Analysis
- max time kernel: 137s
- max time network: 101s
- platform: windows7_x64
- resource: win7v200722
- submitted: 24-08-2020 22:33
- Static task: static1
- Behavioral task: behavioral1
- Sample: 127661.exe
- Resource: win7v200722
General
- Target: 127661.exe
- Size: 375KB
- MD5: 309c240336952e3a6afe08f91581aa76
- SHA1: 7cc257d1dc641c5fc312c7694a1a7be7ce31cb46
- SHA256: 621d7c1d19ccbaa8d56dbcb37e46f4437fa425ce92895acd87a6df9710f8b391
- SHA512: a7e68157c9d9e6a317fa5a898cf1b96bd884132e4634fecd495af74d5e40b72f54a85446730a0a0ac8379039146f1840229e420c5b7dd64b1eca8be0b09fb104
Malware Config
Extracted
- Family: trickbot
- Version: 1000098
- Botnet: mac1
- autorun: Control:GetSystemInfo; Name:systeminfo; Name:injectDll
Signatures

Executes dropped EXE (3 IoCs)
Processes:
- pid 868: 237772.exe
- pid 1948: 237772.exe
- pid 1632: 237772.exe

Loads dropped DLL (1 IoC)
Processes:
- pid 1600: 127661.exe
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 7: ipecho.net
- flow 3: wtfismyip.com
- flow 5: ipecho.net
Modifies data under HKEY_USERS (42 IoCs)
Processes: svchost.exe (all entries below)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- Token: SeTakeOwnershipPrivilege; pid 1108; svchost.exe
Suspicious use of WriteProcessMemory (1431 IoCs)
Processes (distinct source/target pairs):
- PID 1600 wrote to memory of 868: 127661.exe (pid 1600) -> 237772.exe (pid 868)
- PID 868 wrote to memory of 1108: 237772.exe (pid 868) -> svchost.exe (pid 1108)
Processes
- C:\Users\Admin\AppData\Local\Temp\127661.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\127661.exe"
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\services\237772.exe
    command line: C:\Users\Admin\AppData\Roaming\services\237772.exe
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe
      command line: svchost.exe
      signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {0C8BD2F6-A286-46CE-BE43-154C969488F8} S-1-5-18:NT AUTHORITY\System:Service:
  - C:\Users\Admin\AppData\Roaming\services\237772.exe
    command line: C:\Users\Admin\AppData\Roaming\services\237772.exe
    signatures: Executes dropped EXE
    - C:\Windows\system32\svchost.exe
      command line: svchost.exe
  - C:\Users\Admin\AppData\Roaming\services\237772.exe
    command line: C:\Users\Admin\AppData\Roaming\services\237772.exe
    signatures: Executes dropped EXE
    - C:\Windows\system32\svchost.exe
      command line: svchost.exe
      signatures: Modifies data under HKEY_USERS
Downloads
- C:\Users\Admin\AppData\Roaming\services\237772.exe
- C:\Users\Admin\AppData\Roaming\services\237772.exe
- C:\Users\Admin\AppData\Roaming\services\237772.exe
- C:\Users\Admin\AppData\Roaming\services\client_id
- \Users\Admin\AppData\Roaming\services\237772.exe
- memory/868-4-0x0000000000751000-0x0000000000752000-memory.dmp (Filesize 4KB)
- memory/868-2-0x0000000000000000-mapping.dmp
- memory/1108-6-0x0000000140000000-0x0000000140022000-memory.dmp (Filesize 136KB)
- memory/1108-5-0x0000000000000000-mapping.dmp
- memory/1528-15-0x0000000000000000-mapping.dmp
- memory/1600-0-0x00000000006A1000-0x00000000006A2000-memory.dmp (Filesize 4KB)
- memory/1632-12-0x0000000000000000-mapping.dmp
- memory/1632-14-0x0000000000721000-0x0000000000722000-memory.dmp (Filesize 4KB)
- memory/1764-10-0x0000000000000000-mapping.dmp
- memory/1948-9-0x0000000000751000-0x0000000000752000-memory.dmp (Filesize 4KB)
- memory/1948-7-0x0000000000000000-mapping.dmp