Analysis
- max time kernel: 116s
- max time network: 128s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 17-11-2020 18:49

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 7e29d464e336d904d8aee54edf8b499c4095c3659a8b202218903f071239d983.exe
  - Resource: win7v20201028
General
- Target: 7e29d464e336d904d8aee54edf8b499c4095c3659a8b202218903f071239d983.exe
- Size: 534KB
- MD5: 8f77e6489fa90273986d3a841bbdeb42
- SHA1: 312b86e00af45e187b52f2bf30b16233d882b7e8
- SHA256: 7e29d464e336d904d8aee54edf8b499c4095c3659a8b202218903f071239d983
- SHA512: 435e8da0737cf341532b4cbff6419efc2b96e70221bb58a7c191e53e7d262abea2028c33d579326c77abb9c1b4b8d4f67a94e1233c1ba9c4de71ab31d133d951
Malware Config
- Extracted: trickbot
  - 1000480
  - ono23
  - autorun:
    - Control:GetSystemInfo
    - Name:systeminfo
    - Name:pwgrab
Signatures
- Trickbot x86 loader (1 IoC)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  Processes (resource | yara_rule):
  - behavioral2/memory/4016-3-0x0000000002250000-0x000000000227E000-memory.dmp | trickbot_loader32
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  - 4016 | аНаоすは래별.exe
  - 3804 | аНаоすは래별.exe
- Modifies data under HKEY_USERS (2 IoCs)
  Processes (description | ioc | process):
  - Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | svchost.exe
  - Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | svchost.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  - Token: SeTcbPrivilege | 1364 | svchost.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes (pid | process):
  - 1036 | 7e29d464e336d904d8aee54edf8b499c4095c3659a8b202218903f071239d983.exe
  - 1036 | 7e29d464e336d904d8aee54edf8b499c4095c3659a8b202218903f071239d983.exe
  - 4016 | аНаоすは래별.exe
  - 4016 | аНаоすは래별.exe
  - 3804 | аНаоすは래별.exe
  - 3804 | аНаоすは래별.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | process | target process):
  - PID 1036 wrote to memory of 4016 | 1036 | 7e29d464e336d904d8aee54edf8b499c4095c3659a8b202218903f071239d983.exe | аНаоすは래별.exe
  - PID 1036 wrote to memory of 4016 | 1036 | 7e29d464e336d904d8aee54edf8b499c4095c3659a8b202218903f071239d983.exe | аНаоすは래별.exe
  - PID 1036 wrote to memory of 4016 | 1036 | 7e29d464e336d904d8aee54edf8b499c4095c3659a8b202218903f071239d983.exe | аНаоすは래별.exe
  - PID 4016 wrote to memory of 580 | 4016 | аНаоすは래별.exe | svchost.exe
  - PID 4016 wrote to memory of 580 | 4016 | аНаоすは래별.exe | svchost.exe
  - PID 4016 wrote to memory of 580 | 4016 | аНаоすは래별.exe | svchost.exe
  - PID 4016 wrote to memory of 580 | 4016 | аНаоすは래별.exe | svchost.exe
  - PID 3804 wrote to memory of 1364 | 3804 | аНаоすは래별.exe | svchost.exe
  - PID 3804 wrote to memory of 1364 | 3804 | аНаоすは래별.exe | svchost.exe
  - PID 3804 wrote to memory of 1364 | 3804 | аНаоすは래별.exe | svchost.exe
  - PID 3804 wrote to memory of 1364 | 3804 | аНаоすは래별.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7e29d464e336d904d8aee54edf8b499c4095c3659a8b202218903f071239d983.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7e29d464e336d904d8aee54edf8b499c4095c3659a8b202218903f071239d983.exe"
  PID: 1036
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\аНаоすは래별.exe
    Command line: "C:\ProgramData\аНаоすは래별.exe"
    PID: 4016
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 580
- C:\Users\Admin\AppData\Roaming\NuiGet\аНаоすは래별.exe
  Command line: C:\Users\Admin\AppData\Roaming\NuiGet\аНаоすは래별.exe
  PID: 3804
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe
    PID: 1364
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\ProgramData\аНаоすは래별.exe
  - MD5: 8f77e6489fa90273986d3a841bbdeb42
  - SHA1: 312b86e00af45e187b52f2bf30b16233d882b7e8
  - SHA256: 7e29d464e336d904d8aee54edf8b499c4095c3659a8b202218903f071239d983
  - SHA512: 435e8da0737cf341532b4cbff6419efc2b96e70221bb58a7c191e53e7d262abea2028c33d579326c77abb9c1b4b8d4f67a94e1233c1ba9c4de71ab31d133d951
- C:\Users\Admin\AppData\Roaming\NuiGet\аНаоすは래별.exe
  - MD5: 8f77e6489fa90273986d3a841bbdeb42
  - SHA1: 312b86e00af45e187b52f2bf30b16233d882b7e8
  - SHA256: 7e29d464e336d904d8aee54edf8b499c4095c3659a8b202218903f071239d983
  - SHA512: 435e8da0737cf341532b4cbff6419efc2b96e70221bb58a7c191e53e7d262abea2028c33d579326c77abb9c1b4b8d4f67a94e1233c1ba9c4de71ab31d133d951
- memory/580-4-0x0000000000000000-mapping.dmp
- memory/1364-9-0x0000000000000000-mapping.dmp
- memory/4016-0-0x0000000000000000-mapping.dmp
- memory/4016-3-0x0000000002250000-0x000000000227E000-memory.dmp
  - Filesize: 184KB