Resubmissions
24-09-2022 09:21
220924-lbh5csahf7 10
Analysis
max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted
24-09-2022 09:21
Behavioral task
behavioral1
Sample
Build.bat
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Build.bat
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
builder.exe
Resource
win7-20220812-en
Behavioral task
behavioral4
Sample
builder.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral5
Sample
keygen.exe
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
keygen.exe
Resource
win10v2004-20220812-en
General
Target
Build.bat
Size
741B
MD5
4e46e28b2e61643f6af70a8b19e5cb1f
SHA1
804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
SHA256
8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
SHA512
009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b
Malware Config
Signatures
Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs
pid   Process
1944  keygen.exe
1580  builder.exe
1756  builder.exe
628   builder.exe
1768  builder.exe
908   builder.exe
1664  builder.exe
Suspicious use of WriteProcessMemory 28 IoCs
description                       pid   Process  procid_target
PID 1112 wrote to memory of 1944  1112  cmd.exe  29
PID 1112 wrote to memory of 1944  1112  cmd.exe  29
PID 1112 wrote to memory of 1944  1112  cmd.exe  29
PID 1112 wrote to memory of 1944  1112  cmd.exe  29
PID 1112 wrote to memory of 1580  1112  cmd.exe  30
PID 1112 wrote to memory of 1580  1112  cmd.exe  30
PID 1112 wrote to memory of 1580  1112  cmd.exe  30
PID 1112 wrote to memory of 1580  1112  cmd.exe  30
PID 1112 wrote to memory of 1756  1112  cmd.exe  31
PID 1112 wrote to memory of 1756  1112  cmd.exe  31
PID 1112 wrote to memory of 1756  1112  cmd.exe  31
PID 1112 wrote to memory of 1756  1112  cmd.exe  31
PID 1112 wrote to memory of 628   1112  cmd.exe  32
PID 1112 wrote to memory of 628   1112  cmd.exe  32
PID 1112 wrote to memory of 628   1112  cmd.exe  32
PID 1112 wrote to memory of 628   1112  cmd.exe  32
PID 1112 wrote to memory of 1768  1112  cmd.exe  33
PID 1112 wrote to memory of 1768  1112  cmd.exe  33
PID 1112 wrote to memory of 1768  1112  cmd.exe  33
PID 1112 wrote to memory of 1768  1112  cmd.exe  33
PID 1112 wrote to memory of 908   1112  cmd.exe  34
PID 1112 wrote to memory of 908   1112  cmd.exe  34
PID 1112 wrote to memory of 908   1112  cmd.exe  34
PID 1112 wrote to memory of 908   1112  cmd.exe  34
PID 1112 wrote to memory of 1664  1112  cmd.exe  35
PID 1112 wrote to memory of 1664  1112  cmd.exe  35
PID 1112 wrote to memory of 1664  1112  cmd.exe  35
PID 1112 wrote to memory of 1664  1112  cmd.exe  35
Processes
C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
  Suspicious use of WriteProcessMemory
  PID: 1112
  C:\Users\Admin\AppData\Local\Temp\keygen.exe
    keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
    Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID: 1944
  C:\Users\Admin\AppData\Local\Temp\builder.exe
    builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
    Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID: 1580
  C:\Users\Admin\AppData\Local\Temp\builder.exe
    builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
    Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID: 1756
  C:\Users\Admin\AppData\Local\Temp\builder.exe
    builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
    Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID: 628
  C:\Users\Admin\AppData\Local\Temp\builder.exe
    builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
    Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID: 1768
  C:\Users\Admin\AppData\Local\Temp\builder.exe
    builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
    Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID: 908
  C:\Users\Admin\AppData\Local\Temp\builder.exe
    builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
    Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID: 1664
Network
MITRE ATT&CK Matrix
Downloads
Filesize
344B
MD5
820b5858b14106641436aedde5f11e55
SHA1
843682efbf99e4a9743e43e949484cf379f34bf1
SHA256
964bd2f6be853f02dc7b6347b7bb74263561f32403a04687dc88ac5eccbcf215
SHA512
7067daa332410fbd77ab31205014d89294af82af7874109ece3e4fc1f4b08f1b545e4464461fe4361d8df7fed930f672e8b6cfa32843a57478ced87511c0cc59
Filesize
344B
MD5
507c8356b1fff4f7261edf6a78b5c45f
SHA1
3be48c8f646ef1469ce3c9d8fa657adf5fc9b8f9
SHA256
32c5711f8ae643098fdb960594b37a22a117681d0c5b4bc3b7ce2e72c9bbd1c8
SHA512
d7c43a594930a9f6630e35b089c1903b680bb9c83978291afc8117dcf0268baf63c0dbbecd4f73cba318ce4e4caa899b32f0a0446a30e3754db923de5b937e7e