Analysis

max time kernel: 78s
max time network: 8s
platform: windows7_x64
resource: win7v20201028
submitted: 15-11-2020 23:15

Static task: static1
Behavioral task: behavioral1
Sample: 34aba4b668b4f82e6fce7f6fc02c1d1c82a0352692979604d145f38ab2bd3433.exe
Resource: win7v20201028
General

Target: 34aba4b668b4f82e6fce7f6fc02c1d1c82a0352692979604d145f38ab2bd3433.exe
Size: 534KB
MD5: 9d817d2b622720bf60d24cbe2e15c5f1
SHA1: 6755bd9796f0d9e188b72600f8b5a88138829982
SHA256: 34aba4b668b4f82e6fce7f6fc02c1d1c82a0352692979604d145f38ab2bd3433
SHA512: c2617c1c1a2006c809c117eb88341e700b5cb604baf6a831344aab456fa7c7b025e29a684e6e30e006e5c6bb3c5534cdd654bf2b592f3aacc3e7c94f071bde90
Malware Config

Extracted
Family: trickbot
Version: 1000480
Botnet (gtag): ono23
C2 (ip:port; the list splits into a 443 group and a 449 group):
144.91.79.9:443
172.245.97.148:443
85.204.116.139:443
185.62.188.117:443
185.222.202.76:443
144.91.79.12:443
185.68.93.43:443
195.123.238.191:443
146.185.219.29:443
195.133.196.151:443
91.235.129.60:443
23.227.206.170:443
185.222.202.192:443
190.154.203.218:449
178.183.150.169:449
200.116.199.10:449
187.58.56.26:449
177.103.240.149:449
81.190.160.139:449
200.21.51.38:449
181.49.61.237:449
46.174.235.36:449
36.89.85.103:449
170.233.120.53:449
89.228.243.148:449
31.214.138.207:449
186.42.98.254:449
195.93.223.100:449
181.112.52.26:449
190.13.160.19:449
186.71.150.23:449
190.152.4.98:449
170.82.156.53:449
131.161.253.190:449
200.127.121.99:449
45.235.213.126:449
31.128.13.45:449
181.10.207.234:449
201.187.105.123:449
201.210.120.239:449
190.152.125.22:449
103.69.216.86:449
128.201.174.107:449
101.108.92.111:449
190.111.255.219:449
Attributes:
autorun
  Control: GetSystemInfo
  Name: systeminfo
  Name: pwgrab
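The extracted C2 list is the most directly actionable part of this report. The following is an added example, not part of the sandbox output: it parses the endpoints listed above into a lookup set, summarises them per port, emits one Suricata rule per endpoint, and matches the set against connection-log records. The endpoints are the ones from the extracted config; the log lines, their field layout (ts, src, dst, dport, proto, loosely modelled on a Zeek conn.log) and the sid range are constructed assumptions for this example.

```python
"""Added example, not part of the sandbox report: turn the C2 list from the
extracted TrickBot config into a lookup set, emit Suricata rules for it, and
match it against connection-log lines.

The endpoints are copied from the extracted config above. The log lines, their
field layout (ts, src, dst, dport, proto) and the sid range are constructed
assumptions for this example."""
import ipaddress
from collections import Counter

# C2 endpoints as listed in the extracted config (gtag ono23, version 1000480).
TRICKBOT_C2 = """
144.91.79.9:443 172.245.97.148:443 85.204.116.139:443 185.62.188.117:443
185.222.202.76:443 144.91.79.12:443 185.68.93.43:443 195.123.238.191:443
146.185.219.29:443 195.133.196.151:443 91.235.129.60:443 23.227.206.170:443
185.222.202.192:443
190.154.203.218:449 178.183.150.169:449 200.116.199.10:449 187.58.56.26:449
177.103.240.149:449 81.190.160.139:449 200.21.51.38:449 181.49.61.237:449
46.174.235.36:449 36.89.85.103:449 170.233.120.53:449 89.228.243.148:449
31.214.138.207:449 186.42.98.254:449 195.93.223.100:449 181.112.52.26:449
190.13.160.19:449 186.71.150.23:449 190.152.4.98:449 170.82.156.53:449
131.161.253.190:449 200.127.121.99:449 45.235.213.126:449 31.128.13.45:449
181.10.207.234:449 201.187.105.123:449 201.210.120.239:449 190.152.125.22:449
103.69.216.86:449 128.201.174.107:449 101.108.92.111:449 190.111.255.219:449
"""


def parse_c2(text):
    """Parse 'ip:port' tokens into a set of (ip, port); reject malformed entries
    instead of silently dropping them, so a copy/paste error is noticed."""
    endpoints = set()
    for token in text.split():
        host, sep, port = token.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"malformed C2 entry: {token!r}")
        endpoints.add((str(ipaddress.ip_address(host)), int(port)))
    return endpoints


def port_profile(endpoints):
    """Count endpoints per destination port."""
    return Counter(port for _, port in endpoints)


def suricata_rules(endpoints, sid_base=9000000):
    """One alert rule per endpoint. The sid range is an assumption; choose one
    that does not collide with rulesets already deployed."""
    rules = []
    for i, (ip, port) in enumerate(sorted(endpoints)):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"TrickBot C2 {ip}:{port} (gtag ono23)"; '
            f'flow:to_server; sid:{sid_base + i}; rev:1;)'
        )
    return rules


# Constructed connection-log lines (tab-separated: ts, src, dst, dport, proto).
SAMPLE_CONN_LOG = """\
# constructed sample records, not sandbox output
1605482100.101\t10.0.0.15\t144.91.79.9\t443\ttcp
1605482101.204\t10.0.0.15\t93.184.216.34\t443\ttcp
1605482102.317\t10.0.0.22\t190.154.203.218\t449\ttcp
1605482103.420\t10.0.0.15\t185.62.188.117\t80\ttcp
"""


def match_conn_log(log_text, endpoints):
    """Return the records whose (dst, dport) pair is a listed C2 endpoint.
    Matching on the pair rather than the IP alone keeps 185.62.188.117:80 out
    of the result: the config lists that host on 443 only."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split("\t")
        if (dst, int(dport)) in endpoints:
            hits.append({"ts": ts, "src": src, "dst": dst,
                         "dport": int(dport), "proto": proto})
    return hits


if __name__ == "__main__":
    c2 = parse_c2(TRICKBOT_C2)
    print(f"{len(c2)} endpoints, per port: {dict(port_profile(c2))}")
    for hit in match_conn_log(SAMPLE_CONN_LOG, c2):
        print("C2 contact:", hit)
    print(suricata_rules(c2)[0])
```

Matching on the ip:port pair is deliberate: shared hosting and short-lived proxies mean an IP from a config can serve unrelated traffic on other ports, and this config names each host on exactly one port. Loosen the match to IP-only if the hunt is retrospective and a false positive is cheaper than a miss.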
Signatures

Trickbot x86 loader (1 IoC)
Detected Trickbot's x86 loader that unpacks the x86 payload.
  resource: behavioral1/memory/1216-5-0x0000000000470000-0x000000000049E000-memory.dmp
  yara_rule: trickbot_loader32

Executes dropped EXE (2 IoCs)
  PID 1216  аНаоすは래별.exe
  PID 1084  аНаоすは래별.exe

Loads dropped DLL (2 IoCs)
  PID 1900  34aba4b668b4f82e6fce7f6fc02c1d1c82a0352692979604d145f38ab2bd3433.exe  (listed twice)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 556  svchost.exe  Token: SeTcbPrivilege

Suspicious use of SetWindowsHookEx (6 IoCs)
  PID 1900  34aba4b668b4f82e6fce7f6fc02c1d1c82a0352692979604d145f38ab2bd3433.exe  (listed twice)
  PID 1216  аНаоすは래별.exe  (listed twice)
  PID 1084  аНаоすは래별.exe  (listed twice)

Suspicious use of WriteProcessMemory (20 IoCs)
  PID 1900 (34aba4b668b4f82e6fce7f6fc02c1d1c82a0352692979604d145f38ab2bd3433.exe) wrote to memory of PID 1216 (аНаоすは래별.exe)  (4 entries)
  PID 1216 (аНаоすは래별.exe) wrote to memory of PID 1708 (svchost.exe)  (6 entries)
  PID 1644 (taskeng.exe) wrote to memory of PID 1084 (аНаоすは래별.exe)  (4 entries)
  PID 1084 (аНаоすは래별.exe) wrote to memory of PID 556 (svchost.exe)  (6 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\34aba4b668b4f82e6fce7f6fc02c1d1c82a0352692979604d145f38ab2bd3433.exe  (PID 1900)
  command line: "C:\Users\Admin\AppData\Local\Temp\34aba4b668b4f82e6fce7f6fc02c1d1c82a0352692979604d145f38ab2bd3433.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\ProgramData\аНаоすは래별.exe  (PID 1216)
      command line: "C:\ProgramData\аНаоすは래별.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\svchost.exe  (PID 1708)
          command line: C:\Windows\system32\svchost.exe

C:\Windows\system32\taskeng.exe  (PID 1644)
  command line: taskeng.exe {E6DE943B-517A-43C6-AB9F-F424DEF2C1EA} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\NuiGet\аНаоすは래별.exe  (PID 1084)
      command line: C:\Users\Admin\AppData\Roaming\NuiGet\аНаоすは래별.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\svchost.exe  (PID 556)
          command line: C:\Windows\system32\svchost.exe
          - Suspicious use of AdjustPrivilegeToken
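The process tree shows two chains worth a host-side rule: a copy of the sample running from a user-writable directory (C:\ProgramData, %APPDATA%\Roaming\NuiGet) that writes into a fresh svchost.exe, and the Roaming copy being started by the task scheduler host taskeng.exe. The following is an added example, not part of the sandbox output: a small rule set over process events that flags both chains, plus the mixed-script file name the dropped copies use. The event records are constructed for this example with a layout loosely modelled on Sysmon process-create and process-access events; the PIDs and image paths are the ones in the tree above, the parent PIDs the report does not give are set to 0, and the wsqmcons.exe record is constructed benign noise.

```python
"""Added example, not part of the sandbox report: flag the process chains seen
in the process tree above.

Events are constructed for this example (Sysmon-like layout). PIDs and image
paths come from the report; parent PIDs the report does not show are 0, and
the wsqmcons.exe record is invented benign noise."""
import unicodedata
from pathlib import PureWindowsPath

# ("create", pid, parent_pid, image) or ("write", source_pid, target_pid, target_image)
EVENTS = [
    ("create", 1900, 0, r"C:\Users\Admin\AppData\Local\Temp\34aba4b668b4f82e6fce7f6fc02c1d1c82a0352692979604d145f38ab2bd3433.exe"),
    ("create", 1216, 1900, r"C:\ProgramData\аНаоすは래별.exe"),
    ("write", 1216, 1708, r"C:\Windows\system32\svchost.exe"),
    ("create", 1644, 0, r"C:\Windows\system32\taskeng.exe"),
    ("create", 1084, 1644, r"C:\Users\Admin\AppData\Roaming\NuiGet\аНаоすは래별.exe"),
    ("write", 1084, 556, r"C:\Windows\system32\svchost.exe"),
    # constructed benign noise: an ordinary scheduled task under the same taskeng.exe
    ("create", 2001, 1644, r"C:\Windows\system32\wsqmcons.exe"),
]


def in_user_writable_dir(image):
    """True for images under C:\\Users or C:\\ProgramData (the two drop
    locations in the report); system binaries under C:\\Windows are not."""
    parts = PureWindowsPath(image).parts
    return len(parts) > 1 and parts[1].lower() in {"users", "programdata"}


def image_name(image):
    return PureWindowsPath(image).name.lower()


def scripts_in_name(name):
    """Unicode script names (first word of each character's name) used by the
    alphabetic characters of a file name. A legitimate binary name normally
    uses one script; the dropped copy here mixes several."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}


def evaluate(events):
    """Return (rule, pid, image) alerts in event order."""
    procs = {pid: (ppid, image) for kind, pid, ppid, image in events if kind == "create"}
    alerts = []
    for kind, a, b, image in events:
        if kind == "create":
            parent_image = procs.get(b, (None, ""))[1]
            # persistence: task scheduler host launching a binary from a user-writable path
            if image_name(parent_image) == "taskeng.exe" and in_user_writable_dir(image):
                alerts.append(("task_scheduler_user_dir", a, image))
            if len(scripts_in_name(PureWindowsPath(image).stem)) > 1:
                alerts.append(("mixed_script_name", a, image))
        elif kind == "write":
            source_image = procs.get(a, (None, ""))[1]
            # injection: a user-directory binary writing into svchost.exe
            if image_name(image) == "svchost.exe" and in_user_writable_dir(source_image):
                alerts.append(("svchost_write_from_user_dir", a, source_image))
    return alerts


if __name__ == "__main__":
    for rule, pid, image in evaluate(EVENTS):
        print(f"{rule:28} pid={pid} {image}")
```

The svchost.exe rule fires twice here (PIDs 1216 and 1084), matching the two WriteProcessMemory chains in the signatures; the second target (PID 556) is also the process that later adjusts SeTcbPrivilege. The taskeng.exe rule stays quiet for the constructed system-directory task, which is the usual false-positive source for a parent-based rule.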
Downloads

Every dropped file below carries the same hashes as the submitted sample: the loader copies itself to C:\ProgramData and to %APPDATA%\Roaming\NuiGet rather than writing a distinct second-stage file to disk.

C:\ProgramData\аНаоすは래별.exe
  MD5: 9d817d2b622720bf60d24cbe2e15c5f1
  SHA1: 6755bd9796f0d9e188b72600f8b5a88138829982
  SHA256: 34aba4b668b4f82e6fce7f6fc02c1d1c82a0352692979604d145f38ab2bd3433
  SHA512: c2617c1c1a2006c809c117eb88341e700b5cb604baf6a831344aab456fa7c7b025e29a684e6e30e006e5c6bb3c5534cdd654bf2b592f3aacc3e7c94f071bde90

C:\Users\Admin\AppData\Roaming\NuiGet\аНаоすは래별.exe
  MD5: 9d817d2b622720bf60d24cbe2e15c5f1
  SHA1: 6755bd9796f0d9e188b72600f8b5a88138829982
  SHA256: 34aba4b668b4f82e6fce7f6fc02c1d1c82a0352692979604d145f38ab2bd3433
  SHA512: c2617c1c1a2006c809c117eb88341e700b5cb604baf6a831344aab456fa7c7b025e29a684e6e30e006e5c6bb3c5534cdd654bf2b592f3aacc3e7c94f071bde90

\ProgramData\аНаоすは래별.exe
  MD5: 9d817d2b622720bf60d24cbe2e15c5f1
  SHA1: 6755bd9796f0d9e188b72600f8b5a88138829982
  SHA256: 34aba4b668b4f82e6fce7f6fc02c1d1c82a0352692979604d145f38ab2bd3433
  SHA512: c2617c1c1a2006c809c117eb88341e700b5cb604baf6a831344aab456fa7c7b025e29a684e6e30e006e5c6bb3c5534cdd654bf2b592f3aacc3e7c94f071bde90

Memory dumps
  memory/556-12-0x0000000000000000-mapping.dmp
  memory/1084-9-0x0000000000000000-mapping.dmp
  memory/1216-2-0x0000000000000000-mapping.dmp
  memory/1216-5-0x0000000000470000-0x000000000049E000-memory.dmp  (Filesize: 184KB; the region the trickbot_loader32 rule matched)
  memory/1708-6-0x0000000000000000-mapping.dmp