Analysis
max time kernel: 149s
max time network: 152s
platform: windows10_x64
resource: win10
submitted: 24-08-2020 21:55
Static task: static1
Behavioral task: behavioral1
Sample: sample.exe
Resource: win7v200722
General
Target: sample.exe
Size: 375KB
MD5: 309c240336952e3a6afe08f91581aa76
SHA1: 7cc257d1dc641c5fc312c7694a1a7be7ce31cb46
SHA256: 621d7c1d19ccbaa8d56dbcb37e46f4437fa425ce92895acd87a6df9710f8b391
SHA512: a7e68157c9d9e6a317fa5a898cf1b96bd884132e4634fecd495af74d5e40b72f54a85446730a0a0ac8379039146f1840229e420c5b7dd64b1eca8be0b09fb104
Malware Config
Extracted
trickbot
1000098
mac1
autorun
  Control: GetSystemInfo, Name: systeminfo
  Name: injectDll
Signatures

Executes dropped EXE 3 IoCs
Processes:
pid   process
3948  sanpmf.exe
2080  sanpmf.exe
640   sanpmf.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
5     checkip.amazonaws.com
Modifies data under HKEY_USERS 2 IoCs
Processes:
description       ioc                                                                                                   process
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache              svchost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description                    pid   process
Token: SeTakeOwnershipPrivilege  3372  svchost.exe
Suspicious use of WriteProcessMemory 1416 IoCs
Processes:
description         pid   process     target pid  target process
wrote to memory of  3888  sample.exe  3948        sanpmf.exe   (repeated)
wrote to memory of  3948  sanpmf.exe  3372        svchost.exe  (repeated)
Processes
- C:\Users\Admin\AppData\Local\Temp\sample.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  triggered: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
    command line: C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
    triggered: Executes dropped EXE
    triggered: Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\svchost.exe
      command line: svchost.exe
      triggered: Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
  command line: C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
  triggered: Executes dropped EXE
  - C:\Windows\system32\svchost.exe
    command line: svchost.exe
    triggered: Modifies data under HKEY_USERS
- C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
  command line: C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
  triggered: Executes dropped EXE
  - C:\Windows\system32\svchost.exe
    command line: svchost.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\services\sanpmf.exe
Memory dumps
- memory/640-12-0x00000000008C4000-0x00000000008C7000-memory.dmp (Filesize 12KB)
- memory/852-13-0x0000000000000000-mapping.dmp
- memory/2080-8-0x0000000000854000-0x0000000000857000-memory.dmp (Filesize 12KB)
- memory/3372-6-0x0000000140000000-0x0000000140022000-memory.dmp (Filesize 136KB)
- memory/3372-5-0x0000000000000000-mapping.dmp
- memory/3728-9-0x0000000000000000-mapping.dmp
- memory/3888-0-0x0000000000620000-0x0000000000621000-memory.dmp (Filesize 4KB)
- memory/3948-4-0x00000000007B1000-0x00000000007B2000-memory.dmp (Filesize 4KB)
- memory/3948-1-0x0000000000000000-mapping.dmp