Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
ud.bat

Overview

General Information

Sample name:ud.bat
Analysis ID:1560041
MD5:89bd8649b06f620a24f3aeab75a51dce
SHA1:2a79ffd60ef8a8e25013df5f114ccd7346a56579
SHA256:87a7bca1d04498d08235601c9c2af35f68d63392ac560d1bf2ee4abd812db69d
Tags:batrouki555user-JAMESWT_MHT
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Found large BAT file
Suspicious powershell command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 7260 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ud.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7320 cmdline: powershell.exe -WindowStyle Hidden -Command "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe C:\\Users\\Public\\Document\\python C:\\Users\\Public\\Document\\Lib\\sim.py" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7504 cmdline: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" C:\\Users\\Public\\Document\\python C:\\Users\\Public\\Document\\Lib\\sim.py MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
ud.batMALWARE_BAT_KoadicBATKoadic post-exploitation framework BAT payloadditekSHen
  • 0x2:$s1: &@cls&@set
  • 0x5b:$s2: :~10,1%%
  • 0x67:$s2: :~24,1%%
  • 0x73:$s2: :~48,1%%
  • 0x7f:$s2: :~37,1%%
  • 0x8b:$s2: :~58,1%
  • 0x99:$s2: :~32,1%
  • 0xa6:$s2: :~27,1%%
  • 0xb2:$s2: :~19,1%
  • 0xbf:$s2: :~45,1%%
  • 0xcb:$s2: :~50,1%%
  • 0xd7:$s2: :~59,1%%
  • 0xe3:$s2: :~10,1%%
  • 0xef:$s2: :~47,1%%
  • 0xfb:$s2: :~33,1%%
  • 0x107:$s2: :~5,1%%
  • 0x112:$s2: :~7,1%%
  • 0x11d:$s2: :~15,1%%
  • 0x129:$s2: :~30,1%%
  • 0x135:$s2: :~54,1%%
  • 0x141:$s2: :~41,1%%

System Summary

barindex
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -WindowStyle Hidden -Command "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe C:\\Users\\Public\\Document\\python C:\\Users\\Public\\Document\\Lib\\sim.py" , CommandLine: powershell.exe -WindowStyle Hidden -Command "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe C:\\Users\\Public\\Document\\python C:\\Users\\Public\\Document\\Lib\\sim.py" , CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ud.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7260, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe C:\\Users\\Public\\Document\\python C:\\Users\\Public\\Document\\Lib\\sim.py" , ProcessId: 7320, ProcessName: powershell.exe
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1727474977.000001C5686F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb: source: powershell.exe, 00000004.00000002.1727474977.000001C568754000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb source: powershell.exe, 00000004.00000002.1728023586.000001C5688C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbH source: powershell.exe, 00000004.00000002.1727474977.000001C568754000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbH source: powershell.exe, 00000004.00000002.1728023586.000001C5688C8000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: powershell.exe, 00000004.00000002.1724397409.000001C500084000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1724397409.000001C50001D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1724397409.000001C50005D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68

System Summary

barindex
Source: ud.bat, type: SAMPLEMatched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen
Source: ud.batStatic file information: 3428531
Source: ud.bat, type: SAMPLEMatched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload
Source: classification engineClassification label: mal56.winBAT@7/7@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7332:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7268:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uunydedk.hq1.ps1Jump to behavior
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ud.bat" "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ud.bat" "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe C:\\Users\\Public\\Document\\python C:\\Users\\Public\\Document\\Lib\\sim.py"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" C:\\Users\\Public\\Document\\python C:\\Users\\Public\\Document\\Lib\\sim.py
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe C:\\Users\\Public\\Document\\python C:\\Users\\Public\\Document\\Lib\\sim.py" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" C:\\Users\\Public\\Document\\python C:\\Users\\Public\\Document\\Lib\\sim.pyJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: ud.batStatic file information: File size 3428531 > 1048576
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1727474977.000001C5686F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb: source: powershell.exe, 00000004.00000002.1727474977.000001C568754000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb source: powershell.exe, 00000004.00000002.1728023586.000001C5688C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbH source: powershell.exe, 00000004.00000002.1727474977.000001C568754000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbH source: powershell.exe, 00000004.00000002.1728023586.000001C5688C8000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

barindex
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe C:\\Users\\Public\\Document\\python C:\\Users\\Public\\Document\\Lib\\sim.py"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe C:\\Users\\Public\\Document\\python C:\\Users\\Public\\Document\\Lib\\sim.py" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B883714 pushad ; retf 4_2_00007FFD9B883731
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8822B5 pushad ; iretd 4_2_00007FFD9B88232D
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1982Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1153Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1879Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1074Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7408Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7552Thread sleep count: 1879 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7552Thread sleep count: 1074 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7572Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe C:\\Users\\Public\\Document\\python C:\\Users\\Public\\Document\\Lib\\sim.py" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" C:\\Users\\Public\\Document\\python C:\\Users\\Public\\Document\\Lib\\sim.pyJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting
Valid Accounts1
PowerShell
1
Scripting
11
Process Injection
21
Virtualization/Sandbox Evasion
OS Credential Dumping1
Process Discovery
Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading
1
DLL Side-Loading
11
Process Injection
LSASS Memory21
Virtualization/Sandbox Evasion
Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
DLL Side-Loading
Security Account Manager1
Application Window Discovery
SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Obfuscated Files or Information
NTDS2
File and Directory Discovery
Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets11
System Information Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1560041 Sample: ud.bat Startdate: 21/11/2024 Architecture: WINDOWS Score: 56 18 Malicious sample detected (through community Yara rule) 2->18 20 Found large BAT file 2->20 7 cmd.exe 1 2->7         started        process3 signatures4 22 Suspicious powershell command line found 7->22 10 powershell.exe 11 7->10         started        12 conhost.exe 7->12         started        process5 process6 14 powershell.exe 7 10->14         started        16 conhost.exe 10->16         started       

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
ud.bat3%ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
NameSourceMaliciousAntivirus DetectionReputation
https://aka.ms/pscore68powershell.exe, 00000004.00000002.1724397409.000001C50001D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1724397409.000001C50005D000.00000004.00000800.00020000.00000000.sdmpfalse
    high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000004.00000002.1724397409.000001C500084000.00000004.00000800.00020000.00000000.sdmpfalse
      high
      No contacted IP infos
      Joe Sandbox version:41.0.0 Charoite
      Analysis ID:1560041
      Start date and time:2024-11-21 10:40:08 +01:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 2m 15s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed:5
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:ud.bat
      Detection:MAL
      Classification:mal56.winBAT@7/7@0/0
      EGA Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 4
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .bat
      • Stop behavior analysis, all processes terminated
      • Execution Graph export aborted for target powershell.exe, PID 7504 because it is empty
      • Not all processes where analyzed, report is missing behavior information
      • VT rate limit hit for: ud.bat
      No simulations
      No context
      No context
      No context
      No context
      No context
      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      File Type:data
      Category:dropped
      Size (bytes):64
      Entropy (8bit):0.773832331134527
      Encrypted:false
      SSDEEP:3:Nlllulo/:NllUo/
      MD5:E54D0B143115DA49AA5126838E7B394E
      SHA1:F5CB59DCFB794E2B68B61F55D98A2AD0B3035C3D
      SHA-256:1A7168DD4E695D69BBC1A590D2EC6DDCD335C968A4000734C6D9155754EC09B9
      SHA-512:284B3E5A76AF507F423DD23CBDAFBB5DD73CBEAA4BE983B0828D1E9BBE5CAEC0C98FF46D30289CD52D0CE6B8EB9E6AD57358906F16DB0722100A8B43935C1920
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview:@...e...........................................................
      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Reputation:high, very likely benign file
      Preview:# PowerShell test file to determine AppLocker lockdown mode
      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Preview:# PowerShell test file to determine AppLocker lockdown mode
      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Preview:# PowerShell test file to determine AppLocker lockdown mode
      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Preview:# PowerShell test file to determine AppLocker lockdown mode
      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      File Type:data
      Category:dropped
      Size (bytes):6221
      Entropy (8bit):3.73359321105563
      Encrypted:false
      SSDEEP:96:VexjKI33CxHJDkvhkvCCtwzK08GH3zK08NHb:QdKIypHw2c23
      MD5:29041C56F9CF8B31955A83BB4E53153E
      SHA1:2B3B5FF192E78727F136B8C0C6EBEDDD7C7DDC9E
      SHA-256:7FF1D6A3F4A44C771A5DF0358981E679AE6E01F9F6F8DAF26223CCD1185BF728
      SHA-512:88B9885F0FD0F9D33C84794D5C408082A913118037B764CACD775783ADA3F6D4627B7AC6CD26DA0E920C986639DA28B31B88565393D98C682ABCA3F94A3492F2
      Malicious:false
      Preview:...................................FL..................F.".. ...-/.v.....B.y.;..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....[.%u.;...T.z.;......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^uY.M...........................%..A.p.p.D.a.t.a...B.V.1.....uY.M..Roaming.@......CW.^uY.M..........................k4:.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^uY!M..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`...........................?..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^uY!M....Q...........
      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      File Type:data
      Category:dropped
      Size (bytes):6221
      Entropy (8bit):3.73359321105563
      Encrypted:false
      SSDEEP:96:VexjKI33CxHJDkvhkvCCtwzK08GH3zK08NHb:QdKIypHw2c23
      MD5:29041C56F9CF8B31955A83BB4E53153E
      SHA1:2B3B5FF192E78727F136B8C0C6EBEDDD7C7DDC9E
      SHA-256:7FF1D6A3F4A44C771A5DF0358981E679AE6E01F9F6F8DAF26223CCD1185BF728
      SHA-512:88B9885F0FD0F9D33C84794D5C408082A913118037B764CACD775783ADA3F6D4627B7AC6CD26DA0E920C986639DA28B31B88565393D98C682ABCA3F94A3492F2
      Malicious:false
      Preview:...................................FL..................F.".. ...-/.v.....B.y.;..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....[.%u.;...T.z.;......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^uY.M...........................%..A.p.p.D.a.t.a...B.V.1.....uY.M..Roaming.@......CW.^uY.M..........................k4:.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^uY!M..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`...........................?..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^uY!M....Q...........
      File type:Unicode text, UTF-16, little-endian text, with very long lines (32767), with no line terminators
      Entropy (8bit):3.9147630928816652
      TrID:
      • MP3 audio (ID3 v1.x tag) (2501/1) 45.44%
      • Text - UTF-16 (LE) encoded (2002/1) 36.37%
      • MP3 audio (1001/1) 18.19%
      File name:ud.bat
      File size:3'428'531 bytes
      MD5:89bd8649b06f620a24f3aeab75a51dce
      SHA1:2a79ffd60ef8a8e25013df5f114ccd7346a56579
      SHA256:87a7bca1d04498d08235601c9c2af35f68d63392ac560d1bf2ee4abd812db69d
      SHA512:eac8fe8dd76b586bb0f44996bfa97d0135f54617ab4042033ad6e73bb1dae92bf5d38d7c87534c711f75a872b9c95d7c6479be8e85357dc79ab343df296d3df1
      SSDEEP:3072:iMw7o+MzQBO1mBLeV4CPsqnwI1b2pBqKjka/UuMhCEqnqrQlwLK:iLByQBO1iLeV4gpipBj/0ULCK
      TLSH:7EF52E630ADAEF4FE50C8315A2935406278AE87F707D339AB93D7D3909696F9E01F085
      File Content Preview:..&@cls&@set "dvy.=y678g1fSjH@0GwQZCoUVWn9FsTcP2NKvBODhdtIRpL3xYqzaeME4kmJ5Xr lAubi"..%dvy.:~10,1%%dvy.:~24,1%%dvy.:~48,1%%dvy.:~37,1%%dvy.:~58,1%".%dvy.:~32,1%.%dvy.:~27,1%%dvy.:~19,1%=%dvy.:~45,1%%dvy.:~50,1%%dvy.:~59,1%%dvy.:~10,1%%dvy.:~47,1%%dvy.:~33
      Icon Hash:9686878b929a9886
      No network behavior found

      Click to jump to process

      Click to jump to process

      Click to dive into process behavior distribution

      Click to jump to process

      Target ID:0
      Start time:04:41:00
      Start date:21/11/2024
      Path:C:\Windows\System32\cmd.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ud.bat" "
      Imagebase:0x7ff61fcd0000
      File size:289'792 bytes
      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:1
      Start time:04:41:00
      Start date:21/11/2024
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff7699e0000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:2
      Start time:04:41:01
      Start date:21/11/2024
      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):false
      Commandline:powershell.exe -WindowStyle Hidden -Command "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe C:\\Users\\Public\\Document\\python C:\\Users\\Public\\Document\\Lib\\sim.py"
      Imagebase:0x7ff788560000
      File size:452'608 bytes
      MD5 hash:04029E121A0CFA5991749937DD22A1D9
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:3
      Start time:04:41:01
      Start date:21/11/2024
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff7699e0000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:4
      Start time:04:41:03
      Start date:21/11/2024
      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):false
      Commandline:"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" C:\\Users\\Public\\Document\\python C:\\Users\\Public\\Document\\Lib\\sim.py
      Imagebase:0x7ff788560000
      File size:452'608 bytes
      MD5 hash:04029E121A0CFA5991749937DD22A1D9
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Reset < >
        Memory Dump Source
        • Source File: 00000004.00000002.1728891401.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_7ffd9b950000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 18428486bcf1e01293f88de8d149fc2c42d81d9b050f576429085c8b279016a3
        • Instruction ID: af0b6c5fe2c4d418765f945bf488fc4eb6c81c994d72edd5404d2f6d8ee9d643
        • Opcode Fuzzy Hash: 18428486bcf1e01293f88de8d149fc2c42d81d9b050f576429085c8b279016a3
        • Instruction Fuzzy Hash: 4FD16832B1FACD1FE7B59BE888645B57BA1EF16310B1900FED84CC70E3DA18A9058351
        Memory Dump Source
        • Source File: 00000004.00000002.1728891401.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_7ffd9b950000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 3a5864ac1382e16f1ef43ec77e541f4333e87b78bec4f6899d5b40ae222cb0aa
        • Instruction ID: e0b0777249397ea6d14647a6b866b04fdeebc05492718d401fe119a28c1f48ed
        • Opcode Fuzzy Hash: 3a5864ac1382e16f1ef43ec77e541f4333e87b78bec4f6899d5b40ae222cb0aa
        • Instruction Fuzzy Hash: 08710422A4F7C91FD76797F858205A47FF1EF56220B0A01FBD488CB0E3D9599909C352
        Memory Dump Source
        • Source File: 00000004.00000002.1728891401.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_7ffd9b950000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 336d857e1c9f477cd933536e25d7aa47adcf50e66b999e3f5e31249a11c648ba
        • Instruction ID: 648a03d04d0a33b634ffb97ab7e9d23c47bc30ece8e64daeff0470b3581a394a
        • Opcode Fuzzy Hash: 336d857e1c9f477cd933536e25d7aa47adcf50e66b999e3f5e31249a11c648ba
        • Instruction Fuzzy Hash: 9E61D02294F7CA1FD76787F498341A17FF1AF57220B0A41EBD488CB0A3D9995C4AC322
        Memory Dump Source
        • Source File: 00000004.00000002.1728722343.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_7ffd9b880000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
        • Instruction ID: 7942ddcb7b366def54c675fdc0a42c1b9c7b229ae68d60287c1eb1a1f3edd8da
        • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
        • Instruction Fuzzy Hash: 9001A73020CB0C4FD748EF0CE451AA6B3E0FB89320F10056DE58AC36A1DA32E882CB41