Resubmissions

24-09-2022 09:21

220924-lbh5csahf7 10

Analysis

  • max time kernel
    43s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-09-2022 09:21

General

  • Target

    Build.bat

  • Size

    741B

  • MD5

    4e46e28b2e61643f6af70a8b19e5cb1f

  • SHA1

    804a1d0c4a280b18e778e4b97f85562fa6d5a4e6

  • SHA256

    8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339

  • SHA512

    009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\Users\Admin\AppData\Local\Temp\keygen.exe
      keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1944
    • C:\Users\Admin\AppData\Local\Temp\builder.exe
      builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1580
    • C:\Users\Admin\AppData\Local\Temp\builder.exe
      builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1756
    • C:\Users\Admin\AppData\Local\Temp\builder.exe
      builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:628
    • C:\Users\Admin\AppData\Local\Temp\builder.exe
      builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1768
    • C:\Users\Admin\AppData\Local\Temp\builder.exe
      builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:908
    • C:\Users\Admin\AppData\Local\Temp\builder.exe
      builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Build\priv.key

    Filesize

    344B

    MD5

    820b5858b14106641436aedde5f11e55

    SHA1

    843682efbf99e4a9743e43e949484cf379f34bf1

    SHA256

    964bd2f6be853f02dc7b6347b7bb74263561f32403a04687dc88ac5eccbcf215

    SHA512

    7067daa332410fbd77ab31205014d89294af82af7874109ece3e4fc1f4b08f1b545e4464461fe4361d8df7fed930f672e8b6cfa32843a57478ced87511c0cc59

  • C:\Users\Admin\AppData\Local\Temp\Build\pub.key

    Filesize

    344B

    MD5

    507c8356b1fff4f7261edf6a78b5c45f

    SHA1

    3be48c8f646ef1469ce3c9d8fa657adf5fc9b8f9

    SHA256

    32c5711f8ae643098fdb960594b37a22a117681d0c5b4bc3b7ce2e72c9bbd1c8

    SHA512

    d7c43a594930a9f6630e35b089c1903b680bb9c83978291afc8117dcf0268baf63c0dbbecd4f73cba318ce4e4caa899b32f0a0446a30e3754db923de5b937e7e

  • memory/1944-55-0x0000000076031000-0x0000000076033000-memory.dmp

    Filesize

    8KB