Analysis

max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7v20201028
submitted: 20-11-2020 12:12

Static task: static1
Behavioral task: behavioral1
  Sample: 4ee11bd54d2f1dc61467de3f71bb6b9f01bfdd35df8fe586fa556f2383c96b21.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 4ee11bd54d2f1dc61467de3f71bb6b9f01bfdd35df8fe586fa556f2383c96b21.exe
  Resource: win10v20201028
General

Target: 4ee11bd54d2f1dc61467de3f71bb6b9f01bfdd35df8fe586fa556f2383c96b21.exe
Size: 756KB
MD5: d6408ae6bf86b97eadfb3f15bbfd7933
SHA1: dd877b59c9acd80535ad22bdc07525d536a41139
SHA256: 4ee11bd54d2f1dc61467de3f71bb6b9f01bfdd35df8fe586fa556f2383c96b21
SHA512: f97da566db808c31ef9813124a7555ce35d3ead23238911935aa85845374dead962587cb252b7fda05c94c9b54b4555ec953e2d31316d2495c73aab148e88dec
Malware Config

Extracted
Family: trickbot
Version: 100003
Botnet: rob6
C2:
102.164.206.129:449
103.131.156.21:449
103.131.157.102:449
103.131.157.161:449
103.146.232.5:449
103.150.68.124:449
103.156.126.232:449
103.30.85.157:449
103.52.47.20:449
Attributes:
autorunName: pwgrab
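The extracted config above (family, version, gtag, nine C2 endpoints on port 449, and the pwgrab autorun attribute) is the part of the report that feeds straight into blocking. Below is an added example, not part of the sandbox report or its tooling, that parses that block into structured IOCs, sanity-checks the C2 list, and emits Suricata rules and a firewall deny list from it. CONFIG_TEXT is a constructed re-typing of the report's Malware Config section; the assumption that the three header lines are family, version and botnet tag in that order follows how the report prints them, and the SID range is an arbitrary local choice.

```python
"""Parse the extracted TrickBot config from the report above into
structured IOCs and turn it into blocking rules.

Added example; not part of the sandbox report or its tooling. CONFIG_TEXT
is a constructed re-typing of the report's Malware Config section. The
assumption that the three header lines are family, version and botnet tag
(in that order) follows how the report prints them.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed copy of the report's extracted config, one value per line.
CONFIG_TEXT = """\
trickbot
100003
rob6
102.164.206.129:449
103.131.156.21:449
103.131.157.102:449
103.131.157.161:449
103.146.232.5:449
103.150.68.124:449
103.156.126.232:449
103.30.85.157:449
103.52.47.20:449
-
autorunName:pwgrab
"""

C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")   # ip:port
ATTR_RE = re.compile(r"^([A-Za-z_]\w*):(.+)$")                  # key:value


@dataclass
class TrickbotConfig:
    family: str
    version: str
    botnet: str                                   # gtag, "rob6" in this report
    c2: list = field(default_factory=list)        # [(ip, port), ...]
    attributes: dict = field(default_factory=dict)


def parse_config(text):
    """Header lines come first, then ip:port C2 lines, then key:value
    attributes. Anything unexpected after the C2 list is rejected rather
    than silently dropped, so a malformed dump is noticed."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and l.strip() != "-"]
    header, c2, attrs = [], [], {}
    for line in lines:
        if (m := C2_RE.match(line)):
            ip, port = m.group(1), int(m.group(2))
            ipaddress.ip_address(ip)            # rejects octets above 255
            if not 0 < port < 65536:
                raise ValueError(f"bad port in {line!r}")
            c2.append((ip, port))
        elif c2 and (m := ATTR_RE.match(line)):
            attrs[m.group(1)] = m.group(2).strip()
        elif not c2:
            header.append(line)
        else:
            raise ValueError(f"unexpected line after C2 list: {line!r}")
    if len(header) != 3:
        raise ValueError(f"expected family/version/botnet header, got {header}")
    if not c2:
        raise ValueError("no C2 entries found")
    return TrickbotConfig(header[0], header[1], header[2], c2, attrs)


def c2_sanity(cfg):
    """C2 entries that do not fit this report: non-global addresses, or a
    port other than 449, which every C2 in the extracted config uses."""
    return [(ip, port) for ip, port in cfg.c2
            if not ipaddress.ip_address(ip).is_global or port != 449]


def suricata_rules(cfg, sid_base=9000000):
    """One outbound-connection rule per C2. sid_base is an assumed local
    SID range; pick one that is free in your ruleset."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"{cfg.family} {cfg.botnet} C2 {ip}:{port}"; flow:to_server; '
        f'sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(cfg.c2)
    ]


def blocklist(cfg):
    """Unique C2 addresses in numeric order, for a firewall deny list."""
    return sorted({ip for ip, _ in cfg.c2}, key=ipaddress.ip_address)


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    print(f"{cfg.family} v{cfg.version} gtag={cfg.botnet} c2={len(cfg.c2)} "
          f"attrs={cfg.attributes} suspicious={c2_sanity(cfg)}")
    print("\n".join(suricata_rules(cfg)))
```

The sanity check matters more than it looks: config extractors occasionally emit decoy or stale entries, and pushing a private or loopback address into a perimeter deny list is the kind of mistake that gets noticed only when something else breaks.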
Signatures

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  9     myexternalip.com

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  1168  wermgr.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  1880  4ee11bd54d2f1dc61467de3f71bb6b9f01bfdd35df8fe586fa556f2383c96b21.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description                       pid   process                                                                target process
  PID 1880 wrote to memory of 1340  1880  4ee11bd54d2f1dc61467de3f71bb6b9f01bfdd35df8fe586fa556f2383c96b21.exe  splwow64.exe  (4 events)
  PID 1880 wrote to memory of 1168  1880  4ee11bd54d2f1dc61467de3f71bb6b9f01bfdd35df8fe586fa556f2383c96b21.exe  wermgr.exe    (6 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\4ee11bd54d2f1dc61467de3f71bb6b9f01bfdd35df8fe586fa556f2383c96b21.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4ee11bd54d2f1dc61467de3f71bb6b9f01bfdd35df8fe586fa556f2383c96b21.exe"
   PID: 1880
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 1340
   2. C:\Windows\system32\wermgr.exe
      Command line: C:\Windows\system32\wermgr.exe
      PID: 1168
      - Suspicious use of AdjustPrivilegeToken
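The Signatures and Processes sections together describe one chain: a binary run from %TEMP% spawns splwow64.exe and wermgr.exe and writes into both, the injected wermgr.exe then enables SeDebugPrivilege, and the host resolves an external-IP lookup service. That chain, rather than any single event, is what a detection should key on. The following is an added example of such detection logic, not sandbox code: the event records are constructed to mirror the report (plus one benign svchost.exe to taskhost.exe write added as a control, which is not in the report), the field names are this example's own rather than a real telemetry schema, and the list of IP-lookup domains is an assumed one.

```python
"""Detection logic for the behaviour chain in the report above: a binary
run from %TEMP% writes into two Windows processes it spawned (splwow64.exe
and wermgr.exe), the injected wermgr.exe then enables SeDebugPrivilege,
and the host resolves an external-IP lookup service.

Added example, not sandbox code. EVENTS is constructed to mirror the
report's Processes and Signatures sections; the field names are this
example's own, not a real telemetry schema. The svchost.exe -> taskhost.exe
write is a benign control event that is not in the report.
"""
from collections import Counter

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\4ee11bd54d2f1dc61467de3f71bb6b9f01bfdd35df8fe586fa556f2383c96b21.exe")

EVENTS = [
    {"type": "process_create", "pid": 1880, "ppid": None, "image": SAMPLE},
    {"type": "process_create", "pid": 1340, "ppid": 1880,
     "image": r"C:\Windows\splwow64.exe", "cmdline": r"C:\Windows\splwow64.exe 12288"},
    {"type": "process_create", "pid": 1168, "ppid": 1880,
     "image": r"C:\Windows\system32\wermgr.exe", "cmdline": r"C:\Windows\system32\wermgr.exe"},
    {"type": "process_create", "pid": 600, "ppid": None, "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process_create", "pid": 700, "ppid": 600, "image": r"C:\Windows\System32\taskhost.exe"},
    *([{"type": "write_process_memory", "pid": 1880, "target_pid": 1340}] * 4),
    *([{"type": "write_process_memory", "pid": 1880, "target_pid": 1168}] * 6),
    {"type": "write_process_memory", "pid": 600, "target_pid": 700},   # benign control
    {"type": "set_windows_hook", "pid": 1880},
    {"type": "adjust_privilege", "pid": 1168, "privilege": "SeDebugPrivilege"},
    {"type": "dns_query", "pid": None, "flow": 9, "domain": "myexternalip.com"},
]

# Assumed list of public "what is my IP" services; extend for your environment.
IP_LOOKUP_DOMAINS = {"myexternalip.com", "api.ipify.org", "ipinfo.io", "checkip.amazonaws.com"}


def is_windows_image(image):
    return image.lower().startswith("c:\\windows\\")


def is_user_writable(image):
    low = image.lower()
    return "\\appdata\\" in low or "\\users\\" in low or "\\programdata\\" in low


def process_table(events):
    return {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}


def detect(events):
    procs = process_table(events)
    alerts = []

    # Rule 1: memory written into a Windows-directory process by a process
    # whose image is outside the Windows directory. Counted per (source,
    # target) pair so the report's ten write events become two alerts.
    writes = Counter((e["pid"], e["target_pid"])
                     for e in events if e["type"] == "write_process_memory")
    injected = set()
    for (src, dst), n in writes.items():
        src_img, dst_img = procs.get(src, ""), procs.get(dst, "")
        if is_windows_image(dst_img) and not is_windows_image(src_img):
            injected.add(dst)
            alerts.append({
                "rule": "injection_into_windows_binary",
                "severity": "high" if is_user_writable(src_img) else "medium",
                "pid": src, "source": src_img,
                "target_pid": dst, "target": dst_img, "count": n,
            })

    # Rule 2: a process that received such writes later enables
    # SeDebugPrivilege, as the report attributes to the injected wermgr.exe.
    for e in events:
        if (e["type"] == "adjust_privilege" and e["privilege"] == "SeDebugPrivilege"
                and e["pid"] in injected):
            alerts.append({"rule": "injected_process_enables_sedebug", "severity": "high",
                           "pid": e["pid"], "image": procs.get(e["pid"])})

    # Rule 3: external-IP lookup. Weak on its own, corroborating alongside 1 and 2.
    for e in events:
        if e["type"] == "dns_query" and e["domain"].lower() in IP_LOOKUP_DOMAINS:
            alerts.append({"rule": "external_ip_lookup", "severity": "low",
                           "domain": e["domain"], "flow": e.get("flow")})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Two design points. The SetWindowsHookEx event is deliberately not a rule: far too many legitimate applications install hooks, and in this report its only value is that it sits next to the injection. And on a real endpoint the "wrote to memory of" signal comes from cross-process access telemetry (for instance Sysmon's ProcessAccess, Event ID 10, with write access in the granted mask) rather than a direct WriteProcessMemory record, so the parent/child relationship plus the access event is what you join on.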
Downloads

memory/1168-4-0x0000000000000000-mapping.dmp
memory/1340-2-0x0000000000000000-mapping.dmp
memory/1880-3-0x00000000024D0000-0x000000000250A000-memory.dmp  Filesize: 232KB
memory/1880-6-0x0000000002690000-0x0000000002694000-memory.dmp  Filesize: 16KB
memory/1880-5-0x0000000002550000-0x0000000002554000-memory.dmp  Filesize: 16KB