Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
update.bat

Overview

General Information

Sample name:update.bat
Analysis ID:1546597
MD5:f367f9325667365943803103e4f6d1c1
SHA1:8af3410e29740193b254bb06f843b2e3795fc007
SHA256:317d70c2f994f77d4058b6d1283213ead1c0d53cc7b7754acabcf76d09670877
Tags:batSPAM-ITAterrorists-cultures-wallpaper-tabs-trycloudflare-comuser-JAMESWT_MHT
Infos:

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Maps a DLL or memory area into another process
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses taskkill to terminate processes
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 2996 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\update.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 4060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
update.batMALWARE_BAT_KoadicBATKoadic post-exploitation framework BAT payloadditekSHen
  • 0x2:$s1: &@cls&@set
  • 0x5a:$s2: :~43,1%%
  • 0x66:$s2: :~61,1%%
  • 0x72:$s2: :~41,1%%
  • 0x7e:$s2: :~33,1%%
  • 0x8a:$s2: :~25,1%
  • 0x9c:$s2: :~34,1%%
  • 0xa8:$s2: :~14,1%%
  • 0xb4:$s2: :~42,1%%
  • 0xc0:$s2: :~57,1%%
  • 0xcc:$s2: :~45,1%%
  • 0xd8:$s2: :~5,1%%
  • 0xe3:$s2: :~12,1%%
  • 0xef:$s2: :~17,1%%
  • 0xfb:$s2: :~10,1%%
  • 0x107:$s2: :~2,1%%
  • 0x112:$s2: :~26,1%%
  • 0x11e:$s2: :~52,1%%
  • 0x12a:$s2: :~41,1%%
  • 0x136:$s2: :~51,1%%
  • 0x142:$s2: :~19,1%%
No Sigma rule has matched
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: update.batVirustotal: Detection: 12%Perma Link

System Summary

barindex
Source: update.bat, type: SAMPLEMatched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen
Source: update.bat, type: SAMPLEMatched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload
Source: classification engineClassification label: mal60.evad.winBAT@19/0@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4060:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6216:120:WilError_03
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\update.bat" "
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cmd.exe")
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: update.batVirustotal: Detection: 12%
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\update.bat" "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\update.bat" MY_FLAG
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe python.exe ana.py
Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe python ab.py
Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe python.exe en.py
Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe python.exe eni.py
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /F /IM cmd.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\update.bat" MY_FLAGJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe python.exe ana.pyJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe python ab.pyJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe python.exe en.pyJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe python.exe eni.pyJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /F /IM cmd.exeJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: apisethost.appexecutionalias.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: daxexec.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: fltlib.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: container.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: capauthz.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: windows.staterepositorycore.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: windows.storage.applicationdata.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: wldp.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: propsys.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: windows.storage.applicationdata.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: wldp.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: propsys.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: windows.storage.applicationdata.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: wldp.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: propsys.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: windows.storage.applicationdata.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: wldp.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: propsys.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\InProcServer32Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\taskkill.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\taskkill.exeProcess token adjusted: DebugJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Windows\System32\cmd.exeSection loaded: NULL target: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe protection: readonlyJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: NULL target: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe protection: readonlyJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: NULL target: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe protection: readonlyJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: NULL target: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe protection: readonlyJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\update.bat" MY_FLAGJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe python.exe ana.pyJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe python ab.pyJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe python.exe en.pyJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe python.exe eni.pyJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /F /IM cmd.exeJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /F /IM cmd.exeJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting
Valid Accounts1
Windows Management Instrumentation
1
Scripting
111
Process Injection
1
Disable or Modify Tools
OS Credential Dumping12
System Information Discovery
Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading
1
DLL Side-Loading
111
Process Injection
LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
DLL Side-Loading
Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1546597 Sample: update.bat Startdate: 01/11/2024 Architecture: WINDOWS Score: 60 22 Malicious sample detected (through community Yara rule) 2->22 24 Multi AV Scanner detection for submitted file 2->24 7 cmd.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        12 conhost.exe 7->12         started        signatures5 26 Maps a DLL or memory area into another process 9->26 14 taskkill.exe 1 9->14         started        16 conhost.exe 9->16         started        18 AppInstallerPythonRedirector.exe 9->18         started        20 3 other processes 9->20 process6

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
update.bat8%ReversingLabs
update.bat13%VirustotalBrowse
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1546597
Start date and time:2024-11-01 08:21:06 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 48s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:10
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:update.bat
Detection:MAL
Classification:mal60.evad.winBAT@19/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .bat
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net
  • Not all processes where analyzed, report is missing behavior information
TimeTypeDescription
03:21:54API Interceptor4x Sleep call for process: AppInstallerPythonRedirector.exe modified
No context
No context
No context
No context
No context
No created / dropped files found
File type:Unicode text, UTF-16, little-endian text, with very long lines (10089), with no line terminators
Entropy (8bit):4.682193817909024
TrID:
  • Text - UTF-16 (LE) encoded (2002/1) 66.67%
  • MP3 audio (1001/1) 33.33%
File name:update.bat
File size:20'181 bytes
MD5:f367f9325667365943803103e4f6d1c1
SHA1:8af3410e29740193b254bb06f843b2e3795fc007
SHA256:317d70c2f994f77d4058b6d1283213ead1c0d53cc7b7754acabcf76d09670877
SHA512:a8dff84f23f0b10629c378e44a99c8cce965f0b0d6a98260835ccea6bcaa72f20b3d9585823a8b2e0c23bdb0659c8b7184c9da2b2408f030dd24c0214d97ad91
SSDEEP:384:EC3F/dAMtK3aF1QahFOs3DrgyDC1lIHR9z:7F/GMxQahFOs3Drgy+1lC9z
TLSH:8F92F92419D70BFEB138D42B705347BADDD7A53EA528F9DB80E67C7E1882625E203684
File Content Preview:..&@cls&@set "..a.=CbwOrK1cpyfRmJXY2L7aN6uIn 8Di5ZFBtlHPhvzWe4@QVGA3gTE9q0xoSjUMsdk".%..a.:~43,1%%..a.:~61,1%%..a.:~41,1%%..a.:~33,1%%..a.:~25,1%"....=%..a.:~34,1%%..a.:~14,1%%..a.:~42,1%%..a.:~57,1%%..a.:~45,1%%..a.:~5,1%%..a.:~12,1%%..a.:~17,1%%..a.:~10
Icon Hash:9686878b929a9886
No network behavior found

Click to jump to process

Click to jump to process

Click to jump to process

Target ID:0
Start time:03:21:53
Start date:01/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\update.bat" "
Imagebase:0x7ff7ba080000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:03:21:53
Start date:01/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:03:21:53
Start date:01/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\update.bat" MY_FLAG
Imagebase:0x7ff7ba080000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:03:21:54
Start date:01/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:5
Start time:03:21:54
Start date:01/11/2024
Path:C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
Wow64 process (32bit):false
Commandline:python.exe ana.py
Imagebase:0x7ff614730000
File size:207'872 bytes
MD5 hash:5E1055E69FF01930C62388625726A90E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:6
Start time:03:21:54
Start date:01/11/2024
Path:C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
Wow64 process (32bit):false
Commandline:python ab.py
Imagebase:0x7ff614730000
File size:207'872 bytes
MD5 hash:5E1055E69FF01930C62388625726A90E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:7
Start time:03:21:55
Start date:01/11/2024
Path:C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
Wow64 process (32bit):false
Commandline:python.exe en.py
Imagebase:0x7ff614730000
File size:207'872 bytes
MD5 hash:5E1055E69FF01930C62388625726A90E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:8
Start time:03:21:56
Start date:01/11/2024
Path:C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
Wow64 process (32bit):false
Commandline:python.exe eni.py
Imagebase:0x7ff614730000
File size:207'872 bytes
MD5 hash:5E1055E69FF01930C62388625726A90E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:9
Start time:03:21:56
Start date:01/11/2024
Path:C:\Windows\System32\taskkill.exe
Wow64 process (32bit):false
Commandline:taskkill /F /IM cmd.exe
Imagebase:0x7ff6f8b00000
File size:101'376 bytes
MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

No disassembly