe Sandbox View | IP Address: 193.166.255.171
Source: Joe Sandbox View | IP Address: 67.195.228.110
Source: Network traffic | Suricata IDS: 2016998 - Severity 1 - ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host) : 192.168.2.9:49708 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49708 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.9:49708 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49727 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.9:49727 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49712 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.9:49712 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49718 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49728 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.9:49718 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.9:49728 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49713 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.9:49713 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49717 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.9:49717 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49723 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.9:49723 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49722 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.9:49722 -> 193.166.255.171:80
Source: global traffic | TCP traffic: 192.168.2.9:49706 -> 98.136.96.76:25
Source: global traffic | TCP traffic: 192.168.2.9:49710 -> 67.195.204.79:25
Source: global traffic | TCP traffic: 192.168.2.9:49715 -> 67.195.228.110:25
Source: global traffic | TCP traffic: 192.168.2.9:49719 -> 142.250.157.26:25
Source: global traffic | TCP traffic: 192.168.2.9:49725 -> 108.177.98.27:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
Source: global traffic | HTTP traffic detected (9 identical requests, one per TCP connection): GET /chr/wtb/lt.exe HTTP/1.1 | Host: www4.cedesunjerinkas.com
Source: global traffic | DNS traffic detected: DNS query: yahoo.com
Source: global traffic | DNS traffic detected: DNS query: mta5.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: mta6.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: mta7.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: www4.cedesunjerinkas.com
Source: global traffic | DNS traffic detected: DNS query: gmail.com
Source: global traffic | DNS traffic detected: DNS query: alt4.gmail-smtp-in.l.google.com
Source: global traffic | DNS traffic detected: DNS query: alt1.gmail-smtp-in.l.google.com
Source: global traffic | DNS traffic detected: DNS query: alt2.gmail-smtp-in.l.google.com
Source: global traffic | DNS traffic detected: DNS query: gmail-smtp-in.l.google.com
Source: global traffic | DNS traffic detected: DNS query: alt3.gmail-smtp-in.l.google.com
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_00423D83 QueryDosDeviceA,lstrcpyA,lstrcatA,GetLastError,lstrcpyA,lstrcatA,DefineDosDeviceA,GetLastError,lstrcpyA,lstrcatA,CreateFileA,DeviceIoControl,GetLastError,GetLastError,DefineDosDeviceA,GetLastError
Source: C:\Users\user\Desktop\body.msg.bat.exe | File created: C:\Windows\tserv.exe
Source: C:\Users\user\Desktop\body.msg.bat.exe | File created: C:\Windows\tserv.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code functions (32): 1_2_00411800, 1_2_004108D0, 1_2_0040C8E0, 1_2_0040F0E9, 1_2_00410907, 1_2_00404110, 1_2_00409119, 1_2_0040F1C7, 1_2_0040C1D0, 1_2_00404990, 1_2_004091A7, 1_2_0040E246, 1_2_00428A08, 1_2_00425214, 1_2_00405310, 1_2_00408BC0, 1_2_00415BD0, 1_2_0041B3D0, 1_2_0040DBF0, 1_2_0041E3A0, 1_2_00409436, 1_2_00409CF7, 1_2_0041BD00, 1_2_0040EDE0, 1_2_0040DE56, 1_2_0041C660, 1_2_00410670, 1_2_0040E676, 1_2_00409F47, 1_2_0040EF78, 1_2_0040FF30, 1_2_00405F30
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: String function: 0042664C appears 45 times
Source: body.msg.bat.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.evad.winEXE@6/3@11/7
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_004047A0 lstrcatA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_00405090 GetSystemDirectoryA,lstrcatA,lstrcatA,lstrcatA,GetFileAttributesA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_0041E0B0 FindResourceA,LoadResource,SizeofResource,LockResource,CreateFileA,WriteFile,CloseHandle
Source: C:\Users\user\Desktop\body.msg.bat.exe | File created: C:\Users\user\Desktop\2631.tmp
Source: C:\Windows\tserv.exe | Mutant created: NULL
Source: body.msg.bat.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\body.msg.bat.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: body.msg.bat.exe | Virustotal: Detection: 86%
Source: body.msg.bat.exe | ReversingLabs: Detection: 94%
Source: C:\Users\user\Desktop\body.msg.bat.exe | File read: C:\Users\user\Desktop\body.msg.bat.exe
Source: unknown | Process created: C:\Users\user\Desktop\body.msg.bat.exe "C:\Users\user\Desktop\body.msg.bat.exe"
Source: C:\Users\user\Desktop\body.msg.bat.exe | Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
Source: C:\Users\user\Desktop\body.msg.bat.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\2631.tmp (the System32 path on the command line resolves to SysWOW64 because the 32-bit parent is subject to WoW64 file system redirection)
Source: unknown | Process created: C:\Windows\tserv.exe "C:\Windows\tserv.exe" s
Source: C:\Users\user\Desktop\body.msg.bat.exe | Sections loaded (in order): apphelp.dll, cmut449c14b7.dll, ntmarta.dll
Source: C:\Windows\tserv.exe (first instance) | Sections loaded (in order): apphelp.dll, cmut449c14b7.dll, wininet.dll, dnsapi.dll, iphlpapi.dll, cmut449c14b7.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, mswsock.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, ondemandconnroutehelper.dll, winhttp.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Windows\SysWOW64\notepad.exe | Sections loaded (in order): kernel.appcore.dll, uxtheme.dll, mrmcorer.dll, windows.storage.dll, wldp.dll, textshaping.dll, efswrt.dll, mpr.dll, wintypes.dll, twinapi.appcore.dll, oleacc.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, policymanager.dll, msvcp110_win.dll
Source: C:\Windows\tserv.exe (second instance) | Sections loaded (in order): cmut449c14b7.dll, wininet.dll, dnsapi.dll, iphlpapi.dll, cmut449c14b7.dll, iertutil.dll, sspicli.dll, napinsp.dll, windows.storage.dll, wldp.dll, pnrpnsp.dll, wshbth.dll, profapi.dll, nlaapi.dll, mswsock.dll, winrnr.dll, fwpuclnt.dll, kernel.appcore.dll, rasadhlp.dll, ondemandconnroutehelper.dll, winhttp.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Windows\SysWOW64\notepad.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_0041F660 LoadLibraryA,GetProcAddress,SetWindowsHookExA
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_0042647C push eax; ret 1_2_0042649A
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_004254B0 push eax; ret 1_2_004254C4
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_004254B0 push eax; ret 1_2_004254EC
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_00426687 push ecx; ret 1_2_00426697

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\body.msg.bat.exe | Executable created and started: C:\Windows\tserv.exe
Source: C:\Users\user\Desktop\body.msg.bat.exe | File created: C:\Windows\tserv.exe (dropped file)
Note: the dropped C:\Windows\tserv.exe carries the same MD5 as the submitted sample (191d90ba8ed8b74590a812bebe8117a0, see the process tree), so this is a self-copy into the Windows directory followed by re-execution with the argument "s", not a second-stage payload.

Boot Survival

Source: C:\Windows\tserv.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows, value AppInit_DLLs = msji449c14b7.dll (data from the Sigma event above)
Source: C:\Windows\tserv.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run, value tserv = C:\Windows\tserv.exe s (data from the Sigma event above)
Note: AppInit_DLLs under the WOW6432Node key is only consulted for 32-bit processes that load user32.dll, only when LoadAppInit_DLLs is enabled, and not at all on Secure Boot systems; the report shows no write to LoadAppInit_DLLs. The named msji449c14b7.dll is not among the three dropped files this report lists, although both the sample and tserv.exe load a module named cmut449c14b7.dll with the same 449c14b7 suffix, which is worth pulling from the sandbox's memory dumps.
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_0041D159 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: body.msg.bat.exe | Static PE information: Resource name: RT_ICON size: 0xffffff28 (read as an unsigned 32-bit value that is 4,294,967,080 bytes, far larger than the file itself: an impossible size field in the resource directory, which parsers that trust it will over-read)
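A resource size of 0xffffff28 and a "file pumping" verdict both come from comparing declared sizes with the real file size. The following added example (my code, not Joe Sandbox's) parses a PE's section table, reports any section whose declared raw size runs past the end of the file, measures the overlay after the last section, and applies a pumping heuristic. The thresholds in is_pumped() and the minimal PE built by build_minimal_pe() are assumptions made for the demonstration; bogus_section_pe() patches the report's 0xffffff28 value into a section header to show how such a field looks to a parser.

```python
"""Overlay / bogus-size check for a PE file, the kind of test behind a 'file pumping'
verdict. Added example, not Joe Sandbox code; the thresholds in is_pumped() and the
minimal PE built by build_minimal_pe() are assumptions made for the demonstration."""
import struct
from typing import Dict, List

SECTION_HDR = "<8sIIIIIIHHI"           # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe_layout(data: bytes) -> Dict[str, object]:
    """Walk the headers and report where the last section ends and how much trails it."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    size_of_headers = struct.unpack_from("<I", data, opt_off + 60)[0]   # same offset in PE32/PE32+
    sect_off = opt_off + opt_size
    sections: List[Dict[str, object]] = []
    bogus: List[str] = []
    end_of_image = size_of_headers
    for i in range(nsections):
        name, _, _, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_HDR, data, sect_off + 40 * i)
        sname = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append({"name": sname, "raw_ptr": raw_ptr, "raw_size": raw_size})
        end = raw_ptr + raw_size
        if end > len(data):                    # declared size runs past the end of the file
            bogus.append(sname)
            end = len(data)
        end_of_image = max(end_of_image, end)
    return {"sections": sections, "bogus": bogus,
            "end_of_image": end_of_image, "overlay_bytes": len(data) - end_of_image}


def is_pumped(data: bytes, min_overlay: int = 1 << 20, min_ratio: float = 0.5) -> bool:
    """Heuristic: a large overlay that makes up most of the file. Thresholds are assumptions."""
    layout = parse_pe_layout(data)
    overlay = layout["overlay_bytes"]
    return overlay >= min_overlay and overlay / len(data) >= min_ratio


def build_minimal_pe(payload: bytes, overlay: bytes = b"") -> bytes:
    """Construct a tiny, non-runnable PE32 with one .text section (test input only)."""
    file_align = size_of_headers = 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 36, file_align)                       # FileAlignment
    struct.pack_into("<I", opt, 60, size_of_headers)                  # SizeOfHeaders
    raw_size = -(-len(payload) // file_align) * file_align
    sect = struct.pack(SECTION_HDR, b".text", len(payload), 0x1000, raw_size, size_of_headers,
                       0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(size_of_headers, b"\0")
    return headers + payload.ljust(raw_size, b"\0") + overlay


def bogus_section_pe() -> bytes:
    """Same file with SizeOfRawData patched to 0xFFFFFF28, mirroring the RT_ICON size above."""
    pe = bytearray(build_minimal_pe(b"\x90" * 100))
    sect_off = 0x40 + 4 + 20 + 224                                    # first section header
    struct.pack_into("<I", pe, sect_off + 16, 0xFFFFFF28)             # SizeOfRawData field
    return bytes(pe)


if __name__ == "__main__":
    clean = build_minimal_pe(b"\x90" * 100)
    pumped = build_minimal_pe(b"\x90" * 100, b"\0" * (2 << 20))
    for label, blob in (("clean", clean), ("pumped", pumped), ("bogus", bogus_section_pe())):
        print(label, parse_pe_layout(blob)["overlay_bytes"], parse_pe_layout(blob)["bogus"], is_pumped(blob))
```

The same "declared end beyond EOF" test applied to resource data entries would flag the 0xffffff28 RT_ICON directly; the section-table version is shown because it needs no resource-tree walk and already catches the overlay padding that inflates pumped files past scanner size limits.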
Source: C:\Users\user\Desktop\body.msg.bat.exe | RDTSC instruction interceptor: First address: 40C1E0, second address: 40C1EE, instructions:
    0x00000000 rdtsc
    0x00000002 xor eax, edx
    0x00000004 xor dword ptr [esp+04h], eax
    0x00000008 call esi
    0x0000000a push ecx
    0x0000000b call dword ptr [76FF188Ch]
    0x00000011 mov edi, edi
    0x00000013 push ebp
    0x00000014 mov ebp, esp
    0x00000016 push ecx
    0x00000017 mov ecx, dword ptr [7FFE0004h]
    0x0000001d mov dword ptr [ebp-04h], ecx
    0x00000020 cmp ecx, 01000000h
    0x00000026 jc 00007EFF48EE81D5h
    0x0000002c mov eax, 7FFE0320h
    0x00000031 mov eax, dword ptr [eax]
    0x00000033 mul ecx
    0x00000035 shrd eax, edx, 00000018h
    0x00000039 mov esp, ebp
    0x0000003b pop ebp
    0x0000003c ret
    0x0000003d pop ecx
    0x0000003e ret
    0x0000003f mov dword ptr [esp+08h], eax
    0x00000043 rdtsc
Source: C:\Users\user\Desktop\body.msg.bat.exe | RDTSC instruction interceptor: First address: 40C1EE, second address: 40C1FC: the same sequence, with the xor target at [esp+08h], the final store at [esp+0Ch] and the jc target 00007EFF4959D3D5h
Source: C:\Users\user\Desktop\body.msg.bat.exe | RDTSC instruction interceptor: First address: 40C1FC, second address: 40C20A: the same sequence, with the xor target at [esp+0Ch], the final store at [esp+10h] and the jc target 00007EFF48EE81D5h
Note: the routine reached through call esi reads KUSER_SHARED_DATA.TickCountMultiplier (7FFE0004h) and TickCount (7FFE0320h) and computes mul / shrd 24, which is the user-mode GetTickCount implementation. Three consecutive rdtsc values are xor-mixed with GetTickCount results into adjacent stack slots, so this can be a timing check or a seed gatherer; the report does not show a comparison of the deltas against a threshold, so treat the virtualization-detection verdict as a heuristic.
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_0040C1D0 rdtsc
Source: C:\Windows\tserv.exe | Thread delayed: delay time: 300000 (ms, i.e. 5 minutes)
Source: C:\Windows\tserv.exe | Thread delayed: delay time: 300000 (ms)
Source: C:\Users\user\Desktop\body.msg.bat.exe | Evasive API call chain: GetModuleFileName, DecisionNodes, ExitProcess (graph_1-12752)
Source: C:\Users\user\Desktop\body.msg.bat.exe | Check user administrative privileges: GetTokenInformation, DecisionNodes (graph_1-12686)
Source: C:\Windows\tserv.exe TID: 7644 | Thread sleep time: -300000s >= -30000s
Source: C:\Windows\tserv.exe TID: 7916 | Thread sleep time: -300000s >= -30000s
Source: C:\Windows\tserv.exe | Last function: Thread delayed
Source: C:\Windows\tserv.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_00429F44 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect
Source: C:\Windows\tserv.exe | Thread delayed: delay time: 300000 (ms)
Source: C:\Windows\tserv.exe | Thread delayed: delay time: 300000 (ms)
Source: C:\Users\user\Desktop\body.msg.bat.exe | API call chain: ExitProcess graph end node (graph_1-12753)
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_0040C1D0 rdtsc
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_0041F660 LoadLibraryA,GetProcAddress,SetWindowsHookExA
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_004210D0 GetProcessHeap,GetProcessHeap,HeapAlloc,RegOpenKeyExA,GetLastError,GetProcessHeap,HeapFree,RegCloseKey
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_0042731A SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_0042732E SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_00404840 OpenProcess,lstrlenA,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,CreateRemoteThread,1_2_00404840
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_00423260 GetProcessHeap,HeapAlloc,HeapAlloc,HeapAlloc,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,InitializeSecurityDescriptor,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,GetTokenInformation,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,IsValidSecurityDescriptor,1_2_00423260
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: GetLocaleInfoA,1_2_0042C8B2
Source: C:\Windows\SysWOW64\notepad.exe | Queries volume information: C:\Users\user\Desktop\2631.tmp VolumeInformation
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_00401830 ExpandEnvironmentStringsA,GetLocalTime,CreateFileA,CloseHandle,1_2_00401830
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_0040BE00 lstrlenA,GetLocalTime,GetTimeZoneInformation,lstrlenA,1_2_0040BE00
Source: C:\Users\user\Desktop\body.msg.bat.exe | Code function: 1_2_00425D91 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,__wincmdln,GetModuleHandleA,1_2_00425D91
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 3 Native API | 11 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 121 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 11 Process Injection | 121 Virtualization/Sandbox Evasion | LSASS Memory | 32 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 11 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | Security Account Manager | 121 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 11 Process Injection | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 124 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
