Analysis
- max time kernel: 65s
- max time network: 127s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 02-11-2020 22:20
Static task: static1
Behavioral task: behavioral1
- Sample: t64.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: t64.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: t64.exe
- Size: 724KB
- MD5: 6d9047478abba33d7fbb15d602859103
- SHA1: 0f97c7af1e4185d2dfa1a9af5ae4c9ad3bfc897a
- SHA256: 6141566287a4de53c826f96492ddf53acd36ff44f90f380011b8ed5f672fef6b
- SHA512: 4ba43b8480acff2709045baa9cc58c5f1123af98b98e391a43e0cd506163765ab25cbebe070ad3aaeee4642be1d1f3881625c0ce8e1440dc99502ce79d2c0ee7
- Score: 10/10
Malware Config
Signatures
BazarBackdoor (6 IoCs)
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
Processes:

| description | flow | ioc |
|---|---|---|
| HTTP URL | 32 | https://ikjumnh.xyz/6ea5901ae1272735f9e012d6c17ecc4d/4 |
| HTTP URL | 35 | https://ikjumnh.xyz/6ea5901ae1272735f9e012d6c17ecc4d/4 |
| HTTP URL | 36 | https://ikjumnh.xyz/6ea5901ae1272735f9e012d6c17ecc4d/4 |
| HTTP URL | 37 | https://ikjumnh.xyz/6ea5901ae1272735f9e012d6c17ecc4d/2 |
| HTTP URL | 27 | https://citycafeonline.com/6ea5901ae1272735f9e012d6c17ecc4d/4 |
| HTTP URL | 29 | https://woodallmcneill.com/6ea5901ae1272735f9e012d6c17ecc4d/4 |
Blacklisted process makes network request (6 IoCs)
Processes: cmd.exe

| flow | pid | process |
|---|---|---|
| 27 | 2176 | cmd.exe |
| 29 | 2176 | cmd.exe |
| 32 | 2176 | cmd.exe |
| 35 | 2176 | cmd.exe |
| 36 | 2176 | cmd.exe |
| 37 | 2176 | cmd.exe |
Suspicious use of SetThreadContext (1 IoC)
Processes: t64.exe

| description | pid | process | target process |
|---|---|---|---|
| PID 884 set thread context of 2176 | 884 | t64.exe | cmd.exe |
Suspicious use of WriteProcessMemory (851 IoCs)
Processes:
Processes
- C:\Users\Admin\AppData\Local\Temp\t64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\t64.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: C:\Windows\System32\cmd.exe
    - Blacklisted process makes network request
- C:\Users\Admin\AppData\Local\Temp\t64.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\t64.exe 3761414020
Network
MITRE ATT&CK Matrix
Downloads
- memory/196-3-0x0000000002000000-0x000000000202C000-memory.dmp (Filesize 176KB)
- memory/884-1-0x0000000001FF0000-0x000000000201C000-memory.dmp (Filesize 176KB)
- memory/884-0-0x0000000000430000-0x000000000045C000-memory.dmp (Filesize 176KB)
- memory/2176-5-0x00007FF7EF87D788-mapping.dmp
- memory/2176-4-0x00007FF7EF860000-0x00007FF7EF8A4000-memory.dmp (Filesize 272KB)
- memory/2176-6-0x00007FF7EF860000-0x00007FF7EF8A4000-memory.dmp (Filesize 272KB)