b094665ec4cdca6d8e9b9f63d8d71b1b9263eda12f1fdd1d8aa820dbf4c231f6

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-03-2024 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Build.bat
Size

733B
MD5

1905cc9973206fea5050b737f9303fb4
SHA1

497524177d9478a4b5dca3e73cc230be6abf4ce0
SHA256

e2f5b93040d57de6251d16256bcd04aa8eb337bde87308e602f01070efd345fb
SHA512

95bae9406d01083f6fe6916ecf8e889afe20ff5863070f1787dc7a60d2d1d5af2cf3fd481a3c4fb531f16dd2cb7a685002aaac1dc907cf189c19c60f2816dd76

Score

1^/10

Malware Config

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs

pid	Process
1892	keygen.exe
1072	builder.exe
1536	builder.exe
2744	builder.exe
2448	builder.exe
2996	builder.exe
2464	builder.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 1892	2980	cmd.exe	29
PID 2980 wrote to memory of 1892	2980	cmd.exe	29
PID 2980 wrote to memory of 1892	2980	cmd.exe	29
PID 2980 wrote to memory of 1892	2980	cmd.exe	29
PID 2980 wrote to memory of 1072	2980	cmd.exe	30
PID 2980 wrote to memory of 1072	2980	cmd.exe	30
PID 2980 wrote to memory of 1072	2980	cmd.exe	30
PID 2980 wrote to memory of 1072	2980	cmd.exe	30
PID 2980 wrote to memory of 1536	2980	cmd.exe	31
PID 2980 wrote to memory of 1536	2980	cmd.exe	31
PID 2980 wrote to memory of 1536	2980	cmd.exe	31
PID 2980 wrote to memory of 1536	2980	cmd.exe	31
PID 2980 wrote to memory of 2744	2980	cmd.exe	32
PID 2980 wrote to memory of 2744	2980	cmd.exe	32
PID 2980 wrote to memory of 2744	2980	cmd.exe	32
PID 2980 wrote to memory of 2744	2980	cmd.exe	32
PID 2980 wrote to memory of 2448	2980	cmd.exe	33
PID 2980 wrote to memory of 2448	2980	cmd.exe	33
PID 2980 wrote to memory of 2448	2980	cmd.exe	33
PID 2980 wrote to memory of 2448	2980	cmd.exe	33
PID 2980 wrote to memory of 2996	2980	cmd.exe	34
PID 2980 wrote to memory of 2996	2980	cmd.exe	34
PID 2980 wrote to memory of 2996	2980	cmd.exe	34
PID 2980 wrote to memory of 2996	2980	cmd.exe	34
PID 2980 wrote to memory of 2464	2980	cmd.exe	35
PID 2980 wrote to memory of 2464	2980	cmd.exe	35
PID 2980 wrote to memory of 2464	2980	cmd.exe	35
PID 2980 wrote to memory of 2464	2980	cmd.exe	35

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\keygen.exe
  keygen -path C:\Users\Admin\AppData\Local\Temp\Build -pubkey pub.key -privkey priv.key
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1892
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3Decryptor.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1072
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1536
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_pass.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2744
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2448
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_Rundll32_pass.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2996
- C:\Users\Admin\AppData\Local\Temp\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Build\priv.key

Filesize
344B

MD5
bdd3a38868319fc04e5272a0a0a60ea5

SHA1
6508ac90a1a7fc6f3742b1b689d7cc7cbf8c3696

SHA256
7eaa2809eff0e6aa405b18b37ed0f79953fbebb05410f3397dba2232a8c5484b

SHA512
686b41fb225220002b521cbb3443e0d52712a1672e832f526a8d72e84e52fc140ed4ce6023e2dd20b58dab70cf47dc10cb69c44a164eae18fa5c6be1ad014d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Build\pub.key

Filesize
344B

MD5
bacac1eece356b032aeadf1eb905a511

SHA1
729a3add7bdcda7bf31044bd7caf9486e58f16e1

SHA256
420a34bacc745e3dbe174d5bfd5a88614ca760ebc74960eab521cc89c987f960

SHA512
6569d7014dd5cf214d91545ceb09823c59d87c78f615ac9d5e0b392b32947e2a10635d89ec196b9da4608b825f1715b37bfbc26cdadc483189a25e8c3a409830

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads