Resubmissions
07-12-2020 21:19  201207-dxaesc38wa  score 10
02-12-2020 13:37  201202-y581fb4476  score 10
23-11-2020 11:51  201123-kbf2mbqj7j  score 10
20-11-2020 12:12  201120-2wfg5nazp6  score 10
Analysis
max time kernel: 593s
max time network: 597s
platform: windows7_x64
resource: win7v20201028
submitted: 02-12-2020 13:37
Static task: static1
Behavioral task: behavioral1
  Sample: 73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
  Resource: win7v20201028
Behavioral task: behavioral3
  Sample: 73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
  Resource: win10v20201028
Behavioral task: behavioral4
  Sample: 73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
  Resource: win10v20201028
General
Target: 73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
Size: 724KB
MD5: 1a3adc0b25169b3aa6b7779e9b59715d
SHA1: 7430bc136e8f7843525d38803ed05a130057481b
SHA256: 73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653
SHA512: cb7b5c51faefc13606efb53b8b352ebbfa9da03661c38a42ed61f545df9ecab6638d89676cc8d0f45fba3a748bd9560fe26c486789b31dc61615cd011cb73013
Malware Config
Extracted
Family: trickbot
Version: 2000017
Botnet: tot13
C2:
  81.91.234.196:443
  2.179.73.140:443
  185.160.60.26:443
  188.133.138.240:443
  181.211.128.49:443
  190.107.93.172:443
  103.194.88.2:443
  203.156.72.34:443
  117.222.39.83:443
Attributes:
  autorunName:pwgrab
Signatures
- Contacts Bazar domain
  Uses Emercoin blockchain domains associated with Bazar backdoor/loader.
- Executes dropped EXE (1 IoC)
  Processes:
  pid 1388  process 73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid 1208  process 73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
  pid 1208  process 73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description Token: SeDebugPrivilege  pid 1428  process wermgr.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid 1208  process 73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
  pid 1388  process 73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description / pid / process / target process):
  PID 1208 wrote to memory of 1408  1208  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe  splwow64.exe
  PID 1208 wrote to memory of 1408  1208  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe  splwow64.exe
  PID 1208 wrote to memory of 1408  1208  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe  splwow64.exe
  PID 1208 wrote to memory of 1408  1208  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe  splwow64.exe
  PID 1208 wrote to memory of 1388  1208  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
  PID 1208 wrote to memory of 1388  1208  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
  PID 1208 wrote to memory of 1388  1208  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
  PID 1208 wrote to memory of 1388  1208  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
  PID 1388 wrote to memory of 1428  1388  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe  wermgr.exe
  PID 1388 wrote to memory of 1428  1388  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe  wermgr.exe
  PID 1388 wrote to memory of 1428  1388  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe  wermgr.exe
  PID 1388 wrote to memory of 1428  1388  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe  wermgr.exe
  PID 1388 wrote to memory of 1428  1388  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe  wermgr.exe
  PID 1388 wrote to memory of 1428  1388  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe  wermgr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (depth 2)
    Command line: C:\Windows\splwow64.exe 12288
  - C:\Users\Admin\AppData\Roaming\Colorwin\73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\Colorwin\73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\wermgr.exe (depth 3)
      Command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Roaming\Colorwin\73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
  MD5: 1a3adc0b25169b3aa6b7779e9b59715d
  SHA1: 7430bc136e8f7843525d38803ed05a130057481b
  SHA256: 73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653
  SHA512: cb7b5c51faefc13606efb53b8b352ebbfa9da03661c38a42ed61f545df9ecab6638d89676cc8d0f45fba3a748bd9560fe26c486789b31dc61615cd011cb73013
- \Users\Admin\AppData\Roaming\Colorwin\73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
  MD5: 1a3adc0b25169b3aa6b7779e9b59715d
  SHA1: 7430bc136e8f7843525d38803ed05a130057481b
  SHA256: 73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653
  SHA512: cb7b5c51faefc13606efb53b8b352ebbfa9da03661c38a42ed61f545df9ecab6638d89676cc8d0f45fba3a748bd9560fe26c486789b31dc61615cd011cb73013
- \Users\Admin\AppData\Roaming\Colorwin\73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
  MD5: 1a3adc0b25169b3aa6b7779e9b59715d
  SHA1: 7430bc136e8f7843525d38803ed05a130057481b
  SHA256: 73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653
  SHA512: cb7b5c51faefc13606efb53b8b352ebbfa9da03661c38a42ed61f545df9ecab6638d89676cc8d0f45fba3a748bd9560fe26c486789b31dc61615cd011cb73013
- memory/1208-5-0x0000000003460000-0x0000000003494000-memory.dmp
  Filesize: 208KB
- memory/1208-13-0x0000000000540000-0x0000000000544000-memory.dmp
  Filesize: 16KB
- memory/1208-14-0x0000000002630000-0x0000000002634000-memory.dmp
  Filesize: 16KB
- memory/1388-8-0x0000000000000000-mapping.dmp
- memory/1388-16-0x0000000000230000-0x0000000000234000-memory.dmp
  Filesize: 16KB
- memory/1388-17-0x00000000027B0000-0x00000000027B4000-memory.dmp
  Filesize: 16KB
- memory/1408-4-0x0000000000000000-mapping.dmp
- memory/1428-15-0x0000000000000000-mapping.dmp