| File name: | fpsboost.bat |
| Full analysis: | https://app.any.run/tasks/700e6f62-f590-4635-b832-f228ffff3004 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | December 13, 2024, 21:02:05 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/x-msdos-batch |
| File info: | DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators |
| MD5: | E783A4B7CB7A50F8ADA02EA37D10E35B |
| SHA1: | D7E5B3A79F55B8691AA18761F8CAB580B078E488 |
| SHA256: | 145AA2A4B7377BB08C467931CDF4F50128E221A800DE0A2137D44F1E1FDEDAF8 |
| SSDEEP: | 12:wbYVJQPD7XYcx9xHvbO2Erw8vI49YXPWhXxeYo568tjbItQObYfNvI7MNzxEZwv:wqQPD7JbxDxErwA1SXPWxxoo8tjbIWfR |
MALICIOUS
Actions looks like stealing of personal data
- cmd.exe (PID: 4140)
SUSPICIOUS
Executes application which crashes
- SearchApp.exe (PID: 3848)
Deletes system .NET executable
- cmd.exe (PID: 4140)
INFO
Reads the computer name
- SearchApp.exe (PID: 3848)
Checks proxy server information
- WerFault.exe (PID: 396)
Checks supported languages
- SearchApp.exe (PID: 3848)
Reads the software policy settings
- WerFault.exe (PID: 396)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
133
Monitored processes
4
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4140 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\fpsboost.bat" " | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4264 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3848 | "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Search application Exit code: 3221226107 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 396 | C:\WINDOWS\system32\WerFault.exe -u -p 3848 -s 1548 | C:\Windows\System32\WerFault.exe | SearchApp.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
5 867
Read events
5 866
Write events
1
Delete events
0
Modification events
| (PID) Process: | (3848) SearchApp.exe | Key: | \REGISTRY\A\{c55b8b67-cf1b-e737-3d98-4bc05bae19a6}\2814751015243726\281535107058273\CortanaUI\44a65413067acd61cb60e74ea5537a73 |
| Operation: | write | Name: | SnapshotCaptured |
Value: 0 | |||
Executable files
0
Suspicious files
2
Text files
3
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 396 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Microsoft.Window_e017d26da44618d4691adad6f68d2ddc5a28f1_ce03743e_c36f0a2f-7a2b-49c2-947e-6fde0efa3014\Report.wer | — | |
MD5:— | SHA256:— | |||
| 396 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERABB6.tmp.xml | xml | |
MD5:FFEC7FCFA3A50E80B78E64B5F7F74B42 | SHA256:4BFA0DBBD17B4477C7267B6788094E004E8A589A47476917722FE40576E92E14 | |||
| 396 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERA9FF.tmp.dmp | dmp | |
MD5:60E30A9D3EF67AB74120C706F5F109CE | SHA256:8EDEFA77DD57EA33FCBB1B7F8D3E2D1368BE5D4BBFB639E2F96742A618CF7CB4 | |||
| 396 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\SearchApp.exe.3848.dmp | dmp | |
MD5:CFDDFF1C0BB17B4962B2D1FBA6665256 | SHA256:5BBDFDC6FD8456094A1009957C5B52FEC6033F613CA647B436775D24B9D5A004 | |||
| 396 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB96.tmp.WERInternalMetadata.xml | xml | |
MD5:B84751356860D0AC2653AE7B9132F8EB | SHA256:A2FB4EAE1A56FCF15107AB2DA99E5312E054182836E96D4213794C6608C41E47 | |||
| 4140 | cmd.exe | C:\Users\admin\AppData\Local\Temp\temp_script.vbs | text | |
MD5:47D65D6905A58790BEC5DABCF90300A0 | SHA256:20C0CA7197D010F994B859E304B0D317A54232A247F84D367D100E300CED6BCF | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
24
DNS requests
8
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
900 | svchost.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.24.77.35:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
900 | svchost.exe | GET | 200 | 184.24.77.35:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
900 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 23.212.110.203:443 | www.bing.com | Akamai International B.V. | CZ | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
900 | svchost.exe | 184.24.77.35:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.24.77.35:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
900 | svchost.exe | 2.19.217.218:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.19.217.218:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
watson.events.data.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |