Edit tour
Windows
Analysis Report
on.cmd
Overview
General Information
| Sample Name: | on.cmd |
| Analysis ID: | 1329366 |
| MD5: | fd877ae342e4e8b246d11700eb90b23d |
| SHA1: | 9c1790db6b9cbd9c5bf2b12b8fbcf6a342a6fd3a |
| SHA256: | 1ce4768f825372d55c1d30ce3ac41afb913de6299a64ae5b0ac1b3b752421d64 |
| Tags: | cmdstudioaziende-click |
| Infos: | |
 | |
Detection
| Score: | 1 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)
Uses reg.exe to modify the Windows registry
Classification
- System is w10x64
cmd.exe (PID: 3568 cmdline: C:\Windows \system32\ cmd.exe /c ""C:\User s\user\Des ktop\on.cm d" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 5836 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
mode.com (PID: 4788 cmdline: Mode 90,20 MD5: BEA7464830980BF7C0490307DB4FC875) - cmd.exe (PID: 2640 cmdline:
C:\Windows \system32\ cmd.exe /c Set GUID[ 2>Nul MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 5080 cmdline:
C:\Windows \system32\ cmd.exe /c Reg Query "HKLM\SOF TWARE\Micr osoft\Wind ows NT\Cur rentVersio n\NetworkL ist\Profil es" /S /V Descriptio n MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - reg.exe (PID: 4788 cmdline:
Reg Query "HKLM\SOFT WARE\Micro soft\Windo ws NT\Curr entVersion \NetworkLi st\Profile s" /S /V D escription MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
There are no malicious signatures, click here to show all signatures.
| Source: | Process created: | ||
| Source: | Mutant created: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | Path Interception | 11 Process Injection | 1 Modify Registry | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 11 Process Injection | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Joe Sandbox Version: | 38.0.0 Ammolite |
| Analysis ID: | 1329366 |
| Start date and time: | 2023-10-20 17:15:07 +02:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 1m 44s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample file name: | on.cmd |
| Detection: | CLEAN |
| Classification: | clean1.winCMD@10/1@0/0 |
| EGA Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: on.cmd
⊘No simulations
| Process: | C:\Windows\System32\cmd.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 41 |
| Entropy (8bit): | 4.1874503350805945 |
| Encrypted: | false |
| SSDEEP: | 3:OT2egJgkuLekbevn:OC39uLevn |
| MD5: | C80A61EC2FFEB4F20A47DF967C372762 |
| SHA1: | D8C7166F59BB7022A966455DE5256C9A248D8B07 |
| SHA-256: | B29385F78B29999A6E4A4133262F5AF567372A4E30C4023E20AD0899B023B76E |
| SHA-512: | CFB36B5FD2B5B17F9B93EC4D83286CD6F1F7B56FEC378F816055B46075386E5D9763B2435D0685410002934E74FFC94EA2E822E18C732CD5D0032856F87FAE89 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 5.23166754615022 |
| TrID: | |
| File name: | on.cmd |
| File size: | 799 bytes |
| MD5: | fd877ae342e4e8b246d11700eb90b23d |
| SHA1: | 9c1790db6b9cbd9c5bf2b12b8fbcf6a342a6fd3a |
| SHA256: | 1ce4768f825372d55c1d30ce3ac41afb913de6299a64ae5b0ac1b3b752421d64 |
| SHA512: | 2b26cae19dc5c485076c6c8c740f5e621f1b507163d26fb8e31cce78f6917a170fe9d9ba0976e7c6079ed50f448fcea1c365e0b3f4c522981c10330c04932e99 |
| SSDEEP: | 24:nep9ZV2tXY7ur3C7TEPaV1k774kIg41k7oy:6oo7urwEiNUoy |
| TLSH: | 77019C400E494500AA719345CDF3D025B35EF593B8BAD59E390D028AAF7F686A8D5EE2 |
| File Content Preview: | ::::::::::::::::::::::::::::..:: START ::..::::::::::::::::::::::::::::..Mode 90,20 & color 0A..SetLocal EnableExtensions DisableDelayedExpansion..(Set k=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles)..For /F "Del |
 | |
| Icon Hash: | 9686878b929a9886 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 17:15:54 |
| Start date: | 20/10/2023 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7de580000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 17:15:54 |
| Start date: | 20/10/2023 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 17:15:54 |
| Start date: | 20/10/2023 |
| Path: | C:\Windows\System32\mode.com |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff74cf00000 |
| File size: | 33'280 bytes |
| MD5 hash: | BEA7464830980BF7C0490307DB4FC875 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 17:15:55 |
| Start date: | 20/10/2023 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7de580000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 17:15:55 |
| Start date: | 20/10/2023 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7de580000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 17:15:55 |
| Start date: | 20/10/2023 |
| Path: | C:\Windows\System32\reg.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff76e670000 |
| File size: | 77'312 bytes |
| MD5 hash: | 227F63E1D9008B36BDBCC4B397780BE4 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
⊘No disassembly