1b8dbedf6136cd2c742daba48bcecd584421a4456a78f7b907cadd4f76e5e90b

General

Target

triage/Build.bat
Size

741B
MD5

4e46e28b2e61643f6af70a8b19e5cb1f
SHA1

804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
SHA256

8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
SHA512

009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Score

1^/10

Malware Config

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs

Processes:

keygen.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exe

pid process

2120 keygen.exe
3044 builder.exe
2152 builder.exe
2144 builder.exe
2356 builder.exe
3048 builder.exe
2624 builder.exe

pid	process
2120	keygen.exe
3044	builder.exe
2152	builder.exe
2144	builder.exe
2356	builder.exe
3048	builder.exe
2624	builder.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2716 wrote to memory of 2120	2716	cmd.exe	keygen.exe
PID 2716 wrote to memory of 2120	2716	cmd.exe	keygen.exe
PID 2716 wrote to memory of 2120	2716	cmd.exe	keygen.exe
PID 2716 wrote to memory of 2120	2716	cmd.exe	keygen.exe
PID 2716 wrote to memory of 3044	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 3044	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 3044	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 3044	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 2152	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 2152	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 2152	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 2152	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 2144	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 2144	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 2144	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 2144	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 2356	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 2356	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 2356	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 2356	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 3048	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 3048	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 3048	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 3048	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 2624	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 2624	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 2624	2716	cmd.exe	builder.exe
PID 2716 wrote to memory of 2624	2716	cmd.exe	builder.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\triage\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\triage\keygen.exe
  keygen -path C:\Users\Admin\AppData\Local\Temp\triage\Build -pubkey pub.key -privkey priv.key
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2120
- C:\Users\Admin\AppData\Local\Temp\triage\builder.exe
  builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\triage\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\triage\Build\LB3Decryptor.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3044
- C:\Users\Admin\AppData\Local\Temp\triage\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\triage\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\triage\Build\LB3.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2152
- C:\Users\Admin\AppData\Local\Temp\triage\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\triage\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\triage\Build\LB3_pass.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\triage\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\triage\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\triage\Build\LB3_Rundll32.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2356
- C:\Users\Admin\AppData\Local\Temp\triage\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\triage\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\triage\Build\LB3_Rundll32_pass.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3048
- C:\Users\Admin\AppData\Local\Temp\triage\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\triage\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\triage\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\triage\Build\priv.key

Filesize
344B

MD5
5acff71271cac8aad542eb2132cb749b

SHA1
2dacdec871dc329e020ff794749856ff7d7f1a96

SHA256
170c867ddf20e00af3a3534344fe2ed4addc66021d7274c4cec6c350f3e62fca

SHA512
548984dba80bf215c87d56c10f51e1b4256a8fa63133e8de94fe04bf2eb2c5c492de540b350f2b5139d46ce7fbcb9c020f43ed8198e953a9a69f430d17eba632

Download Submit
C:\Users\Admin\AppData\Local\Temp\triage\Build\pub.key

Filesize
344B

MD5
2fa46b6af5e1df1d31dab63ea0d90819

SHA1
e04d2c9c598cc25a33a42bc799bee18f136e3c09

SHA256
f3f04c04bca76d6a989b6226aea9a7e8c6f72d9eeb5df42b500f8a673f2b7cee

SHA512
080304bbd9be7c5b29a62fc877f4791510de31c851b5c9f22e598ec80c1ffed40368a3324a18b79602afe1d08ec9f06a9f17b94be61b7cf37a1e7b3c5042b89d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads