Play interactive tourEdit tour
Windows Analysis Report 9.bat
Overview
General Information
Detection
Score: | 80 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: bitsadmin download and execute
Creates autostart registry keys with suspicious names
Downloads files with wrong headers with respect to MIME Content-Type
Powershell drops PE file
Suspicious powershell command line found
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Bitsadmin Job via PowerShell
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
Process Tree |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Dropped Files |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Suspicious Bitsadmin Job via PowerShell | Show sources |
Source: | Author: Endgame, JHasenbusch (ported to sigma for oscd.community): |