37185d9df180b61b06b0b411723571eed293ca1d2c3e1c28a74a5fd72e5d9e7b

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-12-2022 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Build.bat
Size

741B
MD5

4e46e28b2e61643f6af70a8b19e5cb1f
SHA1

804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
SHA256

8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
SHA512

009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Score

1^/10

Malware Config

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs

pid	Process
1116	keygen.exe
276	builder.exe
1360	builder.exe
296	builder.exe
576	builder.exe
540	builder.exe
1488	builder.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 1116	1492	cmd.exe	28
PID 1492 wrote to memory of 1116	1492	cmd.exe	28
PID 1492 wrote to memory of 1116	1492	cmd.exe	28
PID 1492 wrote to memory of 1116	1492	cmd.exe	28
PID 1492 wrote to memory of 276	1492	cmd.exe	29
PID 1492 wrote to memory of 276	1492	cmd.exe	29
PID 1492 wrote to memory of 276	1492	cmd.exe	29
PID 1492 wrote to memory of 276	1492	cmd.exe	29
PID 1492 wrote to memory of 1360	1492	cmd.exe	30
PID 1492 wrote to memory of 1360	1492	cmd.exe	30
PID 1492 wrote to memory of 1360	1492	cmd.exe	30
PID 1492 wrote to memory of 1360	1492	cmd.exe	30
PID 1492 wrote to memory of 296	1492	cmd.exe	31
PID 1492 wrote to memory of 296	1492	cmd.exe	31
PID 1492 wrote to memory of 296	1492	cmd.exe	31
PID 1492 wrote to memory of 296	1492	cmd.exe	31
PID 1492 wrote to memory of 576	1492	cmd.exe	32
PID 1492 wrote to memory of 576	1492	cmd.exe	32
PID 1492 wrote to memory of 576	1492	cmd.exe	32
PID 1492 wrote to memory of 576	1492	cmd.exe	32
PID 1492 wrote to memory of 540	1492	cmd.exe	33
PID 1492 wrote to memory of 540	1492	cmd.exe	33
PID 1492 wrote to memory of 540	1492	cmd.exe	33
PID 1492 wrote to memory of 540	1492	cmd.exe	33
PID 1492 wrote to memory of 1488	1492	cmd.exe	34
PID 1492 wrote to memory of 1488	1492	cmd.exe	34
PID 1492 wrote to memory of 1488	1492	cmd.exe	34
PID 1492 wrote to memory of 1488	1492	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\keygen.exe
  keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1116
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:276
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1360
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:296
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:576
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:540
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Build\priv.key

Filesize
344B

MD5
dd192e734605f79fa2e50b0bb7dd3a6e

SHA1
bf7e529a4e3a11d110576c310104dd4b13fe704d

SHA256
ddcc742dfe0c9393f4bdd5968db2efb3b01700a67d141cdcd8af067c0cdabca7

SHA512
c211e5e2f75a63b6131224be2d5be64596a90d7f225467b1cbdbc3a65b1029a9e3bd10ebd5ab8b73acd67e204a1c1dea89eaa8c76dd6b6467594fa23dbf06525

Download Submit
C:\Users\Admin\AppData\Local\Temp\Build\pub.key

Filesize
344B

MD5
f0e0b3622b6e84fb25096a277eda5efa

SHA1
267f7d7cf8df4f00582cafc40930a947da5a03d4

SHA256
60ed17134f4ef9b8f98b6ce533bf8f0447bd946fdb6bd300d79390764ded2090

SHA512
9997689fe4127f025d605c01184dbb9099fc0105434f2f9abec5afb848ac9cb80c66f0c5af346eee3e93baa0c297da33cc9ecac23c5593d47f19616c51fb73cb

Download Submit
memory/1116-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads