Overview

overview

10

Static

static

Launcher.zip

windows7-x64

1

Launcher.zip

windows10-2004-x64

1

Launcher/INFO.txt

windows7-x64

1

Launcher/INFO.txt

windows10-2004-x64

1

Launcher/Opener.bat

windows7-x64

7

Launcher/Opener.bat

windows10-2004-x64

10

Launcher/zzen.zip

windows7-x64

1

Launcher/zzen.zip

windows10-2004-x64

1

bypasser

windows7-x64

1

bypasser

windows10-2004-x64

1

gpasser.cmd

windows7-x64

1

gpasser.cmd

windows10-2004-x64

1

ks.vbs

windows7-x64

1

ks.vbs

windows10-2004-x64

1

Analysis

  • max time kernel
    47s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    14-10-2022 12:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Launcher/Opener.bat

  • Size

    2KB

  • MD5

    8092113dbaa8ee234de6ee8039b7db66

  • SHA1

    6cdb65dd9e6aaa54a82ff3ac10e1b9b40bfc8e39

  • SHA256

    576e869202da1137de261ed1519ad0487331a69db5890b0746b5bf4d310d3992

  • SHA512

    badfd71b652f9a3c91c690269e0ef36496998614a0d7c30bbbed8bebb163bac5590fed3188ae907829536cb96a008299ad63d6950ebb9623f927877f89197754

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Launcher\Opener.bat"
    1⤵
    • Deletes itself
    • Suspicious use of WriteProcessMemory
    PID:1300
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell ren zzen.dll -newname kola.zip
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1232
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Expand-Archive kola.zip -DestinationPath (Get-Location).path
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:668
    • C:\Windows\system32\cmd.exe
      cmd start cmd /c gpasser.cmd ks.avi
      2⤵
        PID:1708
      • C:\Windows\system32\cmd.exe
        cmd start cmd /c gpasser.cmd bypasser
        2⤵
          PID:276
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell ren ks.avi -newname ks.bat
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2028

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        7eb89ff61baecef9cd0706abc26e6d56

        SHA1

        89eaf4a8637b66ae749f6bcaf3ad00a1701b2588

        SHA256

        569ee732319f489795136b5758d02a29ceb34ec388e11ab50326b5c5a5b866d8

        SHA512

        153b2c82a902cd29fd9edadec2277c32c675765b4132330106e18f2e2eede47feb05bd7dbaa53ee8bd713e22cecb8d25507d73a7d064515a8cad708c56253db4

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        7eb89ff61baecef9cd0706abc26e6d56

        SHA1

        89eaf4a8637b66ae749f6bcaf3ad00a1701b2588

        SHA256

        569ee732319f489795136b5758d02a29ceb34ec388e11ab50326b5c5a5b866d8

        SHA512

        153b2c82a902cd29fd9edadec2277c32c675765b4132330106e18f2e2eede47feb05bd7dbaa53ee8bd713e22cecb8d25507d73a7d064515a8cad708c56253db4

        Download Submit
      • \??\PIPE\srvsvc
        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        Download Submit
      • memory/276-71-0x0000000000000000-mapping.dmp
        Download
      • memory/668-67-0x00000000022C4000-0x00000000022C7000-memory.dmp
        Filesize

        12KB

        Download
      • memory/668-66-0x000007FEF3180000-0x000007FEF3CDD000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/668-69-0x00000000022CB000-0x00000000022EA000-memory.dmp
        Filesize

        124KB

        Download
      • memory/668-68-0x00000000022C4000-0x00000000022C7000-memory.dmp
        Filesize

        12KB

        Download
      • memory/668-62-0x0000000000000000-mapping.dmp
        Download
      • memory/668-65-0x000007FEF3CE0000-0x000007FEF4703000-memory.dmp
        Filesize

        10.1MB

        Download
      • memory/1232-57-0x000007FEF3B20000-0x000007FEF467D000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/1232-56-0x000007FEF4680000-0x000007FEF50A3000-memory.dmp
        Filesize

        10.1MB

        Download
      • memory/1232-54-0x0000000000000000-mapping.dmp
        Download
      • memory/1232-61-0x000000000264B000-0x000000000266A000-memory.dmp
        Filesize

        124KB

        Download
      • memory/1232-60-0x0000000002644000-0x0000000002647000-memory.dmp
        Filesize

        12KB

        Download
      • memory/1232-59-0x000000001B740000-0x000000001BA3F000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1232-58-0x0000000002644000-0x0000000002647000-memory.dmp
        Filesize

        12KB

        Download
      • memory/1232-55-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1708-70-0x0000000000000000-mapping.dmp
        Download
      • memory/2028-72-0x0000000000000000-mapping.dmp
        Download
      • memory/2028-76-0x000007FEF4680000-0x000007FEF50A3000-memory.dmp
        Filesize

        10.1MB

        Download
      • memory/2028-77-0x000007FEF3B20000-0x000007FEF467D000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/2028-78-0x00000000026F4000-0x00000000026F7000-memory.dmp
        Filesize

        12KB

        Download
      • memory/2028-79-0x000000001B800000-0x000000001BAFF000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/2028-81-0x00000000026FB000-0x000000000271A000-memory.dmp
        Filesize

        124KB

        Download
      • memory/2028-80-0x00000000026F4000-0x00000000026F7000-memory.dmp
        Filesize

        12KB

        Download