Analysis
- max time kernel: 132s
- max time network: 138s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 04-12-2020 21:51

Static task: static1
Behavioral task: behavioral1
- Sample: sample.exe
- Resource: win7v20201028
General
- Target: sample.exe
- Size: 276KB
- MD5: fe772386d4d851272a985dae3b0a254a
- SHA1: 3ef8ab7cccd2dabc9d598d4eebf208b5c5d9b33a
- SHA256: bfa4dd7b3e2182a6fa772443847b4fe6e70d66c773c5f0b087da566b779d90b2
- SHA512: e6c6953286e7801ba2867a942c6fdb3724597368a029dc3faf2046d6a4a1a861c4845b13de1face1bce8e69e0ff26622f195735f1942ed2f01f65e7821f6d8ec
Malware Config
Extracted
- Family: trickbot
- Version: 2000016
- Botnet: lib11
- C2:
  202.136.89.226:449
  202.169.244.252:449
  203.176.135.38:449
  212.3.104.50:449
  41.203.215.122:449
  41.41.179.239:449
  43.239.152.240:449
  43.242.141.59:449
  43.245.216.190:449
  43.255.113.180:449
  45.230.8.34:449
  45.233.25.6:449
  78.138.128.20:449
  49.156.41.74:449
- Attributes: autorunName:pwgrab
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 2036  sample.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1580  sample.exe
    pid 1580  sample.exe
- Program crash (1 IoC)
  Processes:
    pid 1224  WerFault.exe  (target pid 1580, target process sample.exe)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid 1224  WerFault.exe  (5 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege  pid 1224  WerFault.exe
    Token: SeDebugPrivilege  pid 1148  wermgr.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid 1580  sample.exe
    pid 2036  sample.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    PID 1580 wrote to memory of 2036  (sample.exe -> sample.exe)  4 entries
    PID 2036 wrote to memory of 1148  (sample.exe -> wermgr.exe)  4 entries
    PID 1580 wrote to memory of 1224  (sample.exe -> WerFault.exe)  4 entries
    PID 2036 wrote to memory of 1148  (sample.exe -> wermgr.exe)  2 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\sample.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Colorwin\sample.exe
      Command line: C:\Users\Admin\AppData\Roaming\Colorwin\sample.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\wermgr.exe
         Command line: C:\Windows\system32\wermgr.exe
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 160
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Roaming\Colorwin\sample.exe
  MD5: fe772386d4d851272a985dae3b0a254a
  SHA1: 3ef8ab7cccd2dabc9d598d4eebf208b5c5d9b33a
  SHA256: bfa4dd7b3e2182a6fa772443847b4fe6e70d66c773c5f0b087da566b779d90b2
  SHA512: e6c6953286e7801ba2867a942c6fdb3724597368a029dc3faf2046d6a4a1a861c4845b13de1face1bce8e69e0ff26622f195735f1942ed2f01f65e7821f6d8ec
- \Users\Admin\AppData\Roaming\Colorwin\sample.exe
  MD5: fe772386d4d851272a985dae3b0a254a
  SHA1: 3ef8ab7cccd2dabc9d598d4eebf208b5c5d9b33a
  SHA256: bfa4dd7b3e2182a6fa772443847b4fe6e70d66c773c5f0b087da566b779d90b2
  SHA512: e6c6953286e7801ba2867a942c6fdb3724597368a029dc3faf2046d6a4a1a861c4845b13de1face1bce8e69e0ff26622f195735f1942ed2f01f65e7821f6d8ec
- memory/1148-15-0x0000000000000000-mapping.dmp
- memory/1224-12-0x0000000000000000-mapping.dmp
- memory/1224-13-0x0000000002040000-0x0000000002051000-memory.dmp
  Filesize: 68KB
- memory/1224-14-0x0000000002620000-0x0000000002631000-memory.dmp
  Filesize: 68KB
- memory/1580-4-0x0000000000290000-0x00000000002C4000-memory.dmp
  Filesize: 208KB
- memory/2036-7-0x0000000000000000-mapping.dmp