Analysis
max time kernel:   65s
max time network:  125s
platform:          windows10_x64
resource:          win10v20201028
submitted:         02-11-2020 22:22

Static task:      static1
Behavioral task:  behavioral1   Sample t64.exe   Resource win7v20201028    windows7_x64    0 signatures   0 seconds
Behavioral task:  behavioral2   Sample t64.exe   Resource win10v20201028   windows10_x64   0 signatures   0 seconds
General
Target:  t64.exe
Size:    724KB
MD5:     6d9047478abba33d7fbb15d602859103
SHA1:    0f97c7af1e4185d2dfa1a9af5ae4c9ad3bfc897a
SHA256:  6141566287a4de53c826f96492ddf53acd36ff44f90f380011b8ed5f672fef6b
SHA512:  4ba43b8480acff2709045baa9cc58c5f1123af98b98e391a43e0cd506163765ab25cbebe070ad3aaeee4642be1d1f3881625c0ce8e1440dc99502ce79d2c0ee7
Score:   10/10
Malware Config
Signatures
BazarBackdoor 6 IoCs
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
Processes:
description   flow   ioc
HTTP URL      40     https://ikjumnh.xyz/6ea5901ae1272735f9e012d6c17ecc4d/2
HTTP URL      30     https://citycafeonline.com/6ea5901ae1272735f9e012d6c17ecc4d/4
HTTP URL      32     https://woodallmcneill.com/6ea5901ae1272735f9e012d6c17ecc4d/4
HTTP URL      34     https://ikjumnh.xyz/6ea5901ae1272735f9e012d6c17ecc4d/4
HTTP URL      37     https://ikjumnh.xyz/6ea5901ae1272735f9e012d6c17ecc4d/4
HTTP URL      39     https://ikjumnh.xyz/6ea5901ae1272735f9e012d6c17ecc4d/4
Blacklisted process makes network request 6 IoCs
Processes: cmd.exe
flow   pid    process
30     3580   cmd.exe
32     3580   cmd.exe
34     3580   cmd.exe
37     3580   cmd.exe
39     3580   cmd.exe
40     3580   cmd.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: t64.exe
description                          pid   process   target process
PID 728 set thread context of 3580   728   t64.exe   cmd.exe
Suspicious use of WriteProcessMemory 851 IoCs
Processes: t64.exe
description                        pid   process   target process
PID 728 wrote to memory of 3580    728   t64.exe   cmd.exe
(this row is repeated for each write)
Processes
C:\Users\Admin\AppData\Local\Temp\t64.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\t64.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe
      command line: C:\Windows\System32\cmd.exe
      - Blacklisted process makes network request
C:\Users\Admin\AppData\Local\Temp\t64.exe
  command line: C:\Users\Admin\AppData\Local\Temp\t64.exe 2696402579
Network
MITRE ATT&CK Matrix
Downloads
memory/728-0-0x0000000001FC0000-0x0000000001FEC000-memory.dmp    Filesize 176KB
memory/728-1-0x0000000001FF0000-0x000000000201C000-memory.dmp    Filesize 176KB
memory/3028-3-0x0000000001FD0000-0x0000000001FFC000-memory.dmp   Filesize 176KB
memory/3580-4-0x00007FF717210000-0x00007FF717254000-memory.dmp   Filesize 272KB
memory/3580-5-0x00007FF71722D788-mapping.dmp
memory/3580-6-0x00007FF717210000-0x00007FF717254000-memory.dmp   Filesize 272KB