Analysis

- max time kernel: 138s
- max time network: 139s
- platform: windows7_x64
- resource: win7v200722
- submitted: 24-08-2020 21:55

Static task: static1
Behavioral task: behavioral1
Sample: sample.exe
Resource: win7v200722
General

- Target: sample.exe
- Size: 375KB
- MD5: 309c240336952e3a6afe08f91581aa76
- SHA1: 7cc257d1dc641c5fc312c7694a1a7be7ce31cb46
- SHA256: 621d7c1d19ccbaa8d56dbcb37e46f4437fa425ce92895acd87a6df9710f8b391
- SHA512: a7e68157c9d9e6a317fa5a898cf1b96bd884132e4634fecd495af74d5e40b72f54a85446730a0a0ac8379039146f1840229e420c5b7dd64b1eca8be0b09fb104
Malware Config

Extracted

- Family: trickbot
- Version: 1000098
- Botnet (gtag): mac1
- C2:
  79.106.41.9:449
  94.250.252.146:443
  62.109.18.206:443
  62.109.26.193:443
  78.24.223.50:443
  94.250.252.162:443
  92.53.78.209:443
  92.53.66.115:443
  62.109.16.70:443
  62.109.23.229:443
  62.109.17.100:443
  82.146.47.221:443
  195.133.144.43:443
  194.87.92.217:443
  95.213.194.234:443
  195.133.147.44:443
  194.87.238.149:443
  78.155.206.154:443
  185.80.130.195:443
  94.250.252.168:443
  82.202.236.5:443
  185.80.129.158:443
  94.250.255.156:443
  185.158.114.106:443
  94.250.248.173:443
- Attributes (autorun):
  Control: GetSystemInfo
  Name: systeminfo
  Name: injectDll
Signatures

Executes dropped EXE (3 IoCs)
Processes (pid process):
  1436 sanpmf.exe
  1828 sanpmf.exe
  1744 sanpmf.exe

Loads dropped DLL (1 IoC)
Processes (pid process):
  1420 sample.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow ioc):
  flow 3: ip.anysrc.net

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description pid process):
  Token: SeTakeOwnershipPrivilege  288 svchost.exe

Suspicious use of WriteProcessMemory (1431 IoCs)
Processes (description pid process target process):
  PID 1420 wrote to memory of 1436  (1420 sample.exe -> sanpmf.exe), 4 entries shown
  PID 1436 wrote to memory of 288   (1436 sanpmf.exe -> svchost.exe), repeated many times; the visible listing is an excerpt of the 1431 recorded events
Processes

- C:\Users\Admin\AppData\Local\Temp\sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
    Command line: C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe
      Command line: svchost.exe
      - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {065F6C61-4F13-4D3F-9C14-9BF439BD90B2} S-1-5-18:NT AUTHORITY\System:Service:
  - C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
    Command line: C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
    - Executes dropped EXE
    - C:\Windows\system32\svchost.exe
      Command line: svchost.exe
  - C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
    Command line: C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
    - Executes dropped EXE
    - C:\Windows\system32\svchost.exe
      Command line: svchost.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Roaming\services\client_id
- C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
- C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
- C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
- \Users\Admin\AppData\Roaming\services\sanpmf.exe
- memory/288-5-0x0000000000000000-mapping.dmp
- memory/288-6-0x0000000140000000-0x0000000140022000-memory.dmp (Filesize 136KB)
- memory/1420-0-0x0000000000601000-0x0000000000602000-memory.dmp (Filesize 4KB)
- memory/1436-2-0x0000000000000000-mapping.dmp
- memory/1556-15-0x0000000000000000-mapping.dmp
- memory/1640-10-0x0000000000000000-mapping.dmp
- memory/1744-12-0x0000000000000000-mapping.dmp
- memory/1744-14-0x0000000000751000-0x0000000000752000-memory.dmp (Filesize 4KB)
- memory/1828-9-0x0000000000711000-0x0000000000712000-memory.dmp (Filesize 4KB)
- memory/1828-7-0x0000000000000000-mapping.dmp