Analysis

- Max time kernel: 140s
- Max time network: 151s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 13-01-2021 12:25
- Static task: static1
- Behavioral task: behavioral1
  - Sample: MRZhwo07xs.js
  - Resource: win7v20201028
General

- Target: MRZhwo07xs.js
- Size: 56KB
- MD5: e09a8411720fada28aa0a4ec1e78d7c8
- SHA1: f0e5b9f692e2e40d1b0caf0b2126e8f1136cf56f
- SHA256: edcb57b4cacec853469ec74863fed43262f50a5cd2b64f15e50326a6a032540d
- SHA512: 4bbad28c8b36f6a8b3ef308da3b2268e69716d6020ec4e3836b7e6a03a74db47762965b94c14093347a72ec5b47328baf8dcb52cb82f6ecdafaea050a29c8b49
Malware Config

Extracted
- Family: trickbot
- Version: 100010
- Botnet (gtag): rob35
- C2 (23 endpoints, all TCP/443):
  5.34.180.180:443
  64.74.160.228:443
  198.46.198.116:443
  5.34.180.185:443
  107.152.46.188:443
  195.123.241.214:443
  23.254.224.2:443
  107.172.188.113:443
  200.52.147.93:443
  185.198.59.45:443
  45.14.226.101:443
  185.82.126.38:443
  85.204.116.139:443
  45.155.173.248:443
  103.91.244.50:443
  45.230.244.20:443
  45.226.124.226:443
  187.84.95.6:443
  186.250.157.116:443
  186.137.85.76:443
  36.94.62.207:443
  182.253.107.34:443
  180.92.158.244:443
- autorunName: pwgrab (the autorun entry for TrickBot's password-grabber module, which is consistent with the browser-data signature below)
Signatures

- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow  pid  process
    6     296  wscript.exe
    7     328  cmd.exe

- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1516  405996.dat

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid  process
    Token: SeDebugPrivilege  328  cmd.exe

- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    source pid / process   target pid / process   count
    296 wscript.exe        1516 405996.dat        4
    1516 405996.dat        328 cmd.exe            6
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\MRZhwo07xs.js
   - Blocklisted process makes network request
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\405996.dat
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\405996.dat
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\cmd.exe
         Command line: C:\Windows\system32\cmd.exe
         - Blocklisted process makes network request
         - Suspicious use of AdjustPrivilegeToken
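The script below is an added example, not part of this Triage report or of the sample; it turns two things the report shows into checks a responder can run over their own telemetry: the extracted C2 list from the Malware Config section, and the process chain from the tree above (wscript.exe launching a dropped file from %APPDATA%\Microsoft\Windows\Templates, which then spawns cmd.exe). The event records and their field names (ts, event, image, parent_image, dst_ip, dst_port) are constructed for the example and are not any product's real schema; the C2 endpoints are copied verbatim from the config above.

```python
import ipaddress
import ntpath
import re

# C2 endpoints copied from the extracted TrickBot config in this report.
TRICKBOT_C2_CONFIG = """
5.34.180.180:443
64.74.160.228:443
198.46.198.116:443
5.34.180.185:443
107.152.46.188:443
195.123.241.214:443
23.254.224.2:443
107.172.188.113:443
200.52.147.93:443
185.198.59.45:443
45.14.226.101:443
185.82.126.38:443
85.204.116.139:443
45.155.173.248:443
103.91.244.50:443
45.230.244.20:443
45.226.124.226:443
187.84.95.6:443
186.250.157.116:443
186.137.85.76:443
36.94.62.207:443
182.253.107.34:443
180.92.158.244:443
"""


def parse_c2_list(text):
    """Return a set of (ip, port) tuples; lines that are not ip:port are skipped."""
    endpoints = set()
    for line in text.splitlines():
        m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})", line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))  # rejects e.g. 999.1.1.1
        except ValueError:
            continue
        endpoints.add((str(ip), int(m.group(2))))
    return endpoints


C2_ENDPOINTS = parse_c2_list(TRICKBOT_C2_CONFIG)

# Staging directory seen in the process tree, lower-cased and without the
# user-profile prefix so it matches any user.
TEMPLATES_DIR = "\\appdata\\roaming\\microsoft\\windows\\templates\\"


def is_script_host(image):
    return ntpath.basename(image).lower() in {"wscript.exe", "cscript.exe"}


def flag_process_event(ev):
    """Reason string if a process-creation event matches the observed chain, else None."""
    image = ev["image"].lower()
    parent = ev["parent_image"].lower()
    # Stage 2: script host runs a file it dropped under Templates.
    if is_script_host(parent) and TEMPLATES_DIR in image:
        return "script host executed file from Templates"
    # Stage 3: a .dat "document" acting as a parent of cmd.exe.
    if ntpath.basename(image) == "cmd.exe" and parent.endswith(".dat"):
        return "cmd.exe spawned by .dat parent"
    return None


def flag_network_event(ev):
    if (ev["dst_ip"], ev["dst_port"]) in C2_ENDPOINTS:
        return "destination is a known TrickBot C2"
    return None


def scan(events):
    """Return (ts, reason, event) for every event that matches a check."""
    hits = []
    for ev in events:
        if ev["event"] == "process_create":
            reason = flag_process_event(ev)
        elif ev["event"] == "network_connect":
            reason = flag_network_event(ev)
        else:
            reason = None
        if reason:
            hits.append((ev["ts"], reason, ev))
    return hits


# Constructed events mirroring the report's process tree, plus benign noise.
SAMPLE_EVENTS = [
    {"ts": 1, "event": "process_create", "image": r"C:\Windows\system32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": 2, "event": "process_create",
     "image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\405996.dat",
     "parent_image": r"C:\Windows\system32\wscript.exe"},
    {"ts": 3, "event": "process_create", "image": r"C:\Windows\system32\cmd.exe",
     "parent_image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\405996.dat"},
    {"ts": 4, "event": "network_connect", "image": r"C:\Windows\system32\cmd.exe",
     "dst_ip": "5.34.180.180", "dst_port": 443},
    {"ts": 5, "event": "network_connect", "image": r"C:\Program Files\Browser\browser.exe",
     "dst_ip": "192.0.2.10", "dst_port": 443},  # documentation-range IP, not a C2
    {"ts": 6, "event": "process_create", "image": r"C:\Windows\system32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for ts, reason, ev in scan(SAMPLE_EVENTS):
        print(ts, reason, ev.get("image"))
```

The C2 check is exact ip:port matching, so it catches only the infrastructure in this config; the process-chain check is the more durable of the two, since the staging directory and the script-host-to-dropped-file relationship change less often than the IP list.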
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\405996.dat
  MD5: e6ad160ab47dc90d05577ff2d4ebcb86
  SHA1: 6b56dc6e5dd8588beb848038486357e9dfe9086d
  SHA256: 4cd0c1271aa09d8a1b5a5ce144fc6ef827bf89f5d451ebdc933a9f3502841aec
  SHA512: d45c4e3e173d56122ba52eba9f59ae382f598659a51c03db9d89cf174da10cf885c1d1896759b3e5f3ee19ae9ac5e908b0196ad824bdb2bbdc8a3ee391b53e57
- memory/296-5-0x00000000026A0000-0x00000000026A4000-memory.dmp (filesize 16KB)
- memory/328-6-0x0000000000000000-mapping.dmp
- memory/1516-3-0x0000000000000000-mapping.dmp
- memory/1972-2-0x000007FEF6580000-0x000007FEF67FA000-memory.dmp (filesize 2.5MB)