Analysis

Max time kernel: 141s
Max time network: 151s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 17-11-2020 14:46

Static task: static1
Behavioral task: behavioral1
  Sample: e21f86a0329f9fca7eb0492f22d76125.exe
  Resource: win7v20201028
General

Target: e21f86a0329f9fca7eb0492f22d76125.exe
Size: 600KB
MD5: 5e138a79931adc0c76b0b6ae46d90433
SHA1: 7c9ff4a71756b6d8329183294669aabab59195ee
SHA256: c98b7b275bf404b2e20641f7802e686e8a64b7aa72e1ec0152cf03667daea2be
SHA512: 847ea4913bf8e1fe99a5f5b5a74d84d0ff15580a7dfab3db8daf2ff3b779e5ba275a1d57cecb65de51a50c3384c493018bb6cf8e0c732b2d1f6690c9e16062dd
Malware Config

Extracted family: trickbot
Version: 2000016
gtag (campaign/botnet tag): lib7
C2 servers (all on TCP port 449):
202.136.89.226:449
202.169.244.252:449
203.176.135.38:449
212.3.104.50:449
41.203.215.122:449
41.41.179.239:449
43.239.152.240:449
43.242.141.59:449
43.245.216.190:449
43.255.113.180:449
45.230.8.34:449
45.233.25.6:449
78.138.128.20:449
49.156.41.74:449
autorunName: pwgrab (TrickBot's credential-stealing module, configured to run automatically)
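The C2 list above is the most directly actionable part of the report. The following is an added example, not part of the sandbox output: it turns the extracted `ip:port` entries into a matcher and runs it over constructed Zeek conn.log-style records (the log lines are made up for the example, not traffic from this run). It distinguishes an exact `ip:port` hit from a hit on the IP alone, which matters because TrickBot configs rotate ports (443, 447, 449) between versions while reusing hosts.

```python
"""Match the extracted TrickBot C2 list against connection logs.

Added example, not part of the sandbox report. SAMPLE_CONN_LOG is
constructed test data in Zeek conn.log field order, not a real capture.
"""
import ipaddress
from dataclasses import dataclass

# C2 endpoints exactly as extracted from the sample's configuration (gtag lib7).
TRICKBOT_C2 = """
202.136.89.226:449
202.169.244.252:449
203.176.135.38:449
212.3.104.50:449
41.203.215.122:449
41.41.179.239:449
43.239.152.240:449
43.242.141.59:449
43.245.216.190:449
43.255.113.180:449
45.230.8.34:449
45.233.25.6:449
78.138.128.20:449
49.156.41.74:449
""".split()


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    confidence: str  # "high" = ip and port match, "medium" = ip only


def parse_c2(entries):
    """Return {ip: {ports}} from 'ip:port' strings, validating each address."""
    c2 = {}
    for entry in entries:
        host, _, port = entry.rpartition(":")
        ipaddress.ip_address(host)  # raises ValueError on a malformed entry
        c2.setdefault(host, set()).add(int(port))
    return c2


def scan_conn_log(lines, c2):
    """Return Hit records for flows whose responder is a configured C2 host.

    Expected whitespace-separated fields (Zeek conn.log order):
    ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto
    Lines starting with '#' (Zeek headers) and blank lines are skipped.
    """
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, _uid, src, _sport, dst, dport, _proto = line.split()[:7]
        if dst in c2:
            confidence = "high" if int(dport) in c2[dst] else "medium"
            hits.append(Hit(ts, src, dst, int(dport), confidence))
    return hits


# Constructed records: one exact C2 match, one C2 host on a different port
# (port rotation case), and one benign flow that must not match.
SAMPLE_CONN_LOG = """\
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto
1605624400.123 CAbc1 10.0.0.23 49812 202.136.89.226 449 tcp
1605624405.456 CAbc2 10.0.0.23 49813 41.41.179.239 447 tcp
1605624410.789 CAbc3 10.0.0.23 49814 93.184.216.34 443 tcp
""".splitlines()


def find_hits():
    """Run the matcher over the constructed sample log."""
    return scan_conn_log(SAMPLE_CONN_LOG, parse_c2(TRICKBOT_C2))


if __name__ == "__main__":
    for h in find_hits():
        print(f"{h.ts} {h.src} -> {h.dst}:{h.dport} [{h.confidence}]")
```

Treat the "medium" hits as worth a look rather than noise: the host set in a TrickBot config is usually more stable than the port.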
Signatures

Executes dropped EXE (1 IoC)
  PID   Process
  2796  e21f86a0329f9fca7eb0492f22d76125.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description              PID   Process
  Token: SeDebugPrivilege  1000  wermgr.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID   Process
  880   e21f86a0329f9fca7eb0492f22d76125.exe
  2796  e21f86a0329f9fca7eb0492f22d76125.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  Description                        PID   Process                                Target process
  PID 880 wrote to memory of 2796    880   e21f86a0329f9fca7eb0492f22d76125.exe   e21f86a0329f9fca7eb0492f22d76125.exe
  PID 880 wrote to memory of 2796    880   e21f86a0329f9fca7eb0492f22d76125.exe   e21f86a0329f9fca7eb0492f22d76125.exe
  PID 880 wrote to memory of 2796    880   e21f86a0329f9fca7eb0492f22d76125.exe   e21f86a0329f9fca7eb0492f22d76125.exe
  PID 2796 wrote to memory of 1000   2796  e21f86a0329f9fca7eb0492f22d76125.exe   wermgr.exe
  PID 2796 wrote to memory of 1000   2796  e21f86a0329f9fca7eb0492f22d76125.exe   wermgr.exe
  PID 2796 wrote to memory of 1000   2796  e21f86a0329f9fca7eb0492f22d76125.exe   wermgr.exe
  PID 2796 wrote to memory of 1000   2796  e21f86a0329f9fca7eb0492f22d76125.exe   wermgr.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\e21f86a0329f9fca7eb0492f22d76125.exe  (PID 880)
   Command line: "C:\Users\Admin\AppData\Local\Temp\e21f86a0329f9fca7eb0492f22d76125.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Colorwin\e21f86a0329f9fca7eb0492f22d76125.exe  (PID 2796, child of 880)
      Command line: C:\Users\Admin\AppData\Roaming\Colorwin\e21f86a0329f9fca7eb0492f22d76125.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\wermgr.exe  (PID 1000, child of 2796)
         Command line: C:\Windows\system32\wermgr.exe
         - Suspicious use of AdjustPrivilegeToken

The chain is the standard TrickBot loader sequence: the sample copies itself unchanged into a folder under %APPDATA% (here Colorwin; the dropped file's hashes in Downloads match the submitted sample), launches the copy, and the copy spawns a fresh wermgr.exe and writes into its memory. The injected wermgr.exe then enables SeDebugPrivilege. wermgr.exe started by an executable in a user profile directory, rather than by the Windows Error Reporting service, is the detection-worthy anomaly here.
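The process tree above suggests a behavioural rule that does not depend on the sample's hashes or C2 addresses. The following is an added example, not part of the report: it replays constructed process-creation, memory-write and privilege events mirroring the PIDs and paths shown, plus a benign wermgr.exe launch by svchost.exe as a control, and flags the injection chain. The event field names are the example's own (not Sysmon's), and the rule assumes that wermgr.exe is normally started by the Windows Error Reporting service hosted in svchost.exe.

```python
"""Detect the AppData -> wermgr.exe injection chain from the process tree.

Added example, not part of the sandbox report. EVENTS is constructed to
mirror the report's PIDs and image paths (plus a benign control); it is not
telemetry from this run, and the field names are the example's own.
"""
import re

EVENTS = [
    {"type": "create", "pid": 880, "ppid": 4000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\e21f86a0329f9fca7eb0492f22d76125.exe"},
    {"type": "create", "pid": 2796, "ppid": 880,
     "image": r"C:\Users\Admin\AppData\Roaming\Colorwin\e21f86a0329f9fca7eb0492f22d76125.exe"},
    {"type": "write_memory", "src_pid": 880, "target_pid": 2796},
    {"type": "create", "pid": 1000, "ppid": 2796, "image": r"C:\Windows\system32\wermgr.exe"},
    {"type": "write_memory", "src_pid": 2796, "target_pid": 1000},
    {"type": "privilege", "pid": 1000, "token": "SeDebugPrivilege"},
    # Benign control (constructed): WER service in svchost.exe launching wermgr.exe.
    {"type": "create", "pid": 5100, "ppid": 900, "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "create", "pid": 5200, "ppid": 5100, "image": r"C:\Windows\system32\wermgr.exe"},
]

# Any image under a user's AppData tree is writable by that user.
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
WERMGR = re.compile(r"\\wermgr\.exe$", re.IGNORECASE)


def detect(events):
    """Return alert strings for three linked behaviours:

    (a) wermgr.exe whose parent image is not svchost.exe (assumption: the
        WER service in svchost.exe is its normal parent);
    (b) a process running from a user AppData path writing into wermgr.exe;
    (c) a wermgr.exe flagged under (a) then enabling SeDebugPrivilege.
    Events are consumed in order, so creations must precede the writes.
    """
    image, alerts, suspicious_wermgr = {}, [], set()
    for ev in events:
        if ev["type"] == "create":
            image[ev["pid"]] = ev["image"]
            if WERMGR.search(ev["image"]):
                parent_img = image.get(ev["ppid"], "")
                if not parent_img.lower().endswith("\\svchost.exe"):
                    suspicious_wermgr.add(ev["pid"])
                    alerts.append(f"wermgr.exe pid {ev['pid']} spawned by "
                                  f"{parent_img or 'unknown'} (pid {ev['ppid']})")
        elif ev["type"] == "write_memory":
            src = image.get(ev["src_pid"], "")
            tgt = image.get(ev["target_pid"], "")
            if USER_WRITABLE.match(src) and WERMGR.search(tgt):
                alerts.append(f"pid {ev['src_pid']} ({src}) wrote into "
                              f"wermgr.exe pid {ev['target_pid']}")
        elif ev["type"] == "privilege":
            if ev["pid"] in suspicious_wermgr and ev["token"] == "SeDebugPrivilege":
                alerts.append(f"injected wermgr.exe pid {ev['pid']} enabled {ev['token']}")
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The control launch (svchost.exe -> wermgr.exe) produces no alert, while the report's chain produces three, one per stage, so the rule can be tuned per stage rather than as a single composite.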
Downloads

C:\Users\Admin\AppData\Roaming\Colorwin\e21f86a0329f9fca7eb0492f22d76125.exe
  MD5: 5e138a79931adc0c76b0b6ae46d90433
  SHA1: 7c9ff4a71756b6d8329183294669aabab59195ee
  SHA256: c98b7b275bf404b2e20641f7802e686e8a64b7aa72e1ec0152cf03667daea2be
  SHA512: 847ea4913bf8e1fe99a5f5b5a74d84d0ff15580a7dfab3db8daf2ff3b779e5ba275a1d57cecb65de51a50c3384c493018bb6cf8e0c732b2d1f6690c9e16062dd
  All four hashes equal those of the submitted sample: the dropped file is a byte-identical self-copy, so file-hash indicators for the original cover the persisted copy as well.

memory/880-2-0x0000000002330000-0x0000000002364000-memory.dmp
  Filesize: 208KB (region 0x2330000-0x2364000 in PID 880)

memory/1000-9-0x0000000000000000-mapping.dmp
  (memory mapping of PID 1000, wermgr.exe)

memory/2796-3-0x0000000000000000-mapping.dmp
  (memory mapping of PID 2796, the dropped copy)