Analysis

max time kernel: 55s
max time network: 113s
platform: windows10_x64
resource: win10v20210410
submitted: 12-07-2021 09:41

Static task: static1
Behavioral task: behavioral1
Sample: PI.bat.exe
Resource: win7v20210408
General

Target: PI.bat.exe
Size: 706KB
MD5: 3a990e8b280a4398f8f34c2bc06220a0
SHA1: 5eb88cd730a0c2c69a3ff7e7876817b9d57aa0ab
SHA256: f7354cf388d41e31f397e2aa0f40546ddd0b929a8aaf5ced7af3288aec34f236
SHA512: 31841a48301b63486e9cb1e4b2c649a462772545f0c9f821d2ac28aed5e240d5ce65a51db43a8ef452201db5563e0acea799e8753d4998407de41032c2e2e5fd
Malware Config

Extracted
Family: pony
C2: https://gulshanti.com/hybrid/panel/gate.php
payload_url: https://gulshanti.com/shit.exe
Signatures

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          pid   process     target process
  PID 1496 set thread context of 2724  1496  PI.bat.exe  PI.bat.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (40 IoCs)
  Processes (each of the eight privileges below is recorded five times for pid 2724, giving 40 IoCs):
  description                          pid   process
  Token: SeImpersonatePrivilege        2724  PI.bat.exe
  Token: SeTcbPrivilege                2724  PI.bat.exe
  Token: SeChangeNotifyPrivilege       2724  PI.bat.exe
  Token: SeCreateTokenPrivilege        2724  PI.bat.exe
  Token: SeBackupPrivilege             2724  PI.bat.exe
  Token: SeRestorePrivilege            2724  PI.bat.exe
  Token: SeIncreaseQuotaPrivilege      2724  PI.bat.exe
  Token: SeAssignPrimaryTokenPrivilege 2724  PI.bat.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (the first row is recorded eight times, the second three times, giving 11 IoCs):
  description                        pid   process     target process
  PID 1496 wrote to memory of 2724   1496  PI.bat.exe  PI.bat.exe
  PID 2724 wrote to memory of 4008   2724  PI.bat.exe  cmd.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\PI.bat.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PI.bat.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PI.bat.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PI.bat.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\259322484.bat" "C:\Users\Admin\AppData\Local\Temp\PI.bat.exe" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\259322484.bat
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

- Memory dumps (file name is pid-index-region)
  memory/1496-121-0x0000000005AA0000-0x0000000005F9E000-memory.dmp   5.0MB
  memory/1496-123-0x0000000008160000-0x00000000081BF000-memory.dmp   380KB
  memory/1496-118-0x0000000005AA0000-0x0000000005AA1000-memory.dmp   4KB
  memory/1496-119-0x0000000005B60000-0x0000000005B61000-memory.dmp   4KB
  memory/1496-120-0x0000000005C00000-0x0000000005C01000-memory.dmp   4KB
  memory/1496-114-0x0000000000F50000-0x0000000000F51000-memory.dmp   4KB
  memory/1496-122-0x0000000003210000-0x0000000003220000-memory.dmp   64KB
  memory/1496-117-0x0000000005FA0000-0x0000000005FA1000-memory.dmp   4KB
  memory/1496-124-0x0000000005EC0000-0x0000000005EDD000-memory.dmp   116KB
  memory/1496-116-0x0000000005A00000-0x0000000005A01000-memory.dmp   4KB
  memory/2724-126-0x0000000000410621-mapping.dmp
  memory/2724-127-0x0000000000400000-0x0000000000419000-memory.dmp   100KB
  memory/2724-125-0x0000000000400000-0x0000000000419000-memory.dmp   100KB
  memory/4008-128-0x0000000000000000-mapping.dmp