528702f6407cf8dd4934c0bcdb0d719f57f49f10bc9103da59888386572c9b5e

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24-09-2022 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Build.bat
Size

741B
MD5

4e46e28b2e61643f6af70a8b19e5cb1f
SHA1

804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
SHA256

8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
SHA512

009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Score

1^/10

Malware Config

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs

pid	Process
968	keygen.exe
1832	builder.exe
1640	builder.exe
1636	builder.exe
1008	builder.exe
856	builder.exe
556	builder.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 968	1064	cmd.exe	28
PID 1064 wrote to memory of 968	1064	cmd.exe	28
PID 1064 wrote to memory of 968	1064	cmd.exe	28
PID 1064 wrote to memory of 968	1064	cmd.exe	28
PID 1064 wrote to memory of 1832	1064	cmd.exe	29
PID 1064 wrote to memory of 1832	1064	cmd.exe	29
PID 1064 wrote to memory of 1832	1064	cmd.exe	29
PID 1064 wrote to memory of 1832	1064	cmd.exe	29
PID 1064 wrote to memory of 1640	1064	cmd.exe	30
PID 1064 wrote to memory of 1640	1064	cmd.exe	30
PID 1064 wrote to memory of 1640	1064	cmd.exe	30
PID 1064 wrote to memory of 1640	1064	cmd.exe	30
PID 1064 wrote to memory of 1636	1064	cmd.exe	31
PID 1064 wrote to memory of 1636	1064	cmd.exe	31
PID 1064 wrote to memory of 1636	1064	cmd.exe	31
PID 1064 wrote to memory of 1636	1064	cmd.exe	31
PID 1064 wrote to memory of 1008	1064	cmd.exe	32
PID 1064 wrote to memory of 1008	1064	cmd.exe	32
PID 1064 wrote to memory of 1008	1064	cmd.exe	32
PID 1064 wrote to memory of 1008	1064	cmd.exe	32
PID 1064 wrote to memory of 856	1064	cmd.exe	33
PID 1064 wrote to memory of 856	1064	cmd.exe	33
PID 1064 wrote to memory of 856	1064	cmd.exe	33
PID 1064 wrote to memory of 856	1064	cmd.exe	33
PID 1064 wrote to memory of 556	1064	cmd.exe	34
PID 1064 wrote to memory of 556	1064	cmd.exe	34
PID 1064 wrote to memory of 556	1064	cmd.exe	34
PID 1064 wrote to memory of 556	1064	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\keygen.exe
  keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:968
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1832
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1640
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1636
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1008
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:856
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Build\priv.key

Filesize
344B

MD5
52c64d2b009c15abe8890e0aadf52692

SHA1
c9243886857a9176374912d8afd2d9c541a58f13

SHA256
4e8c8b2dfeb1824e49ae7c144cabf2d2a3039b68fb07ed22ca46dda24b4ba4f3

SHA512
d59bb874d2b49e95c05307a19b6423e0a3097437b5ea6145b6c35bf1a45d850745dd27946f29463aba9c6bb3e5b731b3c939e8ac1f2375b329f4aefe46fb9b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Build\pub.key

Filesize
344B

MD5
30527fac5024d3cda3b6750f5fb5f0a4

SHA1
bf7408320b05d85d36c82490d94ec4c17ed51f75

SHA256
39abba5465935540c2ab030ec165731dff0129a7eb4d411dc71b266fdb5f82eb

SHA512
303efa42a09b720fe5836961fe72cdda1364f863a848e95e77a69d7acd6a236bfcaa841c1e3de76a70d6c54a5d56a1cef1b1830e5aa73ad8abcec530fc8bee99

Download Submit
memory/968-55-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads