37185d9df180b61b06b0b411723571eed293ca1d2c3e1c28a74a5fd72e5d9e7b

General

Target

Build.bat
Size

741B
MD5

4e46e28b2e61643f6af70a8b19e5cb1f
SHA1

804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
SHA256

8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
SHA512

009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Score

1^/10

Malware Config

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs

Processes:

keygen.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exe

pid process

1116 keygen.exe
276 builder.exe
1360 builder.exe
296 builder.exe
576 builder.exe
540 builder.exe
1488 builder.exe

pid	process
1116	keygen.exe
276	builder.exe
1360	builder.exe
296	builder.exe
576	builder.exe
540	builder.exe
1488	builder.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1492 wrote to memory of 1116	1492	cmd.exe	keygen.exe
PID 1492 wrote to memory of 1116	1492	cmd.exe	keygen.exe
PID 1492 wrote to memory of 1116	1492	cmd.exe	keygen.exe
PID 1492 wrote to memory of 1116	1492	cmd.exe	keygen.exe
PID 1492 wrote to memory of 276	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 276	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 276	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 276	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 1360	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 1360	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 1360	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 1360	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 296	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 296	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 296	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 296	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 576	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 576	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 576	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 576	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 540	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 540	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 540	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 540	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 1488	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 1488	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 1488	1492	cmd.exe	builder.exe
PID 1492 wrote to memory of 1488	1492	cmd.exe	builder.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\keygen.exe
keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1116

C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:276

C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1360

C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:296

C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:576

C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:540

C:\Users\Admin\AppData\Local\Temp\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1488

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Build\priv.key
Filesize
344B

MD5
dd192e734605f79fa2e50b0bb7dd3a6e

SHA1
bf7e529a4e3a11d110576c310104dd4b13fe704d

SHA256
ddcc742dfe0c9393f4bdd5968db2efb3b01700a67d141cdcd8af067c0cdabca7

SHA512
c211e5e2f75a63b6131224be2d5be64596a90d7f225467b1cbdbc3a65b1029a9e3bd10ebd5ab8b73acd67e204a1c1dea89eaa8c76dd6b6467594fa23dbf06525

Download Submit
C:\Users\Admin\AppData\Local\Temp\Build\pub.key
Filesize
344B

MD5
f0e0b3622b6e84fb25096a277eda5efa

SHA1
267f7d7cf8df4f00582cafc40930a947da5a03d4

SHA256
60ed17134f4ef9b8f98b6ce533bf8f0447bd946fdb6bd300d79390764ded2090

SHA512
9997689fe4127f025d605c01184dbb9099fc0105434f2f9abec5afb848ac9cb80c66f0c5af346eee3e93baa0c297da33cc9ecac23c5593d47f19616c51fb73cb

Download Submit
memory/276-56-0x0000000000000000-mapping.dmp

Download
memory/296-62-0x0000000000000000-mapping.dmp

Download
memory/540-66-0x0000000000000000-mapping.dmp

Download
memory/576-64-0x0000000000000000-mapping.dmp

Download
memory/1116-54-0x0000000000000000-mapping.dmp

Download
memory/1116-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1360-59-0x0000000000000000-mapping.dmp

Download
memory/1488-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads