Windows Analysis Report
Fake!Virus!HarmlessAHAHHA.bat

Overview

General Information

Sample name: Fake!Virus!HarmlessAHAHHA.bat
Analysis ID: 1562384
MD5: 02e182ff2335b09c3fb195d3ca900217
SHA1: d58cb1be5233f97fdec08d8302fb74529f2acba3
SHA256: cc9ff758865bd6167a5cf7c5a40f7d6cf5406707155a45c72877c2d4322b281b
Tags: batcia-tfuser-JAMESWT_MHT
Infos:

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

Source: C:\Windows\System32\cmd.exe File opened: C:\Windows\System32\AssignedAccessCsp.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Windows\System32\AssignedAccessGuard.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Windows\System32\assignedaccessmanagersvc.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Windows\System32\aspnet_counters.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Windows\System32\asferror.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Windows\System32\AssignedAccessManager.dll Jump to behavior

Networking
barindex
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1
Deletes files inside the Windows folder
Source: C:\Windows\System32\cmd.exe File deleted: C:\Windows\System32\LogFiles\WMI\Diagtrack-Listener.etl.006 Jump to behavior
Source: classification engine Classification label: mal48.troj.evad.winBAT@28/13@0/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:652:120:WilError_03
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Fake!Virus!HarmlessAHAHHA.bat" "
Source: C:\Windows\System32\mode.com Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Fake!Virus!HarmlessAHAHHA.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode con: cols=80 lines=25
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 3 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 4 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 3 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 4 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode con: cols=80 lines=25 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 3 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 4 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 5 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 3 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 4 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 5 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\mode.com Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\mode.com Section loaded: ureg.dll Jump to behavior
Source: C:\Windows\System32\mode.com Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Windows\System32\msftedit.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Uses ping.exe to sleep
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 3 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 4 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 3 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 4 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 3 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 4 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 5 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 3 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 4 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 5 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 459 Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe File opened: C:\Windows\System32\AssignedAccessCsp.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Windows\System32\AssignedAccessGuard.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Windows\System32\assignedaccessmanagersvc.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Windows\System32\aspnet_counters.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Windows\System32\asferror.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Windows\System32\AssignedAccessManager.dll Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode con: cols=80 lines=25 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 3 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 4 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 5 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 3 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 4 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 5 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 2 127.0.0.1 Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1562384 Sample: Fake!Virus!HarmlessAHAHHA.bat Startdate: 25/11/2024 Architecture: WINDOWS Score: 48 5 cmd.exe 1 2->5         started        signatures3 19 Uses ping.exe to sleep 5->19 21 Uses ping.exe to check the status of other devices and networks 5->21 8 PING.EXE 1 5->8         started        11 conhost.exe 5->11         started        13 PING.EXE 1 5->13         started        15 11 other processes 5->15 process4 dnsIp5 17 127.0.0.1 unknown unknown 8->17
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious

Private

IP
127.0.0.1