Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
watermarkedMagistrates.cmd

Overview

General Information

Sample Name:watermarkedMagistrates.cmd
Analysis ID:715163
MD5:500e9b6f69d6c73c8d230e5a5aaecb9f
SHA1:285c236c26d1adfb7a7a38b22fa9777a7b963e87
SHA256:c6b2b705be17902eb4cb8c5f1c587e74e2206e2d6f67a4b6b90b0e24d0395f5a
Infos:

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sample execution stops while process was sleeping (likely an evasion)
Program does not show much activity (idle)

Classification

  • System is w10x64_ra
  • cmd.exe (PID: 4920 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\watermarkedMagistrates.cmd" " MD5: 9D59442313565C2E0860B88BF32B2277)
    • conhost.exe (PID: 5584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5584:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5584:120:WilError_02
Source: classification engineClassification label: clean1.winCMD@2/0@0/0
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\watermarkedMagistrates.cmd" "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationPath Interception1
Process Injection
1
Process Injection
OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 715163 Sample: watermarkedMagistrates.cmd Startdate: 03/10/2022 Architecture: WINDOWS Score: 1 5 cmd.exe 1 2->5         started        process3 7 conhost.exe 5->7         started       

This section contains all screenshots as thumbnails, including those not shown in the slideshow.