b094665ec4cdca6d8e9b9f63d8d71b1b9263eda12f1fdd1d8aa820dbf4c231f6

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Build.bat
Size

733B
MD5

1905cc9973206fea5050b737f9303fb4
SHA1

497524177d9478a4b5dca3e73cc230be6abf4ce0
SHA256

e2f5b93040d57de6251d16256bcd04aa8eb337bde87308e602f01070efd345fb
SHA512

95bae9406d01083f6fe6916ecf8e889afe20ff5863070f1787dc7a60d2d1d5af2cf3fd481a3c4fb531f16dd2cb7a685002aaac1dc907cf189c19c60f2816dd76

Score

1^/10

Malware Config

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs

pid	Process
3048	keygen.exe
3052	builder.exe
2900	builder.exe
1288	builder.exe
2260	builder.exe
2548	builder.exe
2584	builder.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 3048	2952	cmd.exe	29
PID 2952 wrote to memory of 3048	2952	cmd.exe	29
PID 2952 wrote to memory of 3048	2952	cmd.exe	29
PID 2952 wrote to memory of 3048	2952	cmd.exe	29
PID 2952 wrote to memory of 3052	2952	cmd.exe	30
PID 2952 wrote to memory of 3052	2952	cmd.exe	30
PID 2952 wrote to memory of 3052	2952	cmd.exe	30
PID 2952 wrote to memory of 3052	2952	cmd.exe	30
PID 2952 wrote to memory of 2900	2952	cmd.exe	31
PID 2952 wrote to memory of 2900	2952	cmd.exe	31
PID 2952 wrote to memory of 2900	2952	cmd.exe	31
PID 2952 wrote to memory of 2900	2952	cmd.exe	31
PID 2952 wrote to memory of 1288	2952	cmd.exe	32
PID 2952 wrote to memory of 1288	2952	cmd.exe	32
PID 2952 wrote to memory of 1288	2952	cmd.exe	32
PID 2952 wrote to memory of 1288	2952	cmd.exe	32
PID 2952 wrote to memory of 2260	2952	cmd.exe	33
PID 2952 wrote to memory of 2260	2952	cmd.exe	33
PID 2952 wrote to memory of 2260	2952	cmd.exe	33
PID 2952 wrote to memory of 2260	2952	cmd.exe	33
PID 2952 wrote to memory of 2548	2952	cmd.exe	34
PID 2952 wrote to memory of 2548	2952	cmd.exe	34
PID 2952 wrote to memory of 2548	2952	cmd.exe	34
PID 2952 wrote to memory of 2548	2952	cmd.exe	34
PID 2952 wrote to memory of 2584	2952	cmd.exe	35
PID 2952 wrote to memory of 2584	2952	cmd.exe	35
PID 2952 wrote to memory of 2584	2952	cmd.exe	35
PID 2952 wrote to memory of 2584	2952	cmd.exe	35

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Local\Temp\keygen.exe
  keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3048
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3052
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1288
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2260
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Build\priv.key

Filesize
344B

MD5
53730cd6fd4839a0b53fd35c782b3c1a

SHA1
71cd5dc4f97159ba8ed8ee0ca9cf7de2a53c3e4b

SHA256
6106540e55c7fb5f1c0f0641c159b101c4f5f8474389777e3b6ad34db0c420b5

SHA512
bd50b1c3739f5286cd3f4fa746ce86d31d2fd3df2b1b833a1bfd991e7a2ad398670388971555ad974b1adb2aa5323420e884f8506a78f9746cd8bad6cd5937fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Build\pub.key

Filesize
344B

MD5
5eb96cf39f1a82d81e49fc18af8c92fb

SHA1
19a63b22c38e314711751dd79c84dbcb185c17e8

SHA256
a132a5b12aea89b5af7fba8ffe1da36c0e461810f4ed63f6a49ebee80cf570fd

SHA512
19302afa9f3037727ec27722eb2afaf57c5cd16e56afbf5052e817856ba04ca8342bfa4f01e92c4e39d5c8add8473027e652d30ba800d7345a257b092d3792c5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads