ID: 447398 | Sample Name: Register.bat | Cookbook: default.jbs | Time: 17:15:31 | Date: 12/07/2021 | Version: 32.0.0 Black Diamond

Table of Contents
Table of Contents ... 2
Windows Analysis Report Register.bat ... 3
Overview ... 3
General Information ... 3
Detection ... 3
Signatures ... 3
Classification ... 3
Process Tree ... 3
Malware Configuration ... 3
Yara Overview ... 3
Sigma Overview ... 3
System Summary: ... 3
Jbx Signature Overview ... 3
System Summary: ... 4
Mitre Att&ck Matrix ... 4
Behavior Graph ... 4
Screenshots ... 4
Thumbnails ... 5
Antivirus, Machine Learning and Genetic Malware Detection ... 5
Initial Sample ... 5
Dropped Files ... 5
Unpacked PE Files ... 5
Domains ... 5
URLs ... 6
Domains and IPs ... 6
Contacted Domains ... 6
Contacted IPs ... 6
General Information ... 6
Simulations ... 6
Behavior and APIs ... 6
Joe Sandbox View / Context ... 7
IPs ... 7
Domains ... 7
ASN ... 7
JA3 Fingerprints ... 7
Dropped Files ... 7
Created / dropped Files ... 7
Static File Info ... 7
General ... 7
File Icon ... 7
Network Behavior ... 8
Code Manipulations ... 8
Statistics ... 8
Behavior ... 8
System Behavior ... 8
Analysis Process: cmd.exe PID: 2132 Parent PID: 5636 ... 8
General ... 8
File Activities ... 8
File Read ... 8
Analysis Process: conhost.exe PID: 2760 Parent PID: 2132 ... 8
General ... 8
Analysis Process: regsvr32.exe PID: 4452 Parent PID: 2132 ... 9
General ... 9
File Activities ... 9
Disassembly ... 9
Code Analysis ... 9
Copyright Joe Security LLC 2021 Page 2 of 9 Windows Analysis Report Register.bat
Overview
General Information
Sample Name: Register.bat
Analysis ID: 447398
MD5: 4b61829c0e26ed…
SHA1: 679618a0b0a21d…
SHA256: d7694e4f2a4ee59…
Infos:
Most interesting Screenshot:

Detection
Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures
Sigma detected: Regsvr32 Anomaly
Creates a process in suspended mode…
Program does not show much activi…
Queries the volume information (nam…
Registers a DLL
Tries to load missing DLLs

Classification
Verdict scale: malicious / suspicious / clean
Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware
Process Tree
System is w10x64
cmd.exe (PID: 2132, cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\Register.bat' ', MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  conhost.exe (PID: 2760, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  regsvr32.exe (PID: 4452, cmdline: Regsvr32.exe /i adxloader.Sigma.Mona.ExcelAddin.Reporting.dll, MD5: D78B75FC68247E8A63ACBA846182740E)
cleanup
Malware Configuration
No configs have been found
Yara Overview
No yara matches
Sigma Overview
System Summary:
Sigma detected: Regsvr32 Anomaly
Jbx Signature Overview
System Summary:
Mitre Att&ck Matrix
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting 1 | DLL Side-Loading 1 | Process Injection 1 1 | Regsvr32 1 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Process Injection 1 1 | LSASS Memory | System Information Discovery 1 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Scripting 1 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | DLL Side-Loading 1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Behavior Graph
[Behavior graph rendered as an image; only its text labels are recoverable here.]
Graph header: ID 447398, Sample Register.bat, Startdate 12/07/2021, Architecture WINDOWS, Score 22
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet
Nodes: cmd.exe started regsvr32.exe; cmd.exe started conhost.exe; regsvr32.exe is annotated with "Sigma detected: Regsvr32 Anomaly"
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
No Antivirus matches
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
No Antivirus matches
Domains and IPs
Contacted Domains
No contacted domains info
Contacted IPs
No contacted IP infos
General Information
Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 447398
Start date: 12.07.2021
Start time: 17:15:31
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 49s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Register.bat
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: SUS
Classification: sus22.winBAT@4/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .bat
Simulations
Behavior and APIs
No simulations
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Created / dropped Files
No created / dropped files found
Static File Info
General
File type: DOS batch file, ASCII text, with CRLF line terminators
Entropy (8bit): 5.24398767650524
TrID:
File name: Register.bat
File size: 922
MD5: 4b61829c0e26ed154e2bd261aebf2dab
SHA1: 679618a0b0a21dd3472bd3c85f97a442c51898aa
SHA256: d7694e4f2a4ee592545a2ec559a2f91dff7a3ef9e2e142932700bc038b8ba3f4
SHA512: 86c6f0c379cb5c2b8d69e8ed101944f0179ff86c6d91a766a921771ac8a8f63dd2f2b06276d12b244eb9da9dceb0b1f300f0c599fc7eba18f53457d71fd84203
SSDEEP: 24:ZjkAAOyGFZXZ6d8RneSG42XDZXZYPM47RneSFMd2XTUZXZRHM4rGPF+MDP7+MZ1m:qjtGbyaej4wtWPMueCMdwsfHMHF+Mz7i
File Content Preview: @ECHO OFF....ECHO...ECHO *** Moving to directory.. ECHO...%~d0..CD "%~p0"..CD....REM...=> Not needed since it is in the same directory => Will be done automatically by dependance..REM ECHO...REM ECHO *** Registering .Net Library in the GAC "AddinExpress.MS
File Icon
Icon Hash: 988686829e9ae600
Network Behavior
No network behavior found
Code Manipulations
Statistics
Behavior
System Behavior
Analysis Process: cmd.exe PID: 2132 Parent PID: 5636
General
Start time: 17:16:24
Start date: 12/07/2021
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\Register.bat' '
Imagebase: 0x7ff7bf140000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Activities
File Read
Analysis Process: conhost.exe PID: 2760 Parent PID: 2132
General
Start time: 17:16:25
Start date: 12/07/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Analysis Process: regsvr32.exe PID: 4452 Parent PID: 2132
General
Start time: 17:16:25
Start date: 12/07/2021
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: Regsvr32.exe /i adxloader.Sigma.Mona.ExcelAddin.Reporting.dll
Imagebase: 0x7ff7d84a0000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Activities
Disassembly
Code Analysis