Analysis

Category Started Completed Duration
FILE 2022-11-30 22:02:09 2022-11-30 22:04:23 134 seconds
2022-08-02 23:02:08,000 [root] INFO: Date set to: 08-03-22, time set to: 04:02:08
2022-08-02 23:02:08,015 [root] DEBUG: Starting analyzer from: C:\nvvtsczdpa
2022-08-02 23:02:08,015 [root] DEBUG: Storing results at: C:\fxMPzhC
2022-08-02 23:02:08,015 [root] DEBUG: Pipe server name: \\.\PIPE\pdJgFVRl
2022-08-02 23:02:08,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2022-08-02 23:02:08,015 [root] INFO: Automatically selected analysis package "generic"
2022-08-02 23:02:08,046 [root] DEBUG: Started auxiliary module Browser
2022-08-02 23:02:08,046 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, signtool.exe was not found in bin/
2022-08-02 23:02:08,046 [root] DEBUG: Started auxiliary module DigiSig
2022-08-02 23:02:08,046 [root] DEBUG: Started auxiliary module Disguise
2022-08-02 23:02:08,046 [root] DEBUG: Started auxiliary module Human
2022-08-02 23:02:08,062 [root] DEBUG: Started auxiliary module Screenshots
2022-08-02 23:02:08,062 [root] DEBUG: Started auxiliary module Usage
2022-08-02 23:02:08,062 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\cmd.exe" with arguments "/c start /wait "" "C:\Users\ADMINI~1\AppData\Local\Temp\execute.bat"" with pid 1732
2022-08-02 23:02:08,062 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2022-08-02 23:02:08,108 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1732
2022-08-02 23:02:10,108 [lib.api.process] INFO: Successfully resumed process with pid 1732
2022-08-02 23:02:10,108 [root] INFO: Added new process to list with pid: 1732
2022-08-02 23:02:10,140 [root] INFO: Cuckoomon successfully loaded in process with pid 1732.
2022-08-02 23:02:10,140 [root] INFO: Announced 32-bit process name: cmd.exe pid: 324
2022-08-02 23:02:10,155 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2022-08-02 23:02:10,155 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 324
2022-08-02 23:02:10,155 [root] INFO: Disabling sleep skipping.
2022-08-02 23:02:10,171 [root] INFO: Disabling sleep skipping.
2022-08-02 23:02:10,187 [root] INFO: Added new process to list with pid: 324
2022-08-02 23:02:10,187 [root] INFO: Cuckoomon successfully loaded in process with pid 324.
2022-08-02 23:04:09,140 [root] INFO: Analysis timeout hit, terminating analysis.
2022-08-02 23:04:09,140 [root] INFO: Created shutdown mutex.
2022-08-02 23:04:10,140 [root] INFO: Shutting down package.
2022-08-02 23:04:10,140 [root] INFO: Stopping auxiliary modules.
2022-08-02 23:04:11,140 [root] INFO: Finishing auxiliary modules.
2022-08-02 23:04:11,140 [root] INFO: Shutting down pipe server and dumping dropped files.
2022-08-02 23:04:11,140 [root] INFO: Analysis completed.

MalScore

2.3

Suspicious

Machine

Name Label Manager Started On Shutdown On
cuckoo5 cuckoo5 VirtualBox 2022-11-30 22:02:09 2022-11-30 22:04:23

File Details

File Name execute.bat
File Size 340 bytes
File Type DOS batch file, ASCII text, with CRLF line terminators
MD5 c5f1d285fd7e6dc7ecb334bb391bca4e
SHA1 cb85f3d48b95b880bb5bf64b054064b9c79d1c44
SHA256 016f6ca43ee55a5b2784e74fc4d7d425bf931762c3738f9baf529f26ee03a1a5
SHA512 976bd38b37393664041a5245d26d7465d5a4e527cff149adf2b0f88c1ed7b555d769ca21b87b164d6f9133f42ab819c324e8b31e3f5a31c4e5a7cf331d7a93f0
CRC32 B082F5BA
Ssdeep 6:hyWNeN23fG80TVteN23fG8kK71eN23fG8kAnJPESeN23fG8kcn:EK+n1+3K7z+3uV+3cn
ClamAV None matched
Yara None matched

Signatures

Performs some HTTP requests
url: http://www.msftncsi.com/ncsi.txt
Network activity detected but not expressed in API logs

Hosts

Direct | IP | Country Name
Y | 8.8.8.8 | unknown
N | 23.218.224.154 | unknown
N | 129.6.15.29 | unknown

DNS

Name | Response | Post-Analysis Lookup
teredo.ipv6.microsoft.com | NXDOMAIN |
time-b.nist.gov | CNAME time-b-g.nist.gov; A 129.6.15.29 | 129.6.15.29
www.msftncsi.com | A 23.218.224.135; CNAME www.msftncsi.com.edgesuite.net; A 23.218.224.154; CNAME a1961.g2.akamai.net | 23.218.224.154

Summary

C:\Users\Administrator\AppData\Local\Temp
C:\Users
C:\Users\Administrator
C:\Users\Administrator\AppData
C:\Users\Administrator\AppData\Local
C:\
C:\Users\Administrator\AppData\Local\Temp\execute.bat
C:\Users\HP\AppData\Local\Temp\05e142656be3a8f0aa0fff21fe2e1955\stdout
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Users\HP\AppData\Local\Temp\05e142656be3a8f0aa0fff21fe2e1955\status
C:\Users\Administrator\AppData\Local\Temp\execute.bat
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Users\HP\AppData\Local\Temp\05e142656be3a8f0aa0fff21fe2e1955\stdout
C:\Users\HP\AppData\Local\Temp\05e142656be3a8f0aa0fff21fe2e1955\status
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel

Process Tree

  • cmd.exe 324 C:\Windows\system32\cmd.exe /K "C:\Users\ADMINI~1\AppData\Local\Temp\execute.bat"

cmd.exe, PID: 1732, Parent PID: 952
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: "C:\Windows\system32\cmd.exe" /c start /wait "" "C:\Users\ADMINI~1\AppData\Local\Temp\execute.bat"
cmd.exe, PID: 324, Parent PID: 1732
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: C:\Windows\system32\cmd.exe /K "C:\Users\ADMINI~1\AppData\Local\Temp\execute.bat"

TCP

Source Source Port Destination Destination Port
192.168.56.105 49164 23.218.224.154 www.msftncsi.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.105 123 129.6.15.29 time-b.nist.gov 123
192.168.56.105 137 192.168.56.255 137
192.168.56.105 138 192.168.56.255 138
192.168.56.105 54783 224.0.0.252 5355
192.168.56.105 56399 224.0.0.252 5355
192.168.56.105 57438 224.0.0.252 5355
192.168.56.105 57452 224.0.0.252 5355
192.168.56.105 59958 8.8.8.8 53
192.168.56.105 63565 8.8.8.8 53
192.168.56.105 64794 8.8.8.8 53

HTTP Requests

URI Data
http://www.msftncsi.com/ncsi.txt
GET /ncsi.txt HTTP/1.1
Connection: Close
User-Agent: Microsoft NCSI
Host: www.msftncsi.com

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.
Sorry! No dropped files.

Processing ( 1.121 seconds )

  • 0.699 NetworkAnalysis
  • 0.396 VirusTotal
  • 0.011 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.004 TargetInfo
  • 0.002 Static
  • 0.001 Debug
  • 0.001 Strings

Signatures ( 0.027 seconds )

  • 0.006 antiav_detectreg
  • 0.003 infostealer_ftp
  • 0.002 persistence_autorun
  • 0.002 antiav_detectfile
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.001 tinba_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 browser_security
  • 0.001 disables_browser_warn
  • 0.001 infostealer_mail
  • 0.001 network_torgateway
  • 0.001 ransomware_extensions
  • 0.001 ransomware_files

Reporting ( 0.019 seconds )

  • 0.019 JsonDump
Task ID 820
Mongo ID 638827cb2694ed0bd8a401ba
Cuckoo release 1.3-NG