Resubmissions

  Submitted          Analysis ID          Score
  07-12-2020 21:19   201207-dxaesc38wa    10
  02-12-2020 13:37   201202-y581fb4476    10
  23-11-2020 11:51   201123-kbf2mbqj7j    10
  20-11-2020 12:12   201120-2wfg5nazp6    10

Analysis
  max time kernel:   1793s
  max time network:  1796s
  platform:          windows7_x64
  resource:          win7v20201028
  submitted:         02-12-2020 13:37
Static task
  static1

Behavioral tasks
  behavioral1   sample 73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe   resource win7v20201028
  behavioral2   sample 73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe   resource win7v20201028
  behavioral3   sample 73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe   resource win10v20201028
  behavioral4   sample 73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe   resource win10v20201028
General
  Target:  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
  Size:    724KB
  MD5:     1a3adc0b25169b3aa6b7779e9b59715d
  SHA1:    7430bc136e8f7843525d38803ed05a130057481b
  SHA256:  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653
  SHA512:  cb7b5c51faefc13606efb53b8b352ebbfa9da03661c38a42ed61f545df9ecab6638d89676cc8d0f45fba3a748bd9560fe26c486789b31dc61615cd011cb73013
Malware Config

Extracted
  Family:   trickbot
  Version:  2000017
  Botnet:   tot13
  C2:
    81.91.234.196:443
    2.179.73.140:443
    185.160.60.26:443
    188.133.138.240:443
    181.211.128.49:443
    190.107.93.172:443
    103.194.88.2:443
    203.156.72.34:443
    117.222.39.83:443
  Attributes:
    autorunName: pwgrab
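The extracted config is the most directly actionable part of this report: nine hard-coded C2 endpoints, all on 443, plus the version and botnet tag. The script below is an added example (not sandbox output and not tooling from any vendor) that parses the config block exactly as printed above into a structure and sweeps connection and DNS log lines for it. The log lines and the `.bazar` name in them are constructed for the demonstration; the log format is an assumption chosen to be easy to read, not any product's schema. The Emercoin TLD list covers the "Contacts Bazar domain" signature below: those names only resolve through Emercoin-aware resolvers, so a query for one from a normal host is a signal on its own.

```python
"""Parse the TrickBot config from this report and sweep logs for it.

Added example for this report, not tooling from the sandbox or any
vendor. CONFIG_TEXT is copied from the Malware Config section; LOG is
constructed for the demonstration.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Copied verbatim from the report's "Malware Config" section.
CONFIG_TEXT = """\
trickbot
2000017
tot13
81.91.234.196:443
2.179.73.140:443
185.160.60.26:443
188.133.138.240:443
181.211.128.49:443
190.107.93.172:443
103.194.88.2:443
203.156.72.34:443
117.222.39.83:443
autorunName:pwgrab
"""

# Top-level domains served by Emercoin's blockchain DNS. Bazar C2 lives
# under .bazar; none of these resolve through ordinary recursive DNS.
EMERCOIN_TLDS = (".bazar", ".coin", ".emc", ".lib")

# Constructed log lines (assumed format: "<ts> conn <src> <dst> <port> <proto>"
# or "<ts> dns <src> query <name>"). The .bazar name is made up.
LOG = """\
2020-12-02T13:40:01 conn 10.0.0.15 81.91.234.196 443 tcp
2020-12-02T13:40:02 conn 10.0.0.15 142.250.74.78 443 tcp
2020-12-02T13:40:05 dns  10.0.0.15 query example-c2.bazar
2020-12-02T13:41:10 conn 10.0.0.22 185.160.60.26 80 tcp
2020-12-02T13:42:00 dns  10.0.0.22 query www.example.com
"""


@dataclass
class TrickbotConfig:
    family: str
    version: str
    botnet: str            # the "gtag", tot13 here
    c2: set                # "ip:port" strings
    autoruns: list = field(default_factory=list)


def parse_config(text: str) -> TrickbotConfig:
    """Turn the report's config block into a TrickbotConfig."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, version, botnet = lines[0], lines[1], lines[2]
    c2, autoruns = set(), []
    for line in lines[3:]:
        if line.startswith("autorunName:"):
            autoruns.append(line.split(":", 1)[1])
            continue
        host, _, port = line.rpartition(":")
        ipaddress.ip_address(host)   # raises if a C2 entry is not an IP literal
        c2.add(f"{host}:{int(port)}")
    return TrickbotConfig(family, version, botnet, c2, autoruns)


LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>conn|dns)\s+(?P<src>\S+)\s+(?P<rest>.*)$")


def sweep(log: str, cfg: TrickbotConfig) -> list:
    """Return (ts, src, reason, indicator) for every line that matches."""
    c2_ips = {entry.split(":")[0] for entry in cfg.c2}
    hits = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        kind, src, rest = m["kind"], m["src"], m["rest"].split()
        if kind == "conn":
            dst, port = rest[0], rest[1]
            if f"{dst}:{port}" in cfg.c2:
                hits.append((m["ts"], src, "c2-exact", f"{dst}:{port}"))
            elif dst in c2_ips:
                # Same host on another port: still worth a look, the
                # operators rotate ports more often than addresses.
                hits.append((m["ts"], src, "c2-ip-other-port", f"{dst}:{port}"))
        elif kind == "dns" and rest[0] == "query":
            name = rest[1].lower().rstrip(".")
            if name.endswith(EMERCOIN_TLDS):
                hits.append((m["ts"], src, "emercoin-tld", name))
    return hits


if __name__ == "__main__":
    config = parse_config(CONFIG_TEXT)
    print(f"{config.family} v{config.version} gtag={config.botnet} "
          f"c2={len(config.c2)} autoruns={config.autoruns}")
    for hit in sweep(LOG, config):
        print(*hit)
```

The C2 addresses here are what the sample carried on 02-12-2020; TrickBot configs are refreshed on resubmission (compare the four analyses above), so treat the list as dated and re-extract from the newest sample before relying on it.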
Signatures

Contacts Bazar domain
  Uses Emercoin blockchain domains associated with Bazar backdoor/loader.

Executes dropped EXE (1 IoC)
  pid    process
  1628   73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe

Loads dropped DLL (2 IoCs)
  pid    process
  1080   73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
  1080   73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid    process
  Token: SeDebugPrivilege   604    wermgr.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid    process
  1080   73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
  1628   73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description                        pid    process                                                                  target process
  PID 1080 wrote to memory of 1200   1080   73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe   splwow64.exe   (4 events)
  PID 1080 wrote to memory of 1628   1080   73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe   73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe   (4 events)
  PID 1628 wrote to memory of 604    1628   73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe   wermgr.exe   (6 events)
Processes

  C:\Users\Admin\AppData\Local\Temp\73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
    "C:\Users\Admin\AppData\Local\Temp\73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe"
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288

    C:\Users\Admin\AppData\Roaming\Colorwin\73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
      C:\Users\Admin\AppData\Roaming\Colorwin\73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        - Suspicious use of AdjustPrivilegeToken
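The process tree above is the classic TrickBot loader chain: the sample copies itself (same hashes, see Downloads) into a new directory under %AppData%\Roaming, launches the copy, and the copy spawns wermgr.exe and writes into it; the SeDebugPrivilege adjustment then comes from wermgr.exe, i.e. from the injected payload rather than the Windows Error Reporting code. The script below is an added example (not sandbox output) that rebuilds that tree from hand-transcribed events and flags each step. The PROCESSES, WRITES and PRIVILEGES lists are constructed from the Processes, WriteProcessMemory and AdjustPrivilegeToken sections of this report; the hash is the report's SHA256, and the image hash for the Windows binaries is left as None because the report does not give one. One caveat it encodes: every parent shows a WriteProcessMemory edge to the child it just spawned, so the discriminating condition is a process outside C:\Windows writing into a Windows image, and splwow64.exe is weaker evidence than wermgr.exe because Windows starts splwow64.exe on behalf of any 32-bit process that touches GDI/printing.

```python
"""Rebuild the process tree from this report and flag the TrickBot
self-copy / re-launch / inject-into-wermgr.exe pattern in it.

Added example for this report, not sandbox tooling. The event lists
below are transcribed by hand from the report's Processes,
WriteProcessMemory and AdjustPrivilegeToken sections.
"""
from collections import defaultdict

SAMPLE_SHA256 = "73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653"

# (pid, ppid, image path, sha256 of the image or None when the report has none)
PROCESSES = [
    (1080, 0,    r"C:\Users\Admin\AppData\Local\Temp\%s.exe" % SAMPLE_SHA256, SAMPLE_SHA256),
    (1200, 1080, r"C:\Windows\splwow64.exe", None),
    (1628, 1080, r"C:\Users\Admin\AppData\Roaming\Colorwin\%s.exe" % SAMPLE_SHA256, SAMPLE_SHA256),
    (604,  1628, r"C:\Windows\system32\wermgr.exe", None),
]
# (writer pid, target pid) from "PID X wrote to memory of Y", de-duplicated
WRITES = [(1080, 1200), (1080, 1628), (1628, 604)]
# pid -> privileges enabled via AdjustTokenPrivileges
PRIVILEGES = {604: ["SeDebugPrivilege"]}


def build_tree(processes):
    """Index processes by pid and map each ppid to its children (in order)."""
    by_pid = {p[0]: p for p in processes}
    children = defaultdict(list)
    for pid, ppid, _, _ in processes:
        children[ppid].append(pid)
    return by_pid, children


def render(by_pid, children, pid, depth=0, out=None):
    """Depth-first listing of image paths, indented by depth."""
    out = [] if out is None else out
    out.append("  " * depth + by_pid[pid][2])
    for child in children[pid]:
        render(by_pid, children, child, depth + 1, out)
    return out


def is_windows_image(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def find_findings(processes, writes, privileges):
    """Return (kind, subject pid, object pid, path) tuples for each flagged step."""
    by_pid, _ = build_tree(processes)
    findings = []

    # 1. A child with the same hash as its parent, running from a new
    #    directory under %AppData%\Roaming: the sample copied itself and
    #    re-launched the copy (the Colorwin directory in this report).
    for pid, ppid, path, sha in processes:
        parent = by_pid.get(ppid)
        if (parent and sha and parent[3] == sha
                and path.lower() != parent[2].lower()
                and "\\appdata\\roaming\\" in path.lower()):
            findings.append(("self-copy-executed", ppid, pid, path))

    # 2. A process outside C:\Windows writing into a Windows image.
    #    Parent->child writes happen for every spawn, so only the
    #    Windows-image targets are flagged. splwow64.exe is the weaker of
    #    the two: Windows launches it for any 32-bit process using GDI.
    injected = set()
    for writer_pid, target_pid in writes:
        writer, target = by_pid[writer_pid], by_pid[target_pid]
        if not is_windows_image(writer[2]) and is_windows_image(target[2]):
            injected.add(target_pid)
            findings.append(("inject-into-windows-image", writer_pid, target_pid, target[2]))

    # 3. An injected host enabling SeDebugPrivilege afterwards: that is
    #    the payload running inside wermgr.exe, not wermgr.exe itself.
    for pid, privs in privileges.items():
        if pid in injected and "SeDebugPrivilege" in privs:
            findings.append(("debug-privilege-in-injected-host", pid, pid, by_pid[pid][2]))
    return findings


if __name__ == "__main__":
    by_pid, children = build_tree(PROCESSES)
    print("\n".join(render(by_pid, children, 1080)))
    for finding in find_findings(PROCESSES, WRITES, PRIVILEGES):
        print(*finding)
```

Fed with real endpoint telemetry (Sysmon event 1 for the tree, event 8/10 or an EDR's cross-process write events for WRITES, event 4703 for privilege changes) the same three rules give a host-level match for this report without depending on the hashes, which change with every rebuild.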
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

  C:\Users\Admin\AppData\Roaming\Colorwin\73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
    MD5     1a3adc0b25169b3aa6b7779e9b59715d
    SHA1    7430bc136e8f7843525d38803ed05a130057481b
    SHA256  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653
    SHA512  cb7b5c51faefc13606efb53b8b352ebbfa9da03661c38a42ed61f545df9ecab6638d89676cc8d0f45fba3a748bd9560fe26c486789b31dc61615cd011cb73013

  \Users\Admin\AppData\Roaming\Colorwin\73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
    MD5     1a3adc0b25169b3aa6b7779e9b59715d
    SHA1    7430bc136e8f7843525d38803ed05a130057481b
    SHA256  73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653
    SHA512  cb7b5c51faefc13606efb53b8b352ebbfa9da03661c38a42ed61f545df9ecab6638d89676cc8d0f45fba3a748bd9560fe26c486789b31dc61615cd011cb73013

  memory/604-15-0x0000000000000000-mapping.dmp
  memory/1080-5-0x00000000025F0000-0x0000000002624000-memory.dmp    208KB
  memory/1080-13-0x0000000000370000-0x0000000000374000-memory.dmp   16KB
  memory/1080-14-0x0000000002950000-0x0000000002954000-memory.dmp   16KB
  memory/1200-4-0x0000000000000000-mapping.dmp
  memory/1628-8-0x0000000000000000-mapping.dmp
  memory/1628-16-0x00000000002B0000-0x00000000002B4000-memory.dmp   16KB
  memory/1628-17-0x0000000002780000-0x0000000002784000-memory.dmp   16KB