Overview

Static: score 10

Behavioral tasks (score, sample, platform):
  1    BYBBLJDYNKYQRCIW.ps1   windows7-x64
  3    BYBBLJDYNKYQRCIW.ps1   windows10-2004-x64
  10   LOEVIQHNNBLMJQGX.vbs   windows7-x64
  3    LOEVIQHNNBLMJQGX.vbs   windows10-2004-x64
  7    NOXOIMAYDCJQRTDL.bat   windows7-x64
  8    NOXOIMAYDCJQRTDL.bat   windows10-2004-x64
  8    PLYEDPJAJZDJPATK.vbs   windows7-x64
  3    PLYEDPJAJZDJPATK.vbs   windows10-2004-x64
  7    XKAHEZZHLYETQDGK.bat   windows7-x64
  8    XKAHEZZHLYETQDGK.bat   windows10-2004-x64
  8    YEJVMCIJLIUXHSQV.ps1   windows7-x64
  3    YEJVMCIJLIUXHSQV.ps1   windows10-2004-x64

Analysis: score 3
  max time kernel:   117s
  max time network:  118s
  platform:          windows7_x64
  resource:          win7-20240611-en
  resource tags:     arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  submitted:         28-06-2024 01:53
Tasks (task, sample, resource):
  static1        (static task)
  behavioral1    BYBBLJDYNKYQRCIW.ps1   win7-20240611-en
  behavioral2    BYBBLJDYNKYQRCIW.ps1   win10v2004-20240611-en
  behavioral3    LOEVIQHNNBLMJQGX.vbs   win7-20240508-en
  behavioral4    LOEVIQHNNBLMJQGX.vbs   win10v2004-20240611-en
  behavioral5    NOXOIMAYDCJQRTDL.bat   win7-20240508-en
  behavioral6    NOXOIMAYDCJQRTDL.bat   win10v2004-20240508-en
  behavioral7    PLYEDPJAJZDJPATK.vbs   win7-20240611-en
  behavioral8    PLYEDPJAJZDJPATK.vbs   win10v2004-20240508-en
  behavioral9    XKAHEZZHLYETQDGK.bat   win7-20240611-en
  behavioral10   XKAHEZZHLYETQDGK.bat   win10v2004-20240611-en
  behavioral11   YEJVMCIJLIUXHSQV.ps1   win7-20240221-en
  behavioral12   YEJVMCIJLIUXHSQV.ps1   win10v2004-20240611-en
General
  Target:  XKAHEZZHLYETQDGK.bat
  Size:    1KB
  MD5:     20b2afea9d76846c78a9e7588a7135e9
  SHA1:    f307dca000a50208201c49324206bb6954fea3b3
  SHA256:  9f7fc00e72e44ebc9b9f4b66bbf7d35a6eb6736f00a1ffd56100b6ea2ae57a74
  SHA512:  917d6c18f14d65563c63e7e7b1ea7913a7767f855e94ac0866ae02c268b8c03793876dec92d23789b9e055743964a1471a63e28130621675a3249c4cfd227726
Malware Config
Signatures
  Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
    Runs PowerShell with the display window hidden.
  Suspicious behavior: EnumeratesProcesses (1 IoC)
    Process: powershell.exe, PID 1836
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    Process: powershell.exe, PID 1836; token: SeDebugPrivilege
  Suspicious use of WriteProcessMemory (3 IoCs)
    Process: cmd.exe, PID 1548 wrote to memory of PID 1836 (powershell.exe), three times
Processes
  1. C:\Windows\system32\cmd.exe (PID 1548)
       cmd /c "C:\Users\Admin\AppData\Local\Temp\XKAHEZZHLYETQDGK.bat"
       - Suspicious use of WriteProcessMemory
     2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1836)
          powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\YEJVMCIJLIUXHSQV.ps1'"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

The batch file does nothing but launch PowerShell against C:\Users\Public\YEJVMCIJLIUXHSQV.ps1, which is one of the sibling samples of this submission (behavioral11 and behavioral12); the behaviour of the chain therefore depends on that script being present in C:\Users\Public at run time, and the .ps1 tasks should be read together with this one.
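The launch chain above (cmd.exe running a .bat from the user's Temp folder, which starts powershell.exe with -WindowStyle Hidden, -ExecutionPolicy Bypass, -NoProfile and a script in C:\Users\Public) is the detectable part of this report. The following is an added example, not part of the sandbox output: it parses Windows process-creation records and flags that combination. It goes beyond the report in one respect: powershell.exe accepts abbreviated switches (-nop, -w, -ep, -e, -c, ...), so the parser expands abbreviations before matching, and an abbreviated variant is judged the same as the spelled-out command line in the report. The abbreviation minimums are an assumption modelled on the Windows PowerShell 5.1 console host; the sample events, file names stage2.ps1, loader.bat and inventory.ps1, and PIDs other than 1548 and 1836 are constructed for the example.

```python
"""Detection logic for the cmd.exe -> powershell.exe chain in this report.

Added example, not part of the sandbox output. Process-creation records are
constructed below; the first reproduces the report's two processes.
"""
import re
from dataclasses import dataclass

# powershell.exe accepts any prefix of a switch name that is at least as long
# as a minimum abbreviation. Minimums are an ASSUMPTION modelled on the Windows
# PowerShell 5.1 console host; verify against your target version.
# Order matters: "ex" (ExecutionPolicy) must be tried before "e" (EncodedCommand).
SWITCHES = [
    ("noprofile", "nop"), ("nologo", "nol"), ("noninteractive", "noni"),
    ("noexit", "noe"), ("windowstyle", "w"), ("executionpolicy", "ex"),
    ("encodedcommand", "e"), ("command", "c"), ("file", "f"), ("version", "v"),
]
ALIASES = {"ep": "executionpolicy", "ec": "encodedcommand"}
VALUE_SWITCHES = {"windowstyle", "executionpolicy", "encodedcommand", "version"}
# Paths any user can write to; a script staged here is the tell in this report.
USER_WRITABLE = re.compile(r"(?i)\\users\\public\\|\\appdata\\local\\temp\\")


@dataclass
class ProcessEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str
    parent_command_line: str


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    tokens, cur, quote = [], [], None
    for ch in cmdline:
        if quote:
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in ('"', "'"):
            quote = ch
        elif ch.isspace():
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def expand_switch(key: str) -> str:
    """Map a lower-cased switch without its dash to its full name."""
    if key in ALIASES:
        return ALIASES[key]
    for full, minimum in SWITCHES:
        if full.startswith(key) and len(key) >= len(minimum):
            return full
    return key  # unknown or ambiguous: keep as typed


def parse_powershell_args(cmdline: str) -> dict:
    """Return {switch_name: value} for a powershell.exe command line."""
    tokens = tokenize(cmdline)[1:]  # drop the image path
    parsed, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok[:1] not in ("-", "/"):
            parsed.setdefault("command", " ".join(tokens[i:]))  # bare text = -Command
            break
        name = expand_switch(tok[1:].lower())
        if name in ("command", "file"):  # both consume the rest of the line
            parsed[name] = " ".join(tokens[i + 1:])
            break
        if name in VALUE_SWITCHES:
            parsed[name] = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
            i += 2
        else:
            parsed[name] = True
            i += 1
    return parsed


def assess(ev: ProcessEvent) -> list:
    """List the indicators present on a powershell.exe process-creation event."""
    findings = []
    if not ev.image.lower().endswith("\\powershell.exe"):
        return findings
    args = parse_powershell_args(ev.command_line)
    if args.get("windowstyle") == "hidden":
        findings.append("hidden_window")
    if args.get("executionpolicy") in ("bypass", "unrestricted"):
        findings.append("execution_policy_bypass")
    if "noprofile" in args:
        findings.append("no_profile")
    if "encodedcommand" in args:
        findings.append("encoded_command")
    if USER_WRITABLE.search(args.get("command", "") + " " + args.get("file", "")):
        findings.append("script_in_user_writable_path")
    if ev.parent_image.lower().endswith("\\cmd.exe") and USER_WRITABLE.search(ev.parent_command_line):
        findings.append("launched_by_cmd_from_user_writable_path")
    return findings


def is_suspicious(ev: ProcessEvent) -> bool:
    return len(assess(ev)) >= 3  # alert threshold chosen for this example


# Constructed sample events. The first reproduces the report's process tree.
SAMPLE_EVENTS = [
    ProcessEvent(1836, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"""powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\YEJVMCIJLIUXHSQV.ps1'" """,
                 1548, r"C:\Windows\system32\cmd.exe",
                 r'cmd /c "C:\Users\Admin\AppData\Local\Temp\XKAHEZZHLYETQDGK.bat"'),
    # Same chain with abbreviated switches (hypothetical file names and PIDs).
    ProcessEvent(2204, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"""powershell -nop -w hidden -ep bypass -c "& 'C:\Users\Public\stage2.ps1'" """,
                 2100, r"C:\Windows\system32\cmd.exe",
                 r'cmd /c "C:\Users\Admin\AppData\Local\Temp\loader.bat"'),
    # Benign scheduled script from a protected path (hypothetical).
    ProcessEvent(3010, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -File C:\ProgramData\scripts\inventory.ps1",
                 900, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -s Schedule"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.pid, "SUSPICIOUS" if is_suspicious(ev) else "ok", assess(ev))
```

The parent/child relationship, not the WriteProcessMemory signature, is what the rule keys on: a parent writing into its freshly created child is how process creation works on Windows, and the sandbox records it for every such pair, so those three IoCs add nothing beyond "cmd.exe started powershell.exe". The SeDebugPrivilege adjustment reported for PID 1836 is a separate event type (token adjustment, not process creation) and is deliberately left out of this detector rather than modelled with an invented log format.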