WPJCleanUp.cmd (whitelisted, based on MD5)
This report is generated from a file or URL submitted to this webservice on December 3rd 2020 20:21:01 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.45.3 © Hybrid Analysis
Overview
Sample unavailable
Additional Context
Related Sandbox Artifacts
- Associated SHA256s
- Associated URLs
- hxxps://download.microsoft.com/download/8/e/f/8ef13ae0-6aa8-48a2-8697-5b1711134730/WPJCleanUp.zip
Indicators
Not all malicious and suspicious indicators are displayed.
Informative (5)
- General
  - Spawns new processes
    - details: Spawned process "cmd.exe" with commandline "/c ver"
    - source: Monitored Target
    - relevance: 3/10
  - Spawns new processes that are not known child processes
    - details: Spawned process "cmd.exe" with commandline "/c ver"
    - source: Monitored Target
    - relevance: 3/10
- Installation/Persistence
  - Creates new processes
    - details: "cmd.exe" is creating a new process (Name: "%WINDIR%\System32\cmd.exe", Handle: 104)
    - source: API Call
    - relevance: 8/10
  - Opens the MountPointManager (often used to detect additional infection locations)
    - details: "cmd.exe" opened "\Device\MountPointManager"
    - source: API Call
    - relevance: 5/10
  - Touches files in the Windows directory
    - details: "cmd.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
    - source: API Call
    - relevance: 7/10
File Details
- Filename: WPJCleanUp.cmd
- Size: 1.6KiB (1608 bytes)
- Type: script cmd
- Description: ASCII text, with CRLF line terminators
- Architecture: WINDOWS
- SHA256: 343fe54d4e5d0b91a0b5aed57aa9733375dbae479d7400f769394d8435822153
- MD5: 606acaf64d1da5aa33af8732a14aaa5a
- SHA1: 4e2dae8f4674a59b32adc0035a210d5a56f6f6a9
- ssdeep: 24:uewru1oX5bGmUrC5rnrJNQrQvEVIZFTCYPfyy6zjGqT5EUIFwxCh:6u1ozUO5DlNQs93patT52wxA
Analysed 2 processes in total.
- cmd.exe /c ""C:\WPJCleanUp.cmd" " (PID: 2372)
- cmd.exe /c ver (PID: 3728)
Network Analysis
DNS Requests
No relevant DNS requests were made.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
- All Strings (2)
- Interesting (2)
- cmd.exe (1)
- 343fe54d4e5d0b91a0b5aed57aa9733375dbae479d7400f769394d8435822153.cmd.bin (1)

String 1 (Ansi, based on Process Commandline of cmd.exe):

```
/c ""C:\WPJCleanUp.cmd" "
```

String 2 (Ansi, based on Memory/File Scan of 343fe54d4e5d0b91a0b5aed57aa9733375dbae479d7400f769394d8435822153.cmd.bin); the extracted string is cut off after the `:exec` label:

```batch
@echo off
setlocal
for /f "tokens=2 delims=[]" %%i in ('ver') do set verStr=%%i
for /f "tokens=2-6 delims=. " %%i in ("%verStr%") do (
    set Major=%%i
    set Minor=%%j
    set Build=%%k
    set Revision=%%l
)
if not %Major%.%Minor%.==10.0. (
    echo This tool is for Windows 10 only! 1>&2
    goto :eof
)
set root=%~dp0.
if %Build% GEQ 18900 (
    set tool=%root%\v2004\CleanupWPJ_X86.exe
    goto :exec
)
if %Build% GEQ 18000 (
    set tool=%root%\v1903\CleanupWPJ_X86.exe
    goto :exec
)
if %Build% GEQ 17700 (
    set tool=%root%\v1809\CleanupWPJ_X86.exe
    goto :exec
)
if %Build% GEQ 17000 (
    set tool=%root%\v1803\CleanupWPJ_X86.exe
    goto :exec
)
if %Build% GEQ 16000 (
    set tool=%root%\v1709\CleanupWPJ_X86.exe
    goto :exec
)
echo Unsupported Windows 10 version! 1>&2
exit /b 1
:exec
rem Exec
```
Extracted Files
No significant files were extracted.
Notifications
- Runtime
  - Network whitenoise filtering was applied
  - Not all Falcon MalQuery lookups completed in time
Community
- Anonymous commented 1 year ago: FIN Sophos