453eebd2dcf98e15e9ccab2c706438a9d34497631db1f64b6fe9cc3ed41696da

General

Target

Build.bat
Size

741B
MD5

4e46e28b2e61643f6af70a8b19e5cb1f
SHA1

804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
SHA256

8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
SHA512

009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Score

1^/10

Malware Config

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs

Processes:

keygen.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exe

pid process

1340 keygen.exe
616 builder.exe
1528 builder.exe
944 builder.exe
940 builder.exe
956 builder.exe
1736 builder.exe

pid	process
1340	keygen.exe
616	builder.exe
1528	builder.exe
944	builder.exe
940	builder.exe
956	builder.exe
1736	builder.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1424 wrote to memory of 1340	1424	cmd.exe	keygen.exe
PID 1424 wrote to memory of 1340	1424	cmd.exe	keygen.exe
PID 1424 wrote to memory of 1340	1424	cmd.exe	keygen.exe
PID 1424 wrote to memory of 1340	1424	cmd.exe	keygen.exe
PID 1424 wrote to memory of 616	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 616	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 616	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 616	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 1528	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 1528	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 1528	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 1528	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 944	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 944	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 944	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 944	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 940	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 940	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 940	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 940	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 956	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 956	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 956	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 956	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 1736	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 1736	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 1736	1424	cmd.exe	builder.exe
PID 1424 wrote to memory of 1736	1424	cmd.exe	builder.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\keygen.exe
keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1340

C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:616

C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1528

C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:944

C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:940

C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:956

C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1736

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Build\priv.key
Filesize
344B

MD5
95fb0b8f42833da0b1c01079b265b46d

SHA1
d6002d01fb128bca8484432c79d83ff123e74d73

SHA256
bc06b43e11f975d49097847188e63c8424973712db75fc97791c27c111600cd9

SHA512
83e61567b91286c2ed4016f5e8bc01b5edbceb34fa84a5def056ab74541eb3051a8c6128b5e3385de3c0573063b3bda855048190a0896ca52ff19f8fec0e9544

Download Submit
C:\Users\Admin\AppData\Local\Temp\Build\pub.key
Filesize
344B

MD5
40d79d57406c0224a32b4c90d301227f

SHA1
c7ea6cd5e25d84d4e6cbd4cb9d56cae0e5ee4164

SHA256
3095f4d9488249ebc7f3e02bbefdce6f44d4e984ebb34540e1e311eea2fb2e2e

SHA512
8bddd23ba28b8061d35e8cf667039d0720ca28b913077f035876963b2668914812f0caaf20d893a40637e2aacc28806269c94af6f17804f421ab03b2b9ef5c13

Download Submit
memory/616-56-0x0000000000000000-mapping.dmp

Download
memory/940-64-0x0000000000000000-mapping.dmp

Download
memory/944-62-0x0000000000000000-mapping.dmp

Download
memory/956-66-0x0000000000000000-mapping.dmp

Download
memory/1340-54-0x0000000000000000-mapping.dmp

Download
memory/1340-55-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1528-59-0x0000000000000000-mapping.dmp

Download
memory/1736-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads