49261ea0d0c417ebae0e0fb1e56ad02cb7fe9ae16a76edb7c4e70c754b53370f

Analysis

max time kernel
30s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2022 21:48

Target

Build.bat
Size

741B
MD5

4e46e28b2e61643f6af70a8b19e5cb1f
SHA1

804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
SHA256

8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
SHA512

009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Score

1^/10

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 4636 wrote to memory of 3196	4636	cmd.exe	keygen.exe
PID 4636 wrote to memory of 3196	4636	cmd.exe	keygen.exe
PID 4636 wrote to memory of 3196	4636	cmd.exe	keygen.exe
PID 4636 wrote to memory of 3544	4636	cmd.exe	builder.exe
PID 4636 wrote to memory of 3544	4636	cmd.exe	builder.exe
PID 4636 wrote to memory of 3544	4636	cmd.exe	builder.exe
PID 4636 wrote to memory of 4132	4636	cmd.exe	builder.exe
PID 4636 wrote to memory of 4132	4636	cmd.exe	builder.exe
PID 4636 wrote to memory of 4132	4636	cmd.exe	builder.exe
PID 4636 wrote to memory of 2756	4636	cmd.exe	builder.exe
PID 4636 wrote to memory of 2756	4636	cmd.exe	builder.exe
PID 4636 wrote to memory of 2756	4636	cmd.exe	builder.exe
PID 4636 wrote to memory of 1688	4636	cmd.exe	builder.exe
PID 4636 wrote to memory of 1688	4636	cmd.exe	builder.exe
PID 4636 wrote to memory of 1688	4636	cmd.exe	builder.exe
PID 4636 wrote to memory of 828	4636	cmd.exe	builder.exe
PID 4636 wrote to memory of 828	4636	cmd.exe	builder.exe
PID 4636 wrote to memory of 828	4636	cmd.exe	builder.exe
PID 4636 wrote to memory of 1844	4636	cmd.exe	builder.exe
PID 4636 wrote to memory of 1844	4636	cmd.exe	builder.exe
PID 4636 wrote to memory of 1844	4636	cmd.exe	builder.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Users\Admin\AppData\Local\Temp\keygen.exe
keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
2⤵
PID:3196

C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
2⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
2⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
2⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
2⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
2⤵
PID:828

C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
2⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\Build\priv.key
Filesize
344B

MD5
9844125e309999a9e880ff2bb4e07066

SHA1
74cebd392abb7196bbb8e56a1e520fda84d850ac

SHA256
de3a731befd37ee0e7c80a294f2e60a131f318d9de9e8878f05150f03f0d5507

SHA512
c890412b7908bda24868dbd37827d5b2c078d6ee6e2a998550ed29af107ece16249361a76a380c9c081794f1ba9c4d393e6eec4496de47c4d83fa2e6b85d7f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Build\pub.key
Filesize
344B

MD5
538e67c91ac9ee8b8480fa3552de00bf

SHA1
5fcd1944a59964e8b59f20acb5ed00c3ebf7c41c

SHA256
9cd1836ad2ae866cdd37c1abfbd185e9fadc6d11166e0cbcb68bfbc199e123cd

SHA512
3dba86b32e003415d14510f806f6bd3e3036fd848d12335af86245d540c415fe39aa310b1287001d7fc288e7e7077f33e4bf8e7616ec5df7e09affbc3daf56b5

Download Submit
memory/828-139-0x0000000000000000-mapping.dmp

Download
memory/1688-138-0x0000000000000000-mapping.dmp

Download
memory/1844-140-0x0000000000000000-mapping.dmp

Download
memory/2756-137-0x0000000000000000-mapping.dmp

Download
memory/3196-132-0x0000000000000000-mapping.dmp

Download
memory/3544-133-0x0000000000000000-mapping.dmp

Download
memory/4132-135-0x0000000000000000-mapping.dmp

Download