Overview
Overview (overview): 10
Static (static): 1
BYBBLJDYNKYQRCIW.ps1 (windows7-x64): 3
BYBBLJDYNKYQRCIW.ps1 (windows10-2004-x64): 10
LOEVIQHNNBLMJQGX.vbs (windows7-x64): 3
LOEVIQHNNBLMJQGX.vbs (windows10-2004-x64): 7
NOXOIMAYDCJQRTDL.bat (windows7-x64): 8
NOXOIMAYDCJQRTDL.bat (windows10-2004-x64): 8
PLYEDPJAJZDJPATK.vbs (windows7-x64): 3
PLYEDPJAJZDJPATK.vbs (windows10-2004-x64): 7
XKAHEZZHLYETQDGK.bat (windows7-x64): 8
XKAHEZZHLYETQDGK.bat (windows10-2004-x64): 8
YEJVMCIJLIUXHSQV.ps1 (windows7-x64): 3
YEJVMCIJLIUXHSQV.ps1 (windows10-2004-x64): 3
Analysis
- max time kernel: 120s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 27-06-2024 18:45
Static task: static1
Behavioral task: behavioral1, Sample: BYBBLJDYNKYQRCIW.ps1, Resource: win7-20240508-en
Behavioral task: behavioral2, Sample: BYBBLJDYNKYQRCIW.ps1, Resource: win10v2004-20240508-en
Behavioral task: behavioral3, Sample: LOEVIQHNNBLMJQGX.vbs, Resource: win7-20240220-en
Behavioral task: behavioral4, Sample: LOEVIQHNNBLMJQGX.vbs, Resource: win10v2004-20240508-en
Behavioral task: behavioral5, Sample: NOXOIMAYDCJQRTDL.bat, Resource: win7-20240508-en
Behavioral task: behavioral6, Sample: NOXOIMAYDCJQRTDL.bat, Resource: win10v2004-20240611-en
Behavioral task: behavioral7, Sample: PLYEDPJAJZDJPATK.vbs, Resource: win7-20240221-en
Behavioral task: behavioral8, Sample: PLYEDPJAJZDJPATK.vbs, Resource: win10v2004-20240508-en
Behavioral task: behavioral9, Sample: XKAHEZZHLYETQDGK.bat, Resource: win7-20240419-en
Behavioral task: behavioral10, Sample: XKAHEZZHLYETQDGK.bat, Resource: win10v2004-20240611-en
Behavioral task: behavioral11, Sample: YEJVMCIJLIUXHSQV.ps1, Resource: win7-20240221-en
Behavioral task: behavioral12, Sample: YEJVMCIJLIUXHSQV.ps1, Resource: win10v2004-20240508-en
General
- Target: NOXOIMAYDCJQRTDL.bat
- Size: 1KB
- MD5: f0615a271904779ef01a22ccffc5b7ac
- SHA1: b18bab505208a2d1a53f7496286f25ac199b7475
- SHA256: 5e91677a0a32ced94580bef9253982462f9d9a7e5f2166a07561fe13f4342e98
- SHA512: caa35c7111c525d8385e14b51368f657f9232b606dd6aa27fb580884264d0215435de234b4bfc155ec006107dfd94da978a73331442a2fd19c310348e3d758a2
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: powershell.exe
  pid, process
  2168, powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: powershell.exe
  description, pid, process
  Token: SeDebugPrivilege, 2168, powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: cmd.exe
  description, pid, process, target process
  PID 2480 wrote to memory of 2168, 2480, cmd.exe, powershell.exe
  PID 2480 wrote to memory of 2168, 2480, cmd.exe, powershell.exe
  PID 2480 wrote to memory of 2168, 2480, cmd.exe, powershell.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\NOXOIMAYDCJQRTDL.bat"
  PID:2480
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 2480)
  powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\BYBBLJDYNKYQRCIW.ps1'"
  PID:2168
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken