Analysis
- max time kernel: 146s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 10-11-2020 16:38

Static task: static1
Behavioral task: behavioral1
- Sample: Annual.bin.exe
- Resource: win7v20201028
General
- Target: Annual.bin.exe
- Size: 233KB
- MD5: edeb0079066374d0b5d522646e0a2a62
- SHA1: 3a08af50c97c60b8f5984f95d31e9472e5eb1cc5
- SHA256: 437fc85d1ec4b73ef1a54b8626b92ca0d50a64c901dc17c19eb74d929f857d9b
- SHA512: d01bae4af74bca1f1fd9c11e720bdd7f7aa1abb92f9dc626b41a7430236711984d8e7773683b724453f3dd62344664e192d8038c7a6f43c5d25757556434098d
Malware Config
Extracted
- Family: trickbot
- Version: 100001
- Botnet (gtag): tar2
- C2 (host:port):
  66.85.183.5:443
  185.163.47.157:443
  94.140.115.99:443
  195.123.240.40:443
  195.123.241.226:443
- autorunName: pwgrab (the name of TrickBot's credential-stealing module)
Signatures
- Executes dropped EXE (1 IoC)
  Processes: 6259.exe (pid 2504)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows: flow 19 ident.me; flow 20 ident.me
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: wermgr.exe (pid 2232) enabled Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (source -> target):
    PID 416 Annual.bin.exe wrote to memory of PID 2504 6259.exe (3 events)
    PID 2504 6259.exe wrote to memory of PID 2232 wermgr.exe (4 events)
  A Temp-dropped executable writing repeatedly into wermgr.exe (the Windows Error Reporting manager) is process injection: the TrickBot core ends up running inside a legitimate Windows binary, and that injected process is the one that then acquires SeDebugPrivilege.
Processes
- C:\Users\Admin\AppData\Local\Temp\Annual.bin.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Annual.bin.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\6259.exe (child of Annual.bin.exe)
    command line: C:\Users\Admin\AppData\Local\Temp\6259.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\wermgr.exe (child of 6259.exe)
      command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
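The chain the Signatures and Processes sections record (Annual.bin.exe writing into the dropped 6259.exe, which in turn writes into wermgr.exe and has it enable SeDebugPrivilege) is what a detection should key on rather than the sample hashes, which change per build. The Python below is an added example written for this page, not sandbox code: it replays the report's rows as a constructed event log (the line format, field names and alert wording are this example's own assumptions; the pids, image paths, hosts and C2 list are copied from the report) and raises alerts for a Temp-dropped binary injecting into a system32 image, the injected process enabling SeDebugPrivilege, contact with the external-IP lookup service, and any flow to an extracted C2 endpoint.

```python
"""Added example, not part of the sandbox report or the sandbox's own code:
rebuild the report's process-injection chain from its WriteProcessMemory,
AdjustPrivilegeToken and network-flow rows and raise the alerts a SOC
analyst would want. Event format, field names and alert wording are this
example's assumptions; pids, images, hosts and C2 list come from the report."""
from collections import defaultdict

# From the report's extracted TrickBot config (gtag tar2), host:port.
TRICKBOT_C2 = {
    "66.85.183.5:443", "185.163.47.157:443", "94.140.115.99:443",
    "195.123.240.40:443", "195.123.241.226:443",
}
IP_LOOKUP_HOSTS = {"ident.me"}       # external-IP lookup service seen in the report
SYSTEM32 = "c:\\windows\\system32\\"
USER_TEMP = "\\appdata\\local\\temp\\"

# Constructed event log mirroring the report's rows (one event per line):
#   exec  <pid> <image>          process start
#   wpm   <src_pid> <dst_pid>    WriteProcessMemory src -> dst
#   token <pid> <privilege>      AdjustPrivilegeToken
#   flow  <id> <host[:port]>     network flow
SAMPLE_EVENTS = """\
exec 416 C:\\Users\\Admin\\AppData\\Local\\Temp\\Annual.bin.exe
exec 2504 C:\\Users\\Admin\\AppData\\Local\\Temp\\6259.exe
wpm 416 2504
wpm 416 2504
wpm 416 2504
exec 2232 C:\\Windows\\system32\\wermgr.exe
wpm 2504 2232
wpm 2504 2232
wpm 2504 2232
wpm 2504 2232
token 2232 SeDebugPrivilege
flow 19 ident.me
flow 20 ident.me
"""


def parse_events(text):
    """Return (images, writes, privs, flows) built from the event lines."""
    images, writes, privs, flows = {}, defaultdict(int), defaultdict(set), []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        kind, args = parts[0], parts[1:]
        if kind == "exec":
            images[int(args[0])] = args[1]
        elif kind == "wpm":
            writes[(int(args[0]), int(args[1]))] += 1   # count per src->dst edge
        elif kind == "token":
            privs[int(args[0])].add(args[1])
        elif kind == "flow":
            flows.append(args[1])
    return images, writes, privs, flows


def basename(path):
    return path.rsplit("\\", 1)[-1]


def injection_chain(writes, start_pid):
    """Follow WriteProcessMemory edges from start_pid, e.g. 416 -> 2504 -> 2232."""
    chain = [start_pid]
    while True:
        nxt = [d for (s, d) in writes if s == chain[-1] and d not in chain]
        if not nxt:
            return chain
        chain.append(nxt[0])


def analyse(text=SAMPLE_EVENTS):
    """Return the list of alert strings raised for the event log."""
    images, writes, privs, flows = parse_events(text)
    alerts = []
    for (src, dst), n in writes.items():
        si, di = images.get(src, "").lower(), images.get(dst, "").lower()
        # A binary running from the user's Temp directory writing into a
        # Windows binary from system32 is the classic injection pattern.
        if USER_TEMP in si and di.startswith(SYSTEM32):
            alerts.append(f"injection {basename(images[src])}({src}) -> "
                          f"{basename(images[dst])}({dst}) {n} writes")
            if "SeDebugPrivilege" in privs.get(dst, ()):
                alerts.append(f"injected {basename(images[dst])}({dst}) "
                              f"enabled SeDebugPrivilege")
    for host in sorted(set(flows)):
        if host in IP_LOOKUP_HOSTS:
            alerts.append(f"external IP lookup via {host}")
        if host in TRICKBOT_C2:
            alerts.append(f"known TrickBot C2 contact {host}")
    # Roots of the WriteProcessMemory graph: processes that write but are never written to.
    roots = {s for (s, _) in writes} - {d for (_, d) in writes}
    for root in sorted(roots):
        chain = injection_chain(writes, root)
        if len(chain) > 2:
            alerts.append("chain " + " -> ".join(
                f"{basename(images.get(p, str(p)))}({p})" for p in chain))
    return alerts


if __name__ == "__main__":
    for alert in analyse():
        print(alert)
```

The C2 watchlist produces no hit on the report's own flow list, which only shows the two ident.me lookups; the check is kept so the same logic can be run over a fuller network capture of the same sample.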
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\6259.exe
  MD5: 5d75b8689e2cfbfe8065752fd4c4f661
  SHA1: 9238d8073102fd84c752f6e65edc717944346f20
  SHA256: fc3da2468a121aff5433ea738221b5e9fd962c87041654b2c88f5291e0e15f22
  SHA512: 7d842d675df4cbcb1cae10b19d3ca4d68637d98a580ae72c1a11c6a612196e4e1382093bd02dbf2a7e92c8b2aa381ab46fccdf755d2de43bc25d3af38ed86575
- memory/416-0-0x0000000000BD0000-0x0000000000BF6000-memory.dmp (Filesize 152KB)
- memory/416-1-0x0000000140000000-0x0000000140025000-memory.dmp (Filesize 148KB)
- memory/2232-7-0x0000000000000000-mapping.dmp
- memory/2504-2-0x0000000000000000-mapping.dmp
- memory/2504-5-0x0000000000750000-0x000000000078E000-memory.dmp (Filesize 248KB)
- memory/2504-6-0x0000000002240000-0x000000000227A000-memory.dmp (Filesize 232KB)