cf39b9aff5b66d9e122fa0d8a8936dd8264eed0d889079b9043d7d0dd9fb6596

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-09-2022 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Build.bat
Size

741B
MD5

4e46e28b2e61643f6af70a8b19e5cb1f
SHA1

804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
SHA256

8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
SHA512

009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Score

1^/10

Malware Config

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs

pid	Process
1716	keygen.exe
1816	builder.exe
1580	builder.exe
1380	builder.exe
1584	builder.exe
1664	builder.exe
1684	builder.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 1716	560	cmd.exe	29
PID 560 wrote to memory of 1716	560	cmd.exe	29
PID 560 wrote to memory of 1716	560	cmd.exe	29
PID 560 wrote to memory of 1716	560	cmd.exe	29
PID 560 wrote to memory of 1816	560	cmd.exe	30
PID 560 wrote to memory of 1816	560	cmd.exe	30
PID 560 wrote to memory of 1816	560	cmd.exe	30
PID 560 wrote to memory of 1816	560	cmd.exe	30
PID 560 wrote to memory of 1580	560	cmd.exe	31
PID 560 wrote to memory of 1580	560	cmd.exe	31
PID 560 wrote to memory of 1580	560	cmd.exe	31
PID 560 wrote to memory of 1580	560	cmd.exe	31
PID 560 wrote to memory of 1380	560	cmd.exe	32
PID 560 wrote to memory of 1380	560	cmd.exe	32
PID 560 wrote to memory of 1380	560	cmd.exe	32
PID 560 wrote to memory of 1380	560	cmd.exe	32
PID 560 wrote to memory of 1584	560	cmd.exe	33
PID 560 wrote to memory of 1584	560	cmd.exe	33
PID 560 wrote to memory of 1584	560	cmd.exe	33
PID 560 wrote to memory of 1584	560	cmd.exe	33
PID 560 wrote to memory of 1664	560	cmd.exe	34
PID 560 wrote to memory of 1664	560	cmd.exe	34
PID 560 wrote to memory of 1664	560	cmd.exe	34
PID 560 wrote to memory of 1664	560	cmd.exe	34
PID 560 wrote to memory of 1684	560	cmd.exe	35
PID 560 wrote to memory of 1684	560	cmd.exe	35
PID 560 wrote to memory of 1684	560	cmd.exe	35
PID 560 wrote to memory of 1684	560	cmd.exe	35

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:560
- C:\Users\Admin\AppData\Local\Temp\keygen.exe
  keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1816
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1580
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1380
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1584
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1664
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Build\priv.key

Filesize
344B

MD5
d390e99569d559576ef2829dfc78a1d1

SHA1
bacfdb298242e36f15745380d481fe3f92cf3854

SHA256
7ac9ff628e46383ae42dd54d4dd74913800d8619ce950f2be9c2f4c6fa689bf9

SHA512
173fc745f9ae984dea3d68bc606fceae90a4228b57b339577fcb3259e5b198ef53e9f6f7478e7e578c0beb7f0dda29156d64e863e8748c0c98855a9d421c90ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Build\pub.key

Filesize
344B

MD5
ea495b886390709f3b80293acadbd43e

SHA1
cfe7956c9d0d34d7ccef9a5e948bc39251e21b1c

SHA256
97a61fd8a2270d07ccd704ac676daa9305d47de5cb773389196512c6bb08f816

SHA512
f170e1102f50696ec7343b331ed133349514f8f55666c6830e98829c2edad5288b536a9e3888f94c88725fbb8c8c2f2cef58e266ec0e29515865707fe0a1482f

Download Submit
memory/1716-55-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads